South Africa is an attractive target for cybercriminals (Census and Economic Information Center Data 2022; Interpol 2021). The most prevalent cyber risks in the country include phishing, data leaks, ransomware, distributed denial-of-service (DDoS) attacks and compromised websites (Pieterse 2021; Van Niekerk 2017).

Phishing entails that malware is installed to give a hacker access to sensitive information by luring employees to click on a malicious link (Zwilling 2022). This type of cyber threat often occurs in Banking and Health Care. Another costly cyber risk is data leaks. Client trust is broken, and legal action can be taken should sensitive data be exposed (Shekokar et al. 2022).

Ransomwarae is another prevalent cyber risk in the local context that can be used to encrypt confidential data. A ransom is then typically demanded from the victim company to regain access to the encrypted data (Institute of Chartered Accountants in England and Wales [ICAEW] 2016). Furthermore, a target’s server can be flooded with internet traffic during a DDoS attack. Access to online services is then prevented and business operations come to a halt. Lastly, a website can become compromised if a hacker alters the code, thereby negatively affecting its availability, integrity and confidentiality (Pieterse 2021).

South Africa’s public sector is particularly vulnerable to cyberattacks (Pieterse 2021). The amendment of the Protection of Personal Information (POPI) Act (No. 4 of 2013) makes provision for the impact of cybercrime on the personal information of South African citizens (Republic of South Africa 2022). This Act outlines that institutions that are in possession of personal data will be held liable for data breaches.

Furthermore, the Cybercrimes Act (No. 19 of 2020) came into effect in 2021 to establish a comprehensive cybersecurity legislative framework to deal with cybersecurity issues in the country. This Act outlines cyber-related legal offences, including unlawful access to and the interception of data, hacking and the use of ransomware. Cybercrime offenses can as such result in fines and imprisonment (Republic of South Africa 2021).

Given the rise in cyberattacks and the apparent weaknesses in IT security systems, the South African Reserve Bank’s (SARB) Prudential Authority and the Financial Sector Conduct Authority (FSCA) released a joint draft standard on cybersecurity and cyber resilience requirements following the arrival of the COVID-19 pandemic. This joint standard was finalised in 2024 to ensure that local financial institutions have proper cybersecurity and cyber resilience procedures and systems (SARB 2024).

Furthermore, the King IV Report on corporate governance recommends that companies should disclose their cyber-, IT- and ICT management processes (IoDSA 2016). Principle 12 offers specific guidance on how to disclose information relating to IT: ‘The governing body should govern Technology and information in a way that supports the organisation setting and achieving its strategic objectives’ (IoDSA 2016). Details on cybersecurity should be disclosed to stakeholders in integrated reports.

Cybersecurity disclosure specifically centres on a company’s cyber risk exposure and the management thereof (Mazumder & Hossain 2023). Investors and other key stakeholders require sufficient disclosure on material matters, including cyber risks and related corporate actions to make informed decisions. Yet report preparers should be cognisant that cybersecurity disclosures that are too detailed might result in exploitation by cybercriminals (Peng & Krivacek 2020).

Internationally, limited research has been conducted on cybersecurity disclosure (Chen, Henry & Jiang, 2023; Gao et al. 2020; Héroux & Fortin 2020; Kurnia & Ardianto 2024; Sari et al. 2024). Most of these studies were conducted pre-2020. Héroux and Fortin (2020) conducted content analysis for Canadian companies between 2017 and 2018 and found that cybersecurity disclosure was low. Gao et al. (2020) further examined the content and linguistic characteristics of cybersecurity risk disclosures of listed companies in the United States between 2007 and 2018 and found that their risk disclosures became lengthy and increasingly difficult to read. Kurnia and Ardianto (2024) investigated the cybersecurity disclosures of banks in Indonesia. They compiled a cybersecurity disclosure score by conducting content analysis and largely ascribed the observed increase in cybersecurity disclosure to regulation.

Furthermore, Amir, Levi and Livne (2018) reported a negative link between cyberattacks and cybersecurity disclosure, as companies tend to limit reporting on such attacks. Yet Chen et al. (2023) noticed that cybersecurity risk disclosure only increased after a severe data breach. In addition, these authors recorded a significant negative market reaction if breached companies decreased their cybersecurity disclosures. The implication is that the market anticipates increased disclosure following a data breach.

