2022 | OriginalPaper | Chapter

The Disclosure of Non-financial Risk. The Emerging of Cyber-Risk

Authors: Claudia Arena, Simona Catuogno, Rita Lamboglia, Antonella Silvestri, Stefania Veltri

Published in: Non-financial Disclosure and Integrated Reporting

Publisher: Springer International Publishing

Abstract

The chapter aims to examine in depth the emerging issue of cyber-risk, which, among non-financial (NF) risks, represents a major threat for organizations due to the growing sophistication and variety of data breaches and cyberattacks. The research provides a general background for NF risk disclosure, illustrating the path that led from external voluntary to mandatory frameworks for the disclosure of NF risks following the EU Directive. We then describe the role of internal auditors in the management and disclosure of digital risk. To better understand the effectiveness of corporate governance mechanisms for digital risk disclosure, we conduct a literature review and a visualization that show the most frequent topics and their chronological evolution. The chapter contributes to the risk disclosure and corporate governance literature by providing some theoretical and practical implications.

Footnotes

1. In the chapter, an external, communicational perspective, leaving aside the risk management perspective in the sense of the activities carried out at the organizational level to face corporate risks. In other words, it is an external, communicational perspective. Consistent with Dumay (2016), we believe that disclosure is different from reporting, even if the terms are mostly used synonymously. In detail, disclosure is ‘the revelation of information that was previously secret or unknown’, whilst reporting is a ‘detailed periodic account of a company’s activities, financial condition and prospects that is made available to shareholders and investors’ (Dumay, 2016).

2. Among the voluntary initiatives, we can mention the Eco-Management and Audit Scheme (EMAS) in 1993 and its successive revision in 2001 (EC No 761/2001) and 2009 (EC No 1221/2009).

3. This covers approximately 6000 large companies and groups across the EU, including listed companies, banks, insurance companies, other companies designated by national authorities as PIE.

