Abstract
As cybersecurity is a critical risk issue for organizations, cybersecurity disclosure is important for financial regulators, financial analysts, shareholders, and other stakeholders. Organizations face challenges when deciding whether, what, and when cybersecurity-related information should be disclosed. Prior studies have contributed few insights regarding the potential determinants of cybersecurity disclosure, and their findings are based on either a general or a narrow measurement of this disclosure. This study draws on upper echelons and signaling theories to examine the association between various board of directors’ characteristics and the extent of overall cybersecurity disclosure and of its individual aspects. The extent of cybersecurity disclosure is measured through a content analysis of the annual financial regulatory filings of the 250 companies listed on the S&P/TSX Composite Index, using a scoring grid of 40 items grouped into seven categories, each representing a different aspect of cybersecurity disclosure. This expanded disclosure measurement provides original insights for firms and their stakeholders. The main findings indicate that the presence of a board committee responsible for cybersecurity is key to increasing cybersecurity disclosure. With or without such a committee, board IT expertise, board tenure, board independence, women directors, and board age are associated with the extent of total cybersecurity disclosure or with some of its specific aspects, particularly cybersecurity risk mitigation. These findings contribute to the cybersecurity literature by examining which board of directors’ characteristics influence the extent of specific aspects of cybersecurity disclosure. They also complement results from upper echelons-based studies on the determinants of corporate reporting and from prior IT governance studies.
Data availability
Data are available from public sources.
Code availability
Not applicable.
Notes
Haapamäki and Sihvonen (2019) identified only a small number of studies on disclosure of cybersecurity activities in their review of 39 cybersecurity-related accounting and auditing studies published between 2000 and 2018. Walton et al. (2021) found only two studies on the determinants of cybersecurity disclosure in their extensive analysis of 68 cybersecurity papers published from 2001 to 2019 in accounting, information systems, and computer science research.
This is illustrated by the following excerpts: “When acting with a view of the best interests of the corporation … the directors and officers of the corporation may consider, but are not limited to, the following factors: the interests of shareholders, employees, retirees and pensioners, creditors, consumers, and governments; the environment; and the long-term interest of the corporation” (Canada Business Corporation Act, 1985, p. 122(1.1)). Further, “In determining what the director reasonably believes to be in the best interests of the corporation, [a director may consider] (1) the long-term as well as the short-term interests of the corporation, (2) the interests of the shareholders, long-term as well as short-term, including the possibility that those interests may be best served by the continued independence of the corporation, (3) the interests of the corporation’s employees, customers, creditors and suppliers, and (4) community and societal considerations, including those of any community in which any office or other facility of the corporation is located. A director may also consider, in the discretion of such director, any other factors the director reasonably considers appropriate in determining what the director reasonably believes to be in the best interests of the corporation” (Connecticut Business Corporation Act, 1997, 45 CS 101, Sect. 33–756, g). In the United States, business corporation laws are a state matter.
Strategic choices are “complex and of major significance to the organization…. The term “strategic choice” … is intended to be a fairly comprehensive term to include choices made formally and informally, indecision as well as decision” (Hambrick & Mason, 1984, pp. 194–195). With this in mind, considering the importance of the potential consequences related to cybersecurity and the many challenges organizations face in making cybersecurity disclosure decisions, cybersecurity disclosure qualifies as a strategic decision.
“An AIF provides material information about a company … [and] its operations, prospects, risks and other factors that impact its business”. “Financial statements must be accompanied by the MD&A …, a narrative explanation, through the eyes of management, of how a company performed during the period covered by the financial statements, and of the company's financial condition and future prospects”. “A proxy is a method by which a shareholder appoints a person or company to act on the shareholders’ behalf at a shareholder meeting…. When a company solicits proxies, it must also prepare an information circular … [which] includes information on how to exercise a proxy and provides details of the matters to be voted on at the shareholder meeting”. https://www.osc.ca/en/industry/companies/continuous-disclosure.
For readability, Table 9 does not present the full regression results for each dependent variable.
References
Amemiya, T. (1984). Tobit models: A survey. Journal of Econometrics, 24, 3–61.
American Institute of Certified Public Accountants (AICPA). (2017). Reporting on an entity’s cybersecurity risk management program and controls: Attestation guide. American Institute of Certified Public Accountants.
Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyberattacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206.
Ashraf, M., Michas, P. N., & Russomanno, D. (2020). The impact of audit committee information technology expertise on the reliability and timeliness of financial reporting. The Accounting Review, 95(5), 23–56.
