Abstract

Empirical research at the intersection of Environmental, Social, and Governance (ESG) features and cybersecurity relies heavily on disclosure-based data. Both ESG scores and cyber indicators (e.g., data breaches) reflect publicly reported information rather than underlying organizational conditions. As a result, observed relationships may capture transparency and reporting mechanisms rather than true cybersecurity performance. This study examines whether ESG features are associated with the observability of cyber-related information. We ask whether firms with higher ESG scores are more likely to have observable breaches and cybersecurity disclosures. The novelty of this study lies in a distinction between true cyber risk and disclosed cyber risk. Cybersecurity data are conceptualized as information-system artifacts shaped by detection, governance, and disclosure processes, and embedded in firms’ reporting regimes and information environments (Christensen et al., 2021), as well as in institutional disclosure mechanisms that determine which cyber incidents become publicly observable (Romanosky et al., 2011). Methodologically, this study proposes an observability-first design that models visibility before outcomes. We analyze a panel of 210 publicly listed insurance firms from the EU, UK, and US (2015–2025). The empirical strategy consists of three steps: (1) modeling breach observability using logistic regression; (2) analyzing disclosure behavior; and (3) examining breach intensity conditional on observability, including inverse-probability weighting. The results indicate that the Social pillar is strongly associated with observability of breaches and cyber-risk disclosure, suggesting a transparency-driven mechanism. The Governance pillar is associated with lower reported breach intensity conditional on observability. These findings indicate that in the insurance sector the level of the ESG score primarily affects what becomes visible in public cyber data.
The proposed study contributes conceptually by reframing ESG-cyber relationships as visibility-dependent. Methodologically, it provides a framework for addressing selection bias in disclosure-based datasets. Empirically, it offers pilot evidence from the insurance sector. For researchers, the results highlight the need to distinguish between true and disclosed cyber risk. For practitioners and regulators, they suggest that publicly observed cyber exposure may reflect transparency rather than vulnerability. Future research will integrate objective cybersecurity measures and extend the analysis beyond insurance firms.