4. Regulation EU 2019/2088 on sustainability-related disclosures in the financial services sector.

Literature
Alelayani, A. M., Al Zahrani, F. M., Munshi, A. M., Monshi, R. M., & Al-sofyani, S. A. (2020). Cybersecurity regulation and governance. International Journal of Computer Science and Network Security, 20(5), 1–5.
Al-Sartawi, A. M. M. (2020). Information technology governance and cybersecurity at the board level. International Journal of Critical Infrastructures, 16(2), 150–161.
Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206.
Appelbaum, D., Kogan, A., & Vasarhelyi, M. A. (2017). Big data and analytics in the modern audit engagement: Research needs. Auditing: A Journal of Practice & Theory, 36(4), 1–27.
Arena, C., Catuogno, S., & Moscariello, N. (2020). The unusual debate on non-GAAP reporting in the current standard practice. The lens of corporate governance. Journal of Management and Governance, 1–30.
ASX Corporate Governance Council (ASX CGC). (2014). Corporate governance principles and recommendations (3rd ed.). ASX Corporate Governance Council.
Beretta, S., & Bozzolan, S. (2004). A framework for the analysis of firm risk communication. The International Journal of Accounting, 39(3), 265–288.
Berkman, H., Jona, J., Lee, G., & Soderstrom, N. (2018). Cybersecurity awareness and market valuations. Journal of Accounting and Public Policy, 37(6), 508–526.
Boyd, D., & Crawford, K. (2012). Critical questions for big data: Provocations for a cultural, technological, and scholarly phenomenon. Information, Communication & Society, 15(5), 662–679.
Brown, H. S., De Jong, M., & Lessidrenska, T. (2009). The rise of global reporting initiative as a case of institutional entrepreneurship. Environmental Politics, 18(4), 182–200.
Brown-Liburd, H., Issa, H., & Lombardi, D. (2015). Behavioral implications of Big Data’s impact on audit judgment and decision making and future research directions. Accounting Horizons, 29(2), 451–468.
Calderon, T. G., & Gao, L. (2020). Cybersecurity risks disclosure and implied audit risks: Evidence from audit fees. International Journal of Auditing.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104.
Clarkson, P. M., Fang, X., Li, Y., & Richardson, G. (2013). The relevance of environmental disclosures: Are such disclosures incrementally informative? Journal of Accounting and Public Policy, 32(5), 410–431.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2017). Enterprise risk management. Integrating with strategy and performance. AICPA.
Committee of Sponsoring Organizations of the Treadway Commission. (2018). Enterprise risk management—Applying enterprise risk management to environmental, social and governance-related risks. The Committee of Sponsoring Organizations of the Treadway Commission.
De Bakker, K., Boonstra, A., & Wortmann, H. (2010). Does risk management contribute to IT project success? A meta-analysis of empirical evidence. International Journal of Project Management, 28(5), 493–503.
De Luca, F., & Phat, H. (2019). Informativeness assessment of risk and risk-management disclosure in corporate reporting: An empirical analysis of Italian large listed firms. Financial Reporting, 2, 9–41.
Di Lernia, C., Hardy, C., & Dori, A. (2020). Cyber-related risk disclosure in Australia: Evidence from the ASX200. Company and Securities Law Journal, 37(4), 255–278.
Dobler, M., Lajili, K., & Zéghal, D. (2014). Environmental performance, environmental risk and risk management. Business Strategy and the Environment, 23, 1–17.
Dumay, J. (2016). A critical reflection on the future of intellectual capital: From reporting to disclosure. Journal of Intellectual Capital, 17(1), 168–184.
Dumay, J., Bernardi, C., Guthrie, J., & La Torre, M. (2017). Barriers to implementing the international integrated reporting framework. Meditari Accountancy Research, 25(4), 461–480.
Dumay, J., & Hossain, M. D. A. (2019). Sustainability risk disclosure practices of listed companies in Australia. Australian Accounting Review, 29(2), 343–359.
Elshandidy, T., Shrives, P. J., Bamber, M., & Abraham, S. (2018). Risk reporting: A review of the literature and implications for future research. Journal of Accounting Literature, 40, 54–82.
Eng, L. L., & Mak, Y. T. (2003). Corporate governance and voluntary disclosure. Journal of Accounting and Public Policy, 22(4), 325–345.
EU Commission. (2011). Disclosure of non-financial information by companies. Directorate general for internal markets and services, public consultation on disclosure of non-financial information by companies.