Baalouch, F., Ayadi, S. D., & Hussainey, K. (2019). A study of the determinants of environmental disclosure quality: Evidence from French listed companies. Journal of Management & Governance, 23(4), 939–971.
Bakker, T. G., & Streff, K. (2016). Accuracy of self-disclosed cybersecurity risks of large U.S. banks. Journal of Applied Business and Economics, 18(3), 39–51.
Bamber, L. S., Jiang, J., & Wang, I. Y. (2010). What’s my style? The influence of top managers on voluntary corporate financial disclosure. The Accounting Review, 85(4), 1131–1162.
Barako, D. G., & Brown, A. M. (2008). Corporate social reporting and board representation: Evidence from the Kenyan banking sector. Journal of Management & Governance, 12(4), 309–324.
Baran, L., & Forst, A. (2015). Disproportionate insider control and board of director. Journal of Corporate Finance, 35, 62–80.
Barroso, C., Villegas, M. M., & Pérez-Calero, L. (2011). Board influence on a firm’s internationalization. Corporate Governance: An International Review, 19(4), 351–367.
Bear, S., Rahman, N., & Post, C. (2010). The impact of diversity and gender composition on corporate social responsibility. Journal of Business Ethics, 97(2), 207–221.
Ben-Amar, W., Chang, M., & McIlkenny, P. (2017). Board gender diversity and corporate response to sustainability initiatives: Evidence from the carbon disclosure project. Journal of Business Ethics, 142(2), 369–383.
Ben-Amar, W., Francoeur, C., Hafsi, T., & Labelle, R. (2013). What makes better boards? A closer look at diversity and ownership. British Journal of Management, 24(1), 85–101.
Benaroch, M., & Chernobai, A. (2017). Operational IT failures, IT value destruction, and board-level IT governance changes. MIS Quarterly, 41(3), 729–762.
Bing, N. S., & Amran, A. (2017). The role of board diversity on materiality disclosure in sustainability disclosure. Global Business and Management Research: An International Journal, 9(4), 96–109.
Bonime-Blanc, A. (2017). A strategic cyber roadmap for the board. Retrieved August 26, 2020, from https://corpgov.law.harvard.edu/2017/01/12/a-strategic-cyber-roadmap-for-the-board/
Bravo, F. (2018). Does board diversity matter in the disclosure process? An analysis of the association between diversity and the disclosure of information on risks. International Journal of Disclosure and Governance, 15(2), 104–114.
Brown, S. V., Tian, X., & Tucker, J. W. (2018). The spillover effect of SEC comment letters on qualitative corporate disclosure: Evidence from the risk factor disclosure. Contemporary Accounting Research, 35(2), 622–656.
Caluwe, L., & De Haes, S. (2019). Board engagement in IT governance: Opening up the black box of IT oversight committees at board level. In Proceedings of the 52nd Hawaii International Conference on System Sciences (pp. 6189–6197). Retrieved August 26, 2020, from https://scholarspace.manoa.hawaii.edu/handle/10125/60053
Canada Business Corporations Act. (1985). R.S., 1985, c. C-44, s. 1; 1994, c. 24, s. 1(F). Retrieved October 26, 2021, from https://laws-lois.justice.gc.ca/eng/acts/c-44/page-1.html
Canadian Securities Administrators (CSA). (2016). CSA staff notice 11-332: Cyber security. Montreal, Canada. Retrieved September 24, 2021, from https://www.bcsc.bc.ca/-/media/PWS/Resources/Securities_Law/Policies/Policy1/11332-CSA-Staff-Notice-September-27-2016.pdf
Canadian Securities Administrators (CSA). (2017a). Multilateral staff notice 51-347: Disclosure of cyber security risks and incidents. Canadian Securities Administrators.
Canadian Securities Administrators (CSA). (2017b). CSA staff notice 33-321: Cyber security and social media. Canadian Securities Administrators.
Center for Strategic and International Studies (CSIS) – Washington, D. C. (2021). Significant cyberincidents. Retrieved January 20, 2021, from https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
Chuang, T.-T., Nakatani, K., & Zhou, D. (2009). An exploratory study of the extent of information technology adoption in SMEs: An application of upper echelon theory. Journal of Enterprise Information Management, 22(1/2), 183–196.
Connecticut Business Corporation Act, 1997, 45 CS 101, sect. 33–756, g. Retrieved October 26, 2021, from https://www.cga.ct.gov/current/pub/chap_601.htm#sec_33-756
Croson, R., & Gneezy, U. (2009). Gender differences in preferences. Journal of Economic Literature, 47(2), 448–474.
