Firm Transparency of Risk Oversight: An Examination of Cybersecurity Governance Disclosures

Abstract

In this study, I examine board attributes associated with firm transparency of governance over cybersecurity risk (GCR). Using a sample of firms that report cybersecurity as a material risk, I hand collect GCR data from 8,384 proxy statements filed from 2019 to 2021. Surprisingly, I find that only 57 percent of the filings provide stakeholders information about GCR. In multivariate analysis, I find that a firm’s GCR disclosure is positively associated with board size, independence, information technology expertise, and those boards with a higher proportion of “busy” directors. I further find that boards with longer serving directors provide less GCR disclosure. Finally, I find increasing levels of GCR disclosure over the three-year period, suggesting that firms are responding to stakeholder demand for increased transparency. These findings should be helpful to firms looking to benchmark disclosure practices and to the SEC in evaluating the efficacy of existing cybersecurity disclosure guidance. Data Availability: All data are publicly available from the cited sources in the text. JEL Classifications: G32; G34; M15.