Cybersecurity disclosure in the financial sector: an examination of the influence of incident exposure, governance practices, and regulatory context

Cybersecurity has become a critical concern for organizations, prompting increasing demands from various stakeholders for more comprehensive disclosures. This study investigates how banks disclose cybersecurity information, focusing on key drivers, such as regulatory changes, incidents and governance practices. Using legitimacy theory, the research examines factors that influence cybersecurity disclosure practices, including risk exposure, management strategies, and investments. Banks annual reports were analyzed using a custom index and content analysis combined with statistical techniques. The findings highlight the need for more targeted and comprehensive cybersecurity regulations, particularly regarding investment and incident disclosure. The study also highlights the importance of gender diversity on boards and media coverage of cyber incidents for greater transparency. The study advocates for financial institutions to implement mechanisms that promote transparency and recommends that regulators enforce specific disclosure requirements, as voluntary reporting is often insufficient.