Board of directors’ attributes and aspects of cybersecurity disclosure

As cybersecurity is a critical risk issue for organizations, cybersecurity disclosure is important for financial regulators, financial analysts, shareholders, and other stakeholders. Organizations face challenges when deciding whether, what, and when cybersecurity-related information should be disclosed. Prior studies have contributed few insights regarding the potential determinants of cybersecurity disclosure. Furthermore, their findings are based on a general or narrow measurement of this disclosure. This study draws on upper echelons and signaling theories to examine the association between various board of directors’ characteristics and extent of overall cybersecurity disclosure and its individual aspects. Extent of cybersecurity disclosure is measured based on a content analysis of annual financial regulatory filings of the 250 companies listed on the S&P/TSX Composite Index, using a scoring grid of 40 items grouped into seven categories representing different aspects of cybersecurity disclosure. This expanded disclosure measurement provides original insights for firms and their stakeholders. The main findings indicate that the presence of a committee responsible for cybersecurity on the board of directors is key to increasing cybersecurity disclosure. With or without such a committee, board IT expertise, board tenure, board independence, women directors, and board age are associated with the extent of total cybersecurity disclosure or some of its specific aspects, particularly cybersecurity risk mitigation. These findings contribute to the cybersecurity literature by examining which board of directors’ characteristics influence the extent of specific aspects of cybersecurity disclosure. They also complement results from upper echelons-based studies on corporate reporting determinants and prior IT governance studies.