Czarnecki, G. M. (2015). Cyber threats necessitate a new governance model. NCAD Directorship (September/October), 8–9.
Deloitte. (2015). The board’s-eye view of cyber crisis management. Retrieved August 26, 2020, from https://www2.deloitte.com/global/en/pages/risk/articles/boards-view-cyber-crisis-management.html
Edmondson, A. C., & McManus, S. E. (2007). Methodological fit in management field research. Academy of Management Review, 32(4), 1155–1179.
Ettredge, M. L., Guo, F., & Li, Y. (2018). Trade secrets and cybersecurity breaches. Journal of Accounting and Public Policy, 37(6), 564–585.
Ferraro, M. F. (2014). “Groundbreaking” or broken? An analysis of SEC cybersecurity disclosure guidance, its effectiveness and implications. Albany Law Review, 77(2), 297–346.
Frank, M. L., Grenier, J. H., & Pysoha, J. S. (2019). How disclosing a prior cyberattack influences the efficacy of cybersecurity risk management and independent assurance. Journal of Information Systems, 33(3), 183–200.
Georg, L. (2017). Information security governance: Pending legal responsibilities of non-executive boards. Journal of Management & Governance, 21(4), 793–814.
Golden, B. R., & Zajac, E. J. (2001). When will boards influence strategy? Inclination × power = strategic change. Strategic Management Journal, 22(12), 1087–1111.
Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Sohail, T. (2006). The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. Journal of Accounting and Public Policy, 25, 503–530.
Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34(3), 567–594.
Haapamäki, E., & Sihvonen, J. (2019). Cybersecurity in accounting research. Managerial Auditing Journal, 34(7), 808–834.
Hafsi, T., & Turgut, G. (2013). Boardroom diversity and its effect on social performance: Conceptualization and empirical evidence. Journal of Business Ethics, 112(3), 463–479.
Hair, J. F., Jr., Anderson, R. E., Tatham, R. L., & Black, W. C. (1998). Multivariate data analysis (5th ed.). Prentice Hall.
Hambrick, D. C., & Mason, P. A. (1984). Upper echelons: The organization as a reflection of its top managers. Academy of Management Review, 9(2), 193–206.
Higgs, J., Pinsker, R. E., Smith, T. J., & Young, G. R. (2016). The relationship between board-level technology committees and reported security breaches. Journal of Information Systems, 30(3), 79–98.
Hitchcock, C., Lamm, B., & Parsons, K. (2017). On the board’s agenda: US trends in audit committee reporting. Deloitte Development LLC. Retrieved August 26, 2020, from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-board-effectiveness/us-cbe-january-2017-on-the-boards-agenda.pdf
Information Systems and Control Association (ISACA)/Downs, F. (2020). Top cyberattacks of 2020 and how to build cyberresiliency. Retrieved January 20, 2021, from https://www.isaca.org/resources/news-and-trends/industry-news/2020/top-cyberattacks-of-2020-and-how-to-build-cyberresiliency
Jewer, J., & McKay, K. N. (2012). Antecedents and consequences of board IT governance: Institutional and strategic choice perspectives. Journal of the Association for Information Systems, 13(7), 581–617.
Johnson, S. G., Schnatterly, K., & Hill, A. D. (2013). Board composition beyond independence: Social capital, human capital, and demographics. Journal of Management, 39(1), 232–262.
Kagzi, M., & Guha, M. (2018). Board demographic diversity: A review of literature. Journal of Strategy and Management, 11(1), 33–51.
Kesner, I. F. (1988). Directors’ characteristics and committee membership: An investigation of type, occupation, tenure, and gender. Academy of Management Journal, 31(1), 66–84.
Labelle, R., Gargouri, M., & Francoeur, C. (2010). Ethics, diversity management and financial reporting quality. Journal of Business Ethics, 93, 335–353.
Lankton, N., Price, J., & Karim, M. (2020). Cybersecurity breaches and information technology governance roles in audit committee charters. Journal of Information Systems. https://doi.org/10.2308/isys-18-071
Larkin, M. B., Bernardi, R. A., & Bosco, S. M. (2013). Does female representation on boards of directors associate with increased transparency and ethical behavior? Accounting and the Public Interest, 13(1), 132–150.
Li, H., No, W. G., & Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55.
Liu, M., & Ji, D. (2022). An overview of the literature on upper echelons. Accounting Perspectives. https://doi.org/10.1111/1911-3838.12288
Michelon, G., & Parbonetti, A. (2012). The effect of corporate governance on sustainability disclosure. Journal of Management & Governance, 16(3), 477–509.
