TITLE:
Cybersecurity Reporting: Preliminary Empirical Evidence on the Impact of Item 1C of 10-K Reports Filed with the SEC
AUTHORS:
Lawrence A. Gordon, Martin P. Loeb, Chih-Yang Tseng, Lei Zhou
KEYWORDS:
Cybersecurity Economics, Information Security, Cybersecurity Regulations, 10-K Cybersecurity Disclosures, Internal Control, Material Weaknesses
JOURNAL NAME:
Journal of Information Security, Vol.16 No.4, October 16, 2025
ABSTRACT: This paper provides evidence of the impact of the 2023 U.S. Securities and Exchange Commission (SEC) disclosure rules requiring registrants to disclose their approach toward Cybersecurity Risk Management (CRM) in Item 1C (Cybersecurity) of Form 10-K. Specifically, the paper investigates how Material Weaknesses in Internal Control (MWIC) influence a firm’s decision to disclose the integration of its CRM system into its Enterprise Risk Management (ERM) framework in Item 1C. The empirical analysis indicates that firms reporting MWIC are significantly less likely to disclose in Item 1C the fact that they integrated their CRM system into their ERM framework compared to companies that do not report any MWIC. However, companies reporting both IT MWIC and non-IT MWIC are significantly more likely to disclose in Item 1C the fact that they integrated their cyber risk management systems into their overall enterprise risk management framework compared to companies only reporting non-IT MWIC.