Daily Archives: 8 May 2026

Expanded Cyber Disclosure Draws Limited Investor Response

Companies in the United States are reporting on cybersecurity in greater detail than before, yet financial markets appear largely unmoved. A new study by the University of Vaasa and Aalto University finds that mandatory cybersecurity disclosure requirements have not triggered meaningful responses from investors or stock analysts. While firms are providing more information, the anticipated external impact on market behaviour has not materialised, suggesting that the most immediate effects are occurring within organisations rather than in the broader financial system.

The study examines the early outcomes of new disclosure rules introduced in 2023 by the U.S. Securities and Exchange Commission. These rules require publicly listed companies to include more detailed information in their annual reports about cybersecurity governance, risk management, and oversight. Analysing 3,440 Form 10-K filings from 2024, the researchers assessed how companies responded during the first full year of implementation, focusing on the newly introduced Item 1C disclosure section.

The findings show that companies did not simply shift existing language into a new section. Instead, many produced genuinely new and more structured descriptions of their cybersecurity practices. Firms were required to articulate their governance frameworks and clarify responsibilities in a way that had not been necessary before. This indicates that the regulation prompted real changes in how organisations document and communicate cybersecurity internally, rather than resulting in superficial compliance.

However, the extent and quality of these disclosures varied widely across companies. Differences could only be partially explained by factors such as company size, financial performance, or the type of auditor involved. Notably, whether a firm had previously experienced cyber incidents or operated in a highly digital environment did not strongly influence disclosure quality. This suggests that companies still retain considerable discretion in deciding how much and what kind of information to share.

Despite the increase in reporting, there was little evidence of a corresponding shift in market behaviour. Stock prices did not show consistent reactions, analysts did not significantly expand their discussion of cybersecurity issues, and investor attention to annual reports remained largely unchanged. This is somewhat unexpected given the widely recognised risks associated with cyber incidents, which can disrupt operations, expose sensitive data, and lead to substantial financial losses. The findings imply that investors may not yet be incorporating governance-level cybersecurity information into their valuation decisions.

Interviews conducted as part of the study suggest that the primary benefits of mandatory disclosure are being realised within firms themselves. The requirement has encouraged organisations to formalise and document their cybersecurity structures, processes, and decision-making practices more systematically. Regulatory approaches in other regions treat this internal focus differently. In Europe, for example, frameworks such as the NIS2 Directive place greater emphasis on risk management responsibilities and internal accountability than on disclosures aimed directly at investors, highlighting a contrast in how cybersecurity governance is prioritised across jurisdictions.

More information: Elina Haapamäki et al., Mandatory cybersecurity disclosure: Early evidence from 10-K reports, International Journal of Accounting Information Systems. DOI: 10.1016/j.accinf.2026.100775

Journal information: International Journal of Accounting Information Systems

Provided by University of Vaasa