Dr. Heba Besheir Eltokhy Abd Elfattah :: Publications:

Research Problem The development of information and communications technology has led to a significant development in the field of information, which has been accom-panied by the emergence of large and diverse cyber threats that threaten in-formation security and the integrity of the information it contains. This is because this technological development has not been accompanied by a simi-lar development in regulatory procedures and controls, nor has it been ac-companied by a similar development in the awareness and experience of employees and users of electronic information systems. Cybersecurity risks have also increased due to the spread of the Coronavirus (COVID-19) and the sudden shift of all businesses to remote working in a digital environment, for which some companies were not adequately prepared. Today's global business environment has forced companies to have a secure digital infra-structure to conduct their business transactions. This interconnected global digital infrastructure is called cyberspace, which includes the internet, com-puter systems, hardware, software, services, and digital information. Accordingly, cybersecurity risks have become one of the biggest threats fac-ing companies and affecting their future. These risks have numerous nega-tive consequences, ranging from fines and litigation costs to the loss of the company's reputation and the trust of shareholders and stakeholders, which could affect its survival in the market. According to a CISCO report (2017), more than 20% of companies that experience a security breach, experience significant revenue losses, a decrease in the number of customers, a loss of market share, and a decline in their stock prices. The total losses amounted to approximately 17 million US dollars per company. The report also identi-fied the most significant Arab countries that have experienced cyber-attacks on their systems, with Egypt ranking third with 57%. As a result, pressure has increased on companies to disclose cybersecurity risks and the efforts they are making to eliminate them. Disclosure of cybersecurity risks has thus received significant attention from stakeholders, particularly investors, in re-sponse to their demand for more information to assist them in making in-vestment decisions. On the other hand, disclosing cybersecurity risks is one of the most im-portant means of achieving the transparency required by corporate govern-ance practices sought by various systems. The Board of Directors is one of the most important mechanisms that help in implementing corporate gov-ernance effectively. The Board of Directors is responsible for managing the company’s affairs, supervising, appointing, and monitoring, setting policies and objectives, developing strategic plans, and making investment decisions with complete neutrality and independence. The Corporate Governance Guide of 2016 stipulated in paragraph (2/4) that “the company’s board of directors is generally responsible for managing risks in a manner consistent with the nature of the company’s activity, its size, and the market in which it operates. The company has the right to establish an independent risk man-agement department according to its needs, and the board is responsible for developing a strategy to identify the risks facing the company”, how to deal with it, the level of risks that the company is dealing with, and presenting all of this clearly to shareholders. With the increase in cyber-attacks against companies, cybersecurity and cyber risks have become a top priority for the Board of Directors. Effective Board oversight of management's efforts to address these issues is critical to preventing and responding effectively to successful cyber-attacks, protecting companies and stakeholders, as well as protecting investors and the integrity of capital markets. In this regard, the US Securities and Exchange Commission issued addition-al guidance in 2018 affirming companies' obligations to disclose cybersecuri-ty risks, material breaches, and the potential impact of such breaches on business, finance, and operations. Companies are urged to disclose their cy-bersecurity measures and the board's role and involvement in cyber risk oversight. Disclosures include whether the board of directors is solely re-sponsible for risk oversight, whether it is delegated to specific board com-mittees, and whether risk management staff report to the board. In the same context, one study indicated that boards of directors are respon-sible for overseeing the company's establishment of appropriate risk man-agement programs, supervising how management implements those pro-grams, and advising management when making decisions related to cyberse-curity to protect the interests of stakeholders. Another study found that board effectiveness positively impacts a company's decision to disclose cy-bersecurity information. Board independence and financial expertise also have a positive impact on cybersecurity risk disclosure, while board size has no impact on disclosure. On the other hand, some studies have indicated that disclosing cybersecurity risks contributes to reducing information asymmetry and helps stakeholders assess the company's ability to maintain information security and reduce the likelihood of future breaches and negative events. It is also a way to in-crease credibility, protect, and assist investors in making investment deci-sions, which is reflected in stock prices. It reduces potential litigation costs that companies may face, increases transparency, and effectively contributes