Published online by Cambridge University Press: 18 May 2022
This article sheds light on cybersecurity risk disclosure practices, offering explanations based on the corporate governance literature. We argue that cybersecurity risk management poses particular challenges for corporations due to amplified agency problems. Cybersecurity risks are increasing in number and growing in complexity for companies worldwide. The financial sector in the Benelux region was already digitalising rapidly when, in 2020, enhanced remote-working requirements due to the COVID-19 pandemic further contributed to risk exposure. Substantiating our theoretical discussion, we present and discuss insights as to the most pressing cybersecurity risk management issues in the financial sector based on evidence from semi-structured interviews with Chief Information Security Officers/Chief Security Officers from financial sector leads in the Benelux region. We discuss contemporary factors that might induce management to dedicate more attention to cybersecurity. This apparent shift in companies’ approaches regarding cybersecurity is likely to encounter obstacles and should not be expected to be an even and linear process, given the challenges of processing and communicating information in an environment featuring high uncertainty and technical complexity as well as potentially misaligned incentives.
1 SW Klemash, JC Smith and C Seets, “What Companies Are Disclosing about Cybersecurity Risk and Oversight” (Harvard Law School Forum on Corporate Governance, 2020) <https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight/> (last accessed 3 January 2022).
2 EF Fama, “Efficient Capital Markets: A Review of Theory and Empirical Work” (1970) 25(2) Journal of Finance 383.
3 JC Coffee, “The Rise of Dispersed Ownership: The Roles of Law and the State in the Separation of Ownership and Control” (2001) 111(1) Yale Law Journal 1.
4 MC Jensen and WH Meckling, “Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure” (1976) 3(4) Journal of Financial Economics 305.
5 M Becht, P Bolton and A Röell, “Corporate Law and Governance” in AM Polinsky and S Shavell (eds.), Handbook of Law and Economics – Volume 2 (Amsterdam, Elsevier 2007).
6 BD Bernheim and MD Whinston, “Common Agency” (1986) 54(4) Econometrica 923.
7 BE Hermalin and MS Weisbach, “The Study of Corporate Governance” in BE Hermalin and MS Weisbach (eds.), Handbook of the Economics of Corporate Governance – Volume 1 (Amsterdam, Elsevier 2017).
8 BE Hermalin, “Aspects of the Economics of Organization with Application to Corporate Governance” in BE Hermalin and MS Weisbach (eds.), Handbook of the Economics of Corporate Governance – Volume 1 (Amsterdam, Elsevier 2017), p 76f.
9 S Park, “Why Information Security Law Has Been Ineffective in Addressing Security Vulnerabilities: Evidence from California Data Breach Notifications and Relevant Court and Government Records” (2019) 58 International Review of Law and Economics 132.
10 ibid.
11 C Chatterjee and DD Sokol, “Data Security, Data Breaches, and Compliance” in B van Rooij and DD Sokol (eds.), Cambridge Handbook on Compliance (Cambridge, Cambridge University Press 2021).
12 RJ Anderson and T Moore, “The Economics of Information Security” (2006) 314 Science 610.
13 ibid.
14 GA Akerlof, “The Market for Lemons: Quality Uncertainty and the Market Mechanism” (1970) 84(3) Quarterly Journal of Economics 488.
15 Dutch Safety Board (2021) Kwetsbaar door software [Vulnerable through software] <https://www.onderzoeksraad.nl/nl/page/17171/kwetsbaar-door-software---lessen-naar-aanleiding-van> (last accessed 3 January 2022).
16 See Recital 97 of GDPR: “Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”.
17 See E Kiesow Cortez, “Cybersecurity Risk for Companies” (2018) 4 Strafblad 12.
18 G Kostopoulos, Cyberspace and Cybersecurity, 2nd edn (London, Taylor & Francis 2017).
19 SANS Institute, 2017 Threat Landscape Survey: Users on the Front Line (White Paper, 2017) <https://www.qualys.com/forms/whitepapers/sans-2017-threat-landscape-survey-users-front-line/> (last accessed 3 January 2022).
