Citation: Ramírez, M.; Rodríguez
Ariza, L.; Gómez Miranda, M.E.;
Vartika. The Disclosures of
Information on Cybersecurity in
Listed Companies in Latin
America—Proposal for a
Cybersecurity Disclosure Index.
Sustainability 2022, 14, 1390. https://
doi.org/10.3390/su14031390
Academic Editors: Lúcia
Lima Rodrigues, João Carlos de
Oliveira Matias and Paolo Renna
Received: 11 December 2021
Accepted: 14 January 2022
Published: 26 January 2022
Publisher’s Note: MDPI stays neutral
with regard to jurisdictional claims in
published maps and institutional affil-
iations.
Copyright: © 2022 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
Article
The Disclosures of Information on Cybersecurity in Listed
Companies in Latin America—Proposal for a Cybersecurity
Disclosure Index
Maricela Ramírez
1,
* , Lázaro Rodríguez Ariza
2
, María Elena Gómez Miranda
2
and Vartika
3
1
Faculty of Economic and Administrative Sciences, Pedagogical and Technological University of Colombia,
Tunja 150001, Colombia
2
Department of Financial Economics and Accounting, University of Granada, 18071 Granada, Spain;
lazaro@ugr.es (L.R.A.); melena@ugr.es (M.E.G.M.)
3
Indian Institute of Management Rohtak, Rohtak 124010, India; vartikajnu3007@gmail.com
* Correspondence: maricela@correo.ugr.es; Tel.: +57-3204878826
Abstract:
For the corporate sphere, cybersecurity becomes an inescapable business responsibility,
and accountability becomes a way of providing trust and ensuring resilience against cyber risks and
high-impact cyber threats. The purpose of this study was to create a disclosure index that allows
analysis of the scope of the disclosure of voluntary and mandatory cybersecurity information. The
content analysis technique used focuses on the examination and identification of the cybersecurity
information revealed in the annual reports and the 20 F annual forms of the companies with the
highest stock market prices in Argentina, Brazil, Chile, Colombia, Mexico, and Peru during the period
of 2016–2020. Longitudinal analysis indicates an increase over time in the disclosures and scope of
information. The findings highlight that the country with the highest related disclosure is Argentina;
the most extensive disclosures are due to the financial sector; and the strategy dimension represents
the greatest weight in the index score. The study provides a novel instrument for measuring the
content of disclosure on cybersecurity that is applicable in any specific context. In this case, the scope
of disclosure in Latin America—a region which, according to our research, does not have previous
studies on the subject—is evaluated.
Keywords:
cybersecurity disclosure; disclosure index; cybersecurity governance; cybersecurity
strategies; cybersecurity risk management; financial implications of cybersecurity risk
1. Introduction
The World Economic Forum [
1
] presents among the emerging risks of high probability
the cybersecurity failures generated by the rapid increase in digitization. In this regard,
professionals from the insurance industry across six regions of the planet, including Latin
America, pointed out in the Axa survey [
2
] that the second-most important emerging
risk—after that of climate change—comes due to the failures of cybersecurity, a perception
that has almost doubled in importance since 2019, with a rate of 54%. Cybersecurity has
become a major problem faced by most organizations [
3
], and in a digitally-connected
world, it presents ongoing risks and threats to capital markets and companies operating in
all industries [
4
]. According to King [
5
], technology is now the source both of many future
opportunities for an organization, as well as of potential disruptions, and is an excellent
example of how risk and opportunity are increasingly becoming two sides of the same
coin. Now, returning to the definition of corporate social responsibility ISO 26,000 [
6
], the
relationship between it and the measurement of the organizational impact is noted, and is
understood as that positive or negative change that is generated in society, the economy
or environment produced—in whole or in part—by the past and present decisions and
activities of an organization. According to Rashid et al. [
7
], cybersecurity should be thought
Sustainability 2022, 14, 1390. https://doi.org/10.3390/su14031390 https://www.mdpi.com/journal/sustainability