to reducing distortions in financial markets and improving their efficiency by sending positive signals to the market regarding the company's efforts to mitigate cybersecurity risks, which positively impacts stock prices. While other studies have indicated that cybersecurity risk disclosure nega-tively impacts stock prices, significant and negative changes are a significant indicator of investor reaction to such disclosures, which impacts firm value and market efficiency, as the information, profits, and future cash flows dis-closed by a company are immediately reflected in stock prices. In light of the previous presentation and given the differences in the results of previous studies that focused on the relationship between board of direc-tors’ characteristics and disclosure of cybersecurity risks and its impact on stock prices, in addition to the scarcity of previous studies that addressed the subject in the Egyptian environment and applied to companies listed on the Egyptian Stock Exchange - to the best of the researchers' knowledge - and the fact that most studies were conducted in foreign environments, the research problem can be formulated through the following two questions: - What is the relationship between board of directors’ characteristics and cybersecurity risk disclosure in the Egyptian business environment? - What is the impact of cybersecurity risk disclosure on the stock prices of companies listed on the Egyptian Stock Exchange? 2. Research Objectives: The primary objective of this research is to analyze the relationship between board of directors’ characteristics and cybersecurity risk disclosure and ex-amine its impact on stock prices for companies listed on the Egyptian Ex-change. This main objective is addressed through the following sub-objectives: - Assess the influence of board of directors’ characteristics on cybersecurity risk disclosure. - Investigate the impact of cybersecurity risk disclosure on stock prices. 3. Research Importance: The importance of this research stems from the importance of the topic it addresses. Therefore, the research's importance lies in: First: Scientific Importance: - Growing interest in disclosing cybersecurity risks, given its clear impact on information security and confidentiality, the success and continuity of com-panies, and improving the quality of their financial reports. Furthermore, professional councils, bodies, and organizations are increasingly interested in issuing numerous guidelines that regulate and develop the disclosure of cybersecurity risks and how to manage them. The current study is an extension of the accounting literature that has ad-dressed the field of cybersecurity risk disclosure, focusing on studying the relationship between board of directors’ characteristics and cybersecurity risk disclosure and its impact on stock prices of companies listed on the Egyptian Stock Exchange, which may be characterized by scarcity in applied accounting studies in the Egyptian environment, to the best of the research-ers’ knowledge. Second: Practical Importance: - The topic of cybersecurity risk disclosure has received significant attention recently due to the increasing development of information and communica-tions technology and digital transformations. Therefore, the researchers are attempting to design a cybersecurity risk disclosure index consisting of (40) items derived from previous publications and studies. The level of cyberse-curity risk disclosure is measured based on the information content of the index, thus providing practical evidence of the most important characteris-tics of the board of directors that influence cybersecurity risk disclosure and its impact on stock prices of companies in the Egyptian business environ-ment. The study's findings may provide important information that will help regu-latory and professional bodies in Egypt develop binding standards and legis-lation regulating cybersecurity risk disclosure. It will also contribute to in-creasing Egyptian companies' understanding and awareness of the im-portance of cybersecurity risk disclosure. It will also enable investors and stakeholders to assess a company's ability to maintain information security and reduce the likelihood of future breaches and negative events, which will increase their confidence in the company's future performance and guide their investment decisions. 4. Scope of the research: The research is limited to examining the impact of board of directors’ char-acteristics on the level of disclosure of cybersecurity risks without address-ing the rest of the corporate governance mechanisms except to the extent that achieves the research objective. The study is limited to examine the impact of cybersecurity risk disclosure on stock prices, without examining other economic impacts of cybersecurity risk disclosure, such as investment efficiency, firm value, company financial performance, cash holding, cost of capital, and audit fees. The research is limited to use a content analysis approach to examine the annual reports of companies listed on the Egyptian Stock Exchange and op-erating in the banking sector, the non-banking financial services sector, the communications, media and information technology sector, the services, in-dustrial products, and automotive sector, and the healthcare and pharmaceu-tical sector. These sectors are the most vulnerable to cyber threats and inci-dents, as well as the sensitive information these companies possess, during the period (2020-2022). 