Cyber Governance, Operational Resilience, and Market Confidence in Financial Institutions: A Systematic Review and Normative Analysis
Keywords:
Cyber Governance, Operational Resilience, Market Confidence, Financial Institutions, Institutional AccountabilityAbstract
Cyber risks in financial institutions can no longer be regarded as a separate technical issue, as they directly impact the design of governance, accountability, the continuity of critical functions, and trust in digitally mediated markets. However, the literature remains fragmented across governance studies, resilience studies, and market-based studies, meaning that the institutional links between cyber governance, operational resilience, and market confidence have not yet been adequately synthesised. This article addresses this gap by conducting a systematic literature review combined with a normative analysis to examine how these three domains are conceptualised, linked, and evaluated within financial institutions. Using PRISMA 2020 and PRISMA-S as procedural frameworks, this review identifies and synthesises 50 peer-reviewed studies, selected through a transparent screening process and eligibility criteria. The findings suggest that cyber governance is best understood as an architecture of accountability, operational resilience as the capacity for continuity and recovery, and market confidence as a trust-based institutional outcome. This review further argues that market confidence should not be reduced to post-incident market reactions, but must be understood as an ex ante institutional condition shaped by credible governance and effective resilience, and subsequently tested when disruptions occur. Conceptually, this article develops an integrated institutional framework linking these three domains. Normatively, it argues that financial institutions should be evaluated not only on the basis of formal cyber controls or disclosure practices, but also on the basis of their observable institutional preparedness to maintain critical functions and trust amidst digital disruptions.
References
Abaidoo, R., & Agyapong, E. K. (2026). Operational resilience, macroeconomic uncertainty and exposure to liquidity shocks among US commercial banks. Studies in Economics and Finance, 1–22. https://doi.org/10.1108/SEF-05-2025-0362
Alodat, A. Y., Hao, Y., Nobanee, H., Ali, H., Mansour, M., & Al Amosh, H. (2025). Board characteristics and cybersecurity disclosure: Evidence from the UK. Electronic Commerce Research, 25, 4717–4735. https://doi.org/10.1007/s10660-024-09867-w
Anand, K., Duley, C., & Gai, P. (2026). Cybersecurity and financial stability.
Ayre, J., & McCaffery, K. J. (2022). Research note: Thematic analysis in qualitative research. Journal of Physiotherapy, 68(1), 76–79. https://doi.org/10.1016/j.jphys.2021.11.002
Baatwah, S. R., Asiri, M., Bajaher, M. S., Alyafai, A., & Baajajah, S. (2025). Thriving post-cyberattacks: The power of control, disclosure, and IT maturity. Electronic Commerce Research, 26, 1705–1743. https://doi.org/10.1007/s10660-025-09958-2
Brignardello-Petersen, R., Santesso, N., & Guyatt, G. H. (2025). Systematic reviews of the literature: An introduction to current methods. American Journal of Epidemiology, 194(2), 536–542. https://doi.org/10.1093/aje/kwae232
Bruno, E., Pistolesi, F., & Teti, E. (2025). Cybersecurity policy, ESG and operational risk: a virtuous relationship to improve banks’ performance.
Buttigieg, C. P., & Zimmermann, B. B. (2024). The digital operational resilience act: challenges and some reflections on the adequacy of Europe’s architecture for financial supervision.
Calderon, T. G., & Gao, L. (2022). Changes in corporate cybersecurity risk disclosures after SEC comment letters.
Cele, N. N., & Kwenda, S. (2025). Do cybersecurity threats and risks have an impact on the adoption of digital banking? A systematic literature review. Journal of Financial Crime, 32(1), 31–48. https://doi.org/10.1108/JFC-10-2023-0263
Chang, K. C., Gao, Y. K., & Lee, S. C. (2020). The effect of data theft on a firm’s short-term and long-term market value. Mathematics, 8(5), 808. https://doi.org/10.3390/math8050808
Chen, C., Hartmann, C., & Gottfried, A. (2022). The Impact of Audit Committee IT Expertise on Data Breaches.
Cheong, A., Yoon, K., Cho, S., & No, W. G. (2021). Classifying the Contents of Cybersecurity Risk Disclosure through Textual Analysis and Factor Analysis.
Corbet, S., & Gurdgiev, C. (2019). What the hack: Systematic risk contagion from cyber events. International Review of Financial Analysis, 65, 101386. https://doi.org/10.1016/j.irfa.2019.101386
Cumming, D., Nguyen, M., Pham, A. V, & Samarasinghe, A. (2026). Banking system stability: a global analysis of cybercrime laws.
