Are there trade-offs with mandating timely disclosure of cybersecurity incidents? Evidence from state-level data breach disclosure laws

Abstract

On March 23, 2022, the SEC proposed that firms publicly disclose their cybersecurity incidents within four days of discovery. In the U.S., state-level data breach disclosure laws require firms to disclose the occurrence of a data breach, with some mandating disclosure within a deadline while others do not. Exploiting this state-level variation in disclosure deadlines, we find that, when facing a deadline, firms disclose a data breach 90 percent faster but are 58 percent less likely to disclose breach details. Investors respond negatively to delayed breach disclosures but are forgiving of a delay when it is used to gather more breach details. Our study highlights the trade-offs of mandating a disclosure deadline for cybersecurity incidents.