20 SL Garfinkel, “The Cybersecurity Risk” (2012) 55(6) Communications of the ACM 29.
21 D Palmer, “Ransomware: Not Dead, Just Getting a Lot Sneakier” (ZDNet, 2018) <https://www.zdnet.com/article/ransomware-not-dead-just-getting-a-lot-sneakier/> (last accessed 3 January 2022).
22 World Economic Forum (2018) The Global Risks Landscape 2018 <http://reports.weforum.org/global-risks-2018/global-risks-landscape-2018/#landscape> (last accessed 3 January 2022).
23 A Hern, “WannaCry, Petya, NotPetya: How Ransomware Hit the Big Time in 2017” (The Guardian, 2017) <https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware> (last accessed 3 January 2022).
24 ER Leukfeldt, “Phishing for Suitable Targets in the Netherlands: Routine Activity Theory and Phishing Victimization” (2014) 17(8) Cyberpsychology, Behavior, and Social Networking 551.
25 H de Bruijn and M Janssen, “Building Cybersecurity Awareness: The Need for Evidence-Based Framing Strategies” (2017) 34(1) Government Information Quarterly 1.
26 On the “public good” approach to cybersecurity and its potential consequence being underinvestment in cybersecurity by companies, see CJ Coyne and PT Leeson, “Who’s to Protect Cyberspace?” (2005) 1(2) Journal of Law, Economics & Policy 473. For more on economics of cybersecurity and a “cybersecurity as a public good” approach, see DK Mulligan and FB Schneider, “Doctrine for Cybersecurity” (2011) 140(4) Daedalus 70; T Moore and RJ Anderson, “Internet Security” in M Peitz and J Waldfogel (eds.), The Oxford Handbook of the Digital Economy (Oxford, Oxford University Press 2012). On the analysis of regulatory strategies, see B van den Berg, “Coping with Information Underload” in M Hildebrandt and B van den Berg (eds.), Information, Freedom and Property (London, Routledge 2016).
27 Cisco Annual Cyber Security Report 2017 <https://www.cisco.com/c/dam/en/us/solutions/collateral/security/annual-reports/acr-infographic-2017.pdf> (last accessed 3 January 2022).
28 ibid.
29 ENISA Cybersecurity Cultures in Organisations 2018 <https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations> (last accessed 3 January 2022).
30 ibid.
31 IBM X-Force Threat Intelligence Index 2017 <https://www.ibm.com/security/data-breach/threat-intelligence> (last accessed 3 January 2022).
32 ENISA Cybersecurity Cultures in Organisations 2018 <https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations> (last accessed 3 January 2022).
33 ibid.
34 ENISA Threat Landscape Report 2020 <https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends> (last accessed 3 January 2022).
35 ibid.
36 PA Ralston, JH Graham and JL Hieb, “Cyber Security Risk Assessment for SCADA and DCS Networks” (2007) 46(4) ISA Transactions 583.
37 ibid.
38 ibid.
39 On how investors react to information security breaches of companies, see LA Gordon, MP Loeb and L Zhou, “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?” (2011) 19(1) Journal of Computer Security 33.
40 On the risk of creating a roadmap for future cybercriminals by disclosing vulnerabilities, see MF Ferraro, “Groundbreaking or Broken? An Analysis of SEC Cybersecurity Disclosure Guidance, Its Effectiveness, and Implications” (2013) 77 Albany Law Review 297.
41 S Kaplan and BJ Garrick, “On the Quantitative Definition of Risk” (1981) 1(1) Risk Analysis 11.
42 ibid, p 12. The authors do not include the definition of the absolute risk and perceived risk, but they differentiate by referring to a hypothetical scenario. In this scenario, they imagine a person puts a rattlesnake in another person’s mailbox. They explain that if the mailbox owner were asked whether he would be taking a risk if he put his hand into his mailbox, he would say “no”. However, this response would only reflect the perceived risk, as the mailbox owner lacks information regarding the placement of the snake, not the absolute risk.
43 ibid.
44 ibid.
45 RE Kasperson, O Renn, P Slovic, HS Brown, J Emel, R Goble, JX Kasperson and S Ratick, “The Social Amplification of Risk: A Conceptual Framework” (1988) 8(2) Risk Analysis 177.
