How Informative are Cybersecurity Risk Disclosures? Empirical Analysis of Breached Firms
This study analyzed six years of 10‑K filings from 45 firms affected by ransomware, labeling 6,282 cybersecurity‑related statements. Findings show disclosures increasingly focus on prospective risks and mitigation strategies, but fewer than half mention incident responses, revealing a lack of transparency. Firms often fail to connect potential risks to actual damages, highlighting limited awareness of ransomware threats.