Cyber Risk Disclosure Practice in Top 10 U.S. Information Technology Companies: An Empirical AnalysisTools Al Lawati, Taha Mustafa Mohsin (2017) Cyber Risk Disclosure Practice in Top 10 U.S. Information Technology Companies: An Empirical Analysis. [Dissertation (University of Nottingham only)]
AbstractCyber risk disclosure has received significant attention recently, but it is still not examined in empirical research investigating companies’ cyber risk disclosure practices. This research aims to explore the gap in the literature and examines cyber risk disclosure in the annual reports, corporate governance statements and guidelines and proxy statements in a sample of 10 U.S. information technology companies using a sentence analysis approach. The data was derived solely from these documents and their contents were analyzed to identify cyber risk disclosures. The findings show that all disclosures related to cyber risk are qualitative in nature. There is no attempt to quantify cyber risk by any means nor to assign a probability of cyber risk materializing. Also, there is no significant correlation between having a director with a direct specialist expertise and the quality of cyber risk disclosure. Similarly, not mentioning cyber risk in corporate governance guidelines and statement have no significant correlation with the quality of cyber risk disclosure in annual reports. Nevertheless, the companies exhibit readiness to disclose forward-looking information. In addition, there is a positive correlation between designating a committee to be responsible for cyber risk with the quality of cyber risk disclosure. Overall, cyber risk disclosures are commonplace and bland and lacked the depth required for clearly understanding the companies’ exposure to cyber risk.
Actions (Archive Staff Only)
|