Abstract: Cyber-risks have generated considerable interest in the media and in the public. Perhaps as a response, regulators are devoting an increasing amount of resources to improving corporate disclosure related to these risks. In contrast, we find that, despite this increased focus, cyber risk disclosures by publicly listed firms remain scant. Moreover, a qualitative analysis of five major cases as well as a systematic analysis of security price reactions upon the announcement of breaches shows that the effect on stock prices is very limited. We also find no evidence of systematic effect on executive employment. This lack of reaction is inconsistent with a market or regulatory failure associated with the poor disclosure on cyber-risk.