Timely Cybersecurity Disclosure and Information Manipulation


MANAGEMENT SCIENCE

Vol. 71, No. 11, November 2025, pp. 9308–9327

Xuanpu Lin and Guoman She

Faculty of Business and Economics, The University of Hong Kong, Hong Kong

https://doi.org/10.1287/mnsc.2023.01058

Highlights

  1. There was a significant spike in insider sales within 10 days prior to the reported discovery date for sample incidents, suggesting that managers may possess private information about breaches before the reported discovery date, indicating that some firms misreport the discovery date of a cybersecurity incident.
  2. Misreporting of the reported discovery date is deterred by strong internal control systems and high litigation risk, but is more likely when cybersecurity incidents are severe and when firms face greater pressure to meet a disclosure deadline.
  3. Firms suspected of misreporting their reported discovery date of a cybersecurity incident tend to submit disclosures towards the end of the legal disclosure window, and often provide more detailed remedial actions, pointing to possible misrepresentation of incident timing and strategic delay of disclosure to manage the impact of cybersecurity breaches.

Cybersecurity incidents pose a significant business risk to modern companies. Consequently, regulators have increasingly mandated prompt disclosures regarding cybersecurity incidents to facilitate timely and effective external monitoring of cybersecurity risk. For instance, the European Cyber Resilience Act (CRA), adopted in 2023, requires software publishers to report any unaddressed security vulnerabilities within 24 hours of their discovery. Similarly, the U.S. Securities and Exchange Commission (SEC) recently adopted a new rule requiring firms to disclose a cybersecurity incident within four business days after determining its materiality.

However, critics contend that these timely disclosure requirements inadvertently reveal a firm’s security system vulnerabilities before the firm can effectively mitigate them. As such exposure has the potential to attract subsequent cyberattacks and provoke stakeholder anxiety, firms might have incentives to strategically manipulate incident-related information to delay the public disclosure of cybersecurity breaches. This study provides the first evidence on the credibility of mandatory cybersecurity disclosure.

The researchers evaluated the credibility of cybersecurity disclosures made in compliance with state-level data breach notification laws, which mandate that firms promptly notify the public within a specified timeframe.


In a typical disclosure report, firms delineate crucial event dates (i.e., starting, discovery, and ending dates) pertaining to the incident; regulatory bodies often rely on the discovery date reported by firms (“reported discovery date”) to assess their compliance with the disclosure timeframes. This study investigated whether firms intentionally misrepresent the discovery date to postpone public disclosure of cybersecurity incidents.

The study hypothesis was built on the premise that promptly disclosing a cybersecurity incident before affected firms undertake full investigations and mitigation actions potentially incurs costs because the disclosure may reveal security vulnerabilities and provoke stakeholder anxiety. Consequently, firms are motivated to delay the disclosure of cybersecurity incidents to gain additional time and opportunities for addressing security vulnerabilities that could otherwise be exploited by malicious actors. This strategic delay also allows opportunities for discussions on remedial actions and business restoration strategies when attacked firms eventually disclose the incident, thereby helping them to mitigate reputational and financial losses.

Given the inherent difficulty for outsiders to discover and verify cybersecurity-related information, managers can plausibly misreport the discovery date of an incident as a means to strategically postpone disclosures. Conversely, internal control mechanisms (e.g., whistleblower programs) and the expected litigation costs associated with misrepresenting information may ensure timely and accurate disclosures.

The researchers obtained a list of 250 material cybersecurity incidents that were disclosed by firms between 2010 and 2021 and for which the discovery date was available. Because the actual discovery date cannot be observed, the researchers proposed a measure based on the degree of abnormal insider trading activity preceding the reported discovery date to infer whether managers possessed information about an incident before that date. A spike in insider sales before the reported discovery date supports the inference that managers already knew about the incident, making the reported discovery date suspicious. For each incident, the researchers tracked insider sales from 45 trading days before to 45 trading days after the reported discovery date.


The researchers found that insider sales increase sharply from 10 days before the reported discovery date to 1 day before (day −10 to day −1), followed by a return to normal levels thereafter. The effect was economically significant: 24% of incidents in the sample were accompanied by extra insider sales preceding the reported discovery date, and the average trading volume amounted to about $1 million. This result indicates that insiders likely possessed private information about a cybersecurity incident before the reported discovery date, suggesting that some of the reported discovery dates are suspicious.

To strengthen their argument, the researchers conducted a difference-in-differences (DiD) analysis. For each attacked firm, the researchers selected a matched firm that operated in the same industry, had never experienced a cybersecurity incident, and shared similar observable firm characteristics with the attacked firm (e.g., board expertise in cybersecurity). The researchers then constructed a firm-date panel covering both attacked and control firms spanning the period from 45 trading days before to 45 trading days after the reported discovery date of each incident.


The DiD estimates suggest that nonroutine insider sales by attacked firms are significantly greater within the day −10 to day −1 window preceding the reported discovery date. Moreover, these insider sales avoided significant future losses (4.8% over the 180-day post-trading period). Collectively, these results support the argument that managers likely possess private information before the reported discovery date, implying that some of the reported discovery dates are questionable.
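The event-window screen and the matched-control contrast described above, as an added illustration of the study's design rather than the authors' own code or estimates: daily insider sales are tracked over day −45 to day +45, the day −10 to day −1 window is compared against the remaining days, and the same abnormal-sales quantity for a matched control firm is subtracted to form a simple difference-in-differences estimate. The daily sales figures are constructed, and the z-score flagging threshold is an assumption, not a rule from the paper.

```python
"""Abnormal pre-discovery insider-sales screen with a matched-control DiD.
Added illustration of the study's event-window design; all data below are
constructed and the flagging threshold is an assumption, not the paper's."""
from statistics import mean, pstdev

WINDOW = 45                # trading days tracked on each side of day 0
PRE_LO, PRE_HI = -10, -1   # window in which the study observed the spike


def daily_series(sales_by_day):
    """Expand {event_day: dollars sold} into a dense day -> dollars map."""
    return {d: float(sales_by_day.get(d, 0.0)) for d in range(-WINDOW, WINDOW + 1)}


def split_windows(series):
    """Return (pre-window values, baseline values) for one firm-incident."""
    pre = [v for d, v in series.items() if PRE_LO <= d <= PRE_HI]
    base = [v for d, v in series.items() if not (PRE_LO <= d <= PRE_HI)]
    return pre, base


def abnormal_pre_sales(series):
    """Mean daily sales in day -10..-1 minus the mean over the other days."""
    pre, base = split_windows(series)
    return mean(pre) - mean(base)


def is_suspicious(series, z_threshold=2.0):
    """Flag when the pre-window mean exceeds baseline by z_threshold baseline
    standard deviations (assumed screening rule, not the paper's estimator)."""
    pre, base = split_windows(series)
    sd = pstdev(base)
    if sd == 0:
        return mean(pre) > mean(base)
    return (mean(pre) - mean(base)) / sd > z_threshold


def did_estimate(attacked, control):
    """(attacked pre - attacked base) - (control pre - control base)."""
    return abnormal_pre_sales(attacked) - abnormal_pre_sales(control)


# Constructed data: both firms sell ~50k on a few routine days; only the
# attacked firm shows large nonroutine sales inside day -10..-1.
ROUTINE = {-40: 50_000, -30: 50_000, 20: 50_000, 40: 50_000}
ATTACKED = daily_series({**ROUTINE, -8: 400_000, -5: 300_000, -3: 300_000})
CONTROL = daily_series({**ROUTINE, -6: 50_000})

if __name__ == "__main__":
    print("attacked suspicious:", is_suspicious(ATTACKED))
    print("control suspicious:", is_suspicious(CONTROL))
    print("DiD estimate ($/day):", round(did_estimate(ATTACKED, CONTROL)))
```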

Further analyses suggested that such misreporting is deterred by strong internal control and high litigation risk. In addition, the researchers found suggestive evidence that managers misreported the discovery date to postpone disclosure to allow time to take remedial action. Specifically, the researchers found that misreporting was more likely to involve severe incidents that required additional time and effort to remediate the cybersecurity system, and when firms faced a deadline for disclosure. In addition, the researchers found that suspicious firms tended to submit their disclosures to state attorneys’ offices toward the end of the permissible timeframe, and these disclosures tended to provide more detailed discussions of their remedial actions.

Study results contribute to the ongoing policy debate on cybersecurity-related regulation. Data-breach notification laws aim to build a transparent information environment and impose reputation sanctions on attacked firms. One concern raised by legal scholars is the lack of effort to increase the probability of apprehension and conviction for failures to report breaches.

Study results suggest that discovery dates are misreported to delay disclosure and emphasize the importance of effective information verification and enforcement mechanisms to increase disclosure reliability. This study underscores the trade-off between disclosure timeliness and information quality for mandatory cybersecurity disclosure.

Keywords: Cybersecurity, Mandatory disclosure, Misreporting, Insider trading, Disclosure timeliness

* Learn more from the full research article here:
https://doi.org/10.1287/mnsc.2023.01058
