Date of Award
Doctor of Philosophy
Lauren M. Cunningham
James N. Myers, Justin C. Short, Celeste Carruthers
In this study, I examine factors associated with firm transparency of board oversight using the setting of cybersecurity risk. The SEC requires that, to the extent cybersecurity risks are material, firms must disclose the nature of the board’s role in overseeing the management of that risk, allowing investors to assess how the board is fulfilling its risk oversight duties. Using textual analysis, I identify 2,921 firms that report material cybersecurity risk factors in their annual reports. From these firms’ 2021 proxy statement filings, I hand collect data relating to 12 different elements of cybersecurity board oversight and create an overall Transparency Score (T-Score). Surprisingly, I find that over 36 percent of firms provide no information about the board’s role in overseeing cybersecurity risk, even though these firms disclose material cyber risks in SEC filings. In multivariate analysis, I find that the level of disclosure relating to board oversight is positively associated with levels of cybersecurity risk, firm size, holdings by institutional investors, and board resources. I further find higher levels of disclosure when the full board shares oversight responsibility with a committee, or when a separate risk committee is tasked with oversight responsibility. Finally, I find that these determinants are generally stronger for firms that lack separate risk committees, as well as for those firms that have not previously reported a breach. These findings provide rich, descriptive evidence regarding transparency of risk oversight in an area that is timely and salient to investors, regulators, and other market participants.
Ereddia, Laurie E., "Firm Transparency of Risk Oversight: An Examination of Cybersecurity Governance Disclosures." PhD diss., University of Tennessee, 2023.