Skip to main content

Board effectiveness and cybersecurity disclosure

Abstract

This study explores the impact of board effectiveness on cybersecurity-related disclosure. Based on a sample of 300 firm-years consisting of the largest Canadian listed companies over a period of five years, we find evidence that board effectiveness positively affects a firm’s decision to disclose cybersecurity information, and board independence and financial expertise have a positive impact on the amount of this disclosure. Independent members of the board, acting as a governance and oversight mechanism, significantly increase the disclosure of cybersecurity risks in the company’s financial statements. The board has a fiduciary role to monitor management and board members’ financial expertise contributes to risk assessment and management. Cybersecurity, as an emerging governance topic, demands multiple areas of expertise in technical, ethical, and financial areas. Board members should be continually trained to be aware of the evolution and diversification of business risks and should have appropriate skills and competencies to manage them. Our findings shed light on the positive impact of board members’ financial expertise on the volume of cybersecurity disclosure. However, board size appears to have no impact on this amount, possibly because few board members have cybersecurity expertise.

This is a preview of subscription content, access via your institution.

Notes

  1. U.S. Senator Doug Jones, in a press release, available at https://www.warner.senate.gov/public/index.cfm/2019/3/key-u-s-senators-lead-bipartisan-push-for-stronger-cybersecurity-by-public-companies. Accessed 2021/02/11.

  2. 2016–2017 NACD Public Company Governance Survey, available at:

    https://www.nacdonline.org/insights/publications.cfm?ItemNumber=37812. Accessed on 2021/02/11.

  3. TMX Money about S&P/TSX 60 Index: https://money.tmx.com/en/quote/%5ETX60.

  4. Sedar: https://www.sedar.com/.

  5. University of Toronto, https://www.rotman.utoronto.ca/FacultyAndResearch/ResearchCentres/JohnstonCentre/BoardRatings.

References

  • Abeysekera, I. (2010). The influence of board size on intellectual capital disclosure by Kenyan listed firms.Journal of intellectual capital

  • Abraham, S., & Cox, P. (2007). Analysing the determinants of narrative risk information in UK FTSE 100 annual reports. The British Accounting Review, 39(3), 227–248

  • Akerlof, G. A. (1978). The market for “lemons”: Quality uncertainty and the market mechanism. Uncertainty in economics (pp. 235–251). Elsevier

  • Allegrini, M., & Greco, G. (2013). Corporate boards, audit committees and voluntary disclosure: Evidence from Italian listed companies. Journal of Management & Governance, 17(1), 187–216

    Article  Google Scholar 

  • Allini, A., Manes Rossi, F., & Hussainey, K. (2016). The board’s role in risk disclosure: an exploratory study of Italian listed state-owned enterprises. Public Money & Management, 36(2), 113–120

    Article  Google Scholar 

  • Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206

    Article  Google Scholar 

  • Amran, A., Bin, A. M. R., & Hassan, B. C. (2009). H. M. Risk reporting.Managerial Auditing Journal

  • Assante, M. J., & Tobey, D. H. (2011). Enhancing the cybersecurity workforce. IT professional, 13(1), 12–15

    Article  Google Scholar 

  • Audit Analytics (2020). Trends in Cybersecurity Breach Disclosures

  • Ben-Amar, W., Francoeur, C., Marsat, S., & Wahid, S. (2021). A. How do firms achieve corporate social performance? An integrated perspective. Corporate Social Responsibility and Environmental Management

  • Ben-Amar, W., & McIlkenny, P. (2015). Board effectiveness and the voluntary disclosure of climate change information. Business Strategy and the Environment, 24(8), 704–719

    Article  Google Scholar 

  • Brammer, S., Brooks, C., & Pavelin, S. (2006). Corporate social performance and stock returns: UK evidence from disaggregate measures. Financial management, 35(3), 97–116

    Article  Google Scholar 

  • Bravo, F. (2018). Does board diversity matter in the disclosure process? An analysis of the association between diversity and the disclosure of information on risks. International Journal of Disclosure and Governance, 15(2), 104–114

