Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity

Published Online: https://doi.org/10.1287/mnsc.2023.04147
