
Top companies devoid of cyber-security at board level

Despite 87 percent of companies identifying cyber as a principal risk, just a handful of FTSE 100 company boards disclose having a director with specialist technology or cyber security experience, according to an analysis of annual reports by Deloitte, the business advisory firm. Comment: Phill Everson, Head of Cyber Risk Services, Deloitte UK.

This is despite cyber risk being identified as a principal risk by the vast majority of those companies. Of the types of cyber attack disclosed as a threat, unauthorised access to systems ranked most common (19 percent), followed by hacking (13 percent) and malware (13 percent). Distributed denial of service (DDoS) attacks were mentioned by only five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.

Phill Everson, head of cyber risk services, Deloitte UK said: “In light of high profile breaches, companies understand more than ever that the event of a cyber attack is not a question of if, but when, by whom and by what degree. The vast majority of FTSE 100 reports acknowledge the principal risk, but our analysis shows there were wide variations in the disclosure of cyber risk management and mitigation strategies. 11 percent of the reports mentioned the creation of a new role or body to take overall accountability for cyber risk, demonstrating the increased focus on cyber risk in organisations. However, there is also a growing expectation for board involvement in cyber oversight, as evidenced by the 10 percent of companies that delivered cyber related training to their board. With the pervasive nature of technology and the focus on cyber risk it is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience. This is not sustainable, but also reinforces the importance of disclosing such information to investors.”

More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58 percent disclosed that these plans had been simulated in test scenarios over the year. Said Everson: “Testing is vital, as the nature of cyber attacks is developing rapidly, and organisations need to understand their resilience and adapt their defences.” “The most commonly disclosed potential impacts of cyber breaches were business disruption (68 percent), reputational damage (58 percent), and data loss (45 percent),” continues Everson. “Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.”

William Touche, leader of Deloitte’s centre for corporate governance, Deloitte UK said: “Whilst the digitally connected world of course presents threats, it also presents huge opportunities for those nimble enough to embrace them. The opportunity is not just about new business models, but also about the increased engagement with customers and suppliers, enabling better information exchange, increased efficiency and greater value. The potential damage of cyber attacks is a significant threat so annual report disclosure of cyber risk, mitigations such as planning, training and testing and even cyber breaches within the annual report is important information for shareholders as it highlights the risks and lets them know how seriously companies are taking it. It also demonstrates a company’s understanding of the cyber threats that they face. Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements.”

Seven principles to improve cyber disclosure when finalising reporting:

1. Every sector, although not every company, identifies cyber as a principal risk. Think carefully if you have not done so.

2. The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.

3. The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.

4. Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.

5. Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.

6. Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, the possible impact, and detail about what the company, and the board, is doing to manage or mitigate those particular risks.

7. Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber risk.
