nach oben

Journal of Management and Governance

Erschienen in:

18.11.2022

Board of directors’ attributes and aspects of cybersecurity disclosure

verfasst von: Sylvie Héroux, Anne Fortin

Erschienen in: Journal of Management and Governance | Ausgabe 2/2024

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

As cybersecurity is a critical risk issue for organizations, cybersecurity disclosure is important for financial regulators, financial analysts, shareholders, and other stakeholders. Organizations face challenges when deciding whether, what, and when cybersecurity-related information should be disclosed. Prior studies have contributed few insights regarding the potential determinants of cybersecurity disclosure. Furthermore, their findings are based on a general or narrow measurement of this disclosure. This study draws on upper echelons and signaling theories to examine the association between various board of directors’ characteristics and extent of overall cybersecurity disclosure and its individual aspects. Extent of cybersecurity disclosure is measured based on a content analysis of annual financial regulatory filings of the 250 companies listed on the S&P/TSX Composite Index, using a scoring grid of 40 items grouped into seven categories representing different aspects of cybersecurity disclosure. This expanded disclosure measurement provides original insights for firms and their stakeholders. The main findings indicate that the presence of a committee responsible for cybersecurity on the board of directors is key to increasing cybersecurity disclosure. With or without such a committee, board IT expertise, board tenure, board independence, women directors, and board age are associated with the extent of total cybersecurity disclosure or some of its specific aspects, particularly cybersecurity risk mitigation. These findings contribute to the cybersecurity literature by examining which board of directors’ characteristics influence the extent of specific aspects of cybersecurity disclosure. They also complement results from upper echelons-based studies on corporate reporting determinants and prior IT governance studies.

Nächster Artikel Research in the greenwashing field: concepts, theories, and potential impacts on economic and social value

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Haapamäki and Sihvonen (2019) identified only a small number of studies on disclosure of cybersecurity activities in their review of 39 cybersecurity-related accounting and auditing studies published between 2000 and 2018. Walton et al. (2021) found only two studies on the determinants of cybersecurity disclosure in their extensive analysis of 68 cybersecurity papers published from 2001 to 2019 in accounting, information systems, and computer science research.

This is illustrated by the following excerpts: “When acting with a view of the best interests of the corporation … the directors and officers of the corporation may consider, but are not limited to, the following factors: the interests of shareholders, employees, retirees and pensioners, creditors, consumers, and governments; the environment; and the long-term interest of the corporation” (Canada Business Corporation Act, 1985, p. 122(1.1)). Further, “In determining what the director reasonably believes to be in the best interests of the corporation, [a director may consider] (1) the long-term as well as the short-term interests of the corporation, (2) the interests of the shareholders, long-term as well as short-term, including the possibility that those interests may be best served by the continued independence of the corporation, (3) the interests of the corporation’s employees, customers, creditors and suppliers, and (4) community and societal considerations, including those of any community in which any office or other facility of the corporation is located. A director may also consider, in the discretion of such director, any other factors the director reasonably considers appropriate in determining what the director reasonably believes to be in the best interests of the corporation” (Connecticut Business Corporation Act, 1997, 45 CS 101, Sect. 33–756, g). In the United States, business corporation laws are a state matter.

Since the SEC’s (2011) disclosure guidelines needed to be enhanced (Ferraro, 2014; Young, 2013), the SEC issued interpretive guidance on public company cybersecurity disclosures (SEC, 2018).

Strategic choices are “complex and of major significance to the organization…. The term “strategic choice” … is intended to be a fairly comprehensive term to include choices made formally and informally, indecision as well as decision” (Hambrick & Mason, 1984, pp. 194–195). With this in mind, considering the importance of the potential consequences related to cybersecurity and the many challenges organizations face in making cybersecurity disclosure decisions, cybersecurity disclosure qualifies as a strategic decision.

https://money.tmx.com/en/quote/^TSX.

Items similar to those in CSA (2017b) are covered in SEC (2018) but are organized differently.

