The recurrence of cyberattacks on businesses in the last decade has attracted significant attention from policy makers and market participants to the importance of corporations’ responsibility and transparency on cybersecurity. In this study, we investigate cybersecurity disclosure made by the 48 largest Canadian and US banks from 2014 to 2020, using an exploratory qualitative approach. The banking industry has been a major target of cyberattacks due to the critical data that it contains. We first develop an index based on previous literature, current policies on cybersecurity disclosure and consultation with academics and practitioners. We then use the index to manually code bank reports related to cybersecurity. Afterward, we investigate the content of the disclosures in detail and discuss the level of compliance with the index. We then critically discuss banks’ disclosure behaviors using proprietary cost, signaling and legitimacy theories and provide recommendations for policy makers and other stakeholders.

过去十年来，针对企业的网络攻击反复出现，引起了政策制定者和市场参与者对企业网络安全责任和透明度重要性的高度关注。在这项研究中，我们采用探索性定性方法调查了 2014 年至 2020 年加拿大和美国 48 家最大银行的网络安全披露情况。由于银行业包含关键数据，银行业一直是网络攻击的主要目标。我们首先根据以往的文献、当前的网络安全披露政策以及与学者和从业者的咨询制定了一个指数。然后，我们使用该索引手动编码与网络安全相关的银行报告。随后，我们详细调查披露内容并讨论与指数的合规程度。