Given the significance of cybersecurity disclosures as outlined by previous research, reporters should hence be transparent and provide verifiable cybersecurity disclosures. These disclosures have a considerable influence on stakeholders’ attitudes towards and trust in reporting companies (Bansal & Axelton 2023). Furthermore, the perceived benefits of voluntary assurance on cyber disclosure, particularly if cybersecurity breaches occurred, significantly influence investors’ judgements of the impacted companies (Navarro & Sutton 2024).

Investors often consult disclosures in integrated reports to reflect on key matters, such as cybersecurity. Such analyses of corporate disclosures are typically based on the legitimacy theory (Harymawan et al. 2020; Nuber & Velte 2021; Radu & Smaili 2021). Dowling and Pfeffer (1975) explained that corporate behaviour is substantively influenced by the views of stakeholders in the environment in which companies operate. To be perceived as legitimate a company’s activities and the behaviour of its directors should be congruent with the values and beliefs of society. As South Africa is very vulnerable to cyberattacks, it is argued that corporate stakeholders will perceive companies that give more attention to cybersecurity as more legitimate than their counterparts that give less attention to this pressing matter.

Prior scholars outlined different types of legitimacy. Pragmatic legitimacy might specifically be gained through corporate disclosures (Suchman 1995). A company might obtain pragmatic legitimacy if it has the capacity to convince key stakeholders of its usefulness, inter alia, to protect their personal information (Bowen 2019).

Pragmatic legitimacy includes dispositional and exchange legitimacy. Dispositional legitimacy is acquired when companies are considered trustworthy and perceived to have their stakeholders’ best interests at heart, given the assumptions that companies are autonomous and morally responsible actors (Suchman 1995). Similarly, exchange legitimacy refers to stakeholders supporting companies based on expected or realised benefits (Suchman 1995), such as the protection of their interests through enhancing cybersecurity. It is thus important that stakeholders gain a clear understanding of related corporate actions and implications through disclosures in integrated reports (Shehata 2014).

Ethical clearance (exemption) was obtained from the relevant Departmental Ethics Screening Committee of Stellenbosch University before collecting the data. This article followed all ethical standards for research without direct contact with human or animal subjects.

The disclosure presence is shown in Figure 1. The number of cybersecurity keyword occurrences increased noticeably post-2020, from 20 mean keyword occurrences in 2019 to 28 mean keyword occurrences in 2022. The maximum number of keyword occurrences was 109 in 2020 for a company that was a victim of a cyberattack. This attack resulted in the noticeable spike in disclosure presence of cybersecurity. Yet some sampled companies only disclosed 1 keyword, as indicated by the minimum value in Figure 1.

The sampled companies focused on specific keywords, thereby highlighting the most prominent cybersecurity matters. The most disclosed keywords for the overall sample were cybersecurity, IT and IT governance. Given the rise in cybercrime in South Africa, these keywords reflect noticeable awareness of the importance of cybersecurity. The extensive use of IT governance furthermore alludes to IT- and cyber-engagement from various of the sampled companies’ boards, in line with Principle 12 of King IV (IoDSA 2016). Various of the companies, however, mentioned the keyword ‘cyber’ when disclosing details on security procedures and test breaches, instead of using the more nuanced ‘cyber resilience’. Table 1 indicates the top 15 keywords used by the sampled companies per year.

A notable switch occurred in 2020 between the two most used keywords. A possible explanation for the prominent use of the keyword ‘cybersecurity’ could be the advent of the COVID-19 pandemic which triggered an unbridled level of cybercrime (Dolley 2021; Interpol 2021; KPMG 2022). The considered companies increasingly focused on cybersecurity as a top priority during the latter part of the study period. Information Technology or IT received substantial attention pre- and post-2020.

A possible reason for this trend could be the continuous introduction of new technologies (Côrte-Real et al. 2020), in particular AI which could provide competitive advantages that should be properly managed and reported on. Further, corporates must adapt their practices to reflect on the ever-changing cyberspace and IT environment to ensure survival. Consequently, IT governance remained in third position from 2018 to 2022. In 2017, King IV came into effect and, among others, promoted the importance of IT governance in Principle 12 (IoDSA 2016). The popularity of this keyword could thus be partly linked to the sampled companies’ attempts to adhere to this principle.

