Title: Comparison of disclosures and legitimacy strategies employed after a cybersecurity incident: the case of Desjardins

Authors: Lionel Bahl; Vincent Gagné; Audrey Corriveau

Addresses: Department of Accounting, École de Gestion, Université de Sherbrooke, Sherbrooke, Canada ' Department of Accounting, École de Gestion, Université de Sherbrooke, Sherbrooke, Canada ' Université de Sherbrooke, Sherbrooke, Canada

Abstract: The magnitude of the personal data breach at Desjardins financial cooperative in 2019 raises legitimacy concerns for Desjardins and its peers. Our study examines changes in the scope of cybersecurity disclosures and the legitimation strategies used in Desjardins's annual reports and compares them to those of other Canadian companies in the financial, communications and technology sectors. Based on a content analysis grid developed by Héroux and Fortin (2020), our results for Desjardins show an increase in disclosures related to the incident to repair damages to the organisation's legitimacy, but little change otherwise. Other companies in the sample, which need to maintain their legitimacy, also had very few changes in their cybersecurity disclosures. Our results reveal legitimation strategies that differ from past reactions to comparable legitimacy threatening incidents. Our contributions highlight conformity strategies targeting the incident for Desjardins and reluctance to change cybersecurity disclosures both for Desjardins and for its peers.

Keywords: cybersecurity incident; cybersecurity disclosure; legitimacy theory; legitimacy strategies; annual report.

DOI: 10.1504/IJCM.2022.130708

International Journal of Comparative Management, 2022 Vol.4 No.2, pp.153 - 175

Received: 06 Sep 2022
Accepted: 16 Dec 2022
Published online: 03 May 2023 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article