46 For a recent study analysing whether the news media amplifies the data protection risk, see T Reijmer and M Spruit, “Cybersecurity in the News: A Grounded Theory Approach to Better Understand Its Emerging Prominence” (2014) Utrecht University Technical Report Series UU-CS-2014-006.
47 ibid, pp 185–86.
48 Regarding suggestions about cybersecurity awareness investments, see H de Bruijn and M Janssen, “Building Cybersecurity Awareness: The Need for Evidence-Based Framing Strategies” (2017) 34(1) Government Information Quarterly 1.
49 ENISA Threat Landscape Report 2020 <https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends> (last accessed 3 January 2022).
50 ENISA Threat Landscape Report 2017, pp 100–04.
51 Kasperson et al, supra, note 45.
52 S Kamiya, J-K Kang, J Kim, A Milidonis and RM Stulz, “What Is the Impact of Successful Cyberattacks on Target Firms?” (2018) NBER Working Paper No. 24409. Kamiya et al also found that firms facing less competition in their respective market segment are more likely to experience an attack. They measure market competition using the Herfindahl index, and the “uniqueness” of the firm’s product using the ratio of selling expense to sales. This might suggest that firms that do not fear losing market share to a competitor after an attack becomes public invest less in securing their IT systems against attacks, on the assumption that the revenue lost to a publicised cyberattack would not justify such investment.
53 JY-J Cheng and B Groysberg, “Why Boards Aren’t Dealing with Cyberthreats” (Harvard Business Review, 2017) <https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats> (last accessed 3 January 2022); JY-J Cheng, B Groysberg, PM Healy and R Vijayaraghavan, “Directors’ Perceptions of Board Effectiveness and Internal Operations” (2021) 67(10) Management Science 6399.
54 Kamiya et al, supra, note 52.
55 Cheng et al, supra, note 53, 6404.
56 NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (2020) <https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf> (last accessed 3 January 2022).
57 Klemash et al, supra, note 1.
58 M Hooker and J Pill, “You’ve Been Hacked, and Now You’re Being Sued: The Developing World of Cybersecurity Litigation” (2016) 90 Florida Bar Journal 30.
59 Securities and Exchange Commission, 17 CFR Parts 229 and 249, [Release Nos. 33-10459; 34-82746] Commission Statement and Guidance on Public Company Cybersecurity Disclosures <https://www.sec.gov/rules/interp/2018/33-10459.pdf> (last accessed 3 January 2022).
60 ibid.
61 ibid.
62 ibid.
63 Division of Corporation Finance, Securities and Exchange Commission, “CF Disclosure Guidance: Topic No. 2 Cybersecurity” (2011) <https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm> (last accessed 3 January 2022).
64 H Berkman, J Jona, G Lee and N Soderstrom, “Cybersecurity Awareness and Market Valuations” (2018) 37(6) Journal of Accounting and Public Policy 508.
65 H Li, WG No and T Wang, “SEC’s Cybersecurity Disclosure Guidance and Disclosed Cybersecurity Risk Factors” (2018) 30 International Journal of Accounting Information Systems 40. For example, it would be interesting to pinpoint how far a company needs to go in order to identify all potential data protection risks. A recent study refers to a complex methodology for identifying cyberattacks early using machine learning together with information retrieval techniques to analyse the content of hacker forums and Internet Relay Chat (IRC) channels. See V Benjamin, W Li, T Holt and H Chen, “Exploring Threats and Vulnerabilities in Hacker Web: Forums, IRC and Carding Shops”, 2015 IEEE International Conference on Intelligence and Security Informatics (ISI).
66 Ferraro, supra, note 40.
67 SJ Hughes and RL Trope, “The SEC Staff’s Cybersecurity Disclosure Guidance: Will It Help Investors or Cyber-Thieves More?” (2011) Business Law Today 1.
68 M Dowty, “Life Is Short. Go to Court: Establishing Article III Standing in Data Breach Cases” (2017) 90 Southern California Law Review 683.
