ABSTRACT
Increasingly, firms are subject to rising cybersecurity risks. One way that firms can communicate cybersecurity uncertainty and reduce information asymmetry with external stakeholders is through cybersecurity risk disclosures. SEC (2011, 2018) guidance encourages the disclosure of significant cybersecurity risk factors. However, not all firms provide informative or quality disclosures following a cybersecurity breach event. In this study, we examine firms' use of cybersecurity risk disclosures after a cybersecurity breach. We find that not all breached firms alter their cybersecurity disclosure behavior similarly following a breach. Rather, firm prior breach experience and breach-related market reactions impact the provision of additional cybersecurity disclosures. Our study provides initial evidence on when firms provide additional cybersecurity disclosures post-breach and informs regulators and policymakers on how firms utilize cybersecurity risk disclosures as a response behavior.