Only 1 in 5 FTSE 100 firms have cyber risk testing programmes
28 March 2018
Despite 89% of FTSE 100 companies recognising cyber as a principal risk that could entail a number of consequences including disruption to business and operations, only 21% of such companies have mentioned details of specific cyber risk testing in their annual reports.
A recent Deloitte study of FTSE 100 annual reports shows how the prominence of cyber security has grown over the years. Based on those reports, Deloitte found that more FTSE 100 companies now have board members with cyber security experience than in the past, and that many are focussing on strategies to mitigate employee risk and the threats posed by malware.
The study also found that 89% of FTSE 100 companies now recognise cyber as a principal risk with a range of possible consequences. Disruption to business and operations was the most commonly cited concern (70% of companies), followed by data loss (58%), reputational damage (56%) and financial damage (54%).
Only 1 in 5 FTSE 100 firms disclosed cyber risk testing
Despite such concerns, only 21% of FTSE 100 companies disclosed details of specific cyber risk testing in their annual reports. According to Phill Everson, head of cyber risk services at Deloitte UK, disclosing cyber risk testing to investors and customers demonstrates that a firm has ways to continually and proactively test for flaws, and shows a commitment to fixing them when they are found.
“As we see GDPR regulations introduced from May 25th this year this becomes even more important as they require regulators to be notified within 72 hours of a breach. In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner.
“However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21% of companies disclosed in their annual report that they provided cyber security updates to the Board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so,” he added.
While expecting more FTSE 100 companies to start disclosing cyber risk testing in their annual reports, Everson also highlighted that 17% of companies identified malware as a threat this year, up from 12% last year, and that in the last two years one in five companies disclosed the creation of a brand new role or body with overall accountability for cyber.
“This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100%, and expect investors would as well,” he added.
Just 8% of FTSE 100 firms have a board member with cyber security expertise
Last year, a similar Deloitte study revealed that only a tiny minority (5%) of FTSE 100 companies had a board member with specialist cyber security experience. That figure has since risen to 8%, still a small minority. Following the publication of last year's report, Jeremy Swinfen Green, the head of consulting at TEISS, had this to say:
“Cyber security is now widely accepted as having strategic importance. Data breaches can adversely affect reputation (including the reputations of Board members) as well as damaging an organisation’s competitive positioning. And there is a big moral dimension too: allowing personal data to leak out can cause individual consumers enormous difficulties, from cloned credit cards and frauds to wholesale identity theft.
“But all too often cyber security seems to be treated as a technical issue for overworked IT departments and cyber breaches are considered simply a cost of doing business. Perhaps that will change with the considerable fines available to regulators under the new European privacy regulation, the GDPR, which will come into force from May 2018.”