<p>Cybersecurity risk disclosures are an important source of information for investors, auditors, and regulators, yet they are often lengthy, heterogeneous, and dominated by boilerplate language. As generative AI systems are increasingly used to mediate access to complex textual information, it is important to understand how different AI-based representations shape which information embedded in regulatory disclosures becomes available for assessment. This study examines how alternative text-processing approaches affect access to cybersecurity-related information in Item&#xa0;1A risk disclosures from U.S. firms’ annual filings. We compare a traditional keyword-based disclosure measure with a modeling framework that uses large language model (LLM)–generated summaries as inputs to a regression task predicting future software vulnerability exposure. Using externally observable vulnerability data constructed from firms’ reported software tools, we evaluate four analytical tasks that assess forward-looking signal, the role of historical disclosures, the impact of summarization, and the sensitivity of results to alternative risk outcomes. The results show that Item&#xa0;1A disclosures contain information related to future vulnerability severity, but that access to this information depends on how the text is processed. LLM-based summarization generally yields more stable alignment with severity-based risk measures by filtering boilerplate and emphasizing security-relevant content, while also exhibiting limits when contextual details are compressed. Overall, the findings highlight how generative systems mediate access to information embedded in long regulatory texts and clarify both the value and the boundaries of using generative AI to support interpretation of narrative risk disclosures.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

AI-Mediated Access to Cybersecurity Risk Information in Corporate Disclosures

  • Hongmin W. Du,
  • Xiao Li,
  • Linda Du

摘要

Cybersecurity risk disclosures are an important source of information for investors, auditors, and regulators, yet they are often lengthy, heterogeneous, and dominated by boilerplate language. As generative AI systems are increasingly used to mediate access to complex textual information, it is important to understand how different AI-based representations shape which information embedded in regulatory disclosures becomes available for assessment. This study examines how alternative text-processing approaches affect access to cybersecurity-related information in Item 1A risk disclosures from U.S. firms’ annual filings. We compare a traditional keyword-based disclosure measure with a modeling framework that uses large language model (LLM)–generated summaries as inputs to a regression task predicting future software vulnerability exposure. Using externally observable vulnerability data constructed from firms’ reported software tools, we evaluate four analytical tasks that assess forward-looking signal, the role of historical disclosures, the impact of summarization, and the sensitivity of results to alternative risk outcomes. The results show that Item 1A disclosures contain information related to future vulnerability severity, but that access to this information depends on how the text is processed. LLM-based summarization generally yields more stable alignment with severity-based risk measures by filtering boilerplate and emphasizing security-relevant content, while also exhibiting limits when contextual details are compressed. Overall, the findings highlight how generative systems mediate access to information embedded in long regulatory texts and clarify both the value and the boundaries of using generative AI to support interpretation of narrative risk disclosures.