Content Analysis of Voluntary Disclosures on Cybersecurity in Malaysia

Abstract

Digitalisation is an important driver of the digital economy. The COVID-19 pandemic further accelerates the adoption of digital technology. Having huge data of clients, suppliers, investors, collaborators, and other business contacts expose companies to cyber threats and attacks. Several regulators such as the Security Exchange Commission (SEC) in the US requires public listed companies to disclose information related to cybersecurity risks. This study aims to explore how Malaysian listed companies reveal information related to cybersecurity in their annual reports. In addition, it also attempts to determine the themes or nature of these disclosures and to assess the disclosure levels. Using a content analysis, this study examined forty-nine annual reports from four sectors. It discovers that most companies disclose information related to cybersecurity under eight (8) common sections: governance and leadership, risk management and internal control, key risks and opportunities, management report, sustainability statement, organisational capital, external environment, and performance review. Furthermore, it suggests that these voluntary disclosures are mostly related to eight (8) themes: Data Protection Act, Data Security and Data Integrity, Cyber Threats and Risks, Cybersecurity Assessment, Focus and Priority, Optimisation, Enhanced and Investment, Policies and Artificial Intelligence. Even though most of these disclosures are at the basic level, there are a few companies with comprehensive disclosure on cybersecurity. The research findings provide valuable insights into voluntary disclosures related to cybersecurity among Malaysian listed companies.