FTSE 100 firms are upgrading their approach to cyber risks by appointing IT security experts to executive boards but only a fifth are reporting on how they test for cyber risks internally.
Testing how IT systems deal with cyberattacks is a vital part of protecting company operations and data from the threat of malware, ransomware and phishing attacks. Yet only a fifth of the UK's biggest firms disclose details in their annual report of specific, regular cyber risk testing. Companies use techniques such as ‘ethical hacking’ to find vulnerabilities in their IT systems. The study by Deloitte - Governance in focus: Cyber risk reporting in the UK - found that, while the majority (57 per cent) of FTSE 100 companies disclose regular testing of overall crisis management, contingency or disaster recovery plans, just 20 per cent disclose details of specific cyber risk testing.
More disclosure needed
And only 21 per cent regularly share security updates with the board. The report highlights how the need to provide regular security updates to the board will become even more important when the General Data Protection Regulation (GDPR) comes into force in less than eight weeks. From 25 May this year, companies handling data belonging to an EU citizen or company will need to notify regulators within 72 hours of a data breach. Phill Everson, head of cyber risk services at Deloitte UK, said: “In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21 per cent of companies disclosed in their annual report that they provided cyber security updates to the board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so.”
Despite the relatively low proportion of FTSE 100 companies providing security updates to the board, 89 per cent identify cyber as a ‘principal risk’ and note serious potential consequences including disruption to business and operations, data loss, reputational damage and financial loss.
Chain of responsibility
The report also highlights growing concern over insider threats and the risk of malware. At the same time, companies are providing more clarity on who is internally responsible for cyber risk and are now more likely to appoint board members with specialist IT knowledge and cybersecurity experience, as well as appointing a chief information security officer. Everson adds: “Over the last two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber. This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100 per cent, and expect investors would as well.”