Comparison of disclosures and legitimacy strategies employed after a cybersecurity incident: the case of Desjardins

Abstract

The magnitude of the personal data breach at Desjardins financial cooperative in 2019 raises legitimacy concerns for Desjardins and its peers. Our study examines changes in the scope of cybersecurity disclosures and the legitimation strategies used in Desjardins's annual reports and compares them to those of other Canadian companies in the financial, communications and technology sectors. Based on a content analysis grid developed by Héroux and Fortin (2020), our results for Desjardins show an increase in disclosures related to the incident to repair damages to the organisation's legitimacy, but little change otherwise. Other companies in the sample, which need to maintain their legitimacy, also had very few changes in their cybersecurity disclosures. Our results reveal legitimation strategies that differ from past reactions to comparable legitimacy threatening incidents. Our contributions highlight conformity strategies targeting the incident for Desjardins and reluctance to change cybersecurity disclosures both for Desjardins and for its peers.