    Article  Google Scholar 

  • Campbell, D. (2004). A longitudinal and cross-sectional analysis of environmental disclosure in UK companies—a research note. The British Accounting Review, 36(1), 107–117

    Article  Google Scholar 

  • Campbell, J. L., Chen, H., Dhaliwal, D. S., Lu, H., & Steele, L. B. (2014). The information content of mandatory risk factor disclosures in corporate filings. Review of Accounting Studies, 19(1), 396–455

    Article  Google Scholar 

  • Coles, J. L., Daniel, N. D., & Naveen, L. (2008). Boards: Does one size fit all? Journal of financial economics, 87(2), 329–356

    Article  Google Scholar 

  • Conheady, B., McIlkenny, P., Opong, K. K., & Pignatel, I. (2015). Board effectiveness and firm performance of Canadian listed firms. The British Accounting Review, 47(3), 290–303

    Article  Google Scholar 

  • Canada, C. P. A., C. P. A (2017). Reporting Alert: Corporate reporting. Cybersecurity Risks and Incidents - Reassessing Your Disclosure Practices

  • Craigen, D., Diakun-Thibault, N., & Purse, R. (2014). Defining cybersecurity.Technology Innovation Management Review, 4(10)

  • CSA, C. S. A. (2013). CSA Staff Notice 11–326 Cyber Security. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20130926_11-326_cyber-security.htm

  • CSA, C. S. A. (2016). CSA Staff Notice 11–332 Cyber Security. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_sn_20160927_11-332-cyber-security.htm

  • CSA, C. S. A. (2017a). CSA Multilateral Staff Notice 51–347 Disclosure of Cyber Security Risks and Incidents. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20170119_51-347_disclosure-cyber-security.htm

  • CSA, C. S. A. (2017b). CSA Staff Notice 33–321 Cyber Security and Social Media https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20171019_33-321_cyber-security-and-social-media.htm

  • Davis, G. F. (1996). The significance of board interlocks for corporate governance. Corporate Governance: An International Review, 4(3), 154–159

    Article  Google Scholar 

  • De Andres, P., & Vallelado, E. (2008). Corporate governance in banking: The role of the board of directors. Journal of banking & finance, 32(12), 2570–2580

    Article  Google Scholar 

  • Donnelly, R., & Mulcahy, M. (2008). Board structure, ownership, and voluntary disclosure in Ireland. Corporate Governance: An International Review, 16(5), 416–429

    Article  Google Scholar 

  • Dye, R. A. (1985). Disclosure of nonproprietary information.Journal of accounting research,123–145

  • Elshandidy, T., Fraser, I., & Hussainey, K. (2013). Aggregated, voluntary, and mandatory risk disclosure incentives: Evidence from UK FTSE all-share companies. International Review of Financial Analysis, 30, 320–333

    Article  Google Scholar 

  • Elshandidy, T., & Neri, L. (2015). Corporate governance, risk disclosure practices, and market liquidity: Comparative evidence from the UK and I taly. Corporate Governance: An International Review, 23(4), 331–356

    Article  Google Scholar 

  • Elzahar, H., & Hussainey, K. (2012). Determinants of narrative risk disclosures in UK interim reports.The Journal of Risk Finance

  • Eng, L. L., & Mak, Y. T. (2003). Corporate governance and voluntary disclosure. Journal of accounting and public policy, 22(4), 325–345

    Article  Google Scholar 

  • Fama, E. F., & Jensen, M. C. (1983). Separation of ownership and control. The journal of law and Economics, 26(2), 301–325

    Article  Google Scholar 

  • Foglietta, C., Masucci, D., Palazzo, C., Santini, R., Panzieri, S., Rosa, L. … Lev, L. (2018). From detecting cyber-attacks to mitigating risk within a hybrid environment. IEEE Systems Journal, 13(1), 424–435

    Article  Google Scholar 

  • Freeman, R. E. (2010). Strategic management: A stakeholder approach. Cambridge University Press