69 DJ Marcus, “The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information” (2018) 68 Duke Law Journal 555.
70 SC Magazine, “SolarWinds Lawsuits Merge as Stockholders Begin Documenting Financial Losses” (2021) <https://www.scmagazine.com/news/breach/solarwinds-lawsuits-merge-as-stockholders-begin-documenting-financial-losses> (last accessed 3 January 2022).
71 M Clark, “Ubiquiti Is Accused of Covering Up a ‘Catastrophic’ Data Breach – And It’s Not Denying It” (The Verge, 2021) <https://www.theverge.com/2021/3/31/22360409/ubiquiti-networking-data-breach-response-whistleblower-cybersecurity-incident> (last accessed 3 January 2022); and Businesswire, “Ubiquiti Investors: July 19, 2021 Filing Deadline in Class Action” (2021) <https://www.businesswire.com/news/home/20210611005074/en/UBIQUITI-INVESTORS-July-19-2021-Filing-Deadline-in-Class-Action-%E2%80%93-Contact-Lieff-Cabraser> (last accessed 3 January 2022).
72 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
73 PL Marcogliese and R Mukhi, “Untangling the Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide” (Harvard Law School Forum on Corporate Governance, 2018) <https://corpgov.law.harvard.edu/2018/06/17/untangling-the-tangled-web-of-cybersecurity-disclosure-requirements-a-practical-guide/> (last accessed 3 January 2022).
74 ibid.
75 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014.
76 ibid.
77 For a critical discussion of CSRD, see K Ramanna, “Friedman at 50: Is It Still the Social Responsibility of Business to Increase Profits?” (2020) 62(3) California Management Review 28.
78 European Commission, Communication from the Commission – Guidelines on non-financial reporting (methodology for reporting non-financial information) (2017/C 215/01), and Proposal for a Directive of the European Parliament and of the Council amending Directive 2013/34/EU, Directive 2004/109/EC, Directive 2006/43/EC and Regulation (EU) No 537/2014, as regards corporate sustainability reporting.
79 P Karalis, “Analysis: Is Privacy an ESG Win? SEC Filing Trend Says Yes” (Bloomberg Law Analysis, 2021) <https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-is-privacy-an-esg-win-sec-filing-trend-says-yes> (last accessed 5 January 2022).
80 ibid. For a debate on ESG ratings, see DM Christensen, G Serafeim and A Sikochi, “Why Is Corporate Virtue in the Eye of the Beholder? The Case of ESG Ratings” (2022) 97(1) The Accounting Review 147. For a discussion on the possible use of privacy ratings, see E Erdemoglu, “A Law and Economics Approach to the New EU Privacy Regulation: Analysing the European General Data Protection Regulation” in J de Zwaan, M Lak, A Makinwa and P Willems (eds.), Governance and Security Issues of the European Union (The Hague, TMC Asser Press 2016).
81 Regulation (EU) 2016/679 (GDPR), supra, note 72.
82 Art 29 Data Protection Working Party Guidelines on DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. See also: OneTrust Blog, “WP29 Issues Revised Guidelines on Data Protection Impact Assessment (DPIA)” (2017) <https://www.onetrust.com/blog/article-29-working-party-issues-revised-guidelines-data-protection-impact-assessment-dpia/> (last accessed 3 January 2022).
83 Klemash et al, supra, note 1.
84 Art 29 Data Protection Working Party, 18/EN, Guidelines on Personal Data Breach Notification under Regulation 2016/679, adopted 3 October 2017, revised and adopted 6 February 2018.
85 J Ponciano, “Amazon Stock Loses $130 Billion in Market Value After $885 Million Fine and Disappointing Earnings Report” (Forbes, 2021) <https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/jonathanponciano/2021/07/30/amazon-stock-loses-130-billion-in-market-value-after-885-million-fine-and-dismal-earnings-report/amp/> (last accessed 3 January 2022).
86 T Leggett, “Amazon Hit with $886m Fine for Alleged Data Law Breach” (BBC News, 2021) <https://www.bbc.com/news/business-58024116> (last accessed 3 January 2022).
