Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis

Abstract

PurposeThe purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.Design/methodology/approachInvestment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.FindingsNot all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.Practical implicationsThe results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.Originality/valueTo the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.