80% of FTSE 100 companies don’t disclose cyber risk testing
by Bija Knowles
FTSE 100 firms are upgrading their approach to cyber risks by appointing IT security experts to executive boards but only a fifth are reporting on how they test for cyber risks internally.
Testing how IT systems stand up to cyberattacks is a vital part of protecting company operations and data from malware, ransomware and phishing. Yet only a fifth of the UK's biggest firms disclose in their annual report details of specific, regular cyber risk testing. Companies use techniques such as ‘ethical hacking’ (authorised penetration testing) to find vulnerabilities in their IT systems before an attacker does. The study by Deloitte - Governance in focus: Cyber risk reporting in the UK - found that, while the majority (57 per cent) of FTSE 100 companies disclose regular testing of overall crisis management, contingency or disaster recovery plans, just 20 per cent disclose details of specific cyber risk testing.
More disclosure needed
And only 21 per cent disclose that they regularly share security updates with the board. The report highlights how the need to provide regular security updates to the board will become even more important when the General Data Protection Regulation (GDPR) comes into force in less than eight weeks. From 25 May this year, companies processing the personal data of people in the EU will need to notify regulators within 72 hours of becoming aware of a data breach. Phill Everson, head of cyber risk services at Deloitte UK, said: “In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21 per cent of companies disclosed in their annual report that they provided cyber security updates to the board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so.”
Despite the relatively low proportion of FTSE 100 companies disclosing security updates to the board, 89 per cent identify cyber as a ‘principal risk’, and the serious consequences they cite include disruption to business and operations, data loss, reputational damage and financial loss.