“An AIF provides material information about a company … [and] its operations, prospects, risks and other factors that impact its business”. “Financial statements must be accompanied by the MD&A …, a narrative explanation, through the eyes of management, of how a company performed during the period covered by the financial statements, and of the company's financial condition and future prospects”. “A proxy is a method by which a shareholder appoints a person or company to act on the shareholders’ behalf at a shareholder meeting…. When a company solicits proxies, it must also prepare an information circular … [which] includes information on how to exercise a proxy and provides details of the matters to be voted on at the shareholder meeting”. https://www.osc.ca/en/industry/companies/continuous-disclosure.

For readability, Table 9 does not present the full regression results for each dependent variable.

Amemiya, T. (1984). Tobit models: A survey. Journal of Econometrics, 24, 3–61.CrossRef

American Institute of Certified Public Accountants (AICPA). (2017). Reporting on an entity’s cybersecurity risk management program and controls: Attestation guide. American Institute of Certified Public Accountants.

Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyberattacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206.CrossRef

Ashraf, M., Michas, P. N., & Russomanno, D. (2020). The impact of audit committee information technology expertise on the reliability and timeliness of financial reporting. The Accounting Review, 95(5), 23–56.CrossRef

Baalouch, F., Ayadi, S. D., & Hussainey, K. (2019). A study of the determinants of environmental disclosure quality: Evidence from French listed companies. Journal of Management & Governance, 23(4), 939–971.CrossRef

Bakker, T. G., & Streff, K. (2016). Accuracy of self-disclosed cybersecurity risks of large U.S. banks. Journal of Applied Business and Economics, 18(3), 39–51.

Bamber, L. S., Jiang, J., & Wang, I. Y. (2010). What’s my style? The influence of top managers on voluntary corporate financial disclosure. The Accounting Review, 85(4), 1131–1162.CrossRef

Barako, D. G., & Brown, A. M. (2008). Corporate social reporting and board representation: Evidence from the Kenyan banking sector. Journal of Management & Governance, 12(4), 309–324.CrossRef

Baran, L., & Forst, A. (2015). Disproportionate insider control and board of director. Journal of Corporate Finance, 35, 62–80.CrossRef

Barroso, C., Villegas, M. M., & Pérez-Calero, L. (2011). Board influence on a firm’s internationalization. Corporate Governance: An International Review, 19(4), 351–367.CrossRef

Bear, S., Rahman, N., & Post, C. (2010). The impact of diversity and gender composition on corporate social responsibility. Journal of Business Ethics, 97(2), 207–221.CrossRef

Ben-Amar, W., Chang, M., & McIlkenny, P. (2017). Board gender diversity and corporate response to sustainability initiatives: Evidence from the carbon disclosure project. Journal of Business Ethics, 142(2), 369–383.CrossRef

Ben-Amar, W., Francoeur, C., Hafsi, T., & Labelle, R. (2013). What makes better boards? A closer look at diversity and ownership. British Journal of Management, 24(1), 85–101.CrossRef

Benaroch, M., & Chernobai, A. (2017). Operational IT failures, IT value destruction, and board-level IT governance changes. MIS Quarterly, 41(3), 729–762.CrossRef

Bing, N. S., & Amran, A. (2017). The role of board diversity on materiality disclosure in sustainability disclosure. Global Business and Management Research: An International Journal, 9(4), 96–109.

Bonime-Blanc, A. (2017). A strategic cyber roadmap for the board. Retrieved August 26, 2020, from https://corpgov.law.harvard.edu/2017/01/12/a-strategic-cyber-roadmap-for-the-board/

Bravo, F. (2018). Does board diversity matter in the disclosure process? An analysis of the association between diversity and the disclosure of information on risks. International Journal of Disclosure and Governance, 15(2), 104–114.CrossRef

Brown, S. V., Tian, X., & Tucker, J. W. (2018). The spillover effect of SEC comment letters on qualitative corporate disclosure: Evidence from the risk factor disclosure. Contemporary Accounting Research, 35(2), 622–656.CrossRef

Caluwe, L., & De Haes, S. (2019). Board engagement in IT governance: Opening up the black box of IT oversight committees at board level. In Proceedings of the 52nd Hawaii International Conference on System Sciences (pp. 6189–6197). Retrieved August 26, 2020, from https://scholarspace.manoa.hawaii.edu/handle/10125/60053

