Abstract
This study explores the impact of board effectiveness on cybersecurity-related disclosure. Based on a sample of 300 firm-years consisting of the largest Canadian listed companies over a period of five years, we find evidence that board effectiveness positively affects a firm’s decision to disclose cybersecurity information, and board independence and financial expertise have a positive impact on the amount of this disclosure. Independent members of the board, acting as a governance and oversight mechanism, significantly increase the disclosure of cybersecurity risks in the company’s financial statements. The board has a fiduciary role to monitor management and board members’ financial expertise contributes to risk assessment and management. Cybersecurity, as an emerging governance topic, demands multiple areas of expertise in technical, ethical, and financial areas. Board members should be continually trained to be aware of the evolution and diversification of business risks and should have appropriate skills and competencies to manage them. Our findings shed light on the positive impact of board members’ financial expertise on the volume of cybersecurity disclosure. However, board size appears to have no impact on this amount, possibly because few board members have cybersecurity expertise.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
U.S. Senator Doug Jones, in a press release, available at https://www.warner.senate.gov/public/index.cfm/2019/3/key-u-s-senators-lead-bipartisan-push-for-stronger-cybersecurity-by-public-companies. Accessed 2021/02/11.
2016–2017 NACD Public Company Governance Survey, available at:
https://www.nacdonline.org/insights/publications.cfm?ItemNumber=37812. Accessed on 2021/02/11.
TMX Money about S&P/TSX 60 Index: https://money.tmx.com/en/quote/%5ETX60.
Sedar: https://www.sedar.com/.
University of Toronto, https://www.rotman.utoronto.ca/FacultyAndResearch/ResearchCentres/JohnstonCentre/BoardRatings.
References
Abeysekera, I. (2010). The influence of board size on intellectual capital disclosure by Kenyan listed firms.Journal of intellectual capital
Abraham, S., & Cox, P. (2007). Analysing the determinants of narrative risk information in UK FTSE 100 annual reports. The British Accounting Review, 39(3), 227–248
Akerlof, G. A. (1978). The market for “lemons”: Quality uncertainty and the market mechanism. Uncertainty in economics (pp. 235–251). Elsevier
Allegrini, M., & Greco, G. (2013). Corporate boards, audit committees and voluntary disclosure: Evidence from Italian listed companies. Journal of Management & Governance, 17(1), 187–216
Allini, A., Manes Rossi, F., & Hussainey, K. (2016). The board’s role in risk disclosure: an exploratory study of Italian listed state-owned enterprises. Public Money & Management, 36(2), 113–120
Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206
Amran, A., Bin, A. M. R., & Hassan, B. C. (2009). H. M. Risk reporting.Managerial Auditing Journal
Assante, M. J., & Tobey, D. H. (2011). Enhancing the cybersecurity workforce. IT professional, 13(1), 12–15
Audit Analytics (2020). Trends in Cybersecurity Breach Disclosures
Ben-Amar, W., Francoeur, C., Marsat, S., & Wahid, S. (2021). A. How do firms achieve corporate social performance? An integrated perspective. Corporate Social Responsibility and Environmental Management
Ben-Amar, W., & McIlkenny, P. (2015). Board effectiveness and the voluntary disclosure of climate change information. Business Strategy and the Environment, 24(8), 704–719
Brammer, S., Brooks, C., & Pavelin, S. (2006). Corporate social performance and stock returns: UK evidence from disaggregate measures. Financial management, 35(3), 97–116
Bravo, F. (2018). Does board diversity matter in the disclosure process? An analysis of the association between diversity and the disclosure of information on risks. International Journal of Disclosure and Governance, 15(2), 104–114
Campbell, D. (2004). A longitudinal and cross-sectional analysis of environmental disclosure in UK companies—a research note. The British Accounting Review, 36(1), 107–117
Campbell, J. L., Chen, H., Dhaliwal, D. S., Lu, H., & Steele, L. B. (2014). The information content of mandatory risk factor disclosures in corporate filings. Review of Accounting Studies, 19(1), 396–455
Coles, J. L., Daniel, N. D., & Naveen, L. (2008). Boards: Does one size fit all? Journal of financial economics, 87(2), 329–356
