To read this content please select one of the options below:

Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis

Anne Fortin (Accounting Department École des sciences de la gestion, Université du Québec à Montréal (ESG UQAM), Montréal, Canada)
Sylvie Héroux (Accounting Department École des sciences de la gestion, Université du Québec à Montréal (ESG UQAM), Montréal, Canada)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 10 October 2022

Issue publication date: 9 February 2023

507

Abstract

Purpose

The purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.

Design/methodology/approach

Investment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.

Findings

Not all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.

Practical implications

The results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.

Originality/value

To the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.

Keywords

Acknowledgements

The authors are grateful for the financial support of the accounting department at ESG UQAM, the Corporate Reporting Chair, ESG UQAM and the Autorité des marchés financiers (AMF – Québec).

Citation

Fortin, A. and Héroux, S. (2023), "Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis", Information and Computer Security, Vol. 31 No. 1, pp. 108-123. https://doi.org/10.1108/ICS-07-2022-0122

Publisher

:

Emerald Publishing Limited

Copyright © 2022, Emerald Publishing Limited

Related articles