The Securities and Exchange Commission (SEC) is planning to issue new cybersecurity disclosure rules, and I applaud their efforts because there is a need to help prevent “information failure.” Cyber incidents appear to be escalating in frequency, duration, and complexity. Investors should be aware of the implications of not disclosing this vital information to all.
Information failure can be considered a market failure if some or all of the participants in an economic exchange do not have perfect knowledge. Information failure occurs when one participant in an economic exchange knows more than the other. I refer to this as having asymmetric, or unbalanced, information.
The practical implication is that there is a misallocation of resources, meaning that consumers pay too little or too much and firms either produce too little or too much. Information failure is common and appears to exist in numerous market exchanges. The U.S. Department of Agriculture addressed this issue as it related to food labeling, stating that:
Government intervention in labeling in the United States has served three main purposes: to ensure fair competition among producers, to increase consumers’ access to information, and to reduce risks to individual consumer safety and health.
The same can be said about buyers and sellers of financial products, including stocks and bonds. Disclosing information on cybersecurity ensures fair competition among companies and increases buyers’ access to information.
Asymmetric information is also associated with the principal-agent problem. This can occur when individuals’ decision making relies on the advice of experts who know more than they do. For example, the shareholders of firms, the principals, usually delegate responsibility for day-to-day decision making to appointed managers, the agents. This creates a situation of asymmetric knowledge, with managers knowing much more than the shareholders, and raises the possibility of inefficiencies, especially when shareholders and managers have different objectives. Managers may decide not to reveal certain information to shareholders. They may engage in certain kinds of dealing where they exploit their knowledge of the business’s prospects to buy or sell shares and make a personal gain.
From a firm’s perspective, the principal-agent problem can increase costs and make the firm less efficient than it could be. These inefficiencies include the costs associated with monitoring the performance of the managers and having to pay a premium to attract the “best” managers.
There are many other reasons for cybersecurity disclosure rules, but the fact that cyber incidents appear to be escalating increases the cost to everyone and underlines the need for information sharing.