How Informative are Cybersecurity Risk Disclosures? Empirical Analysis of Breached Firms
This study analyzed six years of 10-K filings from 45 firms affected by ransomware, labeling 6,282 cybersecurity-related statements. Findings show disclosures increasingly focus on prospective risks and mitigation strategies, but fewer than half mention incident responses, revealing a lack of transparency. Firms often fail to connect potential risks to actual damages, highlighting limited awareness of ransomware threats.