Federation of European Accountants. (FEE). (2015). The future of corporate reporting—Creating the dynamics for change. FEE.
Federation of European Accountants. (FEE). (2016). EU directive on disclosure of non-financial and diversity information: Achieving good quality and consistent reporting. FEE.
Gao, L., Calderon, T. G., & Tang, F. (2020). Public companies’ cybersecurity risk disclosures. International Journal of Accounting Information Systems, 38, 100468.
Garcia-Meca, E., & Sanchez-Ballesta, J. P. (2010). The association of board independence and ownership concentration with voluntary disclosure: A meta-analysis. European Accounting Review, 19(3), 603–627.
Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 567–594.
Griffin, P. A., & Wright, A. M. (2015). Commentaries on big Data’s importance for accounting and auditing. Accounting Horizons, 29(2), 377–379.
Gyun No, W., & Vasarhelyi, M. A. (2017). Cybersecurity and continuous assurance. Journal of Emerging Technologies in Accounting, 14(1), 1–12.
Haapamäki, E., & Sihvonen, J. (2019). Cybersecurity in accounting research. Managerial Auditing Journal, 34(7), 808–834.
Healy, P. M., & Palepu, K. G. (2001). Information asymmetry, corporate disclosure, and the capital markets: A review of the empirical disclosure literature. Journal of Accounting and Economics, 31(1–3), 405–440.
Héroux, S., & Fortin, A. (2020). Cybersecurity disclosure by the companies on the S&P/TSX 60 index. Accounting Perspectives, 19(2), 73–100.
Higgs, J. L., Pinsker, R. E., Smith, T. J., & Young, G. R. (2016). The relationship between board-level technology committees and reported security breaches. Journal of Information Systems, 30(3), 79–98.
Hilary, G., Segal, B., & Zhang, M. H. (2016). Cyber-risk disclosure: Who cares? Georgetown McDonough School of Business Research Paper, 2852519.
Hrubey, P. S. (2020). Privacy and data protection. Part 1: Internal Audit’s role in establishing a resilient framework. The Institute of Internal Auditors Research Foundation (IIARF).
ICAEW. (1997). Financial reporting of risk: Proposals for a statement of business risk. Institute of Chartered Accountants of England and Wales.
International Integrated Reporting Council (IIRC). (2013). The international integrated reporting framework. International Integrated Reporting Council.
ISACA. (2018). COBIT 2019 framework: Governance and management objectives.
ISO. (2013). ISO/IEC 27001—information technology, security techniques, information security management systems, requirements. ISO.
Kahyaoglu, S. B., & Caliyurt, K. (2018). Cyber security assurance process from the internal audit perspective. Managerial Auditing Journal.
KPMG. (2015). Currents of change: The KPMG survey of corporate responsibility reporting 2015. KPMG.
Krahel, J. P., & Titera, W. R. (2015). Consequences of big data and formalization on accounting and auditing standards. Accounting Horizons, 29(2), 409–422.
La Torre, M., Botes, V. L., Dumay, J., & Odendaal, E. (2019). Protecting a new Achilles heel: The role of auditors within the practice of data protection. Managerial Auditing Journal.
La Torre, M., Dumay, J., & Rea, M. A. (2018a). Breaching intellectual capital: Critical reflections on big data security. Meditari Accountancy Research.
La Torre, M., Sabelfeld, S., Blomkvist, M., Tarquinio, L., & Dumay, J. (2018b). Harmonising non-financial reporting regulation in Europe: Practical forces and projections for future research. Meditari Accountancy Research, 26(4), 598–621.
Lending, C., Minnick, K., & Schorno, P. J. (2018). Corporate governance, social responsibility, and data breaches. Financial Review, 53(2), 413–455.
Leopizzi, R., Iazzi, A., Venturelli, A., & Principale, S. (2020). Nonfinancial risk disclosure: The ‘state of the art’ of Italian companies. Corporate Social Responsibility and Environmental Management, 27(1), 358–368.
Li, H., No, W. G., & Boritz, J. E. (2020). Are external auditors concerned about cyber incidents? Evidence from audit fees. Auditing: A Journal of Practice & Theory, 39(1), 151–171.
Li, H., No, W. G., & Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55.
Linsley, P., & Shrives, P. (2005). Examining risk reporting in UK public companies. The Journal of Risk Finance, 6(4), 292–305.
Linsley, P., & Shrives, P. (2006). Risk reporting: A study of risk disclosure in the annual reports of UK companies. The British Accounting Review, 38(4), 387–404.
Manes Rossi, F., Nicolò, G., & Levy Orelli, R. (2017). Reshaping risk disclosure through integrated reporting: Evidence from Italian early adopters. International Journal of Business and Management, 12(10), 11–23.
