Cyber Risk Transparency Practices: An Analysis of CAC 40 Companies’ Annual Reports

An analysis of the annual reports of CAC 40 companies

Keywords:

Cyber risks, cybersecurity, transparency, scoring grid, annual report

Abstract

Cyber risk disclosure is an essential transparency lever for publicly traded companies, particularly since the European Securities and Markets Authority (ESMA) tightened its requirements. This study analyzes the compliance of CAC 40 companies' annual reports with these new standards between 2019 and 2022 by developing a specific evaluation grid. Our results highlight recent progress, but also persistent heterogeneity in cyber risk disclosure, as CAC 40 companies do not always follow these transparency standards. Few studies have proposed criteria for assessing cyber risk disclosure, especially in a European context. By opening up this issue to the field of information systems management, our research highlights the key role of regulation in reducing information asymmetry, raising stakeholder awareness and building investor confidence. It thus provides a useful analytical tool for researchers and cybersecurity professionals to help companies move towards greater transparency and better governance of information systems.

Author Biographies

Laura Georg-Schaffner, EM Strasbourg Business School

Laura Georg Schaffner is an associate professor of information systems at the École de Management Strasbourg and a member of the HuManiS research laboratory of the University of Strasbourg. Her current research focuses on security governance and the development of metrics. She obtained her doctorate from the University of Geneva with summa cum laude and worked for 8 years as a management consultant. From 2015 to 2017, she headed the Norwegian Information Security Laboratory, one of the largest European security research laboratories. Since 2014, she has served as an expert for the European Commission's Horizon 2020 and Horizon Europe funding programmes in the field of information systems security (SSI). Since 2024, she has held the position of Group Head of Security Strategy and Awareness at AXA.

Elodie Behnam, EM Strasbourg Business School

Élodie Behnam holds a doctorate in financial accounting and a master's degree in organizational communication. She has worked in organizational communication in the banking sector. She is currently an associate professor at the École de Management Strasbourg. Her research areas are financial accounting and corporate reporting, with a specialization in financial disclosure strategies. Her articles focus mainly on the readability of financial information and the obfuscation hypothesis.

Jessie Pallud, EM Strasbourg Business School

Jessie Pallud is a full professor of management information systems at the École de Management de Strasbourg. Her research focuses on the adoption of information technologies in order to examine the new work practices associated with these technologies. She also studies more critical aspects of technology use, on topics such as the digitalization of the individual and the dark side of technologies. She has published in the following academic journals: European Journal of Information Systems, Journal of Management Information Systems, Information Systems Journal and Information and Management, as well as in the proceedings of major international conferences such as ICIS, AMCIS and ECIS.

Published

2026-02-13

How to Cite

Georg-Schaffner, L., Behnam, E., & Pallud, J. (2026). Cyber Risk Transparency Practices: An Analysis of CAC 40 Companies’ Annual Reports: Une analyse des rapports annuels des entreprises du CAC 40. Systèmes d’Information Et Management (French Journal of Management Information Systems), 30(2). Retrieved from https://revuesim.org/index.php/sim/article/view/1344

Section

Empirical Research Article