"Oops! How Corporations Anticipate, Apologize, and Forget Cybersecurity Breaches"

Date: April 29, 2026, 3:00 pm – 4:30 pm PDT
Location: Zoom

Presentation by Naniette H. Coleman, PhD Candidate
Department of Sociology | University of California, Berkeley

Abstract:
From banks to trucking firms to paper manufacturers, every publicly traded American company faces the threat of hacks targeting corporate data and customer information. Yet we know remarkably little about how organizations across heterogeneous institutional contexts construct the language of cyber risk before a breach occurs — and whether that language reflects genuine organizational vulnerability or institutionalized performance.

This talk examines how publicly traded American companies construct cyber risk disclosures in “10-K” filings to the Securities and Exchange Commission before a data breach, across six industries ranging from heavily regulated national commercial banks to minimally regulated manufacturing and logistics firms. Drawing on Swidler's cultural toolkit framework and institutional theory, I argue that 10-K risk language operates as a culturally institutionalized genre — a set of available strategies organizations deploy to manage legal liability rather than to communicate substantive information about actual risk exposure.

Using qualitative content analysis of risk factor sections across nine cases in six industries during 2014-2019 — a period of voluntary rather than mandatory cyber disclosure — I find systematic variation in the amount, array, specificity, and focus of risk language across industry contexts. I argue that this variation reflects organizations' differential position in the regulatory gradient rather than differences in actual cyber vulnerability.