Mitra, S., & Ransbotham, S. (2015). Information disclosure and the diffusion of information security attacks. Information Systems Research, 26(3), 565–584.
National Association of Corporate Directors (NACD). (2017). Cyber-risk oversight—Director’s handbook series. National Association of Corporate Directors.
Newman, C. A. (2018). When to report a cyberattack? For companies, that’s still a dilemma. The New York Times, March 5. Retrieved August 26, 2020, from https://www.nytimes.com/2018/03/05/business/dealbook/sec-cybersecurity-guidance.html
Nielsen, S., & Huse, M. (2010). The contribution of women on boards of directors: Going beyond the surface. Corporate Governance: An International Review, 18(2), 136–148.
Nolan, R., & McFarlan, F. W. (2005). Information technology and the board of directors. Harvard Business Review, 83(10), 96–106.
Nursimloo, S., Ramdhony, D., & Mooneeapen, O. (2020). Influence of board characteristics on TBL reporting. Corporate Governance, 20(5), 765–780.
Patelli, L., & Pedrini, M. (2015). Is tone at the top associated with financial reporting aggressiveness? Journal of Business Ethics, 126, 3–19.
Plöckinger, M., Aschauer, E., Hiebl, M. R. W., & Rohatschek, R. (2016). The influence of individual executives on corporate financial reporting: A review and outlook from the perspective of upper echelon theory. Journal of Accounting Literature, 37, 55–75.
Price, J. B., & Lankton, N. (2018). A framework and guidelines for assessing and developing board-level information technology committee charters. Journal of Information Systems, 32(1), 109–129.
Radu, C., & Smaili, N. (2021). Board gender diversity and corporate response to cyber risk: Evidence from cybersecurity related disclosure. Journal of Business Ethics, 177, 351–374.
Ran, G., Fang, Q., Luo, S., & Chan, K. C. (2015). Supervisory board characteristics and accounting information quality: Evidence from China. International Review of Economics & Finance, 37, 18–32.
Rashid, F. Y. (2015). NYSE survey examines cybersecurity in the boardroom. Security Week, May 28. Retrieved August 26, 2020, from https://www.securityweek.com/nyse-survey-examines-cybersecurity-boardroom
Securities and Exchange Commission (SEC). (2018). 17 CFR parts 229 and 249 [Release nos. 33-10459; 34-82746] commission statement and guidance on public company cybersecurity disclosures. Securities and Exchange Commission.
Securities and Exchange Commission (SEC), Division of Corporation Finance. (2011). CF disclosure guidance: Topic no. 2, cybersecurity.
Smaili, N., Radu, C., & Khalili, A. (2022). Board effectiveness and cybersecurity disclosure. Journal of Management and Governance. https://doi.org/10.1007/s10997-022-09637-6
Songini, L., Pistoni, A., Tettamanzi, P., Fratini, F., & Minutiello, V. (2021). Integrated reporting quality and BoD characteristics: An empirical analysis. Journal of Management and Governance, 26, 579–620.
Turel, O., Liu, P., & Bart, C. (2019). Board-level IT governance. IT Professional, 21(2), 58–65.
Vafeas, N. (2003). Length of board tenure and outside director independence. Journal of Business Finance & Accounting, 30(7–8), 1043–1064.
Vairavan, A., & Zhang, G. P. (2020). Does a diverse board matter? A mediation analysis of board racial diversity and firm performance. Corporate Governance, 20(7), 1223–1241.
Valentine, E. L. H., & Stewart, G. (2013). The emerging role of the board of directors in enterprise business technology governance. International Journal of Disclosure and Governance, 10(4), 346–362.
Vincent, N. E., Higgs, J. L., & Pinsker, R. E. (2019). Board and management-level factors affecting the maturity of IT risk management practices. Journal of Information Systems, 33(6), 117–135.
Walton, S., Wheeler, P. R., Zhang, Y., & Zhao, X. (2021). An integrative review and analysis of cybersecurity research: Current state and future directions. Contemporary Accounting Research, 35(1), 155–186.
Wang, Y., Kannan, K., & Ulmer, J. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218.
Westphal, J. D., & Fredrickson, J. W. (2001). Who directs strategic change? Director experience, the selection of new CEOs, and change in corporate strategy. Strategic Management Journal, 22(12), 1113–1137.
Williams, R. J. (2003). Women on corporate boards of directors and their influence on corporate philanthropy. Journal of Business Ethics, 42(1), 1–10.