Canada Business Corporations Act. (1985). R.S., 1985, c. C-44, s. 1; 1994, c. 24, s. 1(F). Retrieved October 26, 2021, from https://laws-lois.justice.gc.ca/eng/acts/c-44/page-1.html

Canadian Securities Administrators (CSA). (2016). CSA staff notice 11-332: Cyber security. Montreal, Canada. Retrieved September 24, 2021, from https://www.bcsc.bc.ca/-/media/PWS/Resources/Securities_Law/Policies/Policy1/11332-CSA-Staff-Notice-September-27-2016.pdf

Canadian Securities Administrators (CSA). (2017a). Multilateral staff notice 51-347: Disclosure of cyber security risks and incidents. Canadian Securities Administrators.

Canadian Securities Administrators (CSA). (2017b). CSA staff notice 33-321: Cyber security and social media. Canadian Securities Administrators.

Center for Strategic and International Studies (CSIS) – Washington, D. C. (2021). Significant cyberincidents. Retrieved January 20, 2021, from https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

Chuang, T.-T., Nakatani, K., & Zhou, D. (2009). An exploratory study of the extent of information technology adoption in SMEs: An application of upper echelon theory. Journal of Enterprise Information Management, 22(1/2), 183–196.CrossRef

Connecticut Business Corporation Act, 1997, 45 CS 101, sect. 33–756, g. Retrieved October 26, 2021, from https://www.cga.ct.gov/current/pub/chap_601.htm#sec_33-756

Croson, R., & Gneezy, U. (2009). Gender differences in preferences. Journal of Economic Literature, 47(2), 448–474.CrossRef

Czarnecki, G. M. (2015). Cyber threats necessitate a new governance model. NCAD Directorship (September/October), 8–9.

Deloitte. (2015). The board’s-eye view of cyber crisis management. Retrieved August 26, 2020, from https://www2.deloitte.com/global/en/pages/risk/articles/boards-view-cyber-crisis-management.html

Edmondson, A. C., & McManus, S. E. (2007). Methodological fit in management field research. Academy of Management Review, 32(4), 1155–1179.

Ettredge, M. L., Guo, F., & Li, Y. (2018). Trade secrets and cybersecurity breaches. Journal of Accounting and Public Policy, 37(6), 564–585.CrossRef

Ferraro, M. F. (2014). “Groundbreaking” or broken? An analysis of SEC cybersecurity disclosure guidance, its effectiveness and implications. Albany Law Review, 77(2), 297–346.

Frank, M. L., Grenier, J. H., & Pysoha, J. S. (2019). How disclosing a prior cyberattack influences the efficacy of cybersecurity risk management and independent assurance. Journal of Information Systems, 33(3), 183–200.CrossRef

Georg, L. (2017). Information security governance: Pending legal responsibilities of non-executive boards. Journal of Management & Governance, 21(4), 793–814.CrossRef

Golden, B. R., & Zajac, E. J. (2001). When will boards influence strategy? Inclination × power = strategic change. Strategic Management Journal, 22(12), 1087–1111.CrossRef

Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Sohail, T. (2006). The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. Journal of Accounting and Public Policy, 25, 503–530.CrossRef

Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34(3), 567–594.CrossRef

Haapamäki, E., & Sihvonen, J. (2019). Cybersecurity in accounting research. Managerial Auditing Journal, 34(7), 808–834.CrossRef

Hafsi, T., & Turgut, G. (2013). Boardroom diversity and its effect on social performance: Conceptualization and empirical evidence. Journal of Business Ethics, 112(3), 463–479.CrossRef

Hair, J. F., Jr., Anderson, R. E., Tatham, R. L., & Black, W. C. (1998). Multivariate data analysis (5th ed.). Prentice Hall.

