This study examines the extent of cybersecurity disclosure (CSD) and whether board attributes influence the degree of CSD among UK firms. It further investigates through the lens of critical mass theory whether the impact of board gender diversity varies with the level of representation.
The sample comprises FTSE 100 companies listed in the UK from 2015 to 2021. A CSD index is developed using automated content analysis of cybersecurity- and data security-related terms in annual reports reflecting firms’ exposure to cyber safeguards. We test hypotheses and conduct a battery of robustness tests to validate our findings.
The results show that board size is positively associated with CSD. Firms with a dedicated cybersecurity committee provide more forward-looking information on cyber risks and mitigation measures. While gender diversity overall does not significantly influence CSD, boards with three or more female directors show a strong positive influence, supporting the critical mass effect of their representation. Robustness tests affirm the reliability of these results.
This study contributes to the growing cybersecurity literature by applying the resource-based view to show how board structure and specialized committees reduce cyber-related information asymmetry. In the absence of specific regulatory guidelines, institutional pressures appear to motivate boards to enhance CSD for integrated reporting purposes. The findings also emphasize that at least three female directors are necessary to achieve meaningful influence on CSD.
As CSD remains voluntary in the UK, this study is among the first to empirically investigate the impact of board attributes on such disclosures within FTSE 100 firms. It uniquely identifies the positive role of directors with expertise in cybersecurity and artificial intelligence in enhancing disclosure levels. It also offers insights into gender diversity by revealing that low female representation may reflect tokenism, as it does not significantly influence CSD.
1. Introduction
The growing reliance of businesses on digital technology emphasizes the significance of cybersecurity as an emerging component of risk management (Gopal et al., 2025; Sallos et al., 2024). This has garnered considerable public attention due to the rising incidence of security breaches and cyber hazards, which have increased the vulnerability of business enterprises (Amir et al., 2018; Vo and Pham, 2025). An enterprise’s exposure to digital transformation often determines the extent of disruption it faces from cyberattacks, cyber threats, and data breaches (Chen and Sui, 2025). This highlights the growing relevance of cybersecurity resilience for business enterprises (Dong et al., 2024). Hence, it calls for immediate action from management to acknowledge that corporate governance mechanisms should incorporate cyber and information security to safeguard the firm's interests (Von Solms and Von Solms, 2018). In today’s technology-driven business world, integrating cyber risk into the risk management process has become a crucial duty of the board. However, evidence suggests that many boards still lack adequate focus on cybersecurity risk management (Gale et al., 2022). The changing landscape of cybersecurity threats and increasing digital vulnerabilities have reshaped what constitutes effective corporate governance. Yet, little is known about which board attributes influence the level of cybersecurity disclosure (CSD), particularly in voluntary regimes.
According to the World Economic Forum (2025), nearly 72% of businesses face cybersecurity risks resulting from ransomware, phishing, and disinformation. Higher exposure to cybersecurity risks leads to both economic and non-economic consequences (Tan et al., 2025). Morgan (2020) predicts that the estimated annual cost of cybersecurity breaches could reach US$10.5 trillion by 2025. Additionally, the loss of customer trust and confidence represents significant non-economic harm to businesses. The surge in incidence of cybersecurity breaches and cyberattacks has captured the attention of both management and policymakers, emphasizing the importance of organizational cyber resilience (Sallos et al., 2024). Enhanced cyber resilience allows firms to prevent financial losses resulting from cybersecurity failures (Sallos et al., 2024; Tayaksi et al., 2022). Consequently, firm-level cybersecurity governance can strengthen cybersecurity safeguards and resilience, reduce the threat of abnormal loss, and improve organizational adaptability (Faro et al., 2024; Gale et al., 2022).
As a new era of governance, cybersecurity requires enhanced disclosures about potential cyber threats, strategies for risk prevention, and future risk aversion planning (American Institute of Certified Public Accountants (AICPA), 2017). Moreover, legislators and accounting standard setters have paid more attention to strengthening businesses' CSD, responding to concerns that stakeholders lack sufficient, timely information about cybersecurity risks and risk mitigation initiatives (American Institute of Certified Public Accountants (AICPA), 2017). In response, companies are aligning their disclosure strategies to meet stakeholder expectations. A recent survey by the Voice of the Chief Information Security Officer (CISO) revealed that 80% of CISOs agree that organizations should be obligated to report serious cyber incidents to legislators within a reasonable timeframe, while only 6% disagree (Glover, 2023). This indicates a growing corporate inclination toward meeting stakeholders’ expectations by disclosing cybersecurity-related information.
The regulations related to CSD vary across countries and regions due to differences in legal frameworks, regulatory priorities, and stakeholder pressure (Bose et al., 2025). Developed economies such as the United States, the European Union, Canada, and Australia have implemented stringent CSD regulations (Delphin and Davis, 2025). In contrast, countries like the United Kingdom (UK), India, and several others in Asia and Africa typically rely on softer regulations. Among UK cybersecurity-related legislation, the Network and Information Systems (NIS) Regulations 2018 are prominent, though they do not require firms to report cybersecurity risks (Department for Digital Culture, Media and Sport, 2018). The FRC’s 2017 draft guidance urges boards to consider non-financial risks (e.g. cyber risks) alongside financial risks, outline the areas where risks have arisen, and clarify how those risks could influence business operations (Financial Reporting Council, 2017). Even though cybersecurity risk is considered a major threat, the UK still lacks explicit disclosure requirements (Deloitte, 2018). Therefore, it is crucial to understand how corporate boards respond to increasing stakeholder pressures and manage cybersecurity risks in the UK. As a voluntary practice, most UK companies disclose cybersecurity information, recognizing that such disclosure can shield them from the contagion effects of cyber threats and signal their preparedness for unexpected cyber incidents (Kelton and Pennington, 2020).
A recent Deloitte survey found that 70% of corporate leaders discuss cybersecurity concerns at board meetings at least once a month (Deloitte, 2023). According to the UK Corporate Governance Code, companies are expected to manage cybersecurity risks and incidents by establishing a dedicated team that includes board members and by adopting a top-down approach rather than forming a separate cybersecurity committee (Financial Reporting Council, 2018, 2024). The code does not explicitly specify particular competence requirements for the members of the cybersecurity risk committee. However, they should possess sufficient knowledge to engage meaningfully with cybersecurity personnel and address emerging cyber risks (Financial Reporting Council, 2024). Moreover, prior governance literature highlights the board's oversight role in preventing, detecting, and responding to cyber incidents (Héroux and Fortin, 2024; Smaili et al., 2023). In addition, gender diversity on boards has been found to enhance non-financial reporting and risk management (Mehnaz and Yang, 2025), which may be particularly important in contexts where mandatory disclosure regulations are lacking. The presence of women on boards has recently gained significant attention, with global efforts underway to increase female participation in leadership roles. Globally, women now hold 24% of board seats, with North America and Europe leading at 28.6% and 34.4%, respectively (Jayaraman et al., 2025). Notably, the UK ranks second globally for female board representation among FTSE100 companies, with women occupying approximately 40% of positions (Department for Business Energy and Industrial Strategy, 2022). This trend suggests that companies are increasingly recognizing and valuing women's contributions in boardrooms, leading to enhanced firm performance, more ESG disclosures, improved CSD, and better financial reporting quality (Nicolò et al., 2022; Radu and Smaili, 2022; Smaili et al., 2023).
This study addresses a key research gap by examining the extent of CSD and the influence of board characteristics within a voluntary regulatory setting. In a systematic literature review, Amani et al. (2025) observe that several studies simply use an indicator variable to assess CSD, while some other studies measure the extent of CSD using the number of words. Although recent research (Alodat et al., 2024) has focused on the relationship between CSD and board attributes, we provide a more detailed measurement of CSD, incorporating a firm’s responsiveness to cyber risks as disclosed in its annual report. Many studies have addressed the issue of gender representation and CSD in both developed (Radu and Smaili, 2022) and developing economy perspectives (Mazumder and Hossain, 2023). However, it remains underexplored in the CSD literature within the UK context. To address this gap, we investigate the potential tokenism of female directors in CSD practices. Although companies are at high risk of cyberattacks and data breaches, regulators in the UK have not implemented stringent policies on CSD. However, the cyber disclosure regulations from other countries signal the readiness for UK firms to counter cyber vulnerability. As a matter of choice, most UK companies voluntarily disclose cybersecurity information, recognizing that such disclosure can shield them from the contagion effects of cyber threats and signal their preparedness for unexpected cyber incidents (Kelton and Pennington, 2020).
This study investigates the extent of CSD in the annual reports of UK firms and examines whether board characteristics are associated with disclosure levels. Grounded in the resource-based view (RBV), it focuses on specific board attributes, including female representation, board size, board independence, audit committee independence, the presence of a dedicated cybersecurity committee, and the adoption of a formal cybersecurity policy. The study further explores whether achieving a critical mass of female directors (at least three women) enhances the quality of CSD. It draws on critical mass theory, which posits that merely having female board members to meet regulatory requirements may not always be enough for meaningful contributions to board decisions, and a threshold must be reached for women to exert significant impact on CSD practices.
Using a sample of 630 firm-year observations from 2015 to 2021 of UK firms, we find that board size and the board committee responsible for cybersecurity are positively associated with the extent of CSD. The adoption of a firm-level cybersecurity policy also has a significant positive relationship with CSD when we do not control for industry and year effects. While board gender diversity does not have a substantial impact on the extent of CSD, further analysis reveals that boards with at least three female directors are more likely to increase CSD in annual reports, indicating the role of critical mass among female directors.
This study makes several contributions to the literature. First, it provides evidence on the extent of CSD in the UK, where such disclosure is not yet mandated. This paper is closely related to the recent studies on CSD (Gao et al., 2020; Mazumder and Hossain, 2023; Radu and Smaili, 2022; Smaili et al., 2023). For instance, Gao et al. (2020) investigate CSD practices and their drivers in the US context; Radu and Smaili (2022) explore the impact of board gender diversity; Smaili et al. (2023) examine board attributes in the Canadian context; and Mazumder and Hossain (2023) identify board attributes as determinants of CSD in the Bangladeshi banking industry. In contrast, this study investigates the UK context, a voluntary regime for CSD, and extends the analysis across all sectors. Although a concurrent study by Alodat et al. (2024) also examines the link between board attributes and CSD in the UK, our study is unique for a few reasons: (1) their analysis relies solely on a binary indicator of CSD presence, similar to prior studies (e.g. Smaili et al., 2023), whereas we measure the extent of CSD in annual reports using automated content analysis, and (2) while they focus on identifying board attributes as drivers, our study further observes how the impact of board gender diversity on CSD varies with the level of representation.
Furthermore, our study validates the theoretical lens of RBV and contributes to the managerial perspective of leveraging internal resources during times of uncertainty and risk. The findings suggest that institutional pressures have encouraged boards to provide more CSD, even in the absence of explicit FRC guidelines. It also provides robust evidence that a dedicated committee and formal policies help reduce information asymmetry related to cybersecurity governance. Our results suggest that RBV promotes the organizational resilience of UK firms in managing external pressure and provides relevant CSD to meet stakeholders’ expectations. Moreover, this study proposes some policy strategies. First, it recommends the formulation of specific CSD guidelines for markets with high exposure to cyber risks. Second, it recommends the appointment of expert and trustworthy directors who can lead companies in times of uncertainty, where no specific guidelines are spelled out. Third, it promotes the development of gender-balanced boardrooms, where female directors can articulate their opinions and contribute to steering firms toward success.
2. Background and theoretical framework
2.1 Institutional context of CSD in the UK
CSD regulation in the UK remains voluntary despite cybersecurity risk being identified as a major threat across all industries in 2018 (Alodat et al., 2024; Deloitte, 2018). The Network and Information Systems (NIS) Regulations 2018 remain the only existing cybersecurity legislation in the UK, yet they do not require firms to report cybersecurity risks (Department for Digital Culture, Media and Sport, 2018). In contrast, the SEC’s cybersecurity disclosure regulation requires all listed companies in the United States to report material cybersecurity incidents in detail (Liu et al., 2025). This regulation has also spilled over to companies with cross-border operations (Martin, 2025). Moreover, the FRC has advised UK companies to incorporate CSD within their reporting of major risks and uncertainties (Deloitte, 2018). Nevertheless, there is no comprehensive framework in the UK to support listed companies in reporting their activities and strategies for addressing growing cybersecurity threats. Given this unique setting, this study investigates the influence of corporate boards – a central force in establishing firm-level policy and best practices – on CSD within the UK's predominantly unregulated market.
2.2 Cybersecurity governance
Cybersecurity governance has emerged as a critical element of enterprise governance, requiring businesses to embed data security into their strategic plans (Gale et al., 2022; Vo and Pham, 2025). It can be understood as the managerial system for overseeing cybersecurity risks (Posthumus and Von Solms, 2004). Over time, the literature has expanded to include more detailed components of cybersecurity governance. For instance, Li et al. (2018) describe it as a process that defines the roles and responsibilities of the board and top management in providing strategic direction, ensuring targets are met, managing risks effectively, and utilizing resources responsibly. Several scholars have also proposed frameworks to promote effective cybersecurity governance practices within organizations. These frameworks assess a company’s capacity to safeguard information systems by ensuring data confidentiality, integrity, availability, and usefulness, while preventing unauthorized access, misuse, disclosure, disruption, modification, or damage (Sallos et al., 2024). Executive management and the board are accountable for approving or rejecting management initiatives, developing strategies, monitoring implementation, and linking the company with key external stakeholders (Hoppmann et al., 2019). Therefore, board members should be proactive in asking relevant questions and seeking information on the company’s cyber vulnerability, preparedness, and potential failures (Radu and Smaili, 2022).
2.3 Theoretical framework
The theoretical underpinning for the importance of board attributes is anchored in the RBV of the firm, which highlights both core competence (Prahalad and Hamel, 1994) and the dynamic capability (Teece et al., 1997) of board members in enhancing firm capabilities. Originating from strategic management, the RBV emphasizes the creation and maintenance of sustainable competitive advantage (Freeman et al., 2021). Firms achieve this by strategically allocating internal resources to respond to external challenges and mitigate external threats while minimizing internal weaknesses (Barney, 1991). In this view, internal resources, including board composition, information technology capabilities, and diversity in nationality and international experience, are considered key sources of competitive advantage (Katmon et al., 2019). Empirical studies support the application of RBV in explaining the value of board heterogeneity in enhancing board effectiveness (Katmon et al., 2019) and achieving desirable organizational outcomes (Galbreath, 2005). These suggest that board composition, when viewed through the RBV lens, represents strategic resources that can drive organizational performance.
In accounting research, RBV explains how firms respond to uncertainty by leveraging internal resources (Del Gesso and Lodhi, 2025). For instance, Demerjian et al. (2013) show that managerial ability – an internal resource – influences disclosure quality, with boards playing a critical role in IT-related disclosure. In the context of cybersecurity, board members or a dedicated cybersecurity committee are essential to advise management on the scope of CSD, including cybersecurity incidents, their implications, mitigation strategies, and the approach to cybersecurity responsibility (Héroux and Fortin, 2024). Similarly, Turel and Bart (2014) employ RBV to demonstrate that the board of directors is a critical asset in achieving effective IT governance.
Gender diversity represents one of the key indicators of internal resources. Within the realm of corporate risk disclosure, prior studies have shown mixed evidence regarding the impact of women directors on risk disclosure quality. For instance, the literature reports that the mere presence of women on corporate boards is negatively linked with the extent of risk disclosure (Allini et al., 2016). In contrast, Triana et al. (2014) find that while female directors can enhance corporate disclosure practices, this effect may not hold in times of uncertainty, as it is only evident during periods of stability. To gain a deeper understanding of the role of gender diversity in governance, this study further incorporates critical mass theory. This theory elucidates how the number of women in a group influences group interaction processes and decision-making. A board with at least three female directors constitutes a critical mass (García-Sánchez et al., 2025). Kanter (2008) argues that when women make up only a small minority within a team as “tokens,” they are viewed as gender representatives rather than as individuals, which limits their influence and ability to perform optimally. Achieving a critical mass allows female directors to combine their voices and contribute more effectively to strategic decisions (Yarram and Adapa, 2021). A critical mass of at least three women is thus necessary to ensure meaningful participation in board discussions and enhance board effectiveness (Kanter, 2008; Yang and Konrad, 2025).
3. Hypotheses development
3.1 Board gender diversity
Gender diversity on boards has continued to grow significantly in corporate governance arrangements worldwide over recent years (Mukherjee and Krammer, 2024; Terjesen et al., 2009). According to the literature on gender-based disparities, women and men perceive leadership roles differently (Garikipati and Kambhampati, 2021). Men are generally described as having agentic traits, whereas women are more often characterized as having communal attributes such as being encouraging, sympathetic, and kind. Therefore, female directors tend to prioritize stakeholders' interests due to these communal traits, while male directors typically focus more on shareholders and financial concerns (Adams et al., 2011). Literature also suggests that gender diversity in boardrooms offers new thoughts and perspectives that enhance firm performance (Carter et al., 2003; Duppati et al., 2020). Saggar and Singh (2017) emphasize the importance of female participation by demonstrating that diverse boards have a stronger influence on promoting transparent risk disclosure, mitigating information asymmetry, and conflicts of interest through their distinctive knowledge and creativity. Additionally, Bufarwa et al. (2020) find a positive relationship between gender diversity and risk disclosure in the UK context, where boards tend to be more diverse in both ethnic and gender composition.
The literature on corporate voluntary disclosure further highlights the influence of board gender diversity on the extent of voluntary disclosures in annual reports (Bueno et al., 2018; Loulou-Baklouti, 2024; Saha and Kabra, 2022). Because of their greater sensitivity to stakeholders’ interests, female directors may offer alternative perspectives to executive management when determining the scope of CSD, thereby facilitating effective risk management (Héroux and Fortin, 2024; Mehnaz and Yang, 2025). Elnahass et al. (2024) argue that female executives provide more cybersecurity-related information than male directors. Furthermore, Sun (2025) advocates that female leadership on the board can efficiently manage cybersecurity risks. Mazumder and Hossain (2023) reach similar conclusions in their study of developing countries, finding that a higher proportion of female directors is associated with more extensive CSD. Moreover, gender-diverse boards may foster stronger stakeholder engagement and increased transparency, and show a greater willingness to disclose cybersecurity threats (Elnahass et al., 2024). Furthermore, this transparency may be attributed to the influence of female members on decision-making, as well as risk aversion, stakeholder sensitivity, and diverse perspectives. From the perspective of the RBV, female directors, as valuable internal resources, are expected to contribute to cybersecurity risk management and promote more comprehensive disclosures, thereby supporting firms’ strategic positioning. Accordingly, the following hypothesis is formulated:
A gender-diverse board is positively associated with the extent of cybersecurity-related disclosure.
The intended benefits of gender diversity on boards may diminish if female directors’ voices are not adequately heard in male-dominated environments. In such cases, the presence of women on the board may serve as a symbolic gesture rather than a substantive contribution, placing undue pressure on the few female representatives (Yarram and Adapa, 2021). Yang and Konrad (2025) argue that the benefits of board diversity are realized only when female directors reach a critical mass. This is often defined as at least three women on the board, supported by the “magic number” concept (Joecks et al., 2013). Seebeck and Vetter (2022) similarly note that board decisions on risk disclosure are significantly affected only when the proportion of female directors exceeds a threshold, consistent with critical mass theory. Consistent with prior literature, Radu and Smaili (2022) find evidence that boards with at least three female directors are more likely to disclose cybersecurity information. Elnahass et al. (2024) further corroborate the importance of achieving a critical mass in fostering robust CSD practices. Therefore, based on critical mass theory, we hypothesize:
A critical mass of three or more women on the board is positively associated with the extent of cybersecurity-related disclosure.
3.2 Board size
A substantial body of research shows that the quality and frequency of management’s information to investors improve when boards oversee and supervise management more effectively (Karamanou and Vafeas, 2005). Firms with effective boards often experience lower information asymmetry. One important factor influencing board effectiveness is board size. Larger boards typically provide broader expertise and stronger oversight capacity (Alodat et al., 2024). An adequate number of members enhances monitoring, thereby reducing information asymmetry through improved disclosure. In this regard, RBV theory asserts that larger and more diverse boards provide stronger oversight, greater stakeholder representation, and a broader knowledge base, which in turn enhances the timeliness and reliability of risk-related disclosures (Moumen et al., 2016; Peasnell et al., 2005). However, some studies find that board size does not significantly affect CSD (Mazumder and Hossain, 2023), while others report a negative association with voluntary disclosure (Alfraih and Almutawa, 2017). Based on RBV, this study expects that larger boards are more inclined to disclose cybersecurity risks due to their broader expertise and knowledge, increasing the availability of prevention and mitigation information in annual reports. Thus, the following hypothesis is proposed:
Board size is positively associated with the extent of cybersecurity-related disclosure.
3.3 Board independence
Independent directors bring knowledge from diverse sectors and strengthen the objectivity of board decisions by providing expertise that management may lack (Yoo and Kim, 2012). Board independence is thus a key factor in ensuring efficiency and disclosure quality (Dahya and McConnell, 2007; Mazumder and Hossain, 2023). Moreover, independent directors also reduce information asymmetry and promote cyber risk communication (Héroux and Fortin, 2024; Smaili et al., 2023). These directors may win over the public's confidence and establish a good impression as knowledgeable labor market experts by providing more disclosure (Patelli and Prencipe, 2007; Samaha et al., 2012). Evidently, several studies show a positive association between independent directors and voluntary disclosure (Cheng and Courtenay, 2006; Lim et al., 2007). Specifically, Mazumder and Hossain (2023) note that greater board independence is associated with higher CSD. However, some studies report no significant or even negative effects on corporate disclosure. Though independent directors bring expertise and best practices to the organization, they do not significantly affect risk-related disclosure (Allini et al., 2016; Nahar et al., 2016; Saggar and Singh, 2017). Through the theoretical lens and based on prior studies, we propose the following hypothesis:
The percentage of independent directors is positively associated with the extent of cybersecurity-related disclosure.
3.4 Committee responsible for cybersecurity
Public firms, particularly those exposed to high cybersecurity risks, should promptly notify investors of material threats and incidents (Securities and Exchange Commission (SEC), 2018). However, boards often lack the technical expertise to manage cybersecurity concerns effectively (Hartmann and Carmenate, 2021). The effective monitoring of board oversight related to cybersecurity issues is significantly influenced by directors' cybersecurity competence, particularly in bringing attention to cyber incidents and preparing them to ask incisive management questions (Lowry et al., 2023). As a result, many firms begin appointing technology specialists and establishing IT or cybersecurity committees at the board level (Hartmann and Carmenate, 2021).
Deloitte (2018) suggests that companies should accept responsibility for their actions by outlining who is in charge at the executive level, how they report to the board, what the board's obligations are, the regulatory framework, control systems, and disaster recovery strategies in place to manage potential cyber risks. Firms may create a technology committee at the board level to communicate to stakeholders that top management views IT as a strategic instrument (Turel and Bart, 2014). A dedicated technology committee may also enhance governance by increasing the likelihood of disclosure, as well as improving credibility through various ways, such as monitoring and recognizing breaches (Higgs et al., 2016). Gartner (2021) reports that fewer than 10% of boards currently have a dedicated cybersecurity committee, though this is projected to reach 40% by 2025. Additionally, boards can utilize the company’s cybersecurity expertise: through routinely arranged briefings and discussions, the firm's Chief Information Security Officer (CISO) or other senior officials in charge of monitoring security can assist the board in better understanding cybersecurity (National Association of Corporate Directors (NACD), 2023). From the RBV perspective, dedicated committees or teams responsible for cybersecurity risk management will enhance the company’s resilience by optimizing internal resources. Hence, based on the theoretical assumption and the given arguments, the following hypothesis is formulated:
The cybersecurity committee on the board is positively associated with the extent of cybersecurity-related disclosure.
3.5 Audit committee independence
Audit committee independence is a widely examined variable in the corporate governance literature, which verifies the integrity of independent audit committee members in ensuring accountability and transparency. When a dedicated committee for cybersecurity does not exist, the audit committee often assumes responsibility for overseeing cybersecurity-related matters (Harrast and Swaney, 2019). A 2022 National Association of Corporate Directors (NACD) study reveals that 47% of public company boards assign cybersecurity oversight responsibility to the audit committee, while 32% assign it to the board itself, and 13% assign it to a risk committee (National Association of Corporate Directors (NACD), 2023). As such, examining the composition of the audit committee is necessary to understand its potential influence on CSD practices. Previous literature has investigated the relationship between audit committee independence and voluntary disclosure, yielding mixed evidence (Li et al., 2022). From the RBV lens, the audit committee serves as an internal resource that oversees cybersecurity risk management strategies, which are important for an organization's survival. Accordingly, this study explores audit committee independence as a possible determinant of CSD. The following hypothesis is formulated:
Audit committee independence is positively related to the extent of cybersecurity-related disclosure.
3.6 Cybersecurity policy
As cyber threats become increasingly sophisticated, they pose significant risks to data security, operations, and corporate reputation. Business and cybersecurity leaders today face mounting challenges in defending against cyberattacks while navigating evolving compliance requirements (Deloitte, 2023). With the increasing number of cyberattacks, investors are also seeking cyber-related information in annual reports to make informed investment decisions. Companies are therefore expected to develop policies that disclose their risk management strategies, governance, and responses to incidents of cyber breaches. FRC proposes that companies should also design strategies related to IT investments, IT recruitment, IT training, and IT infrastructure, aligning these efforts with their business strategy, and disclose these efforts accordingly (Gribben, 2022). Moreover, SEC proposed rules would push the registered US companies to provide in Form 10-K a thorough description of their data security policies and processes, identifying IT risks and threats like operational risk, intellectual property theft, scams, extortion, harm to employees or customers, breach of privacy laws and other disputes and legal risk and reputational risk (Modi et al., 2022). Therefore, UK companies may feel pressure from institutional forces to enhance and improve their disclosure strategies, providing more relevant information in their annual reports. Moreover, through the lens of RBV, it is expected that the company must provide more information to the stakeholders regarding increased cybersecurity policies. Thus, the following hypothesis is proposed:
The inclusion of cybersecurity policy is positively associated with the extent of cybersecurity-related disclosure.
4. Research method
4.1 Sample and data
Our sample consists of UK companies listed on the London Stock Exchange and included in the UK FTSE 100 index. Our sample includes companies from a wide range of industries, which are significant in size and adopt best reporting practices (Chithambo et al., 2022). The study timeframe spans from 2015 to 2021. Three key considerations drive our selection for 2015 as the initial point in our study's timeline. Firstly, there has been a surge of cyber incidents since 2015, including cyberattacks on JD Wetherspoon and TalkTalk, which caused the firms to lose confidential data and suffer financial losses (Hern, 2016; Kollewe, 2015). Secondly, businesses started to adopt a cybersecurity policy after experiencing or fearing cybersecurity threats since 2015 (Department for Business Innovation and Skills, 2015). Finally, the National Cyber Security Strategy in the UK was initially focused on the period from 2016 to 2021 (Department for Crime Justice and Law, 2016), which formulated national-level cybersecurity-related strategies, drawing lessons from cases that mostly occurred in 2015. After excluding observations with missing or incomplete data, the final sample comprises 90 companies, resulting in a total of 630 firm-year observations (see Table 1).
Table 1. Sample selection and distribution
| Panel A. Sample selection | |
|---|---|
| Initial sample UK firms (FTSE 100), 2015–2021 | 700 |
| Less: Missing due to non-availability of data | 70 |
| Final sample | 630 |
| Panel B: Sample distribution by industry | ||
|---|---|---|
| Fama-French industry code (12 industries) | Frequency | Percent |
| Consumer Nondurables | 35 | 5.56 |
| Manufacturing | 63 | 10.00 |
| Oil, Gas, and Coal Extraction and Products | 14 | 2.22 |
| Chemicals and Allied Products | 21 | 3.33 |
| Business Equipment | 49 | 7.78 |
| Telephone and Television Transmission | 14 | 2.22 |
| Utilities | 35 | 5.56 |
| Wholesale, Retail, and Some Services | 91 | 14.44 |
| Healthcare, Medical Equipment, and Drugs | 28 | 4.44 |
| Finance | 154 | 24.44 |
| Other | 126 | 20.00 |
| Total | 630 | 100.00 |
The classification of industry is given in Panel B. The finance sector comprises the largest portion of the sample, accounting for 24.44% of the total. The Oil, Gas, and Coal Extraction and Products sectors, along with the Telephone and Television Transmission sectors, represent the smallest portions, each constituting 2.22% of the sample. Our data includes both financial and non-financial metrics, such as the percentage of female board members, board size, board independence, audit committee independence, cybersecurity policy, firm size, return on assets (ROA), and leverage. Furthermore, other variables, such as the committee responsible for overseeing cybersecurity and the frequency of specific words in the annual reports, have been manually collected from the annual reports of sample firms.
4.2 Measurement of variables
4.2.1 Dependent variable: CSD
This study measures CSD by the frequency of cybersecurity-related words in the annual reports available to stakeholders. A list of keywords is identified, and NVivo software is used to determine how frequently those words appear in each annual report. The resulting word frequency, labeled DISVOL, is the dependent variable in the equation.
For data collection on CSD, the study follows similar steps consistent with those of Radu and Smaili (2022) and Mazumder and Hossain (2023). Some studies have used the presence of cyber-related information (1 if any cyber-related information is present and 0 otherwise) as a measure for CSD (Li et al., 2018). Other researchers have identified keywords such as “cyber,” “cybersecurity,” “cyber-attack,” and “information security” to manually identify relevant paragraphs in annual reports for measuring cyber disclosure (Radu and Smaili, 2022). Following the issuance of SEC guidance (2011 and 2018), companies have increasingly used litigious language in their disclosures (Calderon and Gao, 2022). Furthermore, larger firms generally use less litigious language. At the same time, companies in industries with a high intensity of business information technology, such as consumer services, software and services, and banking, are likely to use more legal terms than other companies (Calderon and Gao, 2022). Given the absence of explicit guidelines for CSD in the UK, this study has counted keywords such as “cyber,” “cybersecurity,” “security,” “cyber-attack,” “data security,” “data breach,” “information technology,” and “IT” using NVivo software, followed by a manual check of the keyword counts. Initially, the annual reports were uploaded into NVivo software for a thorough check to determine whether the target words were present. The words were then manually counted to collect the final data. Based on the collected data, the disclosure index was constructed.
To conduct content analysis using NVivo 14, a predefined list of cybersecurity-related keywords was created. The software then identified and counted instances where at least one of these keywords appeared in the dataset, following Mazumder and Hossain (2023) and Radu and Smaili (2022). NVivo is widely used for content analysis through keyword searches in accounting disclosure research (Mazumder and Hossain, 2023; Rainsbury et al., 2023). Additionally, Abhayawansa (2011) argues that NVivo is efficient in extracting text units for the coded keyword list. Hence, we chose keyword-based analysis over sentence-level analysis to avoid potential inconsistencies caused by variations in grammar, sentence structure, and different reporting entities.
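The keyword-counting step described above can be reproduced outside NVivo. The following Python code is an added example, not the authors' code or NVivo's algorithm; it uses the keyword list quoted above, while the case-sensitive handling of "IT", the longest-match rule for overlapping keywords, the ln(1 + count) transform, and the sample text are assumptions made for illustration.

```python
import math
import re

# Keyword list quoted in the section above.
KEYWORDS = [
    "cyber", "cybersecurity", "security", "cyber-attack",
    "data security", "data breach", "information technology", "IT",
]
# Assumption: "IT" is matched case-sensitively so the pronoun "it" is ignored.
CASE_SENSITIVE = {"IT"}


def compile_keyword(keyword):
    """Whole-token pattern. Inner spaces match any whitespace run, including
    the line breaks that PDF text extraction leaves inside phrases."""
    body = r"\s+".join(re.escape(part) for part in keyword.split())
    flags = 0 if keyword in CASE_SENSITIVE else re.IGNORECASE
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])", flags)


def keyword_hits(text, dedupe_overlaps=True):
    """Count hits per keyword.

    dedupe_overlaps=False counts every keyword independently, so the phrase
    "data security" also scores a hit for "security".
    dedupe_overlaps=True (assumed rule) gives each stretch of text to the
    longest keyword that covers it, so it is counted once.
    """
    counts = {kw: 0 for kw in KEYWORDS}
    claimed = []  # (start, end) spans already attributed to a keyword
    for kw in sorted(KEYWORDS, key=len, reverse=True):
        for match in compile_keyword(kw).finditer(text):
            start, end = match.span()
            if dedupe_overlaps and any(start < e and s < end for s, e in claimed):
                continue
            counts[kw] += 1
            claimed.append((start, end))
    return counts


def total_hits(text, dedupe_overlaps=True):
    """Raw word frequency for one report."""
    return sum(keyword_hits(text, dedupe_overlaps).values())


def disvol(word_count):
    """Log-transformed disclosure volume.

    Assumption: ln(1 + count), so a report with no hits maps to 0. The page
    only says DISVOL is the log value of the word count.
    """
    return math.log1p(word_count)


# Constructed sample text, not taken from any real annual report.
SAMPLE_REPORT = (
    "The Board reviewed cyber risk twice this year. Our cybersecurity "
    "programme is led by the CISO. A cyber-attack or data breach could "
    "disrupt operations, and it would harm customers. Data security "
    "controls cover information\ntechnology and IT systems; physical "
    "security is audited separately."
)

if __name__ == "__main__":
    for dedupe in (False, True):
        n = total_hits(SAMPLE_REPORT, dedupe)
        label = "longest-match" if dedupe else "independent"
        print(f"{label:>13}: count={n}, DISVOL={disvol(n):.3f}")
    print(keyword_hits(SAMPLE_REPORT))
```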
4.2.2 Independent variables
Previous studies have commonly examined board characteristics such as board size, board independence, and the proportion of female directors in relation to risk disclosures (Adelopo et al., 2021; Bufarwa et al., 2020). Similarly, Héroux and Fortin (2020) and Mazumder and Hossain (2023) examine the influence of board size, board independence, and gender diversity on CSD. Consistent with the literature, this study includes several board-related variables: gender diversity (GENDIV), board size (BDSIZE), board independence (INDPDIR), the presence of a board-level committee responsible for cybersecurity (COMPRN), audit committee independence (AUDCOMIND), and the presence of a formal cyber policy (CYBERPOLICY). Additionally, a separate gender diversity measure grounded in critical mass theory is employed to explore the threshold effect of female board representation. A full description of all variables is provided in Appendix.
4.2.3 Control variables
Following previous studies, we include several control variables in this study. We control for firm size (SIZE) as it captures various factors, including stakeholder pressure and operational resources, that motivate management to provide forward-looking disclosures on cybersecurity risks. We expect it to have a positive impact on disclosure volume (Smaili et al., 2023). Secondly, we include leverage (LEV) as a control variable. Leverage serves as a stimulus for greater disclosure, as higher leverage leads to increased information disclosure in response to pressure from financing stakeholders (Clarkson et al., 2008). Moreover, profitability is also a determinant of relevant information disclosure. Hence, we consider return on assets (ROA) to address this issue (Smaili et al., 2023). We also consider the firm’s business growth a decisive factor in voluntary information disclosure on cybersecurity. Firms with higher growth opportunities tend to disclose more information to reduce information asymmetry and create a positive market impression (Ben-Amar et al., 2017; Radu and Smaili, 2022). We take market-to-book (MTB) as a proxy for this. Lastly, we include the cybersecurity risk industry (CRISKIND) in the model, which can address a firm’s exposure to cybersecurity risk because its business operation is highly dependent on IT infrastructure.
4.3 Empirical models
To test the hypotheses, the following model describes the relationship between board characteristics and the extent of cyber-related information in the annual reports. Our estimated model is:
where DISVOL is the dependent variable for year t and firm i. The independent variables are GENDIV, BDSIZE, INDPDIR, COMPRN, AUDCOMIND, and CYBERPOLICY. The control variables used in the equation are CRISKIND, SIZE, LEV, ROA, and MTB.
5. Results
5.1 Descriptive statistics
Table 2 Panel A represents the descriptive statistics of the variables. The mean of DISVOL (log value of word count) is 3.055, indicating that the frequency of CSD in the annual report is 3.055 times on average, with a standard deviation of 0.974. The average number of board members is 10.437, with a standard deviation of 2.121. Additionally, the median value of BDSIZE is 10, indicating that most companies have 10 board members. The mean value of GENDIV is 0.308. This indicates that the average percentage of women on the board is approximately 31%. The mean value of INDPDIR is 0.672, indicating that independent directors make up 67.2% of UK boards on average. Some UK companies have independent non-executive board members, while some have one-third of the total board members.
Table 2. Summary statistics
| Panel A: Descriptive statistics | ||||||
|---|---|---|---|---|---|---|
| | N | Mean | SD | p10 | Median | p90 |
| DISVOL | 630 | 3.055 | 0.974 | 1.946 | 3.219 | 4.143 |
| GENDIV | 630 | 0.308 | 0.092 | 0.2 | 0.3 | 0.444 |
| BDSIZE | 630 | 10.437 | 2.121 | 8 | 10 | 13 |
| INDPDIR | 630 | 0.672 | 0.121 | 0.5 | 0.667 | 0.818 |
| COMPRN | 630 | 0.803 | 0.398 | 0 | 1 | 1 |
| AUDCOMIND | 630 | 0.968 | 0.072 | 0.833 | 1 | 1 |
| CYBERPOLICY | 630 | 0.329 | 0.470 | 0 | 0 | 1 |
| CRISKIND | 630 | 0.211 | 0.408 | 0 | 0 | 1 |
| SIZE | 630 | 16.515 | 1.888 | 14.473 | 16.144 | 19.606 |
| LEV | 630 | 0.244 | 0.163 | 0.024 | 0.235 | 0.451 |
| ROA | 630 | 0.081 | 0.147 | −0.001 | 0.054 | 0.16 |
| MTB | 630 | 5.041 | 11.635 | 0.858 | 2.508 | 9.311 |
| Panel B: Year-wise cybersecurity disclosure (CSD) | ||||
|---|---|---|---|---|
| Year | Frequency of words (DISVOL) | | DISVOL | |
| | Mean | SD | Mean | SD |
| 2015 | 16.944 | 20.584 | 2.346 | 1.172 |
| 2016 | 23.878 | 28.897 | 2.717 | 1.084 |
| 2017 | 28.278 | 27.142 | 2.992 | 0.947 |
| 2018 | 30.378 | 26.275 | 3.129 | 0.874 |
| 2019 | 31.633 | 24.834 | 3.255 | 0.683 |
| 2020 | 36.522 | 25.731 | 3.41 | 0.680 |
| 2021 | 42.622 | 32.984 | 3.533 | 0.731 |
| Total | 30.036 | 27.827 | 3.054 | 0.974 |
The average committee presence in overseeing cybersecurity policies is 80.3%, indicating an increased awareness of cybersecurity among the board members. Most companies have a dedicated committee for managing cyber risk and implementing strategies to minimize future cyber breach events. Moreover, most companies appoint audit committees to supervise their cybersecurity activities, which demand the independence of the audit committee members. On average, the percentage of independent members in the audit committee is 96.8%. The percentage of companies with an explicit cybersecurity policy (CYBERPOLICY) is around 33%, indicating that fewer companies have a cybersecurity policy over time. Over time, companies have developed their own cybersecurity mitigation strategies, enabling them to take preventive measures to limit cyber exposure and enhance their capabilities for detecting, responding to, and recovering from cyberattacks. The average size of the sample firms is 16.515, with a standard deviation of 1.888, indicating that most firms are larger with slight variation among them. The average LEV, ROA, and MTB are 0.244, 0.081, and 5.041, respectively, over the sample period.
Table 2 Panel B demonstrates year-wise descriptive statistics of the frequency of words in the annual reports of the sample companies. On average, the word count is 42.62 in 2021, the highest in all years, with greater dispersion among companies (standard deviation 32.98). The lowest word count is in 2015, with an average of 16.94, but the dispersion in word count among companies is less than in other years (standard deviation 20.58). Therefore, it can be said that companies with higher cyber exposure risk have provided more related information over the years, whereas other firms have not. Overall, the frequency of disclosing cybersecurity information increased steadily, as companies experienced a more significant exposure to cyber risk due to the acceleration of digital transformation.
5.2 Pairwise correlations
Table 3 illustrates Pearson’s correlation coefficients for the variables used in the regression models. The results indicate that CSD, measured by DISVOL, is positively correlated with GENDIV, BDSIZE, INDPDIR, COMPRN, and CYBERPOLICY, providing initial support for the hypotheses indicating that board size, gender diversity, independence, any board committee responsible for cybersecurity, and the presence of cybersecurity policy are positively correlated with CSD. However, the correlation between DISVOL and AUDCOMIND is statistically insignificant at the 5% level, indicating that audit committee independence is not significantly correlated with CSD. Control variables CRISKIND and SIZE are correlated with most of the dependent and independent variables, while LEV, ROA, and MTB are not statistically correlated with most of the variables. None of the reported correlations between independent variables exceeds the threshold value recommended by Gujarati and Porter (2009), suggesting that multicollinearity is not a problem in the model.
Table 3. Correlation matrix
| Variables | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8) | (9) | (10) | (11) | (12) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (1) DISVOL | 1.000 | |||||||||||
| (2) GENDIV | 0.213* | 1.000 | ||||||||||
| (3) BDSIZE | 0.325* | 0.025 | 1.000 | |||||||||
| (4) INDPDIR | 0.132* | 0.295* | 0.108* | 1.000 | ||||||||
| (5) COMPRN | 0.363* | 0.228* | 0.145* | 0.150* | 1.000 | |||||||
| (6) AUDCOMIND | 0.015 | 0.112* | −0.059 | 0.144* | 0.067 | 1.000 | ||||||
| (7) CYBERPOLICY | 0.310* | 0.411* | 0.087 | 0.155* | 0.185* | −0.014 | 1.000 | |||||
| (8) CRISKIND | 0.201* | 0.039 | 0.160* | 0.136* | 0.139* | 0.021 | 0.002 | 1.000 | ||||
| (9) SIZE | 0.295* | 0.019 | 0.535* | 0.256* | 0.104* | −0.032 | 0.093 | 0.403* | 1.000 | |||
| (10) LEV | −0.031 | 0.090 | −0.051 | −0.014 | −0.117* | −0.006 | 0.107* | −0.513* | −0.143* | 1.000 | ||
| (11) ROA | −0.149* | 0.170* | −0.301* | −0.052 | 0.011 | 0.058 | −0.090 | −0.079 | −0.456* | −0.082 | 1.000 | |
| (12) MTB | −0.031 | 0.167* | −0.157* | −0.105* | 0.022 | 0.109* | −0.025 | −0.090 | −0.334* | 0.049 | 0.727* | 1.000 |
Note(s): This table presents Pearson’s correlation coefficients between the variables used in the baseline regression analyses. Superscript * corresponds to statistical significance at the 5% level
5.3 Board attributes and CSD – baseline results
Table 4 presents the results of the multivariate regression analysis used to test the hypotheses regarding the relationship between board characteristics and the extent of CSD in the annual reports. Column (1) reports the results of CSD without controlling for control variables, industry, and year-fixed effects. Results show that BDSIZE, COMPRN, and CYBERPOLICY have positive and statistically significant effects on DISVOL (p-values <0.05). In contrast, the coefficients of GENDIV, INDPDIR, and AUDCOMIND are not statistically significant in relation to DISVOL. Column (4) presents the full model, which includes both year and industry fixed effects, and reports the results. The coefficient of DISVOL on GENDIV (0.254, p-value >0.05) is positive but insignificant, suggesting that gender diversity in boardrooms is not significantly associated with CSD. This insignificant relationship is consistent with Alodat et al. (2024) but inconsistent with Radu and Smaili (2022). In column (4), the BDSIZE coefficient (0.096) is positive and significant at the 1% level. This finding suggests that having a larger number of board members leads to greater disclosure of cybersecurity-related policies and measures. This finding is consistent with that of Alodat et al. (2024), but it contrasts with the findings of Smaili et al. (2023) and Mazumder and Hossain (2023). However, there is literature stating that effective oversight of management by large and experienced boards can ensure that stakeholders receive reliable and consistent information related to risk and performance (Bozec and Bozec, 2012). Therefore, based on the RBV, this finding suggests that a large board size can ensure complete compliance with the accountability paradigm and tends to enhance the variety of members' areas of competence, such as information technology and cyber knowledge. 
The coefficient of INDPDIR is not statistically significant (p-value >0.10) for sample companies, indicating that independent directors do not have a significant impact on the extent of cybersecurity information. This finding is inconsistent with those of Mazumder and Hossain (2023) and Smaili et al. (2023). Nevertheless, some studies found no significant relationship between risk disclosure and the presence of independent directors (Allini et al., 2016; Elzahar and Hussainey, 2012).
Table 4. Impact of board attributes on CSD
| Dep. Var. = DISVOL | ||||
|---|---|---|---|---|
| | (1) | (2) | (3) | (4) |
| GENDIV | 0.552 | 0.151 | 0.625 | 0.254 |
| | (0.933) | (0.280) | (1.089) | (0.484) |
| BDSIZE | 0.122*** | 0.127*** | 0.085*** | 0.096*** |
| | (4.026) | (4.199) | (2.934) | (3.318) |
| INDPDIR | 0.107 | −0.630 | −0.084 | −0.764 |
| | (0.192) | (−1.166) | (−0.144) | (−1.396) |
| COMPRN | 0.664*** | 0.595*** | 0.648*** | 0.622*** |
| | (3.202) | (3.432) | (3.095) | (3.661) |
| AUDCOMIND | 0.101 | 0.179 | 0.017 | 0.177 |
| | (0.138) | (0.226) | (0.025) | (0.223) |
| CYBERPOLICY | 0.442*** | 0.115 | 0.417*** | 0.084 |
| | (5.500) | (0.909) | (5.070) | (0.701) |
| CRISKIND | | | 0.280 | 0.581*** |
| | | | (1.344) | (2.735) |
| SIZE | | | 0.049 | 0.055 |
| | | | (1.158) | (1.201) |
| LEV | | | 0.246 | 0.286 |
| | | | (0.708) | (0.849) |
| ROA | | | −0.737 | −0.595 |
| | | | (−1.441) | (−1.232) |
| MTB | | | 0.009* | 0.008* |
| | | | (1.837) | (1.759) |
| Intercept | 0.766 | 1.417* | 0.444 | 0.695 |
| | (1.019) | (1.782) | (0.485) | (0.670) |
| Year FE | No | Yes | No | Yes |
| Industry FE | No | Yes | No | Yes |
| Cluster by | Firm | Firm | Firm | Firm |
| Observations | 630 | 630 | 630 | 630 |
| Adjusted R2 | 0.257 | 0.371 | 0.281 | 0.389 |
Note(s): The table presents the results of the board attributes affecting CSD. Column 1 presents the results without controlling for firm-level financial attributes (control variables), year, and industry fixed effects (FE), whereas Column 2 reports results that include year and industry FE. Column 3 presents the results, including both independent and control variables, but excluding year and industry FE. Column 4 presents the complete baseline model, encompassing all independent and control variables, year, and industry FE. The definitions of variables are given in the Appendix. Robust two-tailed t-statistics clustered by the firm are presented in parentheses. Superscripts ***, **, and * denote significance at the 1%, 5%, and 10% levels, respectively
Moreover, COMPRN has a positive and significant effect on DISVOL at the 5% level. The boards having separate committees for cybersecurity make the boards responsible for disclosing more relevant information related to their data security, which is consistent with the finding of Héroux and Fortin (2024). Here, the RBV suggests that companies with a separate cybersecurity oversight committee possess greater internal strength and higher organizational resilience in tackling cybersecurity threats. The existence of a separate IT committee may help mitigate a firm’s financial and non-financial risks with scarce resources, thereby moderating the plausible conflicting expectations of institutional forces to which the firm is exposed. However, AUDCOMIND has an insignificant impact (p-value > 0.05) on DISVOL, indicating that having independent members on the audit committee does not significantly affect the disclosure of more information, even if they have a responsible committee for managing cyber information. Moreover, the result also finds no association between CYBERPOLICY and DISVOL in column (4). However, the CYBERPOLICY coefficient is positive and significant for DISVOL at the 5% level without industry and year-fixed effects. This also signifies the formulation of firm-level cybersecurity policy and ensures transparency through cybersecurity governance.
Regarding the control variables, the results indicate that sectors with higher exposure to cyber risk tend to prioritize addressing cyber risk as their primary concern and provide more detailed information to mitigate potential cyberattacks. We have employed CRISKIND as a control variable, which indicates firms belonging to cyber-sensitive businesses. As reported in the regression tables, we find that CRISKIND has a positive and significant impact on DISVOL, indicating that firms with high cyber risk provide more CSD to establish a clear stance among stakeholders. However, firms with higher leverage appear to have no relationship with the frequency of cybersecurity information, as the results show no statistically significant difference. Moreover, LEV and ROA have no significant effect on CSD. The result shows a positive and significant relationship between MTB and cyber-related information in the year-end reports.
5.4 Board gender diversity and CSD: role of critical mass
Board gender diversity (GENDIV) has no significant impact on DISVOL, which raises questions about the effectiveness of female representation in the UK boardroom. We extend our analysis by grounding the critical mass theory of gender diversity to explore whether their presence effectively enhances CSDs while their participation reaches a critical number (i.e. three). Table 5 reports the regression results differentiating the level of women's representation based on the total number of women directors. Columns (1) and (2) indicate no significant relationship between the presence of one or two women on the board and the extent of CSD in the annual reports of UK companies. However, the result reported in column (3) changes when the number of women increases to three or more, which shows a significant positive relationship between a critical mass of three women and the level of CSD. This implies that the presence of at least three women is necessary to significantly influence CSD, which also supports previous literature (e.g. Radu and Smaili, 2022).
Table 5. The critical mass of female directors on CSD
| Dep. Var. = DISVOL | |||
|---|---|---|---|
| | (1) | (2) | (3) |
| 1WOMAN | −0.106 | | |
| | (−0.480) | | |
| 2WOMEN | | −0.165 | |
| | | (−1.323) | |
| ≥3WOMEN | | | 0.257** |
| | | | (2.015) |
| BDSIZE | 0.094*** | 0.084*** | 0.069** |
| | (3.231) | (2.829) | (2.337) |
| INDPDIR | −0.747 | −0.776 | −0.870 |
| | (−1.389) | (−1.466) | (−1.635) |
| COMPRN | 0.625*** | 0.620*** | 0.617*** |
| | (3.678) | (3.681) | (3.710) |
| AUDCOMIND | 0.215 | 0.162 | 0.173 |
| | (0.270) | (0.206) | (0.221) |
| CYBERPOLICY | 0.089 | 0.065 | 0.064 |
| | (0.733) | (0.553) | (0.542) |
| Intercept | Yes | Yes | Yes |
| Control variables | Yes | Yes | Yes |
| Year FE | Yes | Yes | Yes |
| Industry FE | Yes | Yes | Yes |
| Cluster by | Firm | Firm | Firm |
| Observations | 630 | 630 | 630 |
| Adjusted R2 | 0.389 | 0.393 | 0.397 |
Note(s): The table presents the results examining the critical mass effect of women's representation on boards. The definitions of variables are given in the Appendix. Column 1 shows the impact of the board with only one woman on CSD, whereas Column 2 reports the impact of the board with two women. Column 3 presents the result of boards with three or more women. Robust two-tailed t-statistics clustered by firm are shown in parentheses. Superscripts ***, **, and * denote significance at the 1%, 5%, and 10% levels, respectively
5.5 Heckman’s (1979) two-stage analysis
We cannot ignore the potential endogeneity issues that arise from an empirical investigation of the relationship between board gender diversity and CSD. First, we employ the Heckman (1979) two-stage selection model to address potential endogeneity from self-selection bias and reverse causality. In the first stage, we employ a probit model that predicts factors driving higher gender diversity on the board (GENDIV_HIGH). To be specific, we develop the following model:
where GENDIV_HIGH is a dummy variable coded as one if a firm’s proportion of gender diversity is higher than the median value of GENDIV. Following the methodologies of prior literature (e.g. Daradkeh et al., 2023), we include two variables: LAG_GENDIV and GENDIV_IND in Eq. (2), along with all baseline control variables. LAG_GENDIV is the one-year lag of GENDIV, and GENDIV_IND is the yearly industry average board gender diversity based on the Fama-French 12 industry classification. We predict the inverse Mills ratio (IMR) using the probit model in Equation (2), which is incorporated into the second-stage models.
Table 6 presents the results of Heckman’s (1979) two-stage analysis. Column (1) reports the first-stage regression results. The coefficients on LAG_GENDIV and GENDIV_IND are both positive and statistically significant at the 1% level. This finding suggests that board gender diversity is substantially influenced by the previous year’s gender diversity and by gender diversity among industry peer firms. The second-stage regression results using varying women's representation measures are reported in columns (2)–(5). The coefficient on GENDIV in column 2 is not statistically significant, whereas the coefficient on ≥3WOMEN in column 5 is statistically significant at the 1% level. Surprisingly, the negative coefficient in column 4 indicates that boards with two women directors disclose less cybersecurity-related information. However, prior studies on cybersecurity disclosure observe similar results (Radu and Smaili, 2022). These results are qualitatively consistent with those in Tables 4 and 5, indicating that our baseline findings are not driven by self-selection bias. Moreover, the statistically insignificant coefficients on IMR in columns (2)–(5) suggest that sample selection bias is not a significant concern in our models.
Results from the Heckman two-stage procedure
| Dep. Var. = | GENDIV_HIGH | DISVOL | DISVOL | DISVOL | DISVOL |
|---|---|---|---|---|---|
| | (1) | (2) | (3) | (4) | (5) |
| LAG_GENDIV | 10.490*** | | | | |
| | (7.919) | | | | |
| GENDIV_IND | 17.449*** | | | | |
| | (4.043) | | | | |
| GENDIV | | 0.272 | | | |
| | | (0.561) | | | |
| 1WOMAN | | | −0.093 | | |
| | | | (−0.454) | | |
| 2WOMEN | | | | −0.255* | |
| | | | | (−1.913) | |
| ≥3WOMEN | | | | | 0.365*** |
| | | | | | (2.974) |
| BDSIZE | 0.046 | 0.100*** | 0.098*** | 0.081*** | 0.065** |
| | (0.821) | (3.519) | (3.471) | (2.743) | (2.311) |
| INDPDIR | 0.892 | −0.861 | −0.868 | −0.877 | −0.889* |
| | (1.224) | (−1.595) | (−1.598) | (−1.655) | (−1.673) |
| COMPRN | 0.248 | 0.551*** | 0.550*** | 0.551*** | 0.548*** |
| | (1.408) | (3.036) | (3.026) | (3.089) | (3.121) |
| AUDCOMIND | −0.320 | 0.198 | 0.224 | 0.158 | 0.217 |
| | (−0.281) | (0.231) | (0.262) | (0.190) | (0.262) |
| CYBERPOLICY | −0.003 | 0.093 | 0.097 | 0.065 | 0.063 |
| | (−0.011) | (0.756) | (0.785) | (0.542) | (0.517) |
| IMR | | 0.006 | 0.017 | −0.010 | −0.041 |
| | | (0.124) | (0.359) | (−0.199) | (−0.920) |
| Intercept | Yes | Yes | Yes | Yes | Yes |
| Control variables | Yes | Yes | Yes | Yes | Yes |
| Year FE | Yes | Yes | Yes | Yes | Yes |
| Industry FE | Yes | Yes | Yes | Yes | Yes |
| Cluster by | Firm | Firm | Firm | Firm | Firm |
| Observations | 540 | 540 | 540 | 540 | 540 |
| Pseudo R² | 0.436 | | | | |
| Adjusted R² | | 0.345 | 0.345 | 0.354 | 0.361 |
Note(s): The table presents the results from Heckman's (1979) two-stage procedure. Column 1 presents the first-stage probit regression results used to predict the Inverse Mills Ratio (IMR), where the dependent variable is GENDIV_HIGH and the independent variables are identical to those in the baseline model. Columns 2–5 report the second-stage regression results, including IMR predicted in the first stage. The definitions of variables are given in the Appendix. Robust two-tailed t-statistics clustered by firm are presented in parentheses. Superscripts ***, **, and * denote significance at the 1%, 5%, and 10% levels, respectively
5.6 Entropy balancing analysis
Although we mitigate the endogeneity concern arising from self-selection bias using Heckman’s (1979) two-stage model, observable heterogeneity may also lead to endogeneity. To address this, we employ the entropy balancing matching technique. We construct two groups, treatment and control, based on the median value of GENDIV. Firms with GENDIV values above the median constitute the treatment group, while those below the median form the control group. Following Hainmueller (2012), we match all firm-level covariates across the treatment and control groups.
Panel A of Table 7 presents the descriptive statistics of the covariates before and after entropy balancing, highlighting the differences in mean values of the covariates between the treatment and control groups. The statistics indicate that the differences in covariates between the two groups are reduced after performing entropy balancing. We then conduct regression analyses based on the entropy-balanced sample. Panel B of Table 7 presents the results. The coefficient on GENDIV in column (1) (0.300; t-stat. = 0.587) indicates an insignificant association between board gender diversity and CSD. Additionally, the coefficients on 1WOMAN (0.106; t-stat. = 0.464) and 2WOMEN (−0.356; t-stat. = −2.753) suggest that firms with one or two female directors do not disclose cybersecurity-related information substantially. However, in column (4), the coefficient on ≥3WOMEN is 0.343 (t-stat. = 2.479), indicating that boards with three or more female directors are more likely to increase their CSD. These results are qualitatively consistent with the baseline results, reinforcing our main findings.
Entropy balancing analysis
| Panel A: Sample descriptive statistics before and after entropy balancing | | | | | | | | |
|---|---|---|---|---|---|---|---|---|
| | Before Entropy Balancing | | | | After Entropy Balancing | | | |
| | Treatment | | Control | | Treatment | | Control | |
| | Mean | Variance | Mean | Variance | Mean | Variance | Mean | Variance |
| BDSIZE | 10.51 | 4.251 | 10.37 | 4.734 | 10.51 | 4.251 | 10.35 | 4.206 |
| INDPDIR | 0.703 | 0.014 | 0.643 | 0.014 | 0.703 | 0.014 | 0.661 | 0.016 |
| COMPRN | 0.881 | 0.105 | 0.732 | 0.197 | 0.881 | 0.105 | 0.784 | 0.17 |
| AUDCOMIND | 0.972 | 0.005 | 0.964 | 0.006 | 0.972 | 0.005 | 0.957 | 0.007 |
| CYBERPOLICY | 0.52 | 0.25 | 0.152 | 0.13 | 0.52 | 0.25 | 0.321 | 0.219 |
| CRISKIND | 0.242 | 0.184 | 0.183 | 0.15 | 0.242 | 0.184 | 0.192 | 0.156 |
| SIZE | 16.57 | 3.834 | 16.47 | 3.32 | 16.57 | 3.834 | 16.4 | 3.408 |
| LEV | 0.258 | 0.031 | 0.231 | 0.022 | 0.258 | 0.031 | 0.256 | 0.029 |
| ROA | 0.107 | 0.039 | 0.057 | 0.005 | 0.107 | 0.039 | 0.083 | 0.023 |
| MTB | 6.608 | 258 | 3.598 | 18.55 | 6.608 | 258 | 5.177 | 144 |
| Panel B: Regressions using entropy-balanced sample | | | | |
|---|---|---|---|---|
| Dep. Var. = DISVOL | | | | |
| | (1) | (2) | (3) | (4) |
| GENDIV | 0.300 | | | |
| | (0.587) | | | |
| 1WOMAN | | 0.106 | | |
| | | (0.464) | | |
| 2WOMEN | | | −0.356*** | |
| | | | (−2.753) | |
| ≥3WOMEN | | | | 0.343** |
| | | | | (2.479) |
| BDSIZE | 0.075** | 0.079*** | 0.047* | 0.039 |
| | (2.525) | (2.667) | (1.683) | (1.399) |
| INDPDIR | −1.932*** | −1.850*** | −1.768*** | −1.930*** |
| | (−3.462) | (−3.381) | (−3.423) | (−3.596) |
| COMPRN | 0.381** | 0.388** | 0.397** | 0.376** |
| | (2.394) | (2.430) | (2.532) | (2.404) |
| AUDCOMIND | 0.049 | 0.114 | 0.267 | 0.106 |
| | (0.063) | (0.143) | (0.352) | (0.137) |
| CYBERPOLICY | −0.050 | −0.057 | −0.054 | −0.057 |
| | (−0.329) | (−0.363) | (−0.344) | (−0.360) |
| Intercept | Yes | Yes | Yes | Yes |
| Control variables | Yes | Yes | Yes | Yes |
| Year FE | Yes | Yes | Yes | Yes |
| Industry FE | Yes | Yes | Yes | Yes |
| Cluster by | Firm | Firm | Firm | Firm |
| Observations | 630 | 630 | 630 | 630 |
| Adjusted R² | 0.367 | 0.367 | 0.379 | 0.381 |
Note(s): The table presents the results of the entropy balancing analysis. Panel A reports the descriptive statistics of covariate balance before and after entropy balancing. Panel B presents the results of the entropy-balanced sample. The definitions of variables are given in the Appendix. Robust two-tailed t-statistics clustered by firm are shown in parentheses. Superscripts ***, **, and * denote significance at the 1%, 5%, and 10% levels, respectively
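
Entropy balancing as described in Section 5.6, reduced to its core as an added example (not the authors' code or data): control firms are reweighted so that their weighted covariate means equal the treatment-group means. The two covariates used, the firm rows and every function name are constructed for illustration, and only first moments are balanced here.

```python
import math

# Constructed sample, not the paper's data. Each row is (BDSIZE, CYBERPOLICY).
TREATED = [(10, 1), (11, 0), (12, 1), (9, 0)]
CONTROL = [(10, 1), (12, 1), (8, 0), (9, 0), (9, 0),
           (10, 0), (10, 0), (11, 0), (11, 0), (12, 0)]


def column_means(rows, weights=None):
    """Column means of rows; weights must sum to one (uniform if omitted)."""
    if weights is None:
        weights = [1.0 / len(rows)] * len(rows)
    return [sum(w * row[j] for w, row in zip(weights, rows))
            for j in range(len(rows[0]))]


def solve(matrix, rhs):
    """Solve matrix * x = rhs by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    aug = [list(row) + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= factor * aug[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(aug[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (aug[r][n] - tail) / aug[r][r]
    return x


def entropy_balance(controls, target_means, tol=1e-10, max_iter=100):
    """Weights on control rows whose weighted means equal target_means.

    Minimises the dual objective log(sum_i exp(lam . (x_i - target))) by
    damped Newton steps; the weights are the softmax of lam . (x_i - target),
    i.e. the smallest departure from uniform weights that meets the targets.
    """
    k = len(target_means)
    dev = [[row[j] - target_means[j] for j in range(k)] for row in controls]

    def evaluate(lam):
        scores = [sum(l * d for l, d in zip(lam, row)) for row in dev]
        top = max(scores)                      # stabilise the exponentials
        raw = [math.exp(s - top) for s in scores]
        total = sum(raw)
        return top + math.log(total), [r / total for r in raw]

    lam = [0.0] * k
    loss, weights = evaluate(lam)
    for _ in range(max_iter):
        # Gradient = weighted mean of the deviations; zero means balanced.
        grad = [sum(w * row[j] for w, row in zip(weights, dev))
                for j in range(k)]
        if max(abs(g) for g in grad) < tol:
            break
        # Hessian = weighted covariance of the deviations.
        hess = [[sum(w * row[a] * row[b] for w, row in zip(weights, dev))
                 - grad[a] * grad[b] for b in range(k)] for a in range(k)]
        step = solve(hess, grad)
        scale = 1.0
        while True:                            # halve the step until no worse
            trial = [l - scale * s for l, s in zip(lam, step)]
            trial_loss, trial_weights = evaluate(trial)
            if trial_loss <= loss + 1e-12 or scale < 1e-8:
                break
            scale /= 2
        lam, loss, weights = trial, trial_loss, trial_weights
    return weights


def balance_report():
    """Control means before and after reweighting towards the treated means."""
    target = column_means(TREATED)
    weights = entropy_balance(CONTROL, target)
    return {"target": target,
            "before": column_means(CONTROL),
            "after": column_means(CONTROL, weights),
            "weights": weights}


if __name__ == "__main__":
    report = balance_report()
    for key in ("target", "before", "after"):
        print(key, [round(v, 3) for v in report[key]])
    print("weights", [round(w, 3) for w in report["weights"]])
```

The reweighting only has a solution when the treated means lie inside the range spanned by the control rows; otherwise the multipliers diverge and no set of positive weights can reach balance.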
5.7 Robustness analysis
We further test the robustness and sensitivity of the results by employing alternative measures of key variables. The dependent variable (DISVOL) is uniquely measured by utilizing sophisticated software, and the extent of CSD is assessed by capturing the frequency of cybersecurity-related words. In sensitivity analysis, we construct a categorical variable (DECILE_DISVOL) based on deciles of DISVOL and rerun the baseline model with Poisson regression [1]. Table 8 Panel A reports the results where CSD is alternatively measured and shows qualitatively similar findings to the baseline. We find a significant positive impact of board size on DECILE_DISVOL. Additionally, we demonstrate the role of critical mass when the dependent variable is DECILE_DISVOL. Overall, the results resemble the baseline findings reported in Tables 4 and 5.
Robustness tests
| Panel A: Alternative measure of CSD | | | | |
|---|---|---|---|---|
| Dep. Var. = DECILE_DISVOL | | | | |
| | (1) | (2) | (3) | (4) |
| GENDIV | −0.074 | | | |
| | (−0.237) | | | |
| 1WOMAN | | −0.015 | | |
| | | (−0.121) | | |
| 2WOMEN | | | −0.148** | |
| | | | (−2.118) | |
| ≥3WOMEN | | | | 0.167** |
| | | | | (2.084) |
| BDSIZE | 0.053*** | 0.052*** | 0.042*** | 0.037** |
| | (3.303) | (3.218) | (2.682) | (2.232) |
| INDPDIR | −0.336 | −0.350 | −0.400 | −0.436 |
| | (−0.993) | (−1.057) | (−1.206) | (−1.306) |
| COMPRN | 0.295*** | 0.295*** | 0.293*** | 0.291*** |
| | (2.743) | (2.750) | (2.802) | (2.798) |
| AUDCOMIND | 0.238 | 0.235 | 0.232 | 0.247 |
| | (0.502) | (0.491) | (0.494) | (0.525) |
| CYBERPOLICY | 0.042 | 0.043 | 0.028 | 0.031 |
| | (0.538) | (0.545) | (0.366) | (0.394) |
| Intercept | Yes | Yes | Yes | Yes |
| Control variables | Yes | Yes | Yes | Yes |
| Year FE | Yes | Yes | Yes | Yes |
| Industry FE | Yes | Yes | Yes | Yes |
| Cluster by | Firm | Firm | Firm | Firm |
| Observations | 630 | 630 | 630 | 630 |
| Pseudo R² | 0.126 | 0.126 | 0.128 | 0.129 |
| Model | Poisson | Poisson | Poisson | Poisson |
| Panel B: Alternative measures of board gender diversity | | |
|---|---|---|
| Dep. Var. = DISVOL | | |
| | (1) | (2) |
| BLAUIDX | 0.427 | |
| | (0.574) | |
| SHANIDX | | 0.165 |
| | | (0.257) |
| Intercept | Yes | Yes |
| Other variables and controls | Yes | Yes |
| Year FE | Yes | Yes |
| Industry FE | Yes | Yes |
| Cluster by | Firm | Firm |
| Observations | 630 | 627 |
| Adjusted R² | 0.390 | 0.377 |
Note(s): The table presents the results of robustness tests. Panel A presents the results of Poisson regressions, where the dependent variable is categorized by deciles of DISVOL. Panel B shows the results of OLS regressions, where board gender diversity (GENDIV) is alternatively measured using the Blau Index (BLAUIDX) and Shannon Index (SHANIDX), respectively. The definitions of variables are given in the Appendix. Robust two-tailed t-statistics clustered by firm are presented in parentheses. Superscripts ***, **, and * denote significance at the 1%, 5%, and 10% levels, respectively
Table 8, Panel B, reports the results for alternative measures of board gender diversity. Following the gender diversity literature, we employ the Blau index and the Shannon index to assess the robustness of our results (see Appendix for definitions). Column (3) reports the results where the presence of women is captured using the Blau index (BLAUIDX), whereas column (4) shows regression results where gender diversity is captured using the Shannon index (SHANIDX). Overall, the results reported in Table 8 confirm our main findings, as demonstrated through a battery of robustness tests.
6. Discussion and implications
6.1 Discussion
Drawing on the RBV and critical mass theory, this study explores how board attributes – key internal resources – affect CSD in a setting where disclosure is not mandated. It also investigates the threshold at which female directors’ voices become influential in shaping CSD and related policymaking.
Our empirical analysis yields three main findings. First, board size is positively and significantly associated with CSD, suggesting that larger boards benefit from greater diversity, which enhances cybersecurity risk disclosure, consistent with Alodat et al. (2024). Second, the existence of a cybersecurity committee is positively and significantly related to CSD, implying that an oversight body enables firms to manage cybersecurity risk more effectively and improve disclosure practices, in line with Héroux and Fortin (2024). Finally, we find a positive but statistically insignificant association between board gender diversity and CSD, indicating that female directors, on average, do not have a significant impact on CSD in the UK context. This result contrasts with the growing emphasis on the role of women in corporate governance and calls into question their influence on cybersecurity oversight.
Although the Department for Business Energy and Industrial Strategy (2022) reports strong female representation on FTSE 100 boards, our further analysis reveals that only when three or more women serve on the board does gender diversity positively affect CSD. This critical mass appears to strengthen female directors’ voices and promote more balanced and effective board oversight.
6.2 Theoretical implications
This study offers two main theoretical contributions. Firstly, by employing the RBV, it highlights how firms’ internal resources—specifically board attributes—shape CSD practices in a voluntary disclosure environment. Prior studies have largely relied on agency and institutional theories to explain CSD in regulated settings. In contrast, this study extends the RBV by demonstrating that internal governance resources can enable firms to independently develop effective disclosure strategies and manage cybersecurity risks, even in the absence of regulatory mandates.
Secondly, drawing on the critical mass theory, the study identifies the threshold at which female directors exert meaningful influence on CSD. The results indicate that mere female representation has little impact, suggesting symbolic compliance with diversity norms (Yarram and Adapa, 2021). However, when at least three women serve on the board, their collective presence generates substantive influence on CSD, marking a shift from tokenism to genuine participation. This finding reinforces the tenet of critical mass theory that sufficient representation enhances the collective efficacy of female directors, thereby strengthening board governance and strategic responsiveness.
6.3 Managerial implications
The study has several practical implications for firms and managers in the UK and globally, where CSD remains voluntary. The following implications outline key strategic priorities for management practitioners.
- Appoint directors with strong backgrounds in cybersecurity and digital transformation to identify and address organizational vulnerabilities more effectively.
- Include directors with varied professional backgrounds, even those without technical expertise, as larger and more diverse boards can provide broader oversight and stronger governance during periods of uncertainty.
- Appoint female directors with both leadership and cybersecurity expertise to enhance oversight of cybersecurity risks and move beyond tokenism.
- Implement firm-wide cyber literacy and training programs to build organizational capacity and raise awareness to combat cybersecurity threats.
- Strengthen internal resources and governance mechanisms to enhance the overall resilience of the firm and mitigate any vulnerability.
7. Conclusion
Cybersecurity risks are spreading globally, necessitating proactive measures from management to address threats at the firm level. Growing stakeholder pressure has heightened the demand for CSD, despite regulatory mandates differing across countries. While prior studies provide some evidence on board characteristics and CSD, to our knowledge, no study has examined the role of board characteristics and critical mass in CSD within a voluntary reporting regime, such as in the UK.
This study investigates the influence of board characteristics on CSD among FTSE 100 companies in the UK. Drawing on the RBV, we find that board size is positively and significantly associated with the extent of cyber-related disclosures. This suggests that larger, more diverse boards offer a broader range of expertise, including IT expertise, which encourages more transparent reporting of cybersecurity information in annual reports, contrary to some prior findings. Moreover, we find that firms with a dedicated cybersecurity committee are more proactive in overseeing cybersecurity risks and disclosing relevant information. However, our findings suggest that board gender diversity alone does not have a significant impact on CSD. Further analysis incorporating critical mass theory reveals that boards with at least three female directors are more likely to have a positive influence on CSD, offering new insights in the UK context. To ensure the robustness of our results, we conducted several additional analyses, all of which support our baseline findings.
This study identifies the crucial roles of board size, the presence of a dedicated cybersecurity committee, and achieving a critical mass of female directors in enhancing CSD among FTSE 100 firms. We recommend appointing board members with strong knowledge of cybersecurity and artificial intelligence to strengthen firms’ preparedness against cyber threats. Additionally, our findings suggest the presence of symbolic effort in board gender diversity, as appointing a small number of women does not significantly enhance disclosure practices. Policymakers should, therefore, encourage the inclusion of more women on boards who can make substantial contributions to strategic decision-making. However, this study is limited to board attributes and CSD in the context of FTSE 100 companies. Moreover, the study primarily relies on the committee responsible for cybersecurity, rather than the composition (in terms of knowledge and expertise) of the committee's board members. In the UK, most FTSE 100 companies rely on either an audit or a risk committee to oversee cyber threats and ensure that proper risk assessments and precautionary measures are in place. Therefore, it is imperative to ensure sufficient board-level expertise in producing well-informed cyber-related disclosures. Future research could be extended by increasing the sample size and including additional firm-level characteristics, such as board-level IT expertise, investment in information technology, and exposure to cyberattacks, to provide a more comprehensive understanding of corporate cybersecurity governance. In addition, longitudinal analysis can provide valuable insights into how cross-border regulatory differences in CSD affect management decisions and inform stakeholders accordingly. As businesses become more exposed to digital transformation, research on this topic may strengthen the interrelationship between management flexibility, organizational readiness, and regulatory intervention.
The authors appreciate the insightful feedback and constructive comments from the editor-in-chief and anonymous reviewers on earlier drafts of this paper.
Appendix
Operational definition of variables
| Variable | Definition |
|---|---|
| Dependent variable | |
| DISVOL | The natural log of one plus the total number of words related to cybersecurity (cyber, cybersecurity, security, cyber-attack, data security, data breach, information technology, and IT) that appear in a company’s annual report. Source: Authors’ construction using NVivo software |
| Independent variables | |
| BDSIZE | Total number of directors on the board. Source: DataStream |
| GENDIV | Percentage of women directors on the board. Source: DataStream |
| INDPDIR | Percentage of independent directors on the board. Source: DataStream |
| COMPRN | A dummy variable that takes the value one if there is any committee of the board responsible for cybersecurity or related issues disclosed in the annual reports, and zero otherwise. Source: Authors’ construction |
| AUDCOMIND | Percentage of independent directors on the audit committee. Source: DataStream |
| CYBERPOLICY | A dummy variable that takes the value of one if the company has a policy on cybersecurity in place to protect from cyber-attack, unauthorized access, and data leaks, etc. and zero otherwise. Source: DataStream |
| 1WOMAN | A dummy variable that takes the value of one if only one woman is on the board, and zero otherwise. Source: DataStream |
| 2WOMEN | A dummy variable that takes the value of one if there are two women on the board, and zero otherwise. Source: DataStream |
| ≥3WOMEN | A dummy variable that takes the value of one if there are at least three women on the board, and zero otherwise. Source: DataStream |
| Control variables | |
| CRISKIND | A dummy variable that takes the value of one if a firm operates in a cyber-sensitive industry, such as banking, insurance, IT, or online retail, and zero otherwise. Source: DataStream |
| SIZE | Natural log value of one plus total assets. Source: Worldscope |
| LEV | Ratio of total debt to total assets. Source: Worldscope |
| ROA | Net profit before extraordinary items divided by lagged total assets. Source: Worldscope |
| MTB | Ratio of the market value of equity to the book value of equity. Source: Worldscope |
| Variables used in robustness tests | |
| LAG_GENDIV | One year lag of board gender diversity (GENDIV) |
| GENDIV_IND | Average gender diversity within the industry, based on the Fama-French 12-industry classification |
| DECILE_DISVOL | A categorical variable created by deciles of DISVOL |
| BLAUIDX | Blau index of gender diversity, calculated as $1 - \sum_i p_i^2$, where $p_i$ is the proportion of males and females on the board |
| SHANIDX | Shannon index of gender diversity, calculated as $-\sum_i p_i \ln p_i$, where $p_i$ is the proportion of individuals in each gender category on the board |
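
The variable definitions above, written out as an added example (not the authors' NVivo procedure or data): DISVOL from a term count, DECILE_DISVOL bins, the critical-mass dummies, and the Blau and Shannon indices. The matching rules (whole words, longest term first, case-sensitive "IT"), the tie rule for deciles, the sample text and all function names are assumptions of this example.

```python
import math
import re

# Term list from the Appendix definition of DISVOL ("IT" is handled apart).
TERMS = ["cyber", "cybersecurity", "security", "cyber-attack",
         "data security", "data breach", "information technology"]


def build_pattern(terms):
    """Whole-word, longest-first alternation; only 'IT' is case-sensitive."""
    ordered = sorted(terms, key=len, reverse=True)
    alts = "|".join(r"\s+".join(re.escape(part) for part in term.split())
                    for term in ordered)
    return re.compile(r"\b(?:(?i:" + alts + r")|IT)\b")


PATTERN = build_pattern(TERMS)

# Constructed text, not taken from any annual report.
SAMPLE_REPORT = ("Our IT team reviewed cybersecurity controls. It reported no "
                 "data breach, but cyber-attack volume rose and data\nsecurity "
                 "spending on information technology increased. Security "
                 "remains a board priority.")


def count_cyber_terms(text):
    """Non-overlapping matches, so 'cybersecurity' is one hit, not three."""
    return len(PATTERN.findall(text))


def naive_count(text):
    """Substring counting, shown only to expose the double counting."""
    lowered = text.lower()
    return sum(lowered.count(term) for term in TERMS + ["it"])


def disvol(text):
    """DISVOL = ln(1 + number of cybersecurity-related terms)."""
    return math.log(1 + count_cyber_terms(text))


def decile_ranks(values):
    """Bins 1..10 from the share of observations strictly below each value."""
    n = len(values)
    return [1 + (10 * sum(v < x for v in values)) // n for x in values]


def board_measures(n_women, n_directors):
    """Board gender variables as defined in the Appendix."""
    shares = [n_women / n_directors, (n_directors - n_women) / n_directors]
    return {
        "GENDIV": 100.0 * n_women / n_directors,
        "1WOMAN": int(n_women == 1),
        "2WOMEN": int(n_women == 2),
        "≥3WOMEN": int(n_women >= 3),
        "BLAUIDX": 1.0 - sum(p * p for p in shares),
        # ln(0) is undefined: a zero share contributes 0, so a single-gender
        # board scores 0 instead of raising an error.
        "SHANIDX": -sum(p * math.log(p) for p in shares if p > 0),
    }


if __name__ == "__main__":
    print("matched terms:", count_cyber_terms(SAMPLE_REPORT))
    print("naive substring count:", naive_count(SAMPLE_REPORT))
    print("DISVOL:", round(disvol(SAMPLE_REPORT), 4))
    print(board_measures(3, 10))
```

Plurals and spelling variants such as "cyberattack" are not stemmed here, so the count depends on the matching rules as much as on the term list.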
Note
[1] We also perform logistic regression, converting DISVOL into a binary variable for a greater level of disclosure by assigning a score of one to values above the median of DISVOL. The results of the logistic regressions are qualitatively consistent with the baseline findings.

