Governance Perspectives on Cybersecurity Risk Disclosure: Mandatory vs quasi-mandatory regulatory regimes

University of Bradford


As the global economy has been transitioning from the fourth to the fifth industrial revolution, cybersecurity risks remain a critical challenge for the sustainable digital transformation of business operations. Over the last two decades, significant international, national, and firm-level efforts have been made to experiment with various cybersecurity risk management (CRM) models. Cybersecurity risk inherently differs from other business risks, and the consequence of a cyber risk incident is highly pervasive for the organizations and their stakeholders. Thus, CRM practices vary across different environments because no best CRM model is known. However, from the corporate governance perspective, disclosing CRM information is the best approach that helps managers be transparent with their stakeholders and inform them about their CRM activities, resolving information asymmetry.

Research issue:

Given this background, there is a likelihood that managers (agents) may not disclose complete CRM information because sensitive disclosures on cybersecurity issues may be a problem (Verrecchia, 1983). In corporate governance research, the accounting and finance literature generally supports the idea that risk disclosures reduce market information asymmetry. However, the broader management literature contradicts this view: voluntary risk disclosure may help firms resolve problems and improve performance, yet it can create chaos and distract managers’ attention from risk mitigation (Desai, 2011). Given this vacuum of knowledge about the effect of risk disclosure, regulators across countries follow different policies to manage CRM information disclosure within their jurisdictions. Hence, a dilemma exists as to whether CRM disclosure should be mandatory or voluntary.

Research context and dilemma:

Within the global context, the US Securities and Exchange Commission, within the purview of the Cybersecurity Disclosure Act 2015, requires mandatory disclosure of prescribed cybersecurity risk information by listed corporations. However, the UK corporate governance regime allows a company either to state its compliance with a regulatory provision or to explain any non-compliance with the disclosure guidance and transparency rules under GDPR and the FCA. This means UK firms have more flexibility in CRM disclosure than US companies. Hence, it is vital to investigate whether mandatory or quasi-mandatory regulatory regimes better support cybersecurity risk governance.

Research approach and outcome:

After a careful analysis of both the mandatory and prescriptive cybersecurity risk disclosure regime in the US and the quasi-mandatory regime in the UK, this project intends to draw up a conceptual framework for cybersecurity risk disclosure that benefits all stakeholders, and to examine the behaviour of firms as to what they disclose and whether their disclosures are value-relevant in different settings. The outcome of this project would help fill the knowledge gap around the debate on mandatory vs. voluntary regimes for cybersecurity risk management.

How to apply

We invite expressions of interest from competent candidates who want to join our team and study for a PhD. The ideal applicant should have skills in econometrics, databases, and textual analysis.

Formal applications should be submitted through the University of Bradford website; applicants should create an account and choose ‘Full-time PhD in Accounting, Finance and Economics’ as the course.

About the University of Bradford

Bradford is a research-active university supporting the highest-quality research. We excel in applying our research to benefit our stakeholders by working with employers and organisations worldwide across the private, public, voluntary and community sectors, and we actively encourage and support our postgraduate researchers to engage in research and business development activities.

Positive Action Statement

At the University of Bradford our vision is a world of inclusion and equality of opportunity, where people want to, and can, make a difference. We place equality and diversity, inclusion, and a commitment to social mobility at the centre of our mission and ethos. In working to make a difference we are committed to addressing systemic inequality and disadvantages experienced by Black, Asian and Minority Ethnic staff and students.

Under sections 158-159 of the Equality Act 2010, positive action can be taken where protected group members are under-represented. At Bradford, our data show that people from Black, Asian, and Minority Ethnic groups who are UK nationals are significantly under-represented at the postgraduate researcher level. 

These are lawful measures designed to address systemic and structural issues which result in the under-representation of Black, Asian, and Minority Ethnic students in PGR studies.