Hambrick, D. C., & Mason, P. A. (1984). Upper echelons: The organization as a reflection of its top managers. Academy of Management Review, 9(2), 193–206.CrossRef

Higgs, J., Pinsker, R. E., Smith, T. J., & Young, G. R. (2016). The relationship between board-level technology committees and reported security breaches. Journal of Information Systems, 30(3), 79–98.CrossRef

Hitchcock, C., Lamm, B., & Parsons, K. (2017). On the board’s agenda: US trends in audit committee reporting. Deloitte Development LLC. Retrieved August 26, 2020, from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-board-effectiveness/us-cbe-january-2017-on-the-boards-agenda.pdf

Information Systems and Control Association (ISACA)/Downs, F. (2020). Top cyberattacks of 2020 and how to build cyberresiliency. Retrieved January 20, 2021, from https://www.isaca.org/resources/news-and-trends/industry-news/2020/top-cyberattacks-of-2020-and-how-to-build-cyberresiliency

Jewer, J., & McKay, K. N. (2012). Antecedents and consequences of board IT governance: Institutional and strategic choice perspectives. Journal of the Association for Information Systems, 13(7), 581–617.CrossRef

Johnson, S. G., Schnatterly, K., & Hill, A. D. (2013). Board composition beyond independence: Social capital, human capital, and demographics. Journal of Management, 39(1), 232–262.

Kagzi, M., & Guha, M. (2018). Board demographic diversity: A review of literature. Journal of Strategy and Management, 11(1), 33–51.CrossRef

Kesner, I. F. (1988). Directors’ characteristics and committee membership: An investigation of type, occupation, tenure, and gender. Academy of Management Journal, 31(1), 66–84.CrossRef

Labelle, R., Gargouri, M., & Francoeur, C. (2010). Ethics, diversity management and financial reporting quality. Journal of Business Ethics, 93, 335–353.CrossRef

Lankton, N., Price, J., & Karim, M. (2020). Cybersecurity breaches and information technology governance roles in audit committee charters. Journal of Information Systems. https://doi.org/10.2308/isys-18-071CrossRef

Larkin, M. B., Bernardi, R. A., & Bosco, S. M. (2013). Does female representation on boards of directors associate with increased transparency and ethical behavior? Accounting and the Public Interest, 13(1), 132–150.CrossRef

Li, H., No, W. G., & Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55.CrossRef

Liu, M., & Ji, D. (2022). An overview of the literature on upper echelons. Accounting Perspectives. https://doi.org/10.1111/1911-3838.12288CrossRef

Michelon, G., & Parbonetti, A. (2012). The effect of corporate governance on sustainability disclosure. Journal of Management & Governance, 16(3), 477–509.CrossRef

Mitra, S., & Ransbotham, S. (2015). Information disclosure and the diffusion of information security attacks. Information Systems Research, 26(3), 565–584.CrossRef

National Association of Corporate Directors (NACD). (2017). Cyber-risk oversight—Director’s handbook series. National Association of Corporate Directors.

Newman, C. A. (2018). When to report a cyberattack? For companies, that’s still a dilemma. The New York Times, March 5. Retrieved August 26, 2020, from https://www.nytimes.com/2018/03/05/business/dealbook/sec-cybersecurity-guidance.html

Nielsen, S., & Huse, M. (2010). The contribution of women on boards of directors: Going beyond the surface. Corporate Governance: An International Review, 18(2), 136–148.CrossRef

Nolan, R., & McFarlan, F. W. (2005). Information technology and the board of directors. Harvard Business Review, 83(10), 96–106.

Nursimloo, S., Ramdhony, D., & Mooneeapen, O. (2020). Influence of board characteristics on TBL reporting. Corporate Governance, 20(5), 765–780.CrossRef

Patelli, L., & Pedrini, M. (2015). Is tone at the top associated with financial reporting aggressiveness? Journal of Business Ethics, 126, 3–19.CrossRef

Plöckinger, M., Aschauer, E., Hiebl, M. R. W., & Rohatschek, R. (2016). The influence of individual executives on corporate financial reporting: A review and outlook from the perspective of upper echelon theory. Journal of Accounting Literature, 37, 55–75.CrossRef

Price, J. B., & Lankton, N. (2018). A framework and guidelines for assessing and developing board-level information technology committee charters. Journal of Information Systems, 32(1), 109–129.CrossRef

Radu, C., & Smaili, N. (2021). Board gender diversity and corporate response to cyber risk: Evidence from cybersecurity related disclosure. Journal of Business Ethics, 177, 351–374.CrossRef