Integrated reporting should provide risk and opportunity-related disclosures in the context of divergent capitals, including intellectual capital (International Financial Reporting Standards 2021). References to intellectual capital in cybersecurity disclosures gradually gained prominence in the analysed integrated reports. This keyword moved to the fourth position in 2022, as shown in Table 1. The increased use of the term intellectual capital could indicate that the sampled companies gradually broadened their focus of this capital given rapid technological developments.

Cyber resilience only appeared in the list of top 15 keywords in 2022. This development shows that the considered companies became more aware of the need for cyber resilience following the advent of the COVID-19 pandemic and the discussed increase in legislation. Peter (2017) likewise suggested that cyber resilience is crucial to fully realise e-commerce and to ensure corporate continuity. Table 2 shows the top 15 keywords per industry or sector for the overall period.

As depicted in Table 2, cybersecurity was an overarching concern for all considered industries and sectors. The Banking sector had a particularly strong focus on cybercrime, IT and cyber risks. Given that the South African Banking sector predominantly operates in cyberspace, their focus on possible cyber risks and crimes was expected. A cyberattack and breach of a bank’s security could result in substantial financial losses for several stakeholders. The draft joint standard on cybersecurity and cyber resilience that is applicable to this sector most likely also contributed to their focus on cyber risk, fraud and disruption (SARB 2024).

The considered Health Care companies placed substantial emphasis on information security and related governance considerations. Four commonly used keywords contained the word security, namely cybersecurity, information security, IT security and data security. The focus on information security could be largely ascribed to their collection and sharing of confidential patient information online and across networks. Furthermore, the need to access patient data at any time, especially in emergency situations, implies that hospitals should have a very reliable cybersecurity framework (Cyber Security Institute 2023).

The Retail sector also had a strong focus on information security and the protection of personal information. Retailers often have loyalty card systems in place, as well as credit facilities. Thus, many retailers regularly collect private information from customers. A breach in a retailer’s IT systems could not only result in the loss or theft of customer data but also the loss of customer trust and loyalty (Interpol 2023).

Notably, the Technology industry was the only industry that had cyber resilience in its top 15 keywords. Furthermore, the top five keywords for this industry were systems-orientated, as the keywords cybersecurity, IT, ICT, cyber and IT governance strongly relate to cyber-systems, frameworks and infrastructure. This industry’s strong links to the recent developments in cyberspace contributed to this disclosure focus. Figure 2 shows the descriptive results for the disclosure level of cybersecurity, based on the number of disclosed keywords as a percentage of the considered 62 keywords (coverage scores).

Based on the 2017 mean of 10.85%, the sampled companies used on average between six and seven different cybersecurity-related keywords when reporting on cyber matters. In contrast, by 2022 they used about 10 keywords, as shown by the mean of 16.38% in Figure 2. The company that used 24 different cybersecurity-related keywords in their integrated report (as indicated by the maximum score of 38.71% in 2021) emphasised cyber resilience.

Yet the minimum value of 1.61% indicates that a sampled company only used one cybersecurity-related keyword in their integrated reports. This company briefly referred to ‘cybersecurity’ but did not mention any of the other keywords. Figure 3 provides the descriptive statistics for the disclosure volume, based on the number of paragraphs containing cybersecurity keywords.

An increase is also observed in the mean number of paragraphs comprising cybersecurity keywords over the duration of the research period, as shown in Figure 3. Yet there was substantial deviation in the number of paragraphs, as seen by the maximum and minimum values. Given that South Africa is a prime target for cyberattacks, the need for cybersecurity is heightened (Interpol 2021).

The King IV Report (IoDSA 2016) furthermore guides JSE-listed companies in terms of cybersecurity disclosures, thereby possibly contributing to the observed increase in disclosure volume of cybersecurity since its publication in 2017. By 2022, the average number of paragraphs were 13 versus 8 in 2017. In contrast, Radu and Smaili (2021) reported that Canadian firms had approximately five cybersecurity-related paragraphs per analysed integrated report pre-2020.