  • Fullbrook, M., & Spizzirri, A. (2018). 2018 Board Shareholder Confidence Index. https://www.rotman.utoronto.ca/FacultyAndResearch/ResearchCentres/JohnstonCentre/JohnstonCentre/2019/12/13/The-2019-Board-Sharehold-Confidence-Index-is-now-out

  • Gandía, J. L. (2008). Determinants of internet-based corporate governance disclosure by Spanish listed companies.Online Information Review

  • Garcia-Meca, E., & Sanchez-Ballesta, J. P. (2010). The association of board independence and ownership concentration with voluntary disclosure: A meta-analysis. European Accounting Review, 19(3), 603–627

    Article  Google Scholar 

  • Giannarakis, G. (2014). Corporate governance and financial characteristic effects on the extent of corporate social responsibility disclosure.Social Responsibility Journal

  • Grant, G. H., & Grant, C. T. (2014). SEC cybersecurity disclosure guidance is quickly becoming a requirement. The CPA Journal, 84(5), 69

    Google Scholar 

  • Hernández-Madrigal, M., Blanco-Dopico, M. I., & Aibar-Guzmán, B. (2012). The influence of mandatory requirements on risk disclosure practices in Spain. International Journal of Disclosure and Governance, 9(1), 78–99

    Article  Google Scholar 

  • Hidalgo, R. L., García-Meca, E., & Martínez, I. (2011). Corporate governance and intellectual capital disclosure. Journal of business ethics, 100(3), 483–495

    Article  Google Scholar 

  • Hung, H. (1998). A typology of the theories of the roles of governing boards. Corporate Governance: An International Review, 6(2), 101–111

    Article  Google Scholar 

  • Hussain, N., Rigoni, U., & Orij, R. P. (2018). Corporate governance and sustainability performance: Analysis of triple bottom line performance. Journal of business ethics, 149(2), 411–432

    Article  Google Scholar 

  • Husted, B. W., & de Sousa-Filho, J. M. (2019). Board structure and environmental, social, and governance disclosure in Latin America. Journal of Business Research, 102, 220–227

    Article  Google Scholar 

  • Ingley, C., & Van Der Walt, N. (2008). Risk management and board effectiveness. International Studies of Management & Organization, 38(3), 43–70

    Article  Google Scholar 

  • Ingley, C. B., & Van der Walt, N. T. (2001). The strategic board: The changing role of directors in developing and maintaining corporate capability. Corporate Governance: An International Review, 9(3), 174–185

    Article  Google Scholar 

  • Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973–993

    Article  Google Scholar 

  • Jensen, M. C. (1993). The modern industrial revolution, exit, and the failure of internal control systems. the Journal of Finance, 48(3), 831–880

    Article  Google Scholar 

  • Jensen, M. C., & Meckling, W. H. (1976). Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of financial economics, 3(4), 305–360

    Article  Google Scholar 

  • John, K., & Senbet, L. W. (1998). Corporate governance and board effectiveness. Journal of banking & finance, 22(4), 371–403

    Article  Google Scholar 

  • Kamiya, S., Kang, J. K., Kim, J., Milidonis, A., & Stulz, R. M. (2020). Risk management, firm reputation, and the impact of successful cyberattacks on target firms.Journal of financial economics

  • Khan, A., Muttakin, M. B., & Siddiqui, J. (2013). Corporate governance and corporate social responsibility disclosures: Evidence from an emerging economy. Journal of business ethics, 114(2), 207–223

    Article  Google Scholar 

  • Kothari, S. P., Li, X., & Short, J. E. (2009). The effect of disclosures by management, analysts, and business press on cost of capital, return volatility, and analyst forecasts: A study using content analysis. The Accounting Review, 84(5), 1639–1670

    Article  Google Scholar 

  • Krause, R., Semadeni, M., & Cannella, A. A. Jr. (2013). External COO/presidents as expert directors: A new look at the service role of boards. Strategic Management Journal, 34(13), 1628–1641