Yayla, A. A., & Hu, Q. (2014). The effect of board of directors’ IT awareness on CIO compensation and firm performance. Decision Sciences, 45(3), 401–435.
Yoo, J. W., & Kim, K. (2012). Board competence and the top management team’s external ties for performance. Journal of Management & Organization, 18(2), 142–158.
Young, S. (2013). Contemplating corporate disclosure obligations arising from cybersecurity breaches. Journal of Corporate Law, 38, 659–678.
Acknowledgements
The authors are grateful for the financial support of the accounting department at ESG UQAM, the Corporate Reporting Chair, ESG UQAM, the Autorité des marchés financiers (AMF—Québec), and the research assistance of Geneviève Girard and Souha Khaldi. They also thank the three anonymous reviewers for their insightful comments and suggestions.
Funding
This study was funded by the accounting department at ESG-UQAM, the Corporate Reporting Chair, ESG-UQAM, and the Autorité des marchés financiers (AMF—Québec).
Ethics declarations
Conflict of interest
The authors have no relevant financial or non-financial interests to disclose.
Appendix
1.1 Examples of scoring per category
Category | Selected items | Excerpts from coded documents | Reference
---|---|---|---
Cybersecurity risk | Description specific to the company | Our business often requires that our clients’ applications and information, which may include their proprietary information and personal information they manage, be processed and stored on our networks and systems, and in data centers that we manage. We also process and store proprietary information relating to our business, and personal information relating to our members…. The Company faces risk inherent in protecting the security of such personal data | CGI, MD&A, November 8, 2017, p. 56
Potential impacts of a cybersecurity incident | Reputational harm | Any system failure, cyberattack or a breach of systems could result in … reputational harm affecting customer and investor confidence…. Furthermore, media or other reports of perceived security vulnerabilities of our systems, even if no breach has been attempted or had occurred, could adversely impact our brand and reputation and materially impact our business and financial results | Bombardier, MD&A, February 15, 2018, p. 115
Potential impacts of a cybersecurity incident | Financial fraud/theft of funds | If the Corporation becomes a victim to a cyber phishing attack it could result in a loss or theft of the Corporation's financial resources | Advantage Oil & Gas, AIF, March 5, 2018, p. 55
Responsibility for cybersecurity | Responsibilities mentioned | Through its enterprise and operational risk management frameworks, the Company makes all managers accountable by asking them to confirm their sector’s compliance with procedures, describe the processes in place for ensuring this compliance, and confirm that policies and procedures are up to date. The risks that could arise are also assessed and quantified, as well as the measures taken to manage the most material risks | Industrial Alliance, MD&A, February 15, 2018, p. 38
Cybersecurity risk mitigation | Insufficient mitigation | Element Fleet cannot ensure that its current security measures will effectively counter security risks, prevent future slowdowns or disruptions, protect against cyber-attacks or address the security and privacy concerns of existing and potential users | Element Fleet Management, AIF, March 28, 2018, p. 38
Cybersecurity risk mitigation | Reliance on third-party experts | Keyera also relies on many third party service providers with respect to its information technology security and storage of information and data | Keyera, AIF, February 15, 2018, p. 70
Potential cybersecurity incidents | Nature of the incidents | Damage or failure from a number of sources, including, but not limited to, hacking, computer viruses, security breaches, natural disasters, power loss, vandalism, theft and defects in design. We may also be targets of cyber surveillance or a cyber attack from cyber criminals, industrial competitors or government actors | Eldorado Gold Corporation, AIF, March 29, 2018, pp. 128–129
Actual cybersecurity incidents | Details on incidents | In 2017, our consumers were targeted by criminals through our PC Plus loyalty program. The intention of the targeted attack was to monetize the loyalty points the consumers had earned in stores and points earned using their President’s Choice Financial MasterCard | Loblaws, AIF, February 22, 2018, p. 12
Other cybersecurity items disclosed | Legislation | Among the various regulations, NERC has established a set of currently enforced standards and continues to issue new and revised standards to ensure that utilities and other users, owners and operators of the bulk electricity system in North America implement and sustain preventive, detective and corrective measures to mitigate cyber and physical security risks to critical infrastructure | Hydro One, AIF, March 29, 2018, p. 32
About this article
Cite this article
Héroux, S., Fortin, A. Board of directors’ attributes and aspects of cybersecurity disclosure. J Manag Gov 28, 359–404 (2024). https://doi.org/10.1007/s10997-022-09660-7