87 HJ Lehuedé, “Corporate Governance and Data Protection in Latin America and the Caribbean” (2019) Production Development series, No. 223 (LC/TS.2019/38), Santiago, Economic Commission for Latin America and the Caribbean (ECLAC) <https://repositorio.cepal.org/bitstream/handle/11362/44629/1/S1900395_en.pdf> (last accessed 3 January 2022).
88 Kaspersky Lab, “From Data Boom to Data Doom – The Risks and Rewards of Protecting Personal Data” (2018) <https://go.kaspersky.com/rs/802-IJN-240/images/Kaspersky_Lab_Business%20in%20a%20data%20boom.pdf> (last accessed 3 January 2022).
89 Ponemon Institute and IBM Security, “Cost of Data Breach Study – Global Overview” (2017) <https://www.securityupdate.net/SU/IBMSecurity/IBM-Security-Cost-of-Data-Breach-Study.pdf> (last accessed 3 January 2022).
90 AH Southwell, E Vandevelde, R Bergsieker and JB Maute, “Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy” (Columbia Law School Blue Sky Blog, 2017) <https://clsbluesky.law.columbia.edu/2017/02/03/gibson-dunnreviews-u-s-cybersecurity-and-data-privacy/> (last accessed 3 January 2022).
91 Ponemon Institute, “The Impact of Data Breaches on Reputation and Share Value” (2017) <www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf> (last accessed 3 January 2022).
92 W Jang and AL Newman, “Enforcing European Privacy Regulations from Below: Transnational Fire Alarms and the General Data Protection Regulation” (2022) 60(2) Journal of Common Market Studies 283.
93 L Helman, “Pay For (Privacy) Performance: Holding Social Network Executives Accountable for Breaches in Data Privacy Protection” (2019) 84(2) Brooklyn Law Review 523.
94 W Hartzog and N Richards, “Privacy’s Constitutional Moment and the Limits of Data Protection” (2020) 61(5) Boston College Law Review 1687.
95 H Cavusoglu, B Mishra and S Raghunathan, “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers” (2004) 9(1) International Journal of Electronic Commerce 70.
96 ibid; A Hovav and J D’Arcy, “The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms” (2003) 6(2) Risk Management and Insurance Review 97.
97 A Garg, J Curtis and H Halper, “Quantifying the Financial Impact of IT Security Breaches” (2003) 11(2) Information Management & Computer Security 74.
98 K Campbell, LA Gordon, MP Loeb and L Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market” (2003) 11(3) Journal of Computer Security 431.
99 KM Gatzlaff and KA McCullough, “The Effect of Data Breaches on Shareholder Wealth” (2010) 13(1) Risk Management and Insurance Review 61.
100 WEF, “Understanding Systemic Cyber Risk” (World Economic Forum: Global Agenda Council on Risk and Resilience, 2016) <https://www.weforum.org/whitepapers/understanding-systemic-cyber-risk> (last accessed 3 January 2022).
101 B Al-Ruwaii and G De Moura, “Why the Time Has Come to Embrace the Zero-Trust Model of Cybersecurity” (World Economic Forum, 2021) <https://www.weforum.org/agenda/2021/10/why-the-time-has-come-for-the-zero-trust-model-of-cybersecurity/> (last accessed 3 January 2022).
102 ibid.
103 R Jamilov, H Rey and A Tahoun, “The Anatomy of Cyber Risk” (2021) National Bureau of Economic Research WP No. 28906.
104 I Greenberg, “Fifth-Generation Cyberattacks Are Here. How Can the IT Industry Adapt?” (World Economic Forum, 2021) <https://www.weforum.org/agenda/2021/02/fifth-generation-cyberattacks/> (last accessed 3 January 2022).
105 HS Lallie, LA Shepherd, JRC Nurse, A Erola, G Epiphaniou, C Maple and X Bellekens, “Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks During the Pandemic” (2021) 105 Computers & Security 102248.
106 For an extended version of the collected insights, see E Kiesow Cortez and M Dekker, “Cybersecurity in Finance” (2022) HCL Whitepaper, forthcoming.
107 ENISA Threat Landscape Report 2020 <https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends> (last accessed 3 January 2022).
108 Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), ECLI:EU:C:2020:559 (2020).
109 Jamilov et al, supra, note 103.