Conheady, B., McIlkenny, P., Opong, K. K., & Pignatel, I. (2015). Board effectiveness and firm performance of Canadian listed firms. The British Accounting Review, 47(3), 290–303
Canada, C. P. A., C. P. A (2017). Reporting Alert: Corporate reporting. Cybersecurity Risks and Incidents - Reassessing Your Disclosure Practices
Craigen, D., Diakun-Thibault, N., & Purse, R. (2014). Defining cybersecurity.Technology Innovation Management Review, 4(10)
CSA, C. S. A. (2013). CSA Staff Notice 11–326 Cyber Security. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20130926_11-326_cyber-security.htm
CSA, C. S. A. (2016). CSA Staff Notice 11–332 Cyber Security. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_sn_20160927_11-332-cyber-security.htm
CSA, C. S. A. (2017a). CSA Multilateral Staff Notice 51–347 Disclosure of Cyber Security Risks and Incidents. https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20170119_51-347_disclosure-cyber-security.htm
CSA, C. S. A. (2017b). CSA Staff Notice 33–321 Cyber Security and Social Media https://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20171019_33-321_cyber-security-and-social-media.htm
Davis, G. F. (1996). The significance of board interlocks for corporate governance. Corporate Governance: An International Review, 4(3), 154–159
De Andres, P., & Vallelado, E. (2008). Corporate governance in banking: The role of the board of directors. Journal of banking & finance, 32(12), 2570–2580
Donnelly, R., & Mulcahy, M. (2008). Board structure, ownership, and voluntary disclosure in Ireland. Corporate Governance: An International Review, 16(5), 416–429
Dye, R. A. (1985). Disclosure of nonproprietary information.Journal of accounting research,123–145
Elshandidy, T., Fraser, I., & Hussainey, K. (2013). Aggregated, voluntary, and mandatory risk disclosure incentives: Evidence from UK FTSE all-share companies. International Review of Financial Analysis, 30, 320–333
Elshandidy, T., & Neri, L. (2015). Corporate governance, risk disclosure practices, and market liquidity: Comparative evidence from the UK and I taly. Corporate Governance: An International Review, 23(4), 331–356
Elzahar, H., & Hussainey, K. (2012). Determinants of narrative risk disclosures in UK interim reports.The Journal of Risk Finance
Eng, L. L., & Mak, Y. T. (2003). Corporate governance and voluntary disclosure. Journal of accounting and public policy, 22(4), 325–345
Fama, E. F., & Jensen, M. C. (1983). Separation of ownership and control. The journal of law and Economics, 26(2), 301–325
Foglietta, C., Masucci, D., Palazzo, C., Santini, R., Panzieri, S., Rosa, L. … Lev, L. (2018). From detecting cyber-attacks to mitigating risk within a hybrid environment. IEEE Systems Journal, 13(1), 424–435
Freeman, R. E. (2010). Strategic management: A stakeholder approach. Cambridge University Press
Fullbrook, M., & Spizzirri, A. (2018). 2018 Board Shareholder Confidence Index. https://www.rotman.utoronto.ca/FacultyAndResearch/ResearchCentres/JohnstonCentre/JohnstonCentre/2019/12/13/The-2019-Board-Sharehold-Confidence-Index-is-now-out
Gandía, J. L. (2008). Determinants of internet-based corporate governance disclosure by Spanish listed companies.Online Information Review
Garcia-Meca, E., & Sanchez-Ballesta, J. P. (2010). The association of board independence and ownership concentration with voluntary disclosure: A meta-analysis. European Accounting Review, 19(3), 603–627
Giannarakis, G. (2014). Corporate governance and financial characteristic effects on the extent of corporate social responsibility disclosure.Social Responsibility Journal
Grant, G. H., & Grant, C. T. (2014). SEC cybersecurity disclosure guidance is quickly becoming a requirement. The CPA Journal, 84(5), 69
Hernández-Madrigal, M., Blanco-Dopico, M. I., & Aibar-Guzmán, B. (2012). The influence of mandatory requirements on risk disclosure practices in Spain. International Journal of Disclosure and Governance, 9(1), 78–99
Hidalgo, R. L., García-Meca, E., & Martínez, I. (2011). Corporate governance and intellectual capital disclosure. Journal of business ethics, 100(3), 483–495
Hung, H. (1998). A typology of the theories of the roles of governing boards. Corporate Governance: An International Review, 6(2), 101–111
Hussain, N., Rigoni, U., & Orij, R. P. (2018). Corporate governance and sustainability performance: Analysis of triple bottom line performance. Journal of business ethics, 149(2), 411–432
