
Cyber Risk Disclosures and the Influence of Agency Problems in Dutch Annual Reports


Academic year: 2021


Arjan Wester, S32736791
Schierstins 109, Amsterdam
Tel: +31 (0)6-18775873
E-mail: a.t.wester@student.rug.nl
Supervisor: prof. dr. D.M. Swagerman
Second grader: dr. J.S. Gusc

Cyber Risk Disclosures and the Influence of Agency Problems in Dutch Annual Reports

Master’s thesis for a combined program of Accountancy and Controlling
University of Groningen, Faculty of Economics and Business

ARJAN WESTER
June 25th, 2018

ABSTRACT

Developments in the type of risks companies face and the limited amount of research into these developments have made it extremely interesting for us to find insights into the underlying incentives for disclosing information on cyber risks. Based on the principles of agency theory, we conducted empirical research on the quantity of cyber risk reporting and the association with several determinants. We performed regression analysis on the number of disclosures in the annual reports of 2016 and 2017 of 50 Dutch listed companies. We found that size, managerial ownership and leverage were significantly related to the quantity of cyber disclosures. With additional analysis we also found that base CEO salary and short-term incentives showed significant relations, which strengthens our problem statement. These results are subject to limitations since (i) not all our hypotheses are accepted and (ii) our variables are not necessarily the only indicators for agency problems. This study adds to current literature by providing evidence on determinants of cyber reporting specifically and provides insight into the effect of agency theory on cyber disclosures. We discussed some practical implications for the profession of auditors and business controllers. Lastly, this study offers suggestions for future research.

Key words: cyber, risk reporting, disclosures, agency conflicts, incentives, determinants, Dutch listed companies, annual reports

Word count: 12.531

Acknowledgement: I would like to thank my supervisor prof. dr. D. Swagerman for his support, contribution and feedback during the group sessions and review moments. Swagerman supervised this thesis for both the controlling program as well as for the accountancy program.


TABLE OF CONTENTS

I INTRODUCTION

II LITERATURE REVIEW

Risk management reporting

Cyber risk reporting

III THEORETICAL FRAMEWORK AND HYPOTHESIS DEVELOPMENT

Agency theory

Hypothesis development

IV METHODOLOGY

Approach

Sample

Dependent variable

Independent variables

V EMPIRICAL RESULTS

Descriptive statistics

Analyses and results

Additional analysis

VI CONCLUSIONS AND DISCUSSION

Findings

Theoretical and practical implications

Limitations and future research

Discussion

REFERENCES

APPENDICES

Appendix A: Research population

Appendix B: Histogram

Appendix C: Normal P-P Plot of Regression


I INTRODUCTION

The role of information technology (IT) in business has changed enormously over the past decades. Where IT was only seen as a supportive tool in the beginning years, it nowadays fulfils a value creating, critical business role (Ruan, 2017). This new role has made companies more vulnerable and has come with extensive and impactful new risks which could harm core processes (Gordon, Loeb & Sohail, 2003) or could even lead a firm into bankruptcy (Eddolls, 2016). Fast developments in technology make it quite a task for managers, controllers and IT-specialists to protect companies from such disasters. An important job is that of the business controller because these IT-related risks should be handled as any other risk in the risk management process (Eddolls, 2016), which obviously demands additional knowledge. This is quite challenging due to the multiple interconnected systems companies possess, which require a high level of security (Breu, Burger, Hafner & Popp, 2004). One strand of IT-risks that could harm an organisation is cyberattacks. The risk and size of these attacks will increase in the future, forcing companies to continuously improve their security (Cashell, Jackson, Jickling & Webel, 2004). The National Coordinator for Counterterrorism called cyberattacks a serious issue and stated that companies and government agencies are vulnerable (FD, 2018).

The annual cybercrime report concludes that the total damage from cybercrime will near 6 trillion dollars in 2021 and that expenditures on cyber security will rise 12 to 15 percent annually (Morgan, 2017). A data breach costs a company 0.5 to 1 percent of its annual sales, which applies to both internet-dependent and internet-independent companies (Garg, Curtis & Halper, 2003). However, the biggest losses derive from drops in market value after a security breach announcement has taken place (Cavusoglu, Mishra & Raghunathan, 2004). Moreover, Garg et al. (2003) found significant results in share price drops on the first and the first three days after an announcement, showing direct and delayed market reactions. This is in line with research from Healy and Palepu (2001), who state that disclosures are important and informative to investors and that these disclosures are related to stock price performance. However, this is in contrast with the assumption that providing information reduces information asymmetry, which should actually lead to an increase in firm value (Bravo, 2017).

This information asymmetry that stockholders and stakeholders face is explained by agency theory, introduced by Jensen and Meckling (1976). Agency theory explains the difficulties owners experience when they hand over their decision-making rights to managers. Stock owners therefore demand knowledge concerning the actions of the agent and want to monitor this manager in the best possible way by gathering information and reducing their information gap. These owners want to know if the company is in control and whether the risks and results are in line with their view of the company.

Elshandidy and Neri (2015, p.8) state: ‘accurate risk information, as an external control mechanism
that reduces agency costs, is fundamental for shareholders, analysts and investors, enabling them to assess a company’s risk profile, estimate its market value and make accurate investment decisions’. Companies have several channels to inform their investors on the risks and the financial situation of the company, an important one is the annual report. To provide assurance to the owners (and other stakeholders) on the reliability of this annual report, an important role is reserved for the accountant whose knowledge on IT related aspects is challenged by the ongoing changes in risks and audit techniques.

Nevertheless, information concerning cyber incidents is scarce and the size and impact of incidents are not transparent for stakeholders and academics. This is remarkable because organizations are facing cyber incidents every day in different, yet growing, sizes (Kuypers, Maillart & Paté-Cornell, 2016). Since these cyber risks are a growing concern and reporting on these risks is important for investors and stakeholders, it would be highly interesting to investigate whether companies are actually responding to this demand, especially because companies nowadays do not provide the information investors want (Abraham & Shrives, 2014; Beretta & Bozzolan, 2004; Linsley & Shrives, 2006; Solomon, Solomon, Norton & Joseph, 2000) and the quantity they do disclose depends on the disclosure incentives they experience (Dobler, 2008). We therefore expect that when the separation between ownership and control increases (thus consequently more incentives), companies will be more inclined or even be forced to disclose a higher quantity of risk information. We would like to know how companies inform their investors on cyber risks and if agency problems cause differences in the quantity of these disclosures. Therefore, the problem statement of this study is:

The quantity of cyber risk disclosures depends on the size of agency problems present in an organization

This research contributes to the literature in several ways. First of all, there has been little to no research into cyber risk reporting. The field of risk management has been widely researched and studies of general risk disclosures have been performed extensively. Also, cyber is gaining more and more attention among scientists; however, this attention is focussed on the technical aspect and the impact that it causes, and does not make the relation with reporting on these risks. This research can therefore contribute to the literature by providing insights into the determinants of cyber risk reporting, on which there is still hardly any research today. Secondly, this study answers the call of Linsley and Shrives (2006) to research specific risk disclosure aspects to further understand the motivations behind risk disclosure and the call of Liebenberg and Hoyt (2003) by comparing risk management disclosures among different ownership structures.


In the remainder of this research we will discuss the current literature followed by the theoretical framework and hypothesis development. Subsequently, we will discuss the methodology we used and the results derived from this study. Then, we will make conclusions, state the limitations of this research, provide suggestions for further research and will discuss our findings.

II LITERATURE REVIEW

This study has the focus on cyber risk reporting, but before we delve into cyber risks, we will first start with general risk management and risk disclosures. In the second part of this literature review we will focus on cyber risk management and cyber reporting specifically. We will conclude with the current state of literature on (cyber) risk reporting and mention the shortcomings that we noticed.

Risk management reporting

In the mid-1990s, there was an increasing interest in Enterprise risk management (ERM) amongst researchers and practitioners (Arena, Arnaboldi & Azzone, 2010). ERM practices came with multiple benefits on both micro and macro levels and created shareholder wealth (Nocco & Stulz, 2006). There have been several studies into the stage of implementation of ERM and several determinants over the years (e.g. Beasley, Clune & Hermanson, 2005; Paape & Speklé, 2012; Pagach & Warr, 2007). For example, there are positive relations between ERM and CRO presence, board independence, CFO and CEO support, audit quality, regulatory environment, size, certain industries, leverage, and stock performance. Moreover, there has been research into the impact of culture on risk management and results show that organizational culture influences the form and design of risk management (Kimbrough & Componation, 2009; Mikes, 2009). When it comes down to the current state of risk management, surprisingly companies do not do so well and show shortcomings² (Paape et al., 2009; Paape et al., 2014). Paape et al. argued that after the financial crisis companies still underperformed in terms of risk management and that the progression over the years is barely visible. Based on institutional theory, they also argue that risk management can be used as a proper instrument to become compliant with regulations, and can create legitimacy for the supervisors to show that the company is in control.

A more important question for this study would be: why and how are companies reporting on their risk management? It is important to know what the motivations and incentives for companies are to report on the risks they face. Several studies have set up some sort of a risk disclosure index to measure the quantity and quality of risk disclosures and linked this to several firm characteristics (e.g.
Beattie, McInnes & Fearnley, 2004; Beretta & Bozzolan, 2004; Bushee & Noe, 2000; Elzahar & Hussainey, 2012; Eng & Mak, 2003; Linsley & Shrives, 2006; Lopes & Rodrigues, 2007). Next to these firm specific characteristics, quantity of risk reporting depends on country specific characteristics such as the legal system, cultural values and systematic risks (Elshandidy, Fraser & Hussainey, 2015). Further, Dobler (2008), who addressed incentives for (voluntary) risk reporting, found that risk reporting is restricted when information endowment is uncertain and if issues concerning the credibility of information are present.

Linsley and Shrives (2000) argue that there are four theories that explain why firms disclose information. Firstly, they mention agency theory, which we will further elaborate on in our theoretical framework since this theory forms the base of our research. The second theory they mention is signalling theory. Elzahar and Hussainey (2012) used a combination of agency theory and signalling theory to investigate the quantity of corporate risk disclosures. According to them, signalling theory explains that there is a higher disclosure level because managers want to send a signal to (potential) investors about the state of the organisation. They used a combination of these theories because together the theories provide a better prediction of accounting choices. Thirdly, Linsley and Shrives mention the political cost theory. They make the connection between this theory and voluntary disclosure based on the idea that companies want to reduce negative media attention by disclosing information to manipulate their image. Lastly, there is legitimacy theory, which is about the social contract that companies have with society. Companies should behave according to the norms and values that society imposes on them. To show that they do so, companies have to report on this, creating their legitimacy.

Reporting on these risks could come with several benefits for the company. For example, reporting on risks and risk management increases market liquidity, reduces cost of capital, decreases agency costs, provides useful information, improves accountability, encourages better ERM and provides a perceived view of a more effective risk management system for investors (Elshandidy & Neri, 2015; Linsley & Shrives, 2000; Paape & Speklé, 2012). However, companies nowadays tend to disclose risk information that is too general and/or of little to no use for investors. The disclosures are relatively general and hardly change over time, which results in irrelevant or outdated risks being reported (Abraham & Shrives, 2014). Risk disclosures mostly consist of general risk policies (Linsley & Shrives, 2006), which are not the type of disclosures investors want (Solomon et al., 2000). Investors also desire forward-looking (Linsley & Shrives, 2000), quantified (Beretta & Bozzolan, 2004) and non-dispersed displayed risk information (Linsley & Shrives, 2006). Beretta and Bozzolan argue that good quality disclosure is about the quantity and richness of the disclosures. The richness of risk disclosures is determined by type of content, the type of measurement used for the economic impact and the disclosure approach of management. Abraham and Shrives (2014) discuss risk disclosure themes that are demanded by investors from two theoretical lenses: proprietary costs theory and
institutional theory. Based on proprietary costs theory, companies should (i) disclose regularly updated firm specific information and (ii) evaluate disclosures in the annual reports on a regular basis. According to institutional theory, companies should discuss the actual experienced risks in their disclosures.

Cyber risk reporting

When focussing on cyber risk management specifically, a lot less research has been conducted. This is remarkable because information technology and the corresponding risks have made companies more vulnerable and have been brought to the forefront of directors’ agendas (Gordon et al., 2003). This is supported by the fact that 88% of senior executives rank IT security as a high priority issue (Damianides, 2005). Eddolls (2016) argues that IT should even be the number one priority of companies and that it should be handled the same way as any other risk in the process of risk management, making it an important task for the business controller to focus on. Companies should set up a cybersecurity strategy as an integral part of their business strategy and align these two strategies to make security strategy company-specific and a top priority (Sabherwal, Hirschheim & Goles, 2001).

Cashell et al. (2004) summarized studies of past and future security breaches and questioned whether or not we spend enough time and money on cyber security. They distinguished two types of attacks: distributed denial-of-service (DDoS) attacks and security breaches, of which the latter is the most serious and dangerous. DDoS attacks cause the loss of access to systems with no loss of actual information, whereas a security breach does involve loss of information. To prevent such disasters, the first solution is not creating firewalls, but setting roles and responsibilities of senior management in order to create the right culture and organisational structure (Dutta & McCrohan, 2002). This underpins the view of Bulgurcu, Cavusoglu and Benbasat (2010), who state that employees could be the weakest part in cyber prevention, but could also be the biggest asset to prevent cyber incidents, depending on organizational behaviour. Barafort, Mesquida and Mas (2017) discuss how more general management system standards (i.e. ISO standards) provide guidance to set up a well-functioning IT system and help to reduce risks. Information systems and information technology currently play an important role in obtaining reliable accounting and control information; their relationship is mutual and interdependent. To make sure this information is reliable, a well-developed information system should be put into place (Ferreira & Otley, 2009).

Based on the fact that every organisation faces cyberattacks (Kuypers et al., 2016) and companies have noticed the importance of these attacks, one would expect that the information provision for IT incidents would be of great importance and would lead to a high level of information provision. Besides, when firms are announcing a virus attack, they do not experience a lower market
value according to Hovav and D’Arcy (2004). This is in contrast with Cavusoglu et al. (2004), who found that when the announcement of a security breach takes place, the market value drops by 2.1 percent within two days with an average drop of 1,65 billion dollars in market capitalization. This means that reporting on IT breaches does have a direct negative impact on the market value of a company, which will result in companies becoming reluctant to disclose information on IT incidents. Besides, firms have little incentive to disclose IT breaches (Laube & Böhme, 2016). Information on breaches and information security is being disclosed minimally because firms are strongly discouraged from doing so, do not have the ability to quantify and value these incidents (Cashell et al., 2004) and there is a lack of historical data (Hovav & D’Arcy, 2004). Cashell et al. (2004) sum up six incentives for companies not to report on information security. First and most importantly, there is the (direct) impact on the financial market. Secondly, a company may face reputation damage and lose investor confidence due to negative publicity and a negative brand name. Thirdly, stakeholders may sue the organisation after a cyber incident has taken place, which could result in extensive fines. Fourthly, executives might face personal sanctions under certain federal laws. Fifthly, the announcement of a weakness in the cyber security system could inspire other hackers to attack the organisation. Lastly, employees from the IT department may fear losing their job and therefore may not inform higher management.

To assure that the information provision on cyber risks in the annual report is fully disclosed and reliable, auditors play an important role. According to Elshandidy and Neri (2015) a ‘reputable’ auditor creates higher investor confidence in the firm and in their reports. When an auditor is of higher quality, the stage of risk management is higher (Beasley et al., 2005) and the amount of risk disclosures increases (Lopes & Rodrigues, 2007). In the current environment it is almost impossible for auditors to perform their job without using IT (Pedrosa, Costa & Laureano, 2015). Besides, according to the International Standards on Auditing 2009, auditors are obliged to know about the IT environment and have to perform procedures concerning IT risks (ISA 315)³. In addition, Al-Duwaila and Abdullah (2017) conducted research into the opinion of auditors towards their knowledge of IT and the importance of IT in their work and found that auditors view their own knowledge as less than it should be to perform their work adequately. They studied the opinion of auditors on 31 audit technologies and these auditors believed they lacked knowledge in 18 technologies. Also, Abou-El-Sood, Kotb and Allam (2015) found that auditors highly perceive the importance of IT technologies and procedures in their work, especially in performing risk assessments.

³ International Standard on Auditing 315: Identifying and assessing the risks of material misstatement through understanding the entity and its environment

In conclusion it can be observed that the current state of literature predominantly focusses on the traditional risks and barely takes the new risks into account, whilst these new risks are far more important and relevant to companies in the current fast changing environment. This fundamental
difference between these types of risks (new versus traditional) causes a dichotomy between research and practice which should be bridged. This gap between research and practice in management accounting is studied by Tucker and Lowe (2014) who found that research is currently of limited use for practitioners. Furthermore, most researches concerning risk reporting have been outdated since those studies have been carried out more than a decade ago and have therefore lost their relevance for practitioners as well as for academics. Besides, those studies were about general risk management and do not take one specific type of risk into account; thus providing only general and obvious insights. We therefore seriously question why these ‘new’ cyber risks that companies face do not lead to more research and scientific publications. This research tries to shed light on the disclosures concerning this new and important risk and therefore partly bridges the gap of limited cyber information research. Moreover, this research adds value to the current literature by providing insights on the reporting incentives from an agency perspective.

III THEORETICAL FRAMEWORK AND HYPOTHESIS DEVELOPMENT

The focus of this study is on the quantity of disclosed cyber risk information and further builds on the principles of agency theory. After explaining the underlying theory, we will illustrate the conceptual framework and we develop, support and justify the hypotheses of this study.

Agency theory

As seen in the literature review, cyber risks are becoming more and more important. However, these risks are not always transparent to external parties; this causes an information gap. This information gap plays an important role in agency theory, since stockholders are not sure if the agent is acting in the best interest of the principal and if their information provision is complete and reliable (Hill & Jones, 1992). Agency theory concerns the information asymmetry between agents (managers) and principals (stockholders). An agency relation exists when there is an agent who has the decision making rights and performs a service for the principal, who delegates this service. In order to exercise control over the agent, the principal should set up the right incentives and monitor the actions of the agent. The total cost of these control mechanisms, together with the residual loss, amounts to the costs derived from the agency problem (Jensen & Meckling, 1976). Companies can reduce these costs by setting corporate governance mechanisms and disclosing extra information voluntarily (Elshandidy & Neri, 2015).

An expansion on agency theory is stakeholder theory, which takes more external parties into account than only shareholders. Stakeholders, rather than stockholders, also provide
certain contributions to the firm and thus expect something in return. Since these stakeholders bring in specific resources (e.g. finance, human capital, input, revenues, infrastructure, etc.) and experience a lack of control over the organisation, they also demand information provision (Hill & Jones, 1992). For that reason, stakeholder theory is often used in combination with risk reporting, mainly because of the interrelatedness between the stakeholders and the organization (Amran, Manaf Rosli Bin & Che Haat Mohd Hassan, 2008). This is further supported by the fact that when a company grows bigger, more stakeholders are involved, which induces more risk reporting.

Since risks, actions and intentions are not always clear to the shareholders (principals), managers (agents) should provide information on this, predominantly because there is a strong demand from these shareholders (Healy & Palepu, 2001). Information asymmetry can be reduced by publicly free information or by information gathered from analysts (Hill & Jones, 1992). Disclosure can cause a reduction in information asymmetry in two ways. First, investors will experience less uncertainty concerning their investments, and second, when private information is hard to obtain for investors, the chances of trading with a more informed investor become smaller (Elshandidy & Neri, 2015).

Reporting on risks is one aspect of disclosure and can therefore partly reduce information asymmetry, thus leading to an increase in firm value (Bravo, 2017). This makes sense because managers are more inclined to disclose positive news rather than negative news (Linsley & Shrives, 2006). Due to regulatory rules, information on risk management can be mandatorily or voluntarily disclosed in annual reports or other publicly available reports or statements. The presence of agency problems in combination with risk reporting is supported by Deumes and Knechel (2008), who found evidence that firms with more outside ownership, thus a bigger agency problem, disclose more information on risk management than firms with more internal ownership.

There are two ways to reduce agency problems, namely with monitoring and control activities or by aligning interests. The first way to reduce these problems and create firm value is to let an independent party monitor the executive board, internal control systems and financial figures (Jensen & Meckling, 1976). Due to these monitoring roles, investors will view the financial statements from the board as credible (Healy & Palepu, 2001)⁴. This demand for independent monitoring has created the legitimacy for external and internal parties such as the external auditor, audit committee and supervisory board. A second way to reduce agency problems is to align the interests of managers and owners. This interest alignment can be created by providing the right set of incentives for managers (Jensen & Meckling, 1976). For example, an executive compensation system with (cash) bonuses, option or stock payments could create performance incentives. However, there are still some critical notes on the relationship between incentives and performance. For example, Cooper, Gulen and Rau (2016) found that excessive incentive payments do not lead to higher firm performance. This is in line with Shi, Connelly and Hoskisson (2017) who state that, from an agency perspective, external
corporate governance destroys the intrinsic motivation of managers, which causes the opposite effect of what is intended. They found that managers are more inclined to conduct financial misbehaviour (i.e. financial fraud) when these mechanisms are in place.

In short, it can be deduced that even after more than forty years of research in agency theory, there are still questions left open for further research. It is still rather unclear why agency problems still exist, how these problems can be mitigated and what exact effects these agency problems cause for the organization, its stockholders, stakeholders and the information provision. This information provision should be higher when agency problems are present due to the information gap. We therefore want to know whether these agency problems specifically impact the quantity of cyber risk reporting, especially since not only investors are interested in the cyber risks companies face but also stakeholders, because often it is their personal data that is at stake.

Hypothesis development

The anomalies in prior literature and our theoretical framework concerning risk reporting and agency theory mentioned in the conclusions of these sections, were reason for us to test the relation between the two. The first showing predominantly research in traditional risks and the latter showing unresolved issues about its effects. To study this relation between agency problems on the quantity of disclosures, we hypothesized six relations which could induce or reduce agency problems. We tested whether there was an association between the number of disclosures and size, managerial ownership, outside block ownership, financial leverage, board independence and audit committee. Figure 1 shows an overview of the hypothesised relations together with the expected effects on the number of cyber risk disclosures. It shows a schematic representation of the relationships which will be tested in this research.

We have chosen these hypotheses specifically because these are (i) agency related, (ii) are proven to have an impact on general risk management or the amount of risk disclosures and (iii) have not been researched in combination with cyber risk reporting (as of yet). In case the relation between agency theory and general risk reporting determinants is confirmed in prior research, we want to test whether or not this relation also counts for cyber risk disclosure specifically and thus measure the impact of agency problems on cyber risks specifically.

Based on the agency theory of Jensen and Meckling (1976), it can be seen that agency problems arise when the distance between agents and principals increases and can be reduced through independent monitoring roles. This distance between agents and principals increases when a firm is of larger size (H1), when ownership is more dispersed (H3) and is in the hands of outside equity holders (H2) or debt holders (H4). The independent monitoring roles in an organization can reduce information asymmetry and thus agency problems. In this study we investigated the role of the
supervisory board (H5) and the number of members on the audit committee (H6). Additionally, Elshandidy and Neri (2015) found evidence of this relation between corporate governance mechanisms and the amount of disclosures to mitigate agency problems. Further justification of hypotheses, their relationship with risk reporting and literature background is provided separately per hypothesis in the upcoming sections.

Figure 1: Conceptual model

Firm size

First of all, research concludes that when firms grow bigger in size, agency conflicts rise, and agency costs increase (Hamidah, Wicaksono & Ahmad, 2017). When focussing on risk management, (ERM) implementation is at a further stage at larger companies (Beasley et al., 2005; Liebenberg & Hoyt, 2003). This makes sense because larger companies face greater and more diverse risks and have more resources to deploy ERM. Moreover, when larger firms announce ERM activities, they experience greater benefit⁵ (Beasley, Pagach & Warr, 2008). When it comes down to risk disclosures, the relation with size is also confirmed (Beattie et al., 2004). Linsley and Shrives (2006) found evidence for the relation between size and the total number of disclosures, number of financial risk disclosures and number of non-financial risk disclosures. However, Beretta and Bozzolan (2004) did not find a significant relation between size and disclosure. Nevertheless, from a stakeholder theory perspective, the relation between disclosure and size has been confirmed. When a company grows
bigger, more stakeholders are involved, which induces more risk reporting (Amran et al., 2008). For these reasons, we expect that when a firm is of bigger size, they will report more on cyber risk management.

H1: There will be a positive association between the size of a firm and the number of cyber risk disclosures

Ownership structure

Agency conflicts arise from different situations where opposite interests exist amid involved parties. Differences in ownership structure can create more information asymmetry due to a separation between ownership and control. This can be the case between managers and investors (type 1) or between managers and debt holders (type 2).

As explained by Jensen and Meckling (1976), the first type of agency problem exists between the manager (agent) and the stockholder (principal). In the case of managerial ownership, the manager is also one of the stockholders. In such a situation the interests of the other stockholders and the manager are better aligned. The manager, as a stockholder, does not see the need of disclosing information because he has all information available. Moreover, other stockholders also have a lower demand for information because they know that the manager acts in their best interest. Therefore, we expect managerial ownership to have a negative association with the number of disclosures. This is supported by the research of Eng and Mak (2003) and Deumes and Knechel (2008), who found a link between voluntary disclosure and managerial ownership. Consequently, our second hypothesis is:

H2: There will be a negative association between the extent of managerial ownership and the number of cyber risk disclosures

Secondly, companies with more dispersed ownership have more incentives to voluntarily disclose information on risk management than companies with block ownership, due to more information asymmetry and thus a bigger agency problem (Deumes & Knechel, 2008). This is based on the fact that investors with a bigger proportion of stocks are more often able to gather and process the information themselves (Bushee & Noe, 2000) and less monitoring is required (Eng & Mak, 2003). Shareholders with only a small proportion of stocks also have fewer incentives for monitoring, since the costs of monitoring are less than the benefits deriving from better results (Elshandidy & Neri, 2015). Moreover, studies found that short-term investors (more often non-block holders) prefer more financial disclosures (Abraham & Cox, 2007; Bushee & Noe, 2000). This is in contrast with institutional investors, who prefer to invest in companies that disclose less information on risk reporting (Abraham & Cox, 2007). For these reasons, our next hypothesis is:

H3: There will be a negative association between the extent of outside block ownership and the number of cyber risk disclosures

Next to the agency conflict between shareholders and managers, there is also a second agency problem between managers and debt holders (Jensen & Meckling, 1976). This type of agency conflict mostly exists because managers are more risk taking than debt holders would have liked. When a larger proportion of debt is present, agency problems increase and the demand for disclosure increases. Moreover, Pagach and Warr (2007) argue that firms that are more highly levered face greater financial distress and therefore have more incentives to initiate ERM programmes. Amran et al. (2009) use stakeholder theory as an explanation for an increase in risk disclosures when financial leverage is of larger proportion. When a company takes more risks by having a larger proportion of debt, it has to explain and justify this to its stakeholders. These explanations are in accordance with the findings of Deumes and Knechel (2008), who found a connection between disclosure on internal control and financial leverage. Therefore, our fourth hypothesis is:

H4: There will be a positive association between the extent of financial leverage and the number of cyber risk disclosures

Monitoring roles

For stockowners and debt owners to know that managers are acting in their best interest, they must have a strong demand to monitor their actions. These monitoring roles should be independent in order to provide an objective and reliable opinion. For this research we studied the impact of the supervisory board and the audit committee.

First of all, the supervisory board, which consists of independent non-executive directors, is able to reduce agency problems between the executive directors and the stockholders, because its members do not have similar incentives to executives. They might even have strong incentives to disclose more information because it shows their independence to outsiders and their ability to create shareholder value (Elshandidy & Neri, 2015). Earlier studies confirmed a positive relationship between the number of independent directors in the managing board and the stage of ERM implementation (Beasley et al., 2005), the number of disclosures (Abraham & Cox, 2007) and disclosure quality (Elzahar & Hussainey, 2012). Moreover, Eng and Mak (2003) and Elshandidy and Neri (2015) found a positive relation between the number of outside (non-executive) directors and the quantity of disclosures. These studies performed their research at one-tier structured boards, which is different to the Dutch two-tier structure. In this two-tier structure there is a separation between the executive (managing) board and the supervisory board. The supervisory board in this context can be seen as the independent non-executive directors that are used in one-tier studies, which leads us to our next hypothesis:

H5: There will be a positive association between the number of members in the supervisory board and the number of cyber risk disclosures

A second independent party is the audit committee, which consists of either independent non-executive directors or supervisory board members. Among other things, the audit committee deals with the monitoring role in risk management practices and internal financial control systems (Elzahar & Hussainey, 2012). The audit committee assists the board in monitoring the reporting process and aligns managers' and shareholders' interests by assessing the board’s decisions and ensuring the completeness and relevance of the disclosed information that the shareholder wants (Samaha, Khlif & Hussainey, 2015). The presence of an audit committee leads to a further developed ERM implementation stage (Paape & Speklé, 2012) and an increase in the number of risk disclosures (Samaha et al., 2015). Therefore, our final hypothesis is:

H6: There will be a positive association between the number of members in the audit committee and the number of cyber risk disclosures

With these six hypotheses we will try to shed light on the influence of agency problems on the quantity of cyber risk disclosures. In the upcoming chapter we will explain the methodology we used in this study.


IV METHODOLOGY

In this chapter we will briefly discuss the research techniques used, data collection methods, data analysis methods and justify the choices made. We will explain our regression model and elaborate on the sample we used during this research. Furthermore, we will provide proxies for the dependent, independent and control variables.

Approach

For our research, we chose to use quantitative hypothesis testing research because we wanted to test the effect of several independent variables on our dependent variable. This is commonly used in the field of risk reporting because it can provide statistical generalization (high external validity) and is a statistically very strong research method. Our sample of listed firms can, for example, be generalized to other globally listed firms, which creates insights into cyber risk reporting for the total population; this generalization is often harder to prove in other research designs. With this research technique we are able to analyse large numbers of companies, which is in contrast with, for example, case studies, where no statistical generalization is possible. With hypothesis testing we are able to obtain evidence on the independent variables (determinants) that influence the dependent variable (amount of risk disclosures) with real data. During this research, we conducted regression analysis to measure the association between the number of disclosures, six independent variables, and four control variables. This statistical method has often been used in earlier research on the relationship between disclosures and different independent variables. In this study, we made use of multiple regression analysis, and used the following regression model:

CRD = α + β₁FSIZE + β₂MO + β₃BLOCK + β₄LEV + β₅BI + β₆AC + β₇ROE + β₈AQ + β₉IND + β₁₀CIO + ε

CRD is the number of cyber risk disclosures (the dependent variable and its collection method are described further in the dependent variable section). α is the intercept and the ten β’s are the coefficients of the explanatory (independent and control) variables, which are explained further in the independent variable section. Lastly, ε is the error term. Many empirical studies in the field of risk reporting use some sort of risk model to quantify the quantity or quality of the disclosures (Bushee & Noe, 2000; Elzahar & Hussainey, 2012; Eng & Mak, 2003; Lopes & Rodrigues, 2007). This kind of model is not applicable to this research since this research only takes one aspect of risk reporting into account, namely cyber risks.

In case one or more of the hypotheses cannot be accepted, we cannot fully state that agency problems influence the number of cyber risk disclosures. In order for our research question to be accepted in the end, we have to perform supplementary research. We chose to conduct additional literature research in order to triangulate our results, because we may then still be able to accept our hypotheses and thus our main question.

Sample

For this research we used Dutch firms listed on the Amsterdam Stock Exchange, based on the annual reports of the AEX and AMX listed companies for the years 2016 and 2017; appendix A provides an overview of the companies in the sample. First of all, we chose Dutch companies because they are representative of other foreign listed companies, based on the similarities between the equity market of the Netherlands and those of the US and the United Kingdom and the fact that the Netherlands has an equally developed capital market. Moreover, the stock exchange in the Netherlands is of decent scale and contains some of the world’s largest companies (Deumes & Knechel, 2008). The choice of Dutch companies is also based on the fact that they have to report a mandatory risk section in their annual report, which will probably provide more information on cyber risks than companies without this obligation. Further, based on the Dutch Financial Supervision Act 2006, all publicly listed firms are obliged to disclose their shareholders with at least 3 percent of the total outstanding shares, which gives us the opportunity to measure our ownership hypothesis.

We chose to use these two indexes (AEX & AMX) for several reasons. Firstly, these contain the most frequently traded stocks and the majority of the biggest companies in the Netherlands, which in general provide more information in their annual reports than smaller firms do. Secondly, going public is the optimal form of ownership dispersion (Pagano & Röell, 1998) and firms with a more dispersed ownership structure have a relatively large distance between investors and managers, thus creating agency problems (Deumes & Knechel, 2008), which is interesting for this study. This is supported by Oliveira, Lima Rodrigues and Craig (2011), who state that firms with more concentrated ownership face less agency costs. Further, the ownership of Dutch listed companies is relatively more dispersed in comparison to other listed companies (De Jong, Kabir, Marra & Röell, 1999), which should mean that they generally have more incentives to disclose information. Instead of only using AEX, we also took AMX into account to create a larger sample. In order to measure and draw conclusions on the current state, we intended to use the annual reports of 2016 and 2017, which created a sample of 100 annual reports. This sample size is within the range of previous studies that performed content analysis on risk reports (Dobler, 2008).

Although the figures date from some time ago, the Dutch listed market is characterized by an ownership structure where on average the largest shareholder owns 27 percent of the shares and the three largest own 41 percent. The Dutch board structure has a two-tier structure, which means that there is a separation between the managing board and the supervisory board (De Jong et al., 1999). Furthermore, Dutch listed firms are subject to the Dutch Corporate Governance Code 2016, which provides rules and regulations on corporate governance aspects and is based on the ‘comply or explain’ principle. It also contains some guidelines about risk management and cyber security.

Dependent variable

For the dependent variable, we used the number of disclosures, which we collected through a content analysis. With content analysis, we analysed the cyber risk disclosures of companies’ annual reports in the Netherlands. We chose to use a content analysis because it is an established method in the social sciences and is often used in relation to disclosure analysis (Beattie et al., 2004). Dobler (2008) collected and summarized ten empirical studies on risk reporting between 2003 and 2007, which all used a content analysis for their research.

With this technique we were able to draw conclusions based on the classification of themes which are disclosed (cyber risk disclosures vs. non-cyber risk disclosures). The data was human-coded and performed by one single person, both increasing reliability (Beattie et al., 2004). To achieve construct validity we used a coding scheme. Even though there are concerns about the validity of using a content analysis as a proxy for quality, this does not apply to this research since it is not about the quality of the content but rather about the quantity (Linsley & Shrives, 2006; Amran et al., 2009). We used number of disclosure sentences instead of word or page count because this is the most used and appropriate way in risk reporting research (Abraham & Cox, 2007; Linsley & Shrives, 2006; Amran et al., 2009). Further, sentences are a better way of classifying cyber or non-cyber themes than single words where this distinction is a lot less clear. We searched for sections which contained specific or included information about cyber (risks), data breaches, cyber-attacks and data- and cyber security and then counted these sentences.

Independent variables

For this research we tested ten variables which induce or reduce agency problems. To test the hypotheses, we performed OLS regression analysis. With this method we were able to measure the association between the number of disclosures and the different determinants. Table I provides an overview of the independent and control variables that we used in this study which includes the directions of our expectations, the variable name, the way of measurement and the source of information.

Table I

Measurement of variables and source

| | Expectation | Variable | Measurement | Source |
|---|---|---|---|---|
| Firm size | (+) | FSIZE | Natural log of assets | Orbis |
| Managerial ownership | (-) | MO | Proportion of outstanding stocks of managers (>5%) | Annual Report |
| Outside block ownership | (-) | BLOCK | Proportion of outstanding stocks of outside block holders (>5%) | Annual Report |
| Financial leverage | (+) | LEV | Ratio of total liabilities divided by the total assets | Orbis |
| Board independence | (+) | BI | Number of supervisory board members | BoardEx |
| Audit committee | (+) | AC | Number of audit committee members | BoardEx |
| Control variables | | | | |
| Profitability | | ROE | Return on shareholders' equity | Orbis |
| Audit quality | | AQ | Total amount of audit fees | Annual report |
| IT-industry | | IND | IT-industry 1, otherwise 0 | Orbis |
| CIO presence | | CIO | CIO presence 1, otherwise 0 | BoardEx |

For the size of the firm (FSIZE) we took the total assets of the company. This is a very common proxy for firm size and is commonly used in statistical research. We used the natural log of assets instead of total assets to reduce the wide variance between values, which is a widely used technique for total assets. To test hypothesis two, names of the executive board were compared to the names in the list of major shareholders (>3%). In order to test hypothesis three we took all other block owners into account (non-managerial block-ownership). Based on the Dutch Financial Supervision Act 2006, all companies in the sample have the obligation to report their major shareholders (>3%). This information makes it possible for us to measure the proportion of stocks in hands of outside block holders and the proportion of stocks in hands of managers, similar to what Deumes and Knechel (2008) did. We chose to only take the shareholders with more than 5 percent into account because that is part of the definition of a block holder. Return on shareholders’ equity (ROE) is calculated as the profit before tax divided by the shareholders’ equity. We used the number of supervisory board members as a proxy for board independence (BI), because the members of the supervisory board are marked as independent and are non-executive. Leverage (LEV) and number of members of the audit committee (AC) do not need further explanation.

We used the abovementioned control variables because these have been tested and proved significant in previous risk reporting and risk management studies. First of all, profitability is found to have a positive relationship with the stage of implementation (Gordon, Loeb & Tseng, 2009), but negative according to research from Paape and Speklé (2012). Secondly, we use the amount of audit fees as a proxy for audit quality. As we have seen earlier, audit quality is related to the stage of risk management (Elshandidy & Neri, 2015) and the amount of risk disclosures (Lopes & Rodrigues, 2007). These studies used a big four auditor as a proxy for audit quality, which is not possible for this study because the complete sample has a big four auditor. Therefore we used the total amount of audit fees as a proxy for quality, which is consistent with the study of Srinidhi and Gul (2007), who found a positive significant relation between the two. Furthermore, we controlled for companies that were within the IT-industry, since cyber and IT are the core business of these companies, which makes it logical that they disclose more on this subject than other companies do. Lastly, the presence of a chief risk officer (CRO) is found to be positively related with the stage of ERM (Paape & Speklé, 2012). However, since this research is about cyber and IT, we used the presence of a chief information officer (CIO) as a control variable instead of the CRO. The CIO is responsible for the IT-environment and the compliance of all requirements of the IT organisation (Boyson, 2014).

We collected the data from two sources: secondary data from annual reports and tertiary data from databases. We hand-collected the number of cyber risk disclosures, ownership proportions and total audit fees because no data was available. Information on (supervisory) board members and audit committee members is derived from BoardEx. Financial information and the industry type are derived from the database Orbis.

V EMPIRICAL RESULTS

In this section, we start with the descriptive statistics which provide insights into the sample of Dutch listed firms. Subsequently, we performed correlation and regression tests and showed the results derived from these tests in order to examine our six hypotheses. Finally, we performed some additional analysis. The tests and results are generated using SPSS Statistics.

Descriptive statistics

Table II provides an overview of the descriptive statistics of the (in)dependent and control variables that we use for this study. We started with winsorizing the (in)dependent and control variables in order to neutralize the effect of outliers in the data while still maintaining a sufficient sample size. We winsorized the values which were three times the standard deviation above or under the mean. We replaced these ‘extreme’ values with the last value within the reach of three standard deviations.

The data we collected contains a hundred annual reports of fifty companies from the AEX and AMX indexes of 2016 and 2017. These companies have on average 14.212 million revenue with an average asset total of 57.497 million euros. The annual reports of these companies contain on average fourteen cyber risk disclosure sentences (CRD). We can see an increase in the number of sentences between 2016 and 2017 from thirteen sentences to fifteen sentences. There is also a large difference between companies from the AEX index and the AMX index, the first disclosing 20.6 sentences and the latter just 7.4.

TABLE II Descriptive statistics

| | N | Minimum | Maximum | Mean | Std. Deviation |
|---|---|---|---|---|---|
| CRD | 100 | 0 | 48 | 14.000 | 12.183 |
| FSIZE | 100 | 19.103 | 27.464 | 22.871 | 1.851 |
| MO | 100 | 0.00% | 58.01% | 3.84% | 10.82% |
| BLOCK | 100 | 0.00% | 90.00% | 28.74% | 21.59% |
| LEV | 100 | 0.061 | 1.029 | 0.601 | 0.209 |
| BI | 100 | 3 | 12 | 6.57 | 2.185 |
| AC | 100 | 0 | 6 | 3.44 | 1.192 |
| ROE | 100 | -29.475 | 73.040 | 13.600 | 18.934 |
| AQ | 100 | 158.000 | 30.000.000 | 6.076.203 | 7.494.631 |
| IND | 100 | 0 | 1 | 0.060 | 0.239 |
| CIO | 100 | 0 | 1 | 0.380 | 0.488 |

Thirteen of the hundred reports are disclosing a managerial ownership share (MO) of at least 5 percent, which creates a sample average of 3.84 percent of stocks in the hands of managers. The block owners (BLOCK) of these companies have an average aggregated ownership of 28.74 percent of the total stocks. The average percentage of financial leverage (LEV) is 60 percent, which means that 60 percent of their balance total consists of liabilities and 40 percent is shareholders’ equity. The companies from these two indexes have on average 6.57 supervisory board members (BI) and 3.44 audit committee members (AC). Three of the companies’ core business has to deal with IT or IT security related activities (IND). In nineteen of these fifty companies there is a chief information officer present (CIO). The average audit fee of these companies is six million, including all services. Furthermore, these companies have an average of 13.6 percent return on equity.

Analyses and results

In order to find a link between the quantity of risk disclosures and the several determinants, we conducted correlations and regression tests. With the applicable correlation test we were able to measure the association between the variables. It showed the direction of the association and whether the explanatory variables are useful, based on the degree of correlation. With regression analysis, we tested the degree of association between the variables which will allow us to accept or reject the hypotheses.

In order to get proper results derived from the multiple linear regression analysis, we need to meet certain conditions. We checked the data on linearity, multicollinearity, homoscedasticity, outliers and normality. Based on the scatter plots we can say that the independent variables are, separately and collectively, linearly related to the dependent variable. Multicollinearity is checked based on the correlation matrix (table III) and the ‘Tolerance’ and ‘VIF’ values. A rule of thumb is that no correlation values above 0.800 should be present to avoid multicollinearity problems, which we do not have. Also, all Tolerance and VIF values are within the range which is acceptable. We also have no issues concerning homoscedasticity. As mentioned earlier, we have winsorized all values outside three standard deviations of the mean to reduce the effect of extreme values. Lastly, we checked for normality based on the histogram (appendix B) and the P-P plot of regression (appendix C). We found indeed a normally distributed shape in the histogram and the points in the P-P plot are aligned along the diagonal line, which indicates a normally distributed relation.
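The winsorizing rule and the multicollinearity screen described in this chapter (pairwise correlations against the 0.800 rule of thumb, plus Tolerance/VIF) can be reproduced outside SPSS. The following Python code is an added example, not the thesis's own analysis; the columns SIZE, FEES and LEV and all their values are constructed stand-ins, not the study's data.

```python
import statistics


def winsorize_3sd(values, k=3.0):
    """Pull values beyond mean +/- k*SD back to the nearest observed value inside that band."""
    mean = statistics.mean(values)
    sd = statistics.stdev(values)  # sample SD (n - 1 denominator)
    lo, hi = mean - k * sd, mean + k * sd
    inside = [v for v in values if lo <= v <= hi]
    low_val, high_val = min(inside), max(inside)
    return [high_val if v > hi else low_val if v < lo else v for v in values]


def pearson(a, b):
    """Pearson correlation coefficient of two equally long columns."""
    ma, mb = statistics.mean(a), statistics.mean(b)
    sab = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    saa = sum((x - ma) ** 2 for x in a)
    sbb = sum((y - mb) ** 2 for y in b)
    return sab / (saa * sbb) ** 0.5


def ols(columns, y):
    """Least-squares fit of y on an intercept plus the predictor columns.

    Solves the normal equations by Gauss-Jordan elimination with partial
    pivoting and returns [intercept, b1, b2, ...].
    """
    n = len(y)
    X = [[1.0] + [col[i] for col in columns] for i in range(n)]
    p = len(X[0])
    # Augmented matrix [X'X | X'y]
    A = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(p)]
         + [sum(X[r][i] * y[r] for r in range(n))] for i in range(p)]
    for c in range(p):
        pivot = max(range(c, p), key=lambda r: abs(A[r][c]))
        if abs(A[pivot][c]) < 1e-12:
            raise ValueError("predictors are perfectly collinear")
        A[c], A[pivot] = A[pivot], A[c]
        for r in range(p):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][p] / A[i][i] for i in range(p)]


def r_squared(columns, y):
    """Share of the variance of y explained by the fitted model."""
    beta = ols(columns, y)
    fitted = [beta[0] + sum(b * col[i] for b, col in zip(beta[1:], columns))
              for i in range(len(y))]
    ybar = statistics.mean(y)
    ss_res = sum((a - f) ** 2 for a, f in zip(y, fitted))
    ss_tot = sum((a - ybar) ** 2 for a in y)
    return 1.0 - ss_res / ss_tot


def vif(columns):
    """VIF per predictor: 1 / (1 - R^2) of that predictor regressed on the others.

    Tolerance is the reciprocal, 1 / VIF.
    """
    out = []
    for j, col in enumerate(columns):
        r2 = r_squared(columns[:j] + columns[j + 1:], col)
        out.append(float("inf") if r2 >= 1.0 else 1.0 / (1.0 - r2))
    return out


def collinear_pairs(named, limit=0.8):
    """Predictor pairs whose absolute correlation exceeds the rule-of-thumb limit."""
    names = list(named)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if abs(pearson(named[a], named[b])) > limit]


# Constructed columns: FEES tracks SIZE closely, LEV is nearly unrelated to both.
SIZE = [19.0 + 0.4 * i for i in range(20)]
FEES = [s + (0.3 if i % 2 == 0 else -0.3) for i, s in enumerate(SIZE)]
LEV = [((7 * i) % 11) / 10 for i in range(20)]
SAMPLE = {"SIZE": SIZE, "FEES": FEES, "LEV": LEV}

if __name__ == "__main__":
    counts = list(range(1, 20)) + [100]  # constructed counts with one extreme value
    print("winsorized tail:", winsorize_3sd(counts)[-3:])
    print("pairs above 0.8:", collinear_pairs(SAMPLE))
    for name, value in zip(SAMPLE, vif(list(SAMPLE.values()))):
        print(f"{name}: VIF={value:.2f} tolerance={1 / value:.4f}")
```

A pair flagged by `collinear_pairs` shows up as a large VIF for both of its members, while an unrelated predictor stays close to 1.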

Table III shows that, apart from block ownership and return on equity, every variable is significantly correlated with the total amount of cyber risk disclosures. Furthermore, we can see that all the independent and control variables have the same direction (positive or negative) as we had expected in our hypotheses.

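TABLE III Correlation

| | CRD | FSIZE | MO | BLOCK | LEV | BI | AC | ROE | AQ | IND | CIO |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CRD | 1 | | | | | | | | | | |
| FSIZE | 0.616** | 1 | | | | | | | | | |
| MO | -0.255* | -0.028 | 1 | | | | | | | | |
| BLOCK | -0.135 | -0.111 | -0.150 | 1 | | | | | | | |
| LEV | 0.444** | 0.499** | 0.121 | -0.227* | 1 | | | | | | |
| BI | 0.398** | 0.486** | -0.306** | -0.203* | 0.304** | 1 | | | | | |
| AC | 0.394** | 0.471** | -0.073 | -0.287** | 0.433** | 0.426** | 1 | | | | |
| ROE | 0.067 | 0.017 | -0.008 | -0.044 | 0.276** | 0.049 | 0.116 | 1 | | | |
| AQ | 0.414** | 0.785** | 0.019 | -0.120 | 0.331** | 0.468** | 0.343** | 0.003 | 1 | | |
| IND | 0.264** | 0.093 | 0.056 | -0.123 | -0.011 | -0.028 | -0.023 | -0.032 | -0.008 | 1 | |
| CIO | 0.371** | 0.345** | -0.070 | -0.061 | 0.195 | 0.269** | 0.196 | -0.004 | 0.410** | 0.323** | 1 |

** Correlation is significant at the 0.01 level (2-tailed).
* Correlation is significant at the 0.05 level (2-tailed).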

Regression analysis

Table IV provides an overview of the results derived from the regression test performed in SPSS. As we can see, H1 (FSIZE) is found to be positive and significant on the 1% level (0.000) and can therefore be accepted. This result is actually not very shocking since larger companies are disclosing more information on basically every aspect and therefore also on cyber risks. The second hypothesis, managerial ownership (MO), is negative and significant (0.001) as expected and can thus also be accepted. Despite the fact that there were not so many firms in the sample with managerial ownership, there is a significant result which is in line with Eng and Mak (2003) and Deumes and Knechel (2008). This result indicates that when a manager is also a block owner with more than 5% of the shares, the firm discloses less. This could be due to the fact that the manager already has all the information and does not feel the need to disclose it or that there is less demand from other investors since they know interests are aligned.

TABLE IV Regression results

| Model 1 | Coefficient | Std. Error | t** | Sig. | |
|---|---|---|---|---|---|
| (Constant) | -70.823 | 17.878 | -3.961 | 0.000 | *** |
| FSIZE | 3.353 | 0.899 | 3.732 | 0.000 | *** |
| MO | -0.339 | 0.102 | -3.326 | 0.001 | *** |
| BLOCK | -0.021 | 0.044 | -0.482 | 0.631 | *** |
| LEV | 12.203 | 5.420 | 2.252 | 0.027 | *** |
| BI | 0.042 | 0.522 | 0.080 | 0.936 | *** |
| AC | 0.553 | 0.911 | 0.607 | 0.545 | *** |
| ROE | -0.001 | 0.013 | -0.041 | 0.967 | *** |
| AQ | -0.000 | 0.000 | -0.939 | 0.350 | *** |
| IND | 9.976 | 4.082 | 2.444 | 0.016 | *** |
| CIO | 2.652 | 2.135 | 1.242 | 0.218 | *** |

N = 100; R2 = 0.546; Adjusted R2 = 0.495; F-statistic = 10.722

***, ** and * indicate statistical significance at the 1%, 5% and 10% levels (two-tailed).

H3 is negative as expected but does not show significant results and should thus be rejected. We expected that block owners of the firms would have the ability to gather information themselves and therefore have less agency problems meaning that less disclosure is needed. Hypothesis four, leverage, on the other hand can be accepted because it shows positive and significant results (0.027). This result strongly indicates that firms who have a bigger proportion of debt are reporting more on cyber risks. This could be explained by the second type of agency problems (between debtholders and managers), since these debtholders demand more information. H5 and H6 are both positive but unfortunately not significant and should thus be rejected. This means that the monitoring parties of the management board do not contribute to a higher level of cyber reporting quantity.

Where we expected positive results on the control variables, this is not the case for all variables. Only the IT-industry shows a significant and positive effect at the 5% level (0.016), a rather logical result since their expertise and core business lies in IT and cyber. CIO presence shows a positive non-significant result, which we expected based on their expertise and the fact that these companies apparently rate information technology as more important than other companies. ROE is just slightly negative with a very low significance value and has thus no effect at all on the quantity of cyber risks. A more striking result is that the amount of audit fees is strongly and negatively related to disclosure quantity. We expected that a higher amount of audit fees would be an indicator of audit quality and thus a higher level of disclosure. This surprising outcome can be explained by the fact that different studies show a negative effect between audit fees and audit quality (Hoitash, Markelevich & Barragato, 2007). We can therefore not say anything about the relation between audit quality and quantity of cyber risk disclosures, based on the fact that we do not have a better proxy for audit quality (only big four auditors in our sample).

Our results show an R2 of 0.546 and an adjusted R2 of 0.495, which means that the explanatory power of our variables is relatively high. The independent and control variables therefore predict our dependent variable to a high degree, which makes these outcomes valuable.

Additional analysis

Next to the hypotheses which we have tested in the earlier section, we also conduct additional analysis. As we have seen, not all our hypotheses concerning the relation of agency theory and cyber risk disclosures were accepted. We therefore conduct an additional regression test to get more evidence on our problem statement which could enable us to accept this problem statement after all.

In our theoretical framework we saw that agency problems increase when the distance between agents and principals grows, and are reduced by monitoring and control activities and by aligning interests (creating the right set of incentives). We have not made hypotheses concerning the latter (incentive-based alignment of managers) yet because results of previous studies show mixed results (Lajili, 2009) and therefore grounded expectations were hard to make. Lajili (2009) also did not find significant relations between short-term incentives or base salaries in combination with risk disclosures and stated that more research is needed. We expect, based on agency theory, that when incentives are aligned there is less demand from investors to report and therefore managers disclose less. We measured this incentive-based alignment with the (cash) bonuses or other short-term incentives paid to the CEO, which we derived from the annual reports. This expectation is in line with the outcome of our second hypothesis, namely that managerial ownership (alignment of interest) leads to less disclosure. Furthermore, we think that the base salary of the CEO has the opposite effect because it does not align interests and thus investors demand more information when salaries are higher. CEOs of these companies in 2016 and 2017 earned an average base salary of 791,000 euros and received an average short-term incentive payment (e.g. bonus) of 807,000 euros.

The additional regression test that we conducted was in line with the foregoing regression. We added the two variables (BASE and INCENTIVES) into our model and kept the other independent and control variables the same. We winsorized the variables at three standard deviations and made sure we met all conditions needed for a regression analysis. Appendix D shows the results of the regression test and, as we can see, both results are significant and the results from our initial test remain approximately the same. The fixed base salary of a CEO (0.031) is positively related to the amount of cyber risk disclosures, and bonuses and short-term incentives (0.000) are negatively related to this amount. These results strengthen our expectation that agency problems do affect the quantity of disclosure. Moreover, by adding two extra variables in our model, we created an even higher R2. In our findings section, we elaborate on these results and discuss what this means for our problem statement.

VI CONCLUSIONS AND DISCUSSION

In this last substantive chapter, we will present our findings and discuss how these findings are related to our research question. Subsequently, we will mention the theoretical implications, the practical implications from an accountancy and controlling perspective, discuss the limitations, and give implications for further research. We end with an overall discussion on the impact of the new risks of technology and the role that auditors and controllers play in this perspective.

Findings

The research we conducted is about the quantity of cyber risk disclosures and its relationship with the incentives managers have, building further on agency principles. Three of our six hypotheses were accepted, but we cannot yet fully state that our prediction concerning agency theory is true. Based on the results we noticed that the structure of a company (i.e. firm size, managerial ownership and leverage) impacts the quantity of cyber risk disclosures. Managerial ownership is found to be negative and significant, as it indicates the effect of the original agency problem (type 1: between managers and investors), which reduces when managers have ownership shares. In addition, the second agency problem (type 2: between debt holders and managers) also holds. This indicates that more outside ownership