Dupont, B. (2019). The cyber-resilience of financial institutions: Significance and applicability. Journal of Cybersecurity, 5(1), tyz013. https://doi.org/10.1093/cybsec/tyz013
Eisenbach, T. M., Kovner, A., & Lee, M. J. (2022). Cyber risk and the U.S. financial system: A pre-mortem analysis. Journal of Financial Economics, 145(3), 802–826. https://doi.org/10.1016/j.jfineco.2021.10.007
Flemming, K., & Noyes, J. (2021). Qualitative evidence synthesis: Where are we at? International Journal of Qualitative Methods, 20, 1609406921993276. https://doi.org/10.1177/1609406921993276
Florackis, C., Louca, C., Michaely, R., & Weber, M. (2023a). Cybersecurity risk. The Review of Financial Studies, 36(1), 351–407. https://doi.org/10.1093/rfs/hhac024
Foerderer, J., & Schuetz, S. W. (2022). Data breach announcements and stock market reactions: A matter of timing? Management Science, 68(10), 7298–7322. https://doi.org/10.1287/mnsc.2021.4264
Gao, L., & Calderon, T. G. (2025). Cybersecurity risk governance and companies’ cybersecurity risk disclosures in their 10-K filings. Journal of Accounting and Public Policy, 54, 107376. https://doi.org/10.1016/j.jaccpubpol.2025.107376
Gao, L., Calderon, T. G., & Tang, F. (2020). Public companies’ cybersecurity risk disclosures. International Journal of Accounting Information Systems, 38, 100468. https://doi.org/10.1016/j.accinf.2020.100468
Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34(3), 567–594. https://doi.org/10.2307/25750692
Gwebu, K. L., Wang, J., & Wang, L. (2018). The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35(2), 683–714. https://doi.org/10.1080/07421222.2018.1451962
Harel, Y., & Carmeli, A. (2025). A strategic cybersecurity oversight framework: A board’s imperative.
Héroux, S., & Fortin, A. (2022). Board of directors’ attributes and aspects of cybersecurity disclosure.
Ismail, E. A. A. (2024). The impact of cybersecurity disclosure on banks’ performance: the moderating role of corporate governance in the MENA region.
Jafri, J. A., Amin, S. I. M., Rahman, A. A., & Nor, S. M. (2023). A systematic literature review of the role of trust and security on Fintech adoption in banking. Heliyon, 10(1), e22980. https://doi.org/10.1016/j.heliyon.2023.e22980
Jančiūtė, L. (2025). Cybersecurity in the financial sector and the quantum-safe cryptography transition: In search of a precautionary approach in the EU Digital Operational Resilience Act framework. International Cybersecurity Law Review, 6(2), 145–154. https://doi.org/10.1365/s43439-025-00135-7
Jiang, W., Legoria, J., Reichelt, K. J., & Walton, S. (2022). Firm use of cybersecurity risk disclosures. Journal of Information Systems, 36(1), 151–180. https://doi.org/10.2308/ISYS-2020-067
Kamiya, S., Kang, J.-K., Kim, J., Milidonis, A., & Stulz, R. M. (2021). Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3), 719–749. https://doi.org/10.1016/j.jfineco.2019.05.019
Leo, M. (2020). Operational resilience disclosures by banks: Analysis of annual reports. Risks, 8(4), 128. https://doi.org/10.3390/risks8040128
Lim, W. M., Kumar, S., & Ali, F. (2022). Advancing knowledge through literature reviews: What, why, and how to contribute. The Service Industries Journal, 42(7--8), 481–513. https://doi.org/10.1080/02642069.2022.2047941
Liu, C., & Babar, M. A. (2026). Corporate cybersecurity risk and data breaches: A systematic review of empirical research. Australian Journal of Management, 51(1), 62–92. https://doi.org/10.1177/03128962241293658
López, F. A., Jara-Sarrúa, L., Morales-Parada, F., & Palos-Sánchez, P. R. (2025). Cybersecurity disclosure in the financial sector: An examination of the influence of incident exposure, governance practices, and regulatory context. Electronic Commerce Research. https://doi.org/10.1007/s10660-025-10081-5
Makridis, C. A. (2021). Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018.
