Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis
Information and Computer Security
ISSN: 2056-4961
Article publication date: 10 October 2022
Issue publication date: 9 February 2023
Abstract
Purpose
The purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.
Design/methodology/approach
Investment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.
Findings
Not all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.
Practical implications
The results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.
Originality/value
To the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.
Keywords
Acknowledgements
The authors are grateful for the financial support of the accounting department at ESG UQAM, the Corporate Reporting Chair, ESG UQAM and the Autorité des marchés financiers (AMF – Québec).
Citation
Fortin, A. and Héroux, S. (2023), "Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis", Information and Computer Security, Vol. 31 No. 1, pp. 108-123. https://doi.org/10.1108/ICS-07-2022-0122
Publisher
:Emerald Publishing Limited
Copyright © 2022, Emerald Publishing Limited