Ran, G., Fang, Q., Luo, S., & Chan, K. C. (2015). Supervisory board characteristics and accounting information quality: Evidence from China. International Review of Economics & Finance, 37, 18–32.CrossRef

Rashid, F. Y. (2015). NYSE survey examines cybersecurity in the boardroom. Security Week, May 28. Retrieved August 26, 2020, from https://www.securityweek.com/nyse-survey-examines-cybersecurity-boardroom

Securities and Exchange Commission (SEC). (2018). 17 CFR parts 229 and 249 [Release nos. 33-10459; 34-82746] commission statement and guidance on public company cybersecurity disclosures. Securities and Exchange Commission.

Securities and Exchange Commission (SEC), Division of Corporation Finance. (2011). CF disclosure guidance: Topic no. 2, cybersecurity.

Smaili, N., Radu, C., & Khalili, A. (2022). Board effectiveness and cybersecurity disclosure. Journal of Management and Governance. https://doi.org/10.1007/s10997-022-09637-6CrossRef

Songini, L., Pistoni, A., Tettamanzi, P., Fratini, F., & Minutiello, V. (2021). Integrated reporting quality and BoD characteristics: An empirical analysis. Journal of Management and Governance, 26, 579–620.CrossRef

Turel, O., Liu, P., & Bart, C. (2019). Board-level IT governance. IT Professional, 21(2), 58–65.CrossRef

Vafeas, N. (2003). Length of board tenure and outside director independence. Journal of Business Finance & Accounting, 30(7–8), 1043–1064.CrossRef

Vairavan, A., & Zhang, G. P. (2020). Does a diverse board matter? A mediation analysis of board racial diversity and firm performance. Corporate Governance, 20(7), 1223–1241.CrossRef

Valentine, E. L. H., & Stewart, G. (2013). The emerging role of the board of directors in enterprise business technology governance. International Journal of Disclosure and Governance, 10(4), 346–362.CrossRef

Vincent, N. E., Higgs, J. L., & Pinsker, R. E. (2019). Board and management-level factors affecting the maturity of IT risk management practices. Journal of Information Systems, 33(6), 117–135.CrossRef

Walton, S., Wheeler, P. R., Zhang, Y., & Zhao, X. (2021). An integrative review and analysis of cybersecurity research: Current state and future directions. Contemporary Accounting Research, 35(1), 155–186.

Wang, Y., Kannan, K., & Ulmer, J. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218.CrossRef

Westpal, J. D., & Fredrickson, J. W. (2001). Who directs strategic change? Director experience, the selection of new CEOs, and change in corporate strategy. Strategic Management Journal, 22(12), 1113–1137.CrossRef

Williams, R. J. (2003). Women on corporate boards of directors and their influence on corporate philanthropy. Journal of Business Ethics, 42(1), 1–10.CrossRef

Yayla, A. A., & Hu, Q. (2014). The effect of board of directors’ IT awareness on CIO compensation and firm performance. Decision Sciences, 45(3), 401–435.CrossRef

Yoo, J. W., & Kim, K. (2012). Board competence and the top management team’s external ties for performance. Journal of Management & Organization, 18(2), 142–158.CrossRef

Young, S. (2013). Contemplating corporate disclosure obligations arising from cybersecurity breaches. Journal of Corporate Law, 38, 659–678.

Titel: Board of directors’ attributes and aspects of cybersecurity disclosure
verfasst von: Sylvie Héroux
Anne Fortin
Publikationsdatum: 18.11.2022
Verlag: Springer US
Erschienen in: Journal of Management and Governance / Ausgabe 2/2024
Print ISSN: 1385-3457
Elektronische ISSN: 1572-963X
DOI: https://doi.org/10.1007/s10997-022-09660-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2024

Has digital banking usage reshaped economic empowerment of urban women?

Does board composition matter for innovation? A longitudinal study of the organizational slack–innovation relationship in Nasdaq-100 companies

Research in the greenwashing field: concepts, theories, and potential impacts on economic and social value

Blockholders and the ESG performance of M&A targets

Can “publishing game” pressures affect the research topic choice? A survey of European accounting researchers

The gender gap: what about board members’ perspective?

Premium Partner