The Technology industry showed the largest increase in the number of cybersecurity-related paragraphs. As Technology companies are primary users and providers of IT and cyberspace services, the considered Technology companies arguably enhanced their disclosures given the rapidly developing cyber-related risks and security concerns post-2020.

The outcomes of the sequential ANOVA and the Fisher’s LSD tests show the significance of the observed trends for disclosure presence over the entire period and per annum in Table 3 and Table 4, respectively.

As seen in Table 3, the mean number of cybersecurity keyword occurrences in the analysed integrated reports differed significantly over the entire research period (F-value: 4.51; p-value: 0.00). No significant differences occurred in the average number of cybersecurity-related keyword occurrences before the onset of the COVID-19 pandemic, as shown by the p-value of 0.16 for the difference between 2017 and 2018, and the p-value of 0.19 for the difference between 2018 and 2019 in Table 4. Yet post-2020, most of the annual differences were significant. Further investigation showed that these significant differences were ascribed to increases of three or more cybersecurity-related keyword occurrences per annum.

Scholars and practitioners confirm that cybercrime increased drastically given the increased use of cyberspace in business operations since 2020 (Dolley 2021; KPMG 2022). The COVID-19 pandemic practically forced companies to accelerate their adoption of Technology and cyberspace in their day-to-day business activities (Soni et al. 2020).

A growing number of the sampled companies evidently enhanced their disclosures on prevalent and material cyber risks, and the security-related implications post-2020 to ultimately enhance their legitimacy (Suchman 1995). Such companies showcased to their stakeholders that they have given due consideration to cybersecurity matters, thereby protecting private information and enhancing data security.

The outcomes of the ANOVA and Fisher’s LSD analyses for disclosure level (mean coverage scores) for the overall period and annual differences are provided in Table 5 and Table 6, respectively.

The disclosure level of cybersecurity also differed significantly over the entire research period (F-value: 5.96; p-value: < 0.01) as shown in Table 5, similar to the results reported for disclosure presence in Table 3. Furthermore, most of the yearly differences in the coverage score were statistically significant, as indicated in Table 6. When the COVID-19 pandemic emerged, many companies lacked appropriate cybersecurity systems to facilitate safe and effective remote working. Several companies consequently fell prey to cyberattacks and cybercrimes. Unique cyber risks also became more prevalent (PwC 2022). Post-2020, the sampled companies consequently expanded their reporting on unique cybersecurity matters, as shown by the significant differences in their coverage scores in Table 6.

The non-significant differences between 2018 and 2019 (p-value: 0.79) and 2021 and 2022 (p-value: 0.80) are ascribed to the minimal changes in the mean coverage scores during these years. The descriptive outcomes show that the mean coverage score only increased with 0.17% between 2018 and 2019, while there was only a 0.01% increase in the mean coverage score from 2021 to 2022. The outcomes of the difference tests for disclosure volume of cybersecurity are provided in Table 7 and Table 8 for the overall period and per annum, respectively.

Perusal of Table 7 shows that the average number of paragraphs containing cybersecurity keywords also increased noticeably over the entire period under review (F-value: 3.24; p-value: 0.01). Given the escalation in cybercrime following the onset of the COVID-19 pandemic (Dolley 2021; Interpol 2021; KPMG 2022), the significant difference from 2019 to 2020 (p-value: 0.00) in Table 8 was not unexpected. Figure 3 shows that the mean disclosure volume increased substantially between 2019 (10 paragraphs) and 2020 (13 paragraphs covering cybersecurity content).

Yet the average number of paragraphs then remained at 13 in 2021 and 2022, as shown in Figure 3. As such, no significant differences were observed between 2020 and 2021 (p-value: 0.65), and 2021 and 2022 (p-value: 0.70) in Table 8. Based on these results, stakeholders’ reporting demands were arguably already met in terms of disclosure volume in 2020, thereby enhancing the sampled companies’ pragmatic legitimacy (Suchman 1995). Post-2020, the sampled companies then expanded their focus to ensure that unique cybersecurity matters receive sufficient attention, as shown by the significant annual differences in the coverage scores in Table 6.