5. Research Hypotheses: Based on the research objectives and questions, the study proposes the fol-lowing hypotheses: H1: There is a positive and significant relationship between board size and cybersecurity risk disclosure. H2: There is a positive and significant relationship between board independ-ence and cybersecurity risk disclosure. H3: There is a positive and significant relationship between board diversity and cybersecurity risk disclosure. H4: Cybersecurity risk disclosure has a significant impact on stock prices. 6. Research plan: Given the importance of the research, achieving its objectives and answering its research questions, the research was divided as follows: The first section deals with the general framework of the research. The second section pre-sents the relationship between the characteristics of the board of directors and the disclosure of cybersecurity risks. The third section deals with the impact of cybersecurity risk disclosure on stock prices. The fourth section discusses previous studies, the research gap and the development of research hypotheses. The fifth section presents the applied study. The sixth section deals with the results, recommendations and areas of future research. 7. Results: The research achieved a set of results, the most important of which can be presented as follows: - There is a positive and significant correlation between the size of the board of directors and the level of disclosure of cybersecurity risks. The p-value was less than the significance level of 0.05, which confirms the first hy-pothesis. This is because a larger board of directors enhances the effective-ness of the board's oversight role due to the diverse experience and knowledge among its members. This allows for better allocation of duties and the division of the board into specialized committees to monitor and fol-low up on the company's management activities. This will then help in dis-closing more information related to cybersecurity risks. - There is a positive and significant correlation between the independence of the board of directors and the level of disclosure of cybersecurity risks, as the probability value (P.value) was less than the significance level (0.05), which confirms the second hypothesis. The researchers explain this by say-ing that the presence of independent members on the board of directors helps increase the supervisory role of executive directors and limits the con-flict of interest between management and owners. Therefore, independent di-rectors may be more inclined to encourage companies to disclose more in-formation related to cybersecurity risks. - There is a positive and significant correlation between board diversity and the level of cybersecurity risk disclosure, with the p-value being less than the significance level of 0.05, which confirms the third hypothesis. The re-searchers explain this by saying that the presence of women on the board of directors may help increase the effectiveness of the board and improve the function and efficiency of its committees, which is reflected in improving the quality of oversight of administrative decisions related to cybersecurity is-sues through diverse levels of experience. In addition, women have higher ethical standards, are more risk-averse, and are more committed to attending meetings at higher rates than men, which leads to higher quality discussions and consultations and the presentation of different viewpoints to the board of directors on cybersecurity risk factors and tools for mitigating cybersecu-rity risks. This leads to greater transparency and disclosure of this infor-mation. - There is a significant effect of cybersecurity risk disclosure on stock prices (this effect is negative), which confirms the fourth hypothesis. This is be-cause investors are influenced by disclosed information about cyber-attacks and breaches, which reduces their willingness to invest, which negatively impacts the company's reputation and stock prices. 8. Recommendations Based on the study’s findings, the following recommendations are proposed: - The professional bodies and organizations responsible for issuing Egyptian accounting standards should issue an accounting standard regulating ac-counting for cybersecurity risks, taking into account the experiences of other countries that have required their companies to disclose cybersecurity risks. This will contribute to improving the quality of disclosure. Furthermore, an audit standard should be issued to clarify the auditor's responsibility for these risks, helping all stakeholders assess the company's ability to maintain information security and reduce the likelihood of future breaches and ad-verse events. - Directing listed companies to increase their disclosure of cybersecurity risks, informing investors of all potential and actual cybersecurity risks that could impact their financial performance, and disclosing procedures for managing and mitigating these risks, thus helping investors rationalize their investment decisions. Companies should also hold workshops and training courses for employees on cybersecurity. - Directing the Financial Regulatory Authority's attention to assess listed companies based on the quality of their disclosure of cybersecurity risks, with strict penalties imposed on companies that fail to disclose their expo-sure to cyber incidents. This will enhance stakeholder confidence in pub-lished financial reports. - The need to focus accounting education curricula at Egyptian universities on a way that facilitates the teaching of various topics related to cybersecuri-ty risks and their management, contributing to the preparation of graduates capable of dealing with and eliminating such risks.