
The Impact of Cyber Governance Quality on Dividend Policy in Mitigating Cybersecurity Breaches

Business School, The University of Jordan, Amman 11942, Jordan
Risks 2025, 13(2), 34
Submission received: 10 December 2024 / Revised: 8 February 2025 / Accepted: 13 February 2025 / Published: 17 February 2025


This study investigates the relationship between cyber risks and dividend policy, as well as how boards, as a governance mechanism, affect the dividend policy under cyber risk. This study collected firm-level financing, corporate governance, and control variables from the Bloomberg database during the period 2013–2022. This paper measures cyber risk through publicly available corporate disclosures on Form 10-K. The findings confirmed that cyber risks significantly impact dividend policy by posing challenges to corporate technical communication and financial transparency. Effective boards play a critical role in guiding companies toward governance strategies that enhance dividend policy and improve cybersecurity. This study has policy and practical implications: the findings suggest the need to strengthen regulatory frameworks that encourage the adoption of strong governance practices and advanced cybersecurity practices within companies. On the practical level, companies should adopt a proactive approach to managing cyber risks by enhancing investments in this area and developing flexible dividend policies.

1. Introduction

In the rapidly evolving digital age, companies face various opportunities and challenges that require them to adapt to maintain their competitiveness continuously (Romanosky et al. 2014; De Bruijn and Janssen 2017). Digital transformation, through the digitisation of information and data, contributes to improving the efficiency of firms’ operations, expanding their customer base, reducing costs, and supporting data-driven decision-making (Abbasi et al. 2016; Uddin et al. 2023). However, this transformation brings with it significant cybersecurity risks as hackers exploit vulnerabilities in digital systems for their own gain. The “Cybersecurity Solutions for a Riskier World” study by ThoughtLab (2022) reveals that approximately 41% of CEOs and information security officers struggle to keep pace with the rapidly accelerating digital transformation.
With the increasing reliance on online services, cybersecurity becomes more important than ever, as companies’ reputations and financial stability depend heavily on the security of their digital systems (Gutiérrez-Ponce et al. 2023). Any breach in these systems can destroy a company’s reputation and disrupt its development path (Haislip et al. 2019; Garg 2020; Boasiako and Keefe 2021). Therefore, risk management in the digital age requires significant attention to cybersecurity to protect companies from potential threats (Amir et al. 2018).
Despite continuous improvements in cybersecurity, the risk of hacking persists due to the constant evolution of hackers’ skills (Young et al. 2007; Kamiya et al. 2021). This raises questions about the feasibility of funding cybersecurity and how to allocate the necessary resources. Companies have multiple options for financing improvements in this area, but these options may affect liquidity and future growth opportunities (Haislip et al. 2019). Dividend policy is another challenge, as companies tend to avoid cutting dividends to avoid negative investor reactions, which complicates allocating resources to cybersecurity (Chauhan et al. 2019).
Cyber risk is one of the most pressing issues in corporate governance today, posing a significant challenge to boards of directors and senior management, particularly concerning dividend distribution. While cybersecurity threats can undermine an organisation’s financial stability and affect its ability to sustain dividend payouts, the extent of this impact varies across industries due to differing dividend policies. High-tech firms, for instance, often reinvest profits in innovation and growth rather than pay dividends, whereas financial institutions, such as banks and insurers, emphasise dividend payouts as a key attraction for investors (Denis and Osobov 2008). These industry-specific norms influence how firms respond to financial pressures, including cybersecurity risks (Uddin et al. 2020). In sectors where dividends play a crucial role in investor retention, companies may prioritize maintaining payouts despite rising cybersecurity threats—potentially at the expense of security investments (Srinidhi et al. 2015). Conversely, industries with more flexible dividend policies may adjust distributions more readily to accommodate cybersecurity spending. So, industry standards affect how companies balance the costs of security with the money they give back to shareholders.
Therefore, this study aims to examine the impact of cybersecurity risks on corporate dividends; it draws on attachment theory, signalling theory, and stakeholder theory to examine the relationship between cybersecurity risks and corporate dividends. It also highlights the role of corporate governance in protecting shareholder interests by preventing opportunistic practices, such as reducing the cybersecurity budget to align with managers’ interests, which could lead to increased exposure to breaches. Therefore, this study relies on Florackis et al.’s (2023) cybersecurity risk measure to measure firm-level cybersecurity risks through publicly available corporate disclosures on Form 10-K, using a sample of US-listed companies between 2013 and 2022. This measure allows investors to independently assess a company’s exposure to cyber risks.
Based on previous studies, firms can be expected to reduce their dividends when facing increased cyber risks, improving cybersecurity and adopting a more flexible dividend policy (e.g., Srinidhi et al. 2015; Chauhan et al. 2019; Uddin et al. 2020). The study contributes to the existing literature in several ways, including by providing a first examination of the impact of cybersecurity risks on corporate dividends and by highlighting the role of corporate governance in protecting shareholders’ dividends from management threats.
The rest of the paper is organised as follows: Section 2 presents a literature review; Section 3 describes the methodology and data used. Section 4 presents the study results, followed by a discussion of the findings in Section 5. Finally, Section 6 concludes the paper and shows the most crucial policy and practical implications.

2. Literature Review and Hypothesis Development

2.1. Theoretical Background

The cybersecurity philosophy is based on the attachment theory developed by Bowlby (1973, 1980, 1982). An individual’s attachment to his job, company, or community fosters a sense of security, which over time, turns into a willingness to confront risks before they occur to restore that feeling. This idea crystallised in the technical field when the first US patent for cybersecurity was registered in September 1983, when the Massachusetts Institute of Technology (MIT) was granted a patent for a public-key cryptography system, which is the cornerstone of modern cybersecurity. Cybersecurity is a global phenomenon and a complex social and technical challenge facing governments and companies alike (De Bruijn and Janssen 2017).
Cybersecurity breaches are signals of a growing threat to companies, as they can impose significant costs on their operations and directly impact dividend decisions. Nadeem et al. (2023), on the relationship between cybersecurity investments and firm value, pointed out that security breaches increase systematic risk and lead to higher equity costs and information asymmetry while showing limited impact on debt costs. Moreover, market response varies based on the size of security investments, which impacts the company’s value differently, according to Damodaran and Liu (1993). In this context, in-depth research in cybersecurity and cybercrime theory reflects the dynamics of interaction between cybersecurity and cybercrime in the context of rapid technological development, as these cyber threats affect the context of profit distribution and investment decision-making, as confirmed by Castellano and Scaccia (2012); and Malliouris (2021).
In the context of modern business, corporate governance quality is an essential element in guiding organizational behaviour and improving performance, as it seeks to ensure transparency and accountability within organisations, according to IE (2023). Corporate governance is based on a key concept, the stakeholder theory, which states that companies’ responsibilities go beyond merely serving the interests of shareholders to include obligations towards a broader set of stakeholders, as confirmed by Mhlanga and Moloi (2020). This approach promotes the values of integrity and accountability and emphasizes the role of sustainability as a key factor in achieving long-term success. Kamiya et al. (2021) indicated that stakeholder theory plays a crucial role in this context of cyber risk. Companies must take stakeholder interests into account when managing risk by looking at the frequency and severity of potential losses and making informed decisions about how much to invest in improving cybersecurity to mitigate these risks. Alodat et al. (2024) asserted that, with the increasing digital transformation of business operations, issues of cybersecurity and data privacy have become pivotal and of increasing importance to boards of directors and executives. Therefore, companies are required to direct significant investments in advanced security measures and develop comprehensive data protection policies to ensure the protection of sensitive information and enhance stakeholder confidence within good governance in the evolving digital environment, according to Gutiérrez-Ponce et al. (2023).

2.2. Literature Review

Cyber risks are one of the major challenges facing companies in the digital age, with their impact increasingly affecting various aspects of corporate governance quality, including dividend policy. Current literature examines the relationship between cyber risks and dividend policy by exploring how cyber risks affect corporate financial decisions and the role of boards of directors in enhancing governance quality to ensure financial sustainability and improve cybersecurity. De Bruijn and Janssen (2017) indicated the importance of framing cybersecurity in a way that makes it more communicable to the public and employees, leading to the development of effective policies to address cyber risks. Failure to frame cybersecurity appropriately leads to the absence of appropriate measures and thus negatively affects companies’ financial policies, including dividend policies.
Amir et al. (2018) showed that companies may hide information about cyberattacks to avoid a negative impact on stock values, leading to reduced investor confidence and lower stock prices. This dynamic underscores the need for boards to play an active role in overseeing the disclosure of such information to enhance transparency and ensure the preservation of stock value and dividend policy. In the same context, Garg (2020) found that companies increase their cash holdings after being exposed to a cyberattack. This precautionary behaviour directly affects dividend policy as companies prefer to retain cash rather than distribute it as bonuses to shareholders, which may be under the supervision and approval of boards of directors.
Uddin et al. (2023) investigated the impact of data breach disclosure laws on cash policies in US firms and found that these laws lead to increased cash holdings and reduced reliance on external financing. This suggests that firms may adjust their dividend strategies in response to cybersecurity risks and under board oversight to ensure greater financial flexibility. On the other hand, Wei and Zhu (2024) examined the impact of data breach notification laws on corporate payout policies and found that companies reduce cash dividends and increase share buybacks in response to increased uncertainty related to cyber risks. This adjustment in dividend policy highlights the role of boards of directors in making financial decisions that ensure the stability of the company in the face of increasing risks.
Koo et al. (2017) examined the impact of financial reporting quality on dividend policy and found that higher-quality financial reporting is associated with higher dividend payouts. Boards of directors play a pivotal role in ensuring the quality of these reports as a governance mechanism, which enhances the ability of companies to balance cybersecurity investments with dividend payouts. Finally, Nolan et al. (2019) highlighted the importance of integrating cyber-governance quality into the overall corporate governance framework. They emphasize that boards of directors should be responsible for managing cyber risks as part of their responsibilities to maintain the company’s sustainability and financial resilience, which in turn impacts dividend policy.
The literature suggests that cyber risks significantly impact dividend policy by posing challenges to the financial transparency and cash stability of companies. Boards of directors play a critical role in guiding companies towards governance strategies that enhance cybersecurity and ensure sustainable financial decisions that balance dividend distribution with improving cybersecurity.

2.3. Hypothesis Development

Based on the theoretical background and literature review, the study hypotheses can be strengthened by linking cyber risks and corporate governance to their impact on dividend policy. Through a review of the literature, it appears that cybersecurity risks represent a real challenge that affects companies’ financial decisions, including dividend policy. Companies facing cyber threats are under pressure to increase their cash holdings as a precaution against these threats, which may reduce the company’s ability to distribute dividends. In addition, companies may have to allocate significant financial resources to improve their cybersecurity systems, which directly affects dividends. In this context, several studies indicated that companies may adjust their dividend strategies to maintain their financial stability in the face of cyber risks (Schoenmaker and Schramade 2019; Garg 2020). Accordingly, it can be assumed that companies facing increasing cyber risks may tend to reduce their dividends in favour of enhancing cybersecurity measures, reflecting a direct impact of these risks on dividend policy. Accordingly, this study hypothesizes:
H1. Cybersecurity risks affect dividend policy in tune with fixed effects.
Corporate governance plays a crucial role in guiding companies’ financial decisions, especially in the context of cyber risk management. According to stakeholder theory, companies seek to balance the interests of shareholders with the risks they face, including cyber risks. Boards of directors play a key role in ensuring the implementation of effective governance policies that promote transparency and accountability, which directly impacts dividend policy. By overseeing disclosures related to cyberattacks and ensuring that appropriate measures are taken to protect the company, boards of directors seek to maintain investor confidence and sustain earnings. Numerous studies have shown that the quality of corporate governance, especially concerning cyber risk oversight, significantly influences dividend policy (Srinidhi et al. 2015; Nolan et al. 2019; Uddin et al. 2020; Kamiya et al. 2021; Malliouris 2021; IE 2023; Smaili et al. 2023; Uddin et al. 2023; Alodat et al. 2024). Accordingly, it can be assumed that companies with effective board-managed governance mechanisms may adopt a flexible dividend policy that balances enhancing cybersecurity with meeting shareholder expectations. Therefore, this study hypothesizes:
H2. Board effectiveness affects dividend policy in tune with fixed effects.

3. Methodology

3.1. Data Sources

This study collected data from multiple sources to provide a comprehensive and reliable basis for analysis. Firm-level cybersecurity risk data were obtained from Florackis et al. (2023), who measured these risks using publicly available corporate disclosures on Form 10-K. This measure captures a firm’s specific exposure to cyber risks, allowing investors to independently assess a firm’s cybersecurity vulnerabilities.
Additional data on firm-level financing, corporate governance, and control variables were retrieved from the Bloomberg Financial database for a total of 1975 firms. These variables include key financial measures such as total assets, leverage, profitability, and market-to-book ratio, as well as corporate governance attributes such as board independence, board experience, and frequency of meetings.
To ensure the robustness and reliability of the data set, observations with missing data for key variables were excluded. This step ensured a consistent data set for analysis, reducing biases caused by incomplete information. Standard outlier-detection methods, such as Z-scores and interquartile ranges, were used to identify and remove observations with extreme values that could unduly distort the results.
After data cleaning, the final dataset included 12,649 observations from 1723 unique US-listed firms, covering the period from 2013 to 2022. The dataset encompasses a wide spectrum of industries, guaranteeing the generalisability of the results. The data preprocessing and analysis were conducted using the STATA program.

3.2. Measuring Variables

Dividends policy: Dividends are the transfer of a portion of profits to shareholders by the company due to the participation of shareholders or investors in financing the firm’s operations (Munandar et al. 2023). The number of dividends distributed to shareholders is determined by the Annual General Meeting (AGM). When the balance is distributed to shareholders, the state of the company’s balance will decrease proportionally to the amount of the balance provided to shareholders. As a result, the implementation of the corporate dividend policy is a fundamental issue that requires attention (Nur 2023). Both continuous variables and dummy variables are used to capture dividend policy. Dividend yield (Nguyen and Bui 2019), dividend payout ratio (Chauhan et al. 2019; Bae et al. 2021; Albrecher et al. 2024), and propensity to pay dividends (Denis and Osobov 2008; Tangjitprom 2013; Dewasiri et al. 2019) are used as dependent variables.
Cyber risk: The cybersecurity risk measure used in this study is derived from Florackis et al.’s (2023) Cybersecurity Risk Index (CRI). This index was created by extracting information about corporate cybersecurity risks in 10-K filings using advanced text analysis. It captures a company’s cyber risk exposure by assessing the similarity between the cybersecurity disclosures of the sample of companies chosen by this study and a training library of firms that have previously experienced a major cyberattack. Only major cyberattacks widely known to investors are considered: of the 175 cyberattacks with cybersecurity risk disclosures identified and considered as risk factors during 2005–2018, only 69 were classified as major. The 69 disclosures that include cybersecurity risks are subjected to natural language processing (NLP) and machine learning algorithms to identify patterns, key phrases, and linguistic structures that indicate cybersecurity risks, depending on keywords and phrases relevant to previous cyberattacks. According to this index, a company’s cybersecurity risk is higher if its cybersecurity risk disclosures show a stronger aggregation of past disclosures from companies in the training library. Florackis et al. (2023) retested the results of the research using different validation methods, namely (a) placing all identified cyberattacks, regardless of their magnitude, in the training sample; (b) examining excerpts of cybersecurity risk disclosures; (c) analysing the language of cybersecurity risk disclosures; (d) delving into time series and industry characteristics; (e) evaluating company and 10-K characteristics; and (f) discussing company results. The research output remains unchanged across all validations, indicating the reliability of the methodology that Florackis et al. (2023) applied to construct the proposed firm-level cybersecurity risk index.
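A simplified sketch of a similarity-based disclosure score of the kind described above. This is an added example, not code from Florackis et al. (2023) or from this study; the TF-IDF weighting, cosine similarity, averaging over the training library, firm names and all disclosure excerpts are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed excerpts standing in for 10-K cybersecurity risk-factor text of
# firms that later suffered a major cyberattack (the "training library").
TRAINING_LIBRARY = [
    "unauthorized access to our networks could result in theft of customer "
    "data, disruption of operations, litigation and reputational harm",
    "a breach of our information systems could expose personal information "
    "of customers and lead to regulatory penalties and loss of revenue",
    "cyber attacks including malware and phishing could compromise our "
    "systems and result in unauthorized disclosure of confidential data",
]

# Constructed disclosures for three hypothetical sample firms.
SAMPLE_FIRMS = {
    "FIRM_A": "unauthorized access to our information systems could result in "
              "theft of customer data, regulatory penalties and reputational harm",
    "FIRM_B": "we rely on information technology and interruptions could affect "
              "our operations",
    "FIRM_C": "our results depend on commodity prices, weather conditions and "
              "seasonal demand",
}

STOPWORDS = {"a", "and", "of", "our", "to", "the", "in", "on", "we", "could", "or"}


def tokenize(text):
    """Lowercase word tokens with a small stopword list removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def build_idf(documents):
    """Smoothed inverse document frequency over every disclosure in the corpus."""
    n = len(documents)
    doc_freq = Counter()
    for doc in documents:
        doc_freq.update(set(tokenize(doc)))
    return {t: math.log((1 + n) / (1 + df)) + 1.0 for t, df in doc_freq.items()}


def tfidf_vector(text, idf):
    """Sparse TF-IDF vector; terms unseen when the IDF was built are ignored."""
    counts = Counter(tokenize(text))
    return {t: c * idf[t] for t, c in counts.items() if t in idf}


def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0  # a firm with no usable disclosure text scores zero
    return dot / (norm_u * norm_v)


def risk_score(disclosure, library, idf):
    """Mean cosine similarity between one disclosure and the training library."""
    target = tfidf_vector(disclosure, idf)
    sims = [cosine(target, tfidf_vector(doc, idf)) for doc in library]
    return sum(sims) / len(sims)


def score_firms(firms, library):
    """Score every sample firm against the library using a shared vocabulary."""
    idf = build_idf(list(firms.values()) + list(library))
    return {name: risk_score(text, library, idf) for name, text in firms.items()}


def rank_firms(firms, library):
    """Firm names ordered from highest to lowest similarity-based score."""
    scores = score_firms(firms, library)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for name, score in sorted(score_firms(SAMPLE_FIRMS, TRAINING_LIBRARY).items()):
        print(f"{name}: {score:.3f}")
```

A disclosure that shares no vocabulary with the library scores exactly zero, so generic or boilerplate wording is indistinguishable from no disclosure under this sketch.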
Corporate governance: Corporate governance essentially involves balancing the interests of a company’s many stakeholders. Thus, corporate governance is the system of rules and practices implemented by boards of directors to ensure that a company is directed and controlled in the best interests of shareholders (Gutiérrez-Ponce et al. 2024). Since cyber risk management is primarily a governance issue, it is the responsibility of boards to examine whether cyber risk disclosure in line with guidelines covering technical and non-technical solutions, as well as enhancing governance, adds value to firms because investors have a stake in managerial decisions that will affect their returns (Uddin et al. 2020). To capture cyber-governance quality, this paper depended on three proxies. Firms with more board independence and a high number of board meetings promote cybersecurity transparency (Alodat et al. 2024). Besides, the financial expertise of board members is of particular importance in assessing and managing risks, including cybersecurity, which is an increasingly important governance issue that requires expertise in technical, ethical, and financial areas (Smaili et al. 2023).
This study includes several control variables, as follows:
Firm size: Larger companies have larger operations. Therefore, they are more vulnerable to cyberattacks, requiring a larger board of directors with greater financial expertise to take responsibility for monitoring management actions (Nolan et al. 2019; IE 2023).
Leverage: Financial leverage is a determinant of equity risk (Ben-Zion and Shalit 1975), which directly affects dividend policy, operational volume, and reporting quality (Tran 2022). Therefore, highly leveraged companies may be more stringent in managing cyber risk (Erkan-Barlow and Nguyen 2024).
ROA: Previous studies have documented that profitability is linked to the development of operational processes, with the possibility of predicting any cyberattacks on the company in the short term (Malik and Islam 2019; Erin et al. 2020).
Reporting quality: While discretionary accruals are considered a proxy of earnings management, they are biased for certain non-random samples (Kothari et al. 2005). McNichols’s (2002) measure of earnings quality was adopted to examine the monitoring mechanisms of the quality of financial reporting and address potential bias in the estimates.
Fixed-effect variables: This paper considers firm-specific fixed effects, which should be correlated with time-specific effects ($\gamma\,Year$) to control economic fluctuations over different periods (e.g., pre- and post-COVID-19) because the study period is from 2013 to 2022. The industry-specific effects ($\gamma\,Industry$) also represent the firms operating in different sectors. This fixed factor regarding the type of industry has been adopted to highlight its effects on dividend policy, which depends more on the nature of the business than anything related to cybersecurity risk. For example, a Fintech company will surely be exposed to much higher cybersecurity risk compared to a catering, retail, or manufacturing business; therefore, its dividend policy could be affected. These fixed-effect factors are consistent with Florackis et al.’s (2023) assessment of cyberattack disclosures by delving into time series and industry characteristics. All variables are presented in Table 1 as follows.

3.3. Econometric Model

The econometric model in this study analyses multiple variables within the context of panel data. Panel data allows for tracking of dependent, independent, and control variables across time and industry fixed effects, enhancing the robustness of the analysis. We specifically use a fixed effects model, which effectively examines relationships over time and accounts for unobserved variance across entities. This method fits with the study’s hypotheses (H1 and H2), which were to find out how cybersecurity risk and dividend policy are related and how boards of directors, which are part of corporate governance, affect this relationship. We design the model to ensure that financial decisions consider both earnings stability and the need to enhance cybersecurity. Therefore, this study developed its econometric model as follows:
$$DP_{j,i,t} = \beta_0 + \beta_1 CR_{i,t} + \beta_{1+n} CG_{k,i,t} + \sum Controls_{i,t} + \gamma\,Industry + \gamma\,Year + \varepsilon_{i,t}$$
Dividend policy ($DP$), the dependent variable, is represented by three variables indexed by $j$: (i) The dividend yield is the most used measure of dividend policy, calculated as dividends per share divided by the share price. This measure avoids issues related to negative earnings values. In addition, this study uses alternative measures. (ii) The dividend payout ratio is the cash dividends paid this year divided by the net income. (iii) The final alternative is the propensity to pay dividends, a dummy variable indicating whether a firm pays dividends in a given year, and zero otherwise. Cybersecurity risk ($CR$) is operationalized using the framework developed by Florackis et al. (2023). This variable quantifies the level of risk associated with a firm’s cybersecurity practices. A corporate governance mechanism ($CG$), i.e., board effectiveness, is the independent variable that impacts dividend policy. It is represented by three variables indexed by $k$: ($k_1$) board independence, ($k_2$) the board’s financial expertise, and ($k_3$) the frequency of board meetings. That is, there are three linear regressions, one per dependent variable, each including the three independent variables. The subscript $i$ refers to the company, and $t$ refers to the time/year. To account for fixed effects across industries and time trends, the time-specific effect is $\gamma\,Year$, and the industry-specific effect is $\gamma\,Industry$, which help reduce the outlier effect by decoupling all continuous variables in the study.
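The specification above, estimated by least-squares dummy variables on a small constructed panel and compared with a pooled regression that omits the industry and year effects. This is an added example, not the study's STATA code; the firms, industries, "true" coefficients and the single control (SIZE) are assumptions chosen so the correct answer is known in advance.

```python
import random

# Constructed "true" parameters (assumptions, not the study's estimates).
TRUE = {"const": 1.0, "CR": -0.5, "CG": 0.3, "SIZE": 0.05}
INDUSTRY_EFFECT = {"retail": 0.0, "manufacturing": 0.5, "fintech": -2.0}
YEAR_EFFECT = {2013: 0.0, 2014: 0.1, 2015: -0.2, 2016: 0.05}
# Fintech firms carry more cyber risk, so CR is correlated with industry.
INDUSTRY_CR_BASE = {"retail": 0.1, "manufacturing": 0.1, "fintech": 0.6}
FIRMS = {"R1": "retail", "R2": "retail", "M1": "manufacturing",
         "M2": "manufacturing", "F1": "fintech", "F2": "fintech"}


def build_panel(seed=7):
    """Noise-free firm-year panel generated from the model equation."""
    rng = random.Random(seed)
    rows = []
    for firm, industry in FIRMS.items():
        for year in YEAR_EFFECT:
            cr = INDUSTRY_CR_BASE[industry] + rng.uniform(0.0, 0.2)
            cg = rng.uniform(0.5, 0.9)     # e.g. share of independent directors
            size = rng.uniform(5.0, 10.0)  # e.g. log of total assets
            dp = (TRUE["const"] + TRUE["CR"] * cr + TRUE["CG"] * cg
                  + TRUE["SIZE"] * size
                  + INDUSTRY_EFFECT[industry] + YEAR_EFFECT[year])
            rows.append({"firm": firm, "industry": industry, "year": year,
                         "CR": cr, "CG": cg, "SIZE": size, "DP": dp})
    return rows


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("rank-deficient design (dummy-variable trap?)")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def ols(rows, fixed_effects):
    """OLS of DP on CR, CG, SIZE, optionally with industry and year dummies."""
    names = ["const", "CR", "CG", "SIZE"]
    dummies = []
    if fixed_effects:
        # Drop one level per factor; the constant absorbs the base category.
        for factor in ("industry", "year"):
            levels = sorted({r[factor] for r in rows})
            dummies += [(factor, level) for level in levels[1:]]
    design = [[1.0, r["CR"], r["CG"], r["SIZE"]]
              + [1.0 if r[f] == lv else 0.0 for f, lv in dummies]
              for r in rows]
    y = [r["DP"] for r in rows]
    width = len(design[0])
    xtx = [[sum(x[i] * x[j] for x in design) for j in range(width)]
           for i in range(width)]
    xty = [sum(x[i] * yi for x, yi in zip(design, y)) for i in range(width)]
    beta = solve(xtx, xty)
    return dict(zip(names + [f"{f}={lv}" for f, lv in dummies], beta))


if __name__ == "__main__":
    panel = build_panel()
    print("with fixed effects:", round(ols(panel, True)["CR"], 4))
    print("pooled, no effects:", round(ols(panel, False)["CR"], 4))
```

Because cyber risk differs systematically by industry in the constructed data, the pooled regression attributes the industry's dividend level to CR; the dummies remove that confounding and recover the constructed coefficient.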

4. Results

4.1. Descriptive Statistics

First, the data are described using measures of central tendency and dispersion. The description is not an attempt to draw conclusions about the sample but rather to report the main features of the variables used in this study, as shown in Table 2.
The results from Table 2 indicated that dividend policy ($DP$) does not seem to be a regular practice in most sampled US firms since the median values of all proxies of dividends (e.g., Dividend yield, Dividend payout ratio, and Propensity to pay dividends) equal zero, and only about 47% of sampled firms distribute dividends to their shareholders. Furthermore, the Cyber risk ($CR$)’s mean value is 0.28, and its standard deviation is 0.22, which shows that data points are narrowly distributed, meaning the US firms, regardless of their industry, suffer from the same cyber risk. Most US companies seem to ensure that a large portion of their board members are independent, have financial expertise and hold regular meetings, as the mean values of all corporate governance proxies ($CG$) are somewhat far from the standard deviation.

4.2. Hypothesis Testing

Table 3, including three panels, shows the Pearson correlation coefficient used to detect an association between variables as follows:
According to the results in Table 3, there is a negative correlation between the dividend policy ($DP$) and the Cyber risk ($CR$) at the significance level of 1% (p < 0.01), indicating that the dividend policy of US firms tends to reduce their cash dividend when cyber risks increase. Furthermore, the results indicated a positive correlation between the dividend policy ($DP$) and the corporate governance proxies ($CG$) at the significance levels of 1% (p < 0.01) and 5% (p < 0.05). To achieve the main objective of this study about exploring the relationship between cyber risks and dividend policy and how board effectiveness, as a governance mechanism, affects this context, the econometric model of measuring the dividend policy in the US firms according to the study variables with the presence of fixed effects is tested, and their robustness is shown as follows in Table 4:
In Table 4, the results of the study of the impact of CR on DP, the influence of the boards in US firms on this relationship, the control variables, and fixed effects are presented. First, the cyber risk estimates in the regressions for all the above earnings policy proxies are −0.006, −0.114, and −0.764, respectively, at the significance level of 1% (p < 0.01). These negative estimates suggest a negative relationship between dividend policy and cybersecurity risk at the firm level and support the first hypothesis (H1) that firms reduce dividends in the face of increased cybersecurity risks. Since higher cybersecurity risks mean a greater likelihood of intrusion into corporate cyber systems, firms must spend more resources to patch their cyber systems to keep their risk profile low.
Second, the board independence estimates in the regressions for all the above dividend policy proxies are 0.003, 0.041 and 0.474, respectively, at the significance level of 5% (p < 0.05). These positive estimates indicate a positive relationship between dividend policy and board independence at the firm level in terms of guiding firms towards governance strategies that promote sustainable financial decisions that balance dividend distribution with improved cybersecurity. This result was also confirmed for both proxies for the dividend policy, which supports the second hypothesis (H2) by enhancing the dividend policy in the face of increased cybersecurity risks.
Additional robustness tests are presented in Table 4 to further check the sensitivity of the findings to heteroscedasticity and serial correlation problems using three econometric methods: the Prais-Winsten, Newey-West and Driscoll-Kraay estimators. The overall result still holds up qualitatively through these tests.

5. Discussions

This study aims to explore the relationship between cyber risks and dividend policy and how boards of directors, as a governance mechanism, influence dividend policy in the context of cyber risks. The results for the tested hypotheses show a negative relationship between cybersecurity risks and dividend policy, confirming the first hypothesis (H1), which states that companies tend to reduce their dividends when facing increased cyber risks. These results are in line with previous studies that indicated that companies facing security threats tend to allocate additional financial resources to enhance their cybersecurity, which negatively affects the ability to distribute dividends (Schoenmaker and Schramade 2019; Garg 2020).
Theoretically, this behaviour can be explained by attachment theory, where companies seek to maintain their financial stability in the face of cyber risks by reducing profits and allocating resources to improve cybersecurity. This precautionary behaviour reflects the increasing interest of companies in maintaining their reputation and financial stability in the face of increasing cyber threats, which was confirmed by studies that showed that companies increase their cash holdings after being exposed to cyberattacks (Abbasi et al. 2016; Uddin et al. 2023).
As for the second hypothesis (H2), the results showed a positive relationship between board independence and dividend policy. This result reinforces the crucial role played by the board of directors in guiding companies’ financial decisions to achieve a balance between dividend distribution and enhancing cybersecurity. This is consistent with previous literature that indicated that highly efficient boards of directors tend to implement effective governance policies that enhance transparency and accountability, leading to sustainable financial decisions that take cyber risks into account (Srinidhi et al. 2015; Nolan et al. 2019; Uddin et al. 2020).
These results emphasize the importance of corporate governance quality in influencing dividend decisions, as boards of directors play a pivotal role in ensuring the implementation of financial policies that enhance companies’ resilience in the face of increasing cyber risks. The results also indicate that companies with strong and independent governance tend to adopt flexible dividend policies that balance cybersecurity with meeting shareholder expectations (Kamiya et al. 2021).
While this study provides valuable insights, it is not without limitations. First, the study is limited to a specific geographic and legislative environment, which may limit its applicability to other nations with different corporate governance frameworks and cybersecurity challenges. Second, a particular framework is used to measure cybersecurity risk (Florackis et al. 2023), which may not encompass all cyber risks across businesses. Third, the study employs firm-level panel data, which may not completely account for external macroeconomic shocks or sector-specific nuances that could affect dividend policy and cyber threats. Future studies could examine broader geographic contexts, different cybersecurity risk measures, and industry-specific analyses to understand this complex relationship better.
Overall, the results support the theory that companies facing high cyber risks may need to reconsider their dividend strategies and allocate resources to enhance cybersecurity to ensure the long-term sustainability of the company. This study contributes to the literature by providing new evidence on the impact of cyber risks on dividend policy and highlighting the role of corporate governance in effectively managing this relationship.

6. Conclusions

This study examines the impact of cybersecurity risks on corporate dividends. It also highlights the role of corporate governance in protecting shareholders’ interests by preventing opportunistic practices, such as reducing cybersecurity budgets to suit managers’ interests, which can lead to increased exposure to breaches. The empirical evidence from this study confirms a negative relationship between cyber risks and dividend policy, indicating that companies facing increasing cyber threats tend to reduce dividends in favour of strengthening cybersecurity improvements. This precautionary behaviour reflects firms’ commitment to maintaining their financial stability and protecting them from risks that could lead to significant losses or even collapse. According to attachment theory, this strategy is not just a short-term reaction but rather part of a long-term approach aimed at preserving the corporation’s reputation and financial sustainability. The results also indicate that boards of directors play a crucial role in guiding dividend policy in the face of cyber risks. Effective board independence reflects the ability to implement strong governance policies that balance enhancing cybersecurity with meeting shareholder expectations. These results highlight the importance of corporate governance as a key mechanism for ensuring transparency and accountability in cyber risk management, which enhances investor confidence in the company’s sustainability.
Overall, this study provides strong evidence that cyber risk management and corporate governance are not just operational challenges but are fundamental strategic aspects that directly impact companies’ sustainability and ability to sustainably distribute dividends. By enhancing cybersecurity and adopting strong governance practices, firms can not only protect themselves from increasing threats but also enhance their ability to achieve their financial goals and meet the expectations of their stakeholders.

Theoretical, Policy and Practical Implications

From a theoretical perspective, this study contributes to attachment theory by demonstrating how firms prioritise financial stability and long-term sustainability when faced with cyber risks. Empirical evidence highlights firms’ precautionary behaviour, including cutting dividends to allocate resources to enhance cybersecurity. This is consistent with the theory’s emphasis on maintaining stability during periods of uncertainty. Furthermore, the study extends corporate governance theory by demonstrating how independent boards influence financial policies to balance cybersecurity with shareholder interests. These findings enrich the existing literature by providing a nuanced understanding of governance mechanisms in the context of cybersecurity risks.
From a public policy and regulatory perspective, these findings suggest the need to strengthen regulatory frameworks that encourage the adoption of strong governance practices and advanced cybersecurity practices within companies. Legislators and decision-makers can develop policies that encourage firms to allocate sufficient resources to improve their cyber infrastructure by providing tax incentives or financial support dedicated to cybersecurity investments. Governments can foster public-private collaboration to develop industry-wide solutions, share intelligence on cyber threats, and provide tools to improve cybersecurity infrastructure.
On the practical level, companies should adopt a proactive approach to managing cyber risks by enhancing investments in this area and developing flexible dividend policies that allow for adjustments based on the firm’s cybersecurity needs and risk exposure and help maintain financial stability while addressing emerging risks. Firms should also enhance the capabilities of their boards of directors by training board members to better understand and manage cyber risks.
These implications could yield recommendations through which policymakers, regulators, and practitioners can enhance corporate resilience to cyber threats and ensure the sustainability of financial policies. These practical insights not only address the challenges highlighted in this study but also pave the way for further improvements in the interplay between cybersecurity and governance in financial decision-making.


Funding

This research received no external funding. The APC was funded by the author herself.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author(s). The data is not publicly available due to Bloomberg’s subscription-based access and licensing restrictions, which prohibit public sharing.

Conflicts of Interest

The author declares no conflicts of interest.


References

  1. Abbasi, Ahmed, Suprateek Sarker, and Roger H. L. Chiang. 2016. Big data research in information systems: Toward an Inclusive Research Agenda. Journal of the Association for Information Systems 17: 1–32.
  2. Albrecher, Hansjörg, Pablo Azcue, and Nora Mule. 2024. Optimal dividend strategies for a catastrophe insurer. Frontiers of Mathematical Finance 3: 304–44.
  3. Alodat, Ahmad Yuosef, Yunhong Hao, Haitham Nobanee, Hazem Ali, Marwan Mansour, and Hamzeh Al Amosh. 2024. Board characteristics and cybersecurity disclosure: Evidence from the UK. Electronic Commerce Research, 1–19.
  4. Amir, Eli, Shai Levi, and Tsafrir Livne. 2018. Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies 23: 1177–206.
  5. Bae, Kee-Hong, Sadok El Ghoul, Omrane Guedhami, and Xiaolan Zheng. 2021. Board reforms and dividend policy: International evidence. Journal of Financial and Quantitative Analysis 56: 1296–320.
  6. Ben-Zion, Uri, and Sol S. Shalit. 1975. Size, leverage, and dividend record as determinants of equity risk. The Journal of Finance 30: 1015–26.
  7. Boasiako, Kwabena A., and Michael O’Connor Keefe. 2021. Data breaches and corporate liquidity management. European Financial Management 27: 528–51.
  8. Bowlby, John. 1973. Attachment and Loss: Separation: Anxiety and Anger. New York: Basic Books, vol. 2.
  9. Bowlby, John. 1980. Attachment and Loss: Sadness and Depression. New York: Basic Books, vol. 3.
  10. Bowlby, John. 1982. Attachment and loss: Attachment, 2nd ed. New York: Basic Books, vol. 1.
  11. Castellano, Rosella, and Luisa Scaccia. 2012. CDS and rating announcements: Changing signaling during the crisis? Review of Managerial Science 6: 239–64.
  12. Chauhan, Jahangir, Mohd Shamim Ansari, Mohd Taqi, and Mohd Ajmal. 2019. Dividend policy and its impact on performance of Indian information technology companies. International Journal of Finance and Accounting 8: 36–42.
  13. Damodaran, Aswath, and Crocker H. Liu. 1993. Insider trading as a signal of private information. The Review of Financial Studies 6: 79–119.
  14. De Bruijn, Hans, and Marijn Janssen. 2017. Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly 34: 1–7.
  15. Denis, David J., and Igor Osobov. 2008. Why do firms pay dividends? International evidence on the determinants of dividend policy. Journal of Financial Economics 89: 62–82.
  16. Dewasiri, N. Jayantha, Weerakoon Banda Yatiwelle Koralalage, Athambawa Abdul Azeez, P. G. S. A. Jayarathne, Duminda Kuruppuarachchi, and V. A. Weerasinghe. 2019. Determinants of dividend policy: Evidence from an emerging and developing market. Managerial Finance 45: 413–29.
  17. Erin, Olayinka Adedayo, Adebola Daniel Kolawole, and Abdurafiu Olaiya Noah. 2020. Risk governance and cybercrime: The hierarchical regression approach. Future Business Journal 6: 12.
  18. Erkan-Barlow, Asligul, and Trung Nguyen. 2024. Cybersecurity and executive compensation: Can inside debt-induced risk aversion improve cyber risk management effectiveness? International Review of Financial Analysis 93: 103173.
  19. Florackis, Chris, Christodoulos Louca, Roni Michaely, and Michael Weber. 2023. Cybersecurity risk. The Review of Financial Studies 36: 351–407.
  20. Garg, Priya. 2020. Cybersecurity breaches and cash holdings: Spillover effect. Financial Management 49: 503–19.
  21. Gutiérrez-Ponce, Herenia, Julián Chamizo González, and Manar Al-Mohareb. 2023. Sustainable finance in cybersecurity investment for future profitability under uncertainty. Journal of Sustainable Finance & Investment 13: 614–33.
  22. Gutiérrez-Ponce, Herenia, Julián Chamizo-González, and Manar Moffadi Awad Al-Mohareb. 2024. Does corporate governance influence readability of the report by the chairman of the board of directors? The case of Jordanian listed companies. Corporate Social Responsibility and Environmental Management 31: 3535–50.
  23. Haislip, Jacob, Kalin Kolev, Robert Pinsker, and Thomas Steffen. 2019. The economic cost of cybersecurity breaches: A broad-based analysis. Proceedings of the 2019 Workshop on the Economics of Information Security (WEIS), Boston, MA, USA, June 3–4; pp. 1–37.
  24. IE, Sofia Lopez. 2023. Corporate governance and ethics in modern business. Center for Management Science Research 1: 9–18.
  25. Kamiya, Shinichi, Jun-Koo Kang, Jungmin Kim, Andreas Milidonis, and René M. Stulz. 2021. Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics 139: 719–49.
  26. Koo, David S., Santhosh Ramalingegowda, and Yong Yu. 2017. The effect of financial reporting quality on corporate dividend policy. Review of Accounting Studies 22: 753–90.
  27. Kothari, S. P., Andrew J. Leone, and Charles E. Wasley. 2005. Performance matched discretionary accrual measures. Journal of Accounting and Economics 39: 163–97.
  28. Malik, Muhammad Shoukat, and Urooj Islam. 2019. Cybercrime: An emerging threat to the banking sector of Pakistan. Journal of Financial Crime 26: 50–60.
  29. Malliouris, Dennis D. 2021. Finance & Cyber Security: Uncovering Underlying and Consequential Costs of Security Breaches and Investments. Doctoral dissertation, University of Oxford, Oxford, UK.
  30. McNichols, Maureen F. 2002. Discussion of the quality of accruals and earnings: The role of accrual estimation errors. The Accounting Review 77: 61–9.
  31. Mhlanga, David, and Tankiso Moloi. 2020. The stakeholder theory in the fourth industrial revolution. International Journal of Economics and Finance Studies 12: 352–68.
  32. Munandar, Aris, Siti Fatimah, Pandu Adi Cakranegara, Asri Kunda, and Andiena Nindya Putri. 2023. Examining the impact managerial ownership and financial performance on dividend policy. Jurnal Ekonomi 12: 66–70.
  33. Nadeem, Mudasar Ali, Sumaira Hashmi, and Muhammad Abbas Khan. 2023. Exploring the interplay of cybersecurity and cybercrime in Pakistan’s digital landscape. Contemporary Issues in Social Sciences and Management Practices 2: 207–22.
  34. Nguyen, Trang Thi Ngoc, and Phuong Kim Bui. 2019. Dividend policy and earnings quality in Vietnam. Journal of Asian Business and Economic Studies 26: 301–12.
  35. Nolan, Christopher, Glenn Lawyer, and Ryan Marshall Dodd. 2019. Cybersecurity: Today’s most pressing governance issue. Journal of Cyber Policy 4: 425–41.
  36. Nur, Dhani Ichsanuddin. 2023. Leverage and dividend policy: Evidence from the Indonesian stock exchange. Journal of Economics, Management and Trade 29: 1–11.
  37. Romanosky, Sasha, David Hoffman, and Alessandro Acquisti. 2014. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies 11: 74–104.
  38. Schoenmaker, Dirk, and Willem Schramade. 2019. Investing for long-term value creation. Journal of Sustainable Finance & Investment 9: 356–77.
  39. Smaili, Nadia, Camélia Radu, and Amir Khalili. 2023. Board effectiveness and cybersecurity disclosure. Journal of Management and Governance 27: 1049–71.
  40. Srinidhi, Bin, Jia Yan, and Giri Kumar Tayi. 2015. Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors. Decision Support Systems 75: 49–62.
  41. Tangjitprom, Nopphon. 2013. Propensity to pay dividends and catering incentives in Thailand. Studies in Economics and Finance 30: 45–55.
  42. ThoughtLab. 2022. Cybersecurity Solutions for a Riskier World. Available online: (accessed on 17 August 2024).
  43. Tran, Ly Thi Hai. 2022. Reporting quality and financial leverage: Are qualitative characteristics or earnings quality more important? Evidence from an emerging bank-based economy. Research in International Business & Finance 60: 101578.
  44. Uddin, Md. Hamid, Md. Hakim Ali, and Mohammad Kabir Hassan. 2020. Cybersecurity hazards and financial system vulnerability: A synthesis of literature. Risk Management 22: 239–309.
  45. Uddin, Md. Hamid, Sabur Mollah, Nazrul Islam, and Md Hakim Ali. 2023. Does digital transformation matter for operational risk exposure? Technological Forecasting and Social Change 197: 122919.
  46. Wei, Zuobao, and Yicheng Zhu. 2024. Data Breach Notification Laws and Corporate Payout Policy. Available online: (accessed on 9 September 2024).
  47. Young, Randall, Lixuan Zhang, and Victor R. Prybutok. 2007. Hacking into the minds of hackers. Information Systems Management 24: 281–87.

Table 1. Variables used in the study.

| Variable | Definition | Source |
|---|---|---|
| Dividend yield | Annual cash dividends this year are divided by the total market value in the preceding year. | Bloomberg |
| Dividend payout ratio | Annual cash dividends paid this year are divided by the net income in the preceding year. | Bloomberg |
| Propensity to pay dividends | Equals one if a firm pays cash dividends and zero otherwise. | Bloomberg |
| CR | Cybersecurity risk. | Florackis et al. (2023) |
| Board independence | The proportion of independent directors on the board. | Bloomberg |
| Board’s financial expertise | The proportion of directors with financial experience on the board. | Bloomberg |
| Number of board meetings | Number of meetings per year. | Bloomberg |
| Firm size | The natural logarithm of the total assets of a firm in the preceding year. | Bloomberg |
| Leverage | Debt this year is divided by the total assets in the preceding year. | Bloomberg |
| ROA | Net income this year is divided by the total assets in the preceding year. | Bloomberg |
| Reporting quality | McNichols’s (2002) accruals quality | Bloomberg |

Table 2. Descriptive analysis.

| Variable | | | | |
|---|---|---|---|---|
| Dividend yield | 12,649 | 0.011 | 0.007 | 0.018 |
| Dividend payout ratio | 12,649 | 0.217 | 0.028 | 0.535 |
| Propensity to pay dividends | 12,649 | 0.469 | 0.031 | 0.499 |
| CR t−1 | 12,649 | 0.279 | 0.353 | 0.216 |
| Board independence t−1 | 12,649 | 0.776 | 0.80 | 0.124 |
| Board’s financial expertise t−1 | 12,649 | 0.115 | 0.111 | 0.107 |
| Number of board meetings t−1 | 12,649 | 4.88 | 4.959 | 0.186 |
| Firm size t−1 | 12,649 | 20.62 | 20.616 | 2.005 |
| Leverage t−1 | 12,649 | 0.232 | 0.179 | 0.259 |
| Return on assets t−1 | 12,649 | −0.03 | 0.047 | 0.368 |
| Reporting quality t−1 | 12,649 | −0.075 | −0.034 | 0.126 |

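Table 3. Correlation matrix of total sample.

Panel A: First proxy of dividend policy (Dividend yield)

| # | Variable | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Dividend yield | 1 | | | | | | | | |
| 2 | CR t−1 | −0.052 ** | 1 | | | | | | | |
| 3 | Board independence t−1 | 0.606 * | 0.054 * | 1 | | | | | | |
| 4 | Board’s financial expertise t−1 | 0.388 ** | 0.023 * | −0.412 ** | 1 | | | | | |
| 5 | Number of board meetings t−1 | 0.529 ** | 0.093 * | 0.415 ** | 0.392 ** | 1 | | | | |
| 6 | Firm size t−1 | 0.025 * | 0.062 * | 0.088 * | −0.373 * | −0.145 * | 1 | | | |
| 7 | Leverage t−1 | 0.258 ** | −0.004 | 0.693 ** | −0.383 ** | 0.488 * | 0.161 * | 1 | | |
| 8 | Return on assets t−1 | −0.450 ** | −0.03 * | −0.772 ** | 0.343 * | 0.491 * | 0.183 * | −0.885 ** | 1 | |
| 9 | Reporting quality t−1 | 0.138 * | 0.056 | 0.35 * | 0.068 ** | 0.433 | 0.206 * | 0.081 | −0.2 | 1 |

Panel B: Second proxy of dividend policy (Dividend payout ratio)

| # | Variable | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Dividend payout ratio | 1 | | | | | | | | |
| 2 | CR t−1 | −0.023 ** | 1 | | | | | | | |
| 3 | Board independence t−1 | 0.573 ** | 0.102 * | 1 | | | | | | |
| 4 | Board’s financial expertise t−1 | 0.405 ** | 0.012 ** | −0.411 ** | 1 | | | | | |
| 5 | Number of board meetings t−1 | 0.538 ** | 0.034 * | −0.399 ** | 0.4285 ** | 1 | | | | |
| 6 | Firm size t−1 | 0.017 ** | 0.027 ** | 0.116 * | −0.361 ** | 0.151 * | 1 | | | |
| 7 | Leverage t−1 | 0.563 ** | 0.063 * | 0.682 ** | −0.418 ** | −0.504 ** | 0.522 ** | 1 | | |
| 8 | Return on assets t−1 | −0.341 ** | −0.093 * | −0.714 ** | 0.354 ** | 0.493 ** | 0.212 ** | −0.892 ** | 1 | |
| 9 | Reporting quality t−1 | 0.159 * | 0.051 ** | 0.421 * | 0.266 * | 0.723 | 0.167 * | 0.266 * | −0.318 | 1 |

Panel C: Third proxy of dividend policy (The propensity to pay dividends)

| # | Variable | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Propensity to pay dividends | 1 | | | | | | | | |
| 2 | CR t−1 | −0.124 ** | 1 | | | | | | | |
| 3 | Board’s financial expertise t−1 | 0.681 ** | −0.0546 | 1 | | | | | | |
| 4 | Number of board meetings t−1 | 0.344 ** | 0.053 ** | −0.414 ** | 1 | | | | | |
| 5 | Number of board meetings t−1 | 0.505 * | 0.235 ** | −0.450 ** | 0.301 ** | 1 | | | | |
| 6 | Firm size t−1 | 0.037 ** | 0.139 * | 0.025 * | −0.400 ** | −0.129 | 1 | | | |
| 7 | Leverage t−1 | 0.044 ** | −0.166 * | 0.715 ** | −0.296 ** | −0.447 ** | 0.042 | 1 | | |
| 8 | Return on assets t−1 | −0.14 | −0.07 ** | −0.34 ** | −0.38 * | −0.25 * | −0.06 | −0.05 ** | 1 | |
| 9 | Reporting quality t−1 | 0.138 * | 0.083 | 0.117 * | 0.068 ** | 0.433 | 0.206 * | 0.081 | 0.841 * | 1 |

Note: (*) and (**) indicate a significant correlation at the 0.05 and 0.01 levels, respectively.
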
Table 4. Fixed effects regression results and their robustness.

| Variable | Multivariate Regressions: Dividend Yield | Multivariate Regressions: Dividend Payout Ratio | Multivariate Regressions: Propensity to Pay Dividends | Robustness: Prais-Winsten Estimator | Robustness: Newey-West Estimator | Robustness: Driscoll-Kraay Estimator |
|---|---|---|---|---|---|---|
| CR t−1 | −0.006 *** | −0.114 *** | −0.764 *** | −0.003 *** | −0.006 *** | −0.007 *** |
| Board independence t−1 | 0.003 ** | 0.041 ** | 0.474 ** | −0.005 ** | −0.004 ** | −0.008 ** |
| Board gender diversity t−1 | 0.008 *** | 0.148 ** | 0.705 *** | 0.005 *** | 0.008 *** | 0.012 *** |
| Number of board meetings t−1 | 0.001 *** | 0.018 ** | 0.099 * | 0.001 | 0.001 ** | 0.001 *** |
| Firm size t−1 | 0.002 *** | 0.031 *** | 0.234 *** | 0.002 *** | 0.002 *** | 0.002 *** |
| Leverage t−1 | −0.002 | −0.006 | −0.547 *** | −0.001 | −0.002 * | −0.002 ** |
| Return on assets t−1 | 0.002 ** | 0.034 ** | 1.729 *** | 0.002 | 0.002 *** | 0.003 *** |
| Reporting quality t−1 | −0.000 *** | 0.031 | 0.566 ** | −0.002 | −0.002 * | 0.004 *** |
| Constant | −0.026 ** | −1.049 *** | −5.919 *** | −0.030 *** | −0.026 *** | −0.030 *** |
| Industry FE | Yes | Yes | Yes | Yes | Yes | Yes |
| Year FE | Yes | Yes | Yes | Yes | Yes | Yes |
| Cluster to firm | Yes | Yes | Yes | Yes | Yes | Yes |
| Adjusted R2 | 0.126 | 0.0657 | 0.24 | 0.0612 | ----- | 0.09 |
| Number of groups | 1980 | | | | | |

Note: * p < 0.10; ** p < 0.05; *** p < 0.01.


Share and Cite

Al-Mohareb, Manar. 2025. "The Impact of Cyber Governance Quality on Dividend Policy in Mitigating Cybersecurity Breaches" Risks 13, no. 2: 34.