Martins, A. M., Moutinho, N., & Cró, S. (2025). Stock market effects of major cyber-attacks: Evidence for breached and cybersecurity listed firms. Journal of Banking Regulation, 26, 868–877. https://doi.org/10.1057/s41261-025-00293-y
Muktadir-Al-Mukit, D., & Ali, M. H. (2025). The Dynamics of Stock Market Responses Following the Cyber-Attacks News: Evidence from Event Study.
Okat, D., Paaso, M., & Pursiainen, V. (2025). Trust in Traditional Finance and Consumer Fintech Adoption. The Review of Corporate Finance Studies, 14(2), 408–438. https://doi.org/10.1093/rcfs/cfae011
Opuni-Frimpong, J., Adefunso Dzorka, M., & Boadi, I. (2024). Governance’s role in bank performance: Cybersecurity committee assessment. Journal of Financial Reporting and Accounting, 23(2), 788–810. https://doi.org/10.1108/JFRA-12-2023-0774
Page, M. J., Moher, D., Bossuyt, P. M., Boutron, I., Hoffmann, T. C., Mulrow, C. D., Shamseer, L., Tetzlaff, J. M., Akl, E. A., Brennan, S. E., Chou, R., Glanville, J., Grimshaw, J. M., Hróbjartsson, A., Lalu, M. M., Li, T., Loder, E. W., Mayo-Wilson, E., McDonald, S., & McKenzie, J. E. (2021). PRISMA 2020 explanation and elaboration: Updated guidance and exemplars for reporting systematic reviews. BMJ, 372, n160. https://doi.org/10.1136/bmj.n160
Paul, J., Merchant, A., Dwivedi, Y. K., & Rose, G. M. (2021). Writing an impactful review article: What do we know and what do we need to know? Journal of Business Research, 133, 337–340. https://doi.org/10.1016/j.jbusres.2021.05.005
Peng, J., Zhang, H., Mao, J., & Xu, S. (2023). Repeated data breaches and firm value.
Radu, C., & Smaili, N. (2022). Board gender diversity and corporate response to cyber risk: Evidence from cybersecurity related disclosure. Journal of Business Ethics, 177, 351–374. https://doi.org/10.1007/s10551-020-04717-9
Rethlefsen, M. L., Kirtley, S., Waffenschmidt, S., Ayala, A. P., Moher, D., Page, M. J., & Koffel, J. B. (2021). {PRISMA-S}: An extension to the {PRISMA} statement for reporting literature searches in systematic reviews. Systematic Reviews, 10(1), 39. https://doi.org/10.1186/s13643-020-01542-z
Rosati, P., Cummins, M., Deeney, P., Gogolin, F., van der Werff, L., & Lynn, T. (2017). The effect of data breach announcements beyond the stock price: Empirical evidence on market activity. International Review of Financial Analysis, 49, 146–154. https://doi.org/10.1016/j.irfa.2017.01.001
Sauer, P. C., & Seuring, S. (2023). How to conduct systematic literature reviews in management research: A guide in 6 steps and 14 decisions. Review of Managerial Science, 17, 1899–1933. https://doi.org/10.1007/s11846-023-00668-3
Schmitz, J., & Leoni, G. (2019). Accounting and Auditing at the Time of Blockchain Technology: A Research Agenda. Australian Accounting Review, 29(2), 331–342. https://doi.org/https://doi.org/10.1111/auar.12286
Smaili, N., Radu, C., & Khalili, A. (2023). Board effectiveness and cybersecurity disclosure. Journal of Management and Governance, 27(4), 1049–1071. https://doi.org/10.1007/s10997-022-09637-6
Smith, M., & Miller, S. (2025). Technology, institutions and regulation: Towards a normative theory. AI & Society, 40, 1007–1017. https://doi.org/10.1007/s00146-023-01803-0
Uddin, M. H., Ali, M. H., & Hassan, M. K. (2020a). Cybersecurity hazards and financial system vulnerability: A synthesis of literature. Risk Management. https://doi.org/10.1057/s41283-020-00063-2
Uddin, M. H., Ali, M. H., & Hassan, M. K. (2020b). Cybersecurity hazards and financial system vulnerability: A synthesis of literature.
Zheng, G., Xia, Z., He, F., & Xiao, Z. (2025). The audit committee’s IT expertise and its impact on the disclosure of cybersecurity risk.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 GENIUS INSIGHT ECONOMICS
This work is licensed under a Creative Commons Attribution 4.0 International License.
CC BY 4.0