    Article  Google Scholar 

  • Kure, H. I., Islam, S., & Razzaque, M. A. (2018). An integrated cyber security risk management approach for a cyber-physical system. Applied Sciences, 8(6), 898

    Article  Google Scholar 

  • Lankton, N., Price, J. B., & Karim, M. (2020). Cybersecurity Breaches and Information Technology Governance Roles in Audit Committee Charters.Journal of Information Systems,0000–0000

  • Lewis, J. A. (2006). Cybersecurity and critical infrastructure protection. Center for Strategic and International Studies

  • Li, H., No, W. G., & Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55

    Article  Google Scholar 

  • Liao, L., Luo, L., & Tang, Q. (2015). Gender diversity, board independence, environmental committee and greenhouse gas disclosure. The British Accounting Review, 47(4), 409–424

    Article  Google Scholar 

  • Lipton, M., & Lorsch, J. W. (1992). A modest proposal for improved corporate governance.The business lawyer,59–77

  • Lopes, P. T., & Rodrigues, L. L. (2007). Accounting for financial instruments: An analysis of the determinants of disclosure in the Portuguese stock exchange. The International Journal of Accounting, 42(1), 25–56

    Article  Google Scholar 

  • Lorca, C., Sánchez-Ballesta, J. P., & García-Meca, E. (2011). Board effectiveness and cost of debt. Journal of business ethics, 100(4), 613–631

    Article  Google Scholar 

  • Lorsch, J. W., & MacIver. (1989). Pawns or Potentates: The Reality of America’s Corporate Boards. Harvard Business School Press

  • Lu, J., & Wang, W. (2018). Managerial conservatism, board independence and corporate innovation. Journal of Corporate Finance, 48, 1–16

    Article  Google Scholar 

  • Luo, Y. (2005). How does globalization affect corporate governance and accountability? A perspective from MNEs. Journal of International Management, 11(1), 19–41

    Article  Google Scholar 

  • Michelon, G., & Parbonetti, A. (2012). The effect of corporate governance on sustainability disclosure. Journal of Management & Governance, 16(3), 477–509

    Article  Google Scholar 

  • Minton, B. A., Taillard, J. P., & Williamson, R. (2014). Financial expertise of the board, risk taking, and performance: Evidence from bank holding companies.Journal of Financial and Quantitative Analysis,351–380

  • Mintzberg, H. (1983). The case for corporate social responsibility.Journal of Business Strategy

  • Moore, T., Dynes, S., & Chang, F. R. (2015). Identifying how firms manage cybersecurity investment. Southern Methodist University 32. https://cpb-us-w2.wpmucdn.com/blog.smu.edu/dist/e/97/files/2015/10/SMU-IBM.pdf

  • Moriarty, K. M. (2020). Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain. Emerald Group Publishing

  • Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST special publication, 800(2017), 181

  • Nicholson, G. J., & Kiel, G. C. (2004). A framework for diagnosing board effectiveness. Corporate Governance: An International Review, 12(4), 442–460

    Article  Google Scholar 

  • Ntim, C. G., & Soobaroyen, T. (2013). Corporate governance and performance in socially responsible corporations: New empirical insights from a Neo-Institutional framework. Corporate Governance: An International Review, 21(5), 468–494

    Article  Google Scholar 

  • Oliveira, J., Rodrigues, L. L., & Craig, R. (2011). Risk-related disclosures by non‐finance companies.Managerial Auditing Journal

  • Ontario, S., & Commission, O. (2015). National instrument (pp. 52–110). Audit Committees

  • Pigé, B. (2002). Stakeholder theory and corporate governance: the nature of the board information. Management: Journal of contemporary management issues, 7(1), 1–17

    Google Scholar 

  • Prado-Lorenzo, J. M., & Garcia-Sanchez, I. M. (2010). The role of the board of directors in disseminating relevant information on greenhouse gases. Journal of business ethics, 97(3), 391–424

