Disclosures on cybersecurity, cyber risks, and information security in non-financial reports of Polish companies

Abstract

PURPOSE: The aim of the article is to identify and assess the scope of disclosures on cybersecurity, cyber risks, and cyber threats in the non-financial reports of selected companies listed on the Warsaw Stock Exchange. The subject of the study included the nonfinancial reports of five selected companies operating in sectors designated as operators of essential services under the Act on the National Cybersecurity System (2018), prepared for the year 2023.

DESIGN/METHODOLOGY/APPROACH: The study employed a method of literature review, and the content analysis of selected non-financial reports in terms of disclosures related to cybersecurity, cyber risks, and cyber threats of companies.

FINDINGS: The findings of the study revealed that disclosures related to cyber risks and cybersecurity in the examined companies are relatively limited.

PRACTICAL IMPLICATIONS: The results of the study complement the research gap of current literature on the non-financial reporting by presenting the examples of Polish non-financial reports.

ORIGINALITY/VALUE: The research presented in the article contributes to the current literature on non-financial reporting by identifying gaps related to reporting on measures taken to mitigate the risks associated with cyber threats, and is aimed at presenting a critical interpretative perspective.