An analysis of cyber-risk management and governance in Maltese listed companies (MLCs)

Abstract

Purpose: As entities become more entangled with cyberspaces, a new set of threats for entities is present. The research analyses the awareness towards cyber-risk and the cyber-risk management measures undertaken by Maltese Listed Companies (MLCs). This includes the relevant disclosures prepared by the entities in order to facilitate transparency and protect the interests of their shareholders. Design: The research utilised a qualitative methodology including semi structured interviews with personnel from listed entities who were responsible for cybersecurity. Those affiliated with risk management functions were targeted. Findings: The research found that awareness has increased significantly amongst MLCs over the last couple of years. This was mainly attributed to a significant local attack on another listed company, however, this has influenced the banking industry more than others. Meaning that there is a distinction between listed credit institutions and those in other industries. In fact, more awareness and robust risk management were observed listed banks. Moreover, cyber-risk disclosures were still lacking through all interviewees, although their importance was emphasised by some. Conclusions: Given the introduction of mandatory disclosure of cyberattacks by the U.S. Securities and Exchange Commission (SEC) to American listed companies, it is evident that more guidance and regulation is necessary from local authorities which will cause wide-spread attention and application from MLCs. Also, the freedom given to the cybersecurity function may be counterproductive since its application is dependent on an entity’s management. Value: This study intends to enhance literature around cybersecurity in the local market, which is lacking, while trying to raise awareness amongst MLCs for the need of cyberattack disclosure which facilitate transparency, accountancy and investor confidence. Nevertheless, constant awareness on the subject is necessary to remind companies of the ever-growing threat especially amongst SMEs and entities that are not banks.