Husted, B. W., & de Sousa-Filho, J. M. (2019). Board structure and environmental, social, and governance disclosure in Latin America. Journal of Business Research, 102, 220–227
Ingley, C., & Van Der Walt, N. (2008). Risk management and board effectiveness. International Studies of Management & Organization, 38(3), 43–70
Ingley, C. B., & Van der Walt, N. T. (2001). The strategic board: The changing role of directors in developing and maintaining corporate capability. Corporate Governance: An International Review, 9(3), 174–185
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973–993
Jensen, M. C. (1993). The modern industrial revolution, exit, and the failure of internal control systems. the Journal of Finance, 48(3), 831–880
Jensen, M. C., & Meckling, W. H. (1976). Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of financial economics, 3(4), 305–360
John, K., & Senbet, L. W. (1998). Corporate governance and board effectiveness. Journal of banking & finance, 22(4), 371–403
Kamiya, S., Kang, J. K., Kim, J., Milidonis, A., & Stulz, R. M. (2020). Risk management, firm reputation, and the impact of successful cyberattacks on target firms.Journal of financial economics
Khan, A., Muttakin, M. B., & Siddiqui, J. (2013). Corporate governance and corporate social responsibility disclosures: Evidence from an emerging economy. Journal of business ethics, 114(2), 207–223
Kothari, S. P., Li, X., & Short, J. E. (2009). The effect of disclosures by management, analysts, and business press on cost of capital, return volatility, and analyst forecasts: A study using content analysis. The Accounting Review, 84(5), 1639–1670
Krause, R., Semadeni, M., & Cannella, A. A. Jr. (2013). External COO/presidents as expert directors: A new look at the service role of boards. Strategic Management Journal, 34(13), 1628–1641
Kure, H. I., Islam, S., & Razzaque, M. A. (2018). An integrated cyber security risk management approach for a cyber-physical system. Applied Sciences, 8(6), 898
Lankton, N., Price, J. B., & Karim, M. (2020). Cybersecurity Breaches and Information Technology Governance Roles in Audit Committee Charters.Journal of Information Systems,0000–0000
Lewis, J. A. (2006). Cybersecurity and critical infrastructure protection. Center for Strategic and International Studies
Li, H., No, W. G., & Wang, T. (2018). SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55
Liao, L., Luo, L., & Tang, Q. (2015). Gender diversity, board independence, environmental committee and greenhouse gas disclosure. The British Accounting Review, 47(4), 409–424
Lipton, M., & Lorsch, J. W. (1992). A modest proposal for improved corporate governance.The business lawyer,59–77
Lopes, P. T., & Rodrigues, L. L. (2007). Accounting for financial instruments: An analysis of the determinants of disclosure in the Portuguese stock exchange. The International Journal of Accounting, 42(1), 25–56
Lorca, C., Sánchez-Ballesta, J. P., & García-Meca, E. (2011). Board effectiveness and cost of debt. Journal of business ethics, 100(4), 613–631
Lorsch, J. W., & MacIver. (1989). Pawns or Potentates: The Reality of America’s Corporate Boards. Harvard Business School Press
Lu, J., & Wang, W. (2018). Managerial conservatism, board independence and corporate innovation. Journal of Corporate Finance, 48, 1–16
Luo, Y. (2005). How does globalization affect corporate governance and accountability? A perspective from MNEs. Journal of International Management, 11(1), 19–41
Michelon, G., & Parbonetti, A. (2012). The effect of corporate governance on sustainability disclosure. Journal of Management & Governance, 16(3), 477–509
Minton, B. A., Taillard, J. P., & Williamson, R. (2014). Financial expertise of the board, risk taking, and performance: Evidence from bank holding companies.Journal of Financial and Quantitative Analysis,351–380
Mintzberg, H. (1983). The case for corporate social responsibility.Journal of Business Strategy
Moore, T., Dynes, S., & Chang, F. R. (2015). Identifying how firms manage cybersecurity investment. Southern Methodist University 32. https://cpb-us-w2.wpmucdn.com/blog.smu.edu/dist/e/97/files/2015/10/SMU-IBM.pdf
Moriarty, K. M. (2020). Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain. Emerald Group Publishing
Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST special publication, 800(2017), 181
Nicholson, G. J., & Kiel, G. C. (2004). A framework for diagnosing board effectiveness. Corporate Governance: An International Review, 12(4), 442–460
