In August, the U.S. Securities and Exchange Commission (SEC) justified its final rule, entitled "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" and aimed at publicly traded companies under the Securities Exchange Act of 1934, by citing a 2015 article entitled "The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective" by Lawrence A. Gordon, Martin P. Loeb, Lei Zhou, and Center for Governance of Technology and Systems (GoTech) Research Director William Lucyshyn, among other studies demonstrating the importance of information sharing on various outcomes.
In the article, the authors argue that firms are less prone to delay important cybersecurity investments when they embrace information sharing. Employing a "real options perspective", the study suggests that cybersecurity investment choices are not binary and that deferring an investment, in full or in part, becomes more likely when decision-makers are uncertain about the potential payoff and/or believe the investment is irreversible. In other words, uncertainty increases the value of deferring decisions. However, the authors also find that with effective information dissemination, these uncertainties diminish, nudging firms toward a more proactive cybersecurity investment strategy.
In transmitting this new rule, the SEC seeks to curtail information asymmetry by mandating faster and more credible disclosures that help mitigate the risk of adverse selection faced by investors, among other benefits. The rule accomplishes this by focusing on prompt disclosure of significant cybersecurity incidents; routine revelations about a company's strategies to navigate cybersecurity risks, emphasizing the roles of the board and management; and the advanced requirement that such disclosures be formatted in Inline eXtensible Business Reporting Language (Inline XBRL), boosting availability and reporting efficiency. These transparent disclosure standards arm investors and market stakeholders with consistent and timely information to assess a firm's susceptibility to cyber threats.
In the dense world of regulatory guidelines, the acknowledgment of the research by Gordon, Loeb, Lucyshyn, and Zhou demonstrates how academic insights can help inform policymaking processes on 21st-century challenges. Scholarly perspectives will continue to play an essential role in crafting cyber rules and norms that help us navigate the uncertainties of the digital age.