    Article  Google Scholar 

  • Public Safety Canada (2018). National Cyber Security Strategy. Canada’s Vision for Security and Prosperity in the Digital Age. 35

  • Raber, R. (2003). The role of good corporate governance in overseeing risk. Corporate Governance Advisor, 11(2), 11–16

    Google Scholar 

  • Radu, C., & Smaili, N. (2021). Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related Disclosure.Journal of business ethics,1–24

  • Rankin, M., Windsor, C., & Wahyuni, D. (2011). An investigation of voluntary corporate greenhouse gas emissions reporting in a market governance system. Accounting, Auditing & Accountability Journal

  • Rosenstein, S., & Wyatt, J. G. (1990). Outside directors, board independence, and shareholder wealth. Journal of financial economics, 26(2), 175–191

    Article  Google Scholar 

  • Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15

    Google Scholar 

  • Samaha, K., Khlif, H., & Hussainey, K. (2015). The impact of board and audit committee characteristics on voluntary disclosure: A meta-analysis. Journal of International Accounting Auditing and Taxation, 24, 13–28

    Article  Google Scholar 

  • Schmidt, S. L., & Brauer, M. (2006). Strategic governance: How to assess board effectiveness in guiding strategy execution. Corporate Governance: An International Review, 14(1), 13–22

    Article  Google Scholar 

  • Section (2018). Release Nos. 33-10459; 34-82746. Commission Statement and Guidance on Public Company Cybersecurity Disclosures. https://www.sec.gov/rules/interp/2018/33-10459.pdf

  • Section 2020 Examination Priorities https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf

  • SpencerStuart (2021). 2020 Canada: Spencer Stuart Board Index. https://www.spencerstuart.com/research-and-insight/board-indexes

  • Switzer, L. N., & Cao, Y. (2011). Shareholder interests vs board of director members’ interests and company performance.Review of Accounting and Finance

  • Torres, J. M., Comesaña, C. I., & Garcia-Nieto, P. J. (2019). Machine learning techniques applied to cybersecurity. International Journal of Machine Learning and Cybernetics, 10(10), 2823–2836

    Article  Google Scholar 

  • Tricker, R. I. (2019). Corporate governance: Principles, policies, and practices. USA: Oxford University Press

    Book  Google Scholar 

  • Van den Berghe, L., & Baelden, T. (2005). The complex relation between director independence and board effectiveness.Corporate Governance: The international journal of business in society

  • Verrecchia, R. E. (1983). Discretionary disclosure. Journal of accounting and economics, 5, 179–194

    Article  Google Scholar 

  • Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218

    Article  Google Scholar 

  • Watts, R. L., & Zimmerman, J. L. (1990). Positive accounting theory: a ten year perspective.Accounting review,131–156

  • Winter, S. G., & Williamson, O. E. (1991). The nature of the firm: origins, evolution, and development. Oxford University Press

  • World Economic Forum (2019). Regional Risks for Doing Business 2019. Insight report.https://www.weforum.org/press/2019/10/cyberattacks-and-fiscalcrises-top-list-of-business-risks-in-2019/

  • Xie, J., Nozawa, W., Yagi, M., Fujii, H., & Managi, S. (2019). Do environmental, social, and governance activities improve corporate financial performance? Business Strategy and the Environment, 28(2), 286–300

    Article  Google Scholar 

  • Zadeh, F. O., & Eskandari, A. (2012). Firm size as company’s characteristic and level of risk disclosure: Review on theories and literatures.International Journal of Business and Social Science, 3(17)

Download references

Funding Acknowledgement

We would like to gratefully acknowledge the financial support of the CPA Canada – CAAA.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Camélia Radu.

Ethics declarations

Declarations

Not applicable.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Smaili, N., Radu, C. & Khalili, A. Board effectiveness and cybersecurity disclosure. J Manag Gov (2022). https://doi.org/10.1007/s10997-022-09637-6

Download citation

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s10997-022-09637-6

Keywords

  • Board effectiveness
  • Corporate governance
  • Cybersecurity disclosure
  • Cybersecurity