U.S. Corporations Increase Cybersecurity Reporting Under New SEC Mandate While Stock Market Reactions Remain Muted

Study of 3,440 U.S. firms shows new SEC cybersecurity reporting rules improve internal governance but fail to influence stock prices or analyst behavior.

By: AXL Media

Published: Apr 30, 2026, 9:32 AM EDT

Source: Information for this report was sourced from EurekAlert!

The Gap Between Corporate Transparency And Market Valuation

The introduction of rigorous cybersecurity disclosure requirements for U.S. public companies has not yet translated into a shift in investor behavior. According to the study published in the International Journal of Accounting Information Systems, the first full year of reporting under the SEC’s "Item 1C" rule saw thousands of firms providing granular details on their risk management and oversight structures. However, Associate Professor Elina Haapamäki notes that despite the increased volume of information, stock prices did not react systematically, and professional analysts did not elevate their focus on cybersecurity during firm evaluations.

Analyzing The Early Impact Of SEC Item 1C

The 2024 Form 10-K filings served as the first major test for the new disclosure framework, which requires a much more systematic description of governance responsibilities. Researchers analyzed 3,440 public companies to determine if these reports were merely cosmetic relocations of existing risk language. The findings suggest that firms actually produced genuinely new content rather than recycling old boilerplate text. Despite this substantive change in reporting depth, the study found that market participants appear to be discounting these governance-level details when making valuation decisions.

Discretion In Reporting Quality Among Public Firms

A significant finding of the research is that the quality and extent of these disclosures varied widely and were not necessarily dictated by a company's past history with digital threats. Associate Professor Jukka Sihvonen explains that disclosure quality was not influenced by whether a firm had previously experienced a cyber incident or by its overall level of digitalization. This indicates that corporate leadership still retains considerable discretion over how much specific information they share with the public, which may contribute to the lukewarm response from the investment community.