Matten, D. (1995). Strategy follows structure: Environmental risk management in commercial enterprises. Business Strategy and the Environment, 4, 107–116.
Naciti, V., Cesaroni, F., & Pulejo, L. (2021). Corporate governance and sustainability: A review of the existing literature. Journal of Management and Governance.
National Institute of Standards and Technology (NIST). (2014). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology.
Neri, L., & Russo, A. (2013). Risk disclosures in the annual reports of Italian listed companies. Financial Reporting, 3–4, 141–168.
Ntim, C. G., Lindop, S., & Thomas, D. A. (2013). Corporate governance and risk reporting in South Africa: A study of corporate risk disclosures in the pre-and post-2007/2008 global financial crisis periods. International Review of Financial Analysis, 30, 363–383.
O’Sullivan, N. (1993). Auditors’ liability: Its role in the corporate governance debate. Accounting and Business Research, 23(sup1), 412–420.
Organization for Economic Co-operation and Development. (OECD). (2015). Digital security risk management for economic and social prosperity: OECD recommendation and companion document. OECD Publishing.
Plumlee, M., Brown, D., Hayes, R. M., & Marshall, R. S. (2015). Voluntary environmental disclosure quality and firm value: Further evidence. Journal of Accounting and Public Policy, 34(4), 336–361.
Pugliese, A., Bezemer, P. J., Zattoni, A., Huse, M., Van den Bosch, F. A., & Volberda, H. W. (2009). Boards of directors’ contribution to strategy: A literature review and research agenda. Corporate Governance: An International Review, 17(3), 292–306.
Quinn, J., & Connolly, B. (2017). The non-financial information directive: An assessment of its impact on corporate social responsibility. European Company Law, 14(1), 15–21.
Ravasi, D., & Zattoni, A. (2006). Exploring the political side of board involvement in strategy: A study of mixed-ownership institutions. Journal of Management Studies, 43(8), 1671–1702.
Rizzato, F., Busso, D., Fiandrino, S., & Cantino, V. (2019). Non-financial information and risk disclosure: Compliance levels with mandatory requirements in the Italian market. In P. De Vincentiis, F. Culasso, & S. Cerrato (Eds.), The future of risk management (Vol. II). Palgrave Macmillan. https://doi.org/10.1007/978-3-030-16526-0_4
Schinagl, S., & Shahim, A. (2020). What do we know about information security governance? Information & Computer Security.
Skinner, C. P. (2019). Bank disclosures of cyber exposure. Iowa L. Rev., 105, 239.
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An interdisciplinary review. MIS Quarterly, 989–1015.
Smith, T. J., Higgs, J. L., & Pinsker, R. E. (2019). Do auditors price breach risk in their audit fees? Journal of Information Systems, 33(2), 177–204.
Task Force on Climate-related Financial Disclosures (TCFD). (2016). Recommendations of the task force on climate related financial disclosures. Financial Stability Board.
Truant, E., Corazza, L., & Scagnelli, D. S. (2017). Sustainability and risk disclosure: An exploratory study on sustainability reports. Sustainability, 9(636), 1–20.
Van Eck, N. J., & Waltman, L. (2017). Citation-based clustering of publications using CitNetExplorer and VOSviewer. Scientometrics, 111(2), 1053–1070.
Vasarhelyi, M. A., Kogan, A., & Tuttle, B. M. (2015). Big data in accounting: An overview. Accounting Horizons, 29(2), 381–396.
Veltri, S. (2020). Mandatory non-financial risk-related disclosure. Measurement problems and usefulness for investors. Springer.
Veltri, S., De Luca, F., & Phan, H. (2020). Do investors value companies’ mandatory nonfinancial risk disclosure? An empirical analysis of the Italian context after the EU directive. Business Strategy and the Environment, 29(6), 2226–2237.
Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218.
Weinhofer, G., & Busch, T. (2013). Corporate strategies for managing climate risks. Business Strategy and the Environment, 22, 121–144.
Xu, H., Guo, S., Haislip, J. Z., & Pinsker, R. E. (2019). Earnings management in firms with data security breaches. Journal of Information Systems, 33(3), 267–284.
Yallop, A. C., & Aliasghar, O. (2020). No business as usual: A case for data ethics and data governance in the age of coronavirus. Online Information Review.

Metadata
Title: The Disclosure of Non-financial Risk. The Emerging of Cyber-Risk
Authors: Claudia Arena, Simona Catuogno, Rita Lamboglia, Antonella Silvestri, Stefania Veltri
Copyright Year: 2022
Publisher: Springer International Publishing
DOI: https://doi.org/10.1007/978-3-030-90355-8_2