Abstract
In this paper we study the disclosure of cybersecurity information in annual reports, such as cybersecurity measures and cyber incidents, from a financial law and economics perspective. We start our discussion with an analysis of the requirements in financial law to disclose cybersecurity information in annual reports. Hereafter, we discuss the incentives for the board regarding disclosing cybersecurity related information and its effect on stakeholders and shareholders. We draft hypotheses regarding the actual disclosure of cybersecurity information and propose a research design of an exploring empirical study. The results of our study show that although there is no strict legal obligation to do so, 87% of the companies mention cybersecurity or similar words in their annual report in 2018. However, only 4 out of 75 companies disclosed more than six specific cybersecurity measures, while openness would generate the highest surplus for society from a social welfare perspective. Some major Dutch banks and employment agencies did not disclose any specific information with regard to their cybersecurity strategy, while those companies are highly vulnerable for cybersecurity incidents. This hampers the protection of creditors, investors and other stakeholders. Our analysis aims to propel the debate on stimulation of self-regulation or possible obligations in financial law concerning cybersecurity in annual reports.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
