A Corporate Governance Approach to Cybersecurity Risk Disclosure

Abstract

AbstractThis article sheds light on cybersecurity risk disclosure practices, offering explanations based on the corporate governance literature. We argue that cybersecurity risk management poses particular challenges for corporations due to amplified agency problems. Cybersecurity risks are increasing in number and growing in complexity for companies worldwide. The financial sector in the Benelux region was already digitalising rapidly when, in 2020, enhanced remote-working requirements due to the COVID-19 pandemic further contributed to risk exposure. Substantiating our theoretical discussion, we present and discuss insights as to the most pressing cybersecurity risk management issues in the financial sector based on evidence from semi-structured interviews with Chief Information Security Officers/Chief Security Officers from financial sector leads in the Benelux region. We discuss contemporary factors that might induce management to dedicate more attention to cybersecurity. This apparent shift in companies’ approaches regarding cybersecurity is likely to encounter obstacles and should not be expected to be an even and linear process, given the challenges of processing and communicating information in an environment featuring high uncertainty and technical complexity as well as potentially misaligned incentives.