Ntim, C. G., & Soobaroyen, T. (2013). Corporate governance and performance in socially responsible corporations: New empirical insights from a Neo-Institutional framework. Corporate Governance: An International Review, 21(5), 468–494
Oliveira, J., Rodrigues, L. L., & Craig, R. (2011). Risk-related disclosures by non‐finance companies.Managerial Auditing Journal
Ontario, S., & Commission, O. (2015). National instrument (pp. 52–110). Audit Committees
Pigé, B. (2002). Stakeholder theory and corporate governance: the nature of the board information. Management: Journal of contemporary management issues, 7(1), 1–17
Prado-Lorenzo, J. M., & Garcia-Sanchez, I. M. (2010). The role of the board of directors in disseminating relevant information on greenhouse gases. Journal of business ethics, 97(3), 391–424
Public Safety Canada (2018). National Cyber Security Strategy. Canada’s Vision for Security and Prosperity in the Digital Age. 35
Raber, R. (2003). The role of good corporate governance in overseeing risk. Corporate Governance Advisor, 11(2), 11–16
Radu, C., & Smaili, N. (2021). Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related Disclosure.Journal of business ethics,1–24
Rankin, M., Windsor, C., & Wahyuni, D. (2011). An investigation of voluntary corporate greenhouse gas emissions reporting in a market governance system. Accounting, Auditing & Accountability Journal
Rosenstein, S., & Wyatt, J. G. (1990). Outside directors, board independence, and shareholder wealth. Journal of financial economics, 26(2), 175–191
Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15
Samaha, K., Khlif, H., & Hussainey, K. (2015). The impact of board and audit committee characteristics on voluntary disclosure: A meta-analysis. Journal of International Accounting Auditing and Taxation, 24, 13–28
Schmidt, S. L., & Brauer, M. (2006). Strategic governance: How to assess board effectiveness in guiding strategy execution. Corporate Governance: An International Review, 14(1), 13–22
Section (2018). Release Nos. 33-10459; 34-82746. Commission Statement and Guidance on Public Company Cybersecurity Disclosures. https://www.sec.gov/rules/interp/2018/33-10459.pdf
Section 2020 Examination Priorities https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf
SpencerStuart (2021). 2020 Canada: Spencer Stuart Board Index. https://www.spencerstuart.com/research-and-insight/board-indexes
Switzer, L. N., & Cao, Y. (2011). Shareholder interests vs board of director members’ interests and company performance.Review of Accounting and Finance
Torres, J. M., Comesaña, C. I., & Garcia-Nieto, P. J. (2019). Machine learning techniques applied to cybersecurity. International Journal of Machine Learning and Cybernetics, 10(10), 2823–2836
Tricker, R. I. (2019). Corporate governance: Principles, policies, and practices. USA: Oxford University Press
Van den Berghe, L., & Baelden, T. (2005). The complex relation between director independence and board effectiveness.Corporate Governance: The international journal of business in society
Verrecchia, R. E. (1983). Discretionary disclosure. Journal of accounting and economics, 5, 179–194
Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218
Watts, R. L., & Zimmerman, J. L. (1990). Positive accounting theory: a ten year perspective.Accounting review,131–156
Winter, S. G., & Williamson, O. E. (1991). The nature of the firm: origins, evolution, and development. Oxford University Press
World Economic Forum (2019). Regional Risks for Doing Business 2019. Insight report.https://www.weforum.org/press/2019/10/cyberattacks-and-fiscalcrises-top-list-of-business-risks-in-2019/
Xie, J., Nozawa, W., Yagi, M., Fujii, H., & Managi, S. (2019). Do environmental, social, and governance activities improve corporate financial performance? Business Strategy and the Environment, 28(2), 286–300
Zadeh, F. O., & Eskandari, A. (2012). Firm size as company’s characteristic and level of risk disclosure: Review on theories and literatures.International Journal of Business and Social Science, 3(17)
Funding Acknowledgement
We would like to gratefully acknowledge the financial support of the CPA Canada – CAAA.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Declarations
Not applicable.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Smaili, N., Radu, C. & Khalili, A. Board effectiveness and cybersecurity disclosure. J Manag Gov 27, 1049–1071 (2023). https://doi.org/10.1007/s10997-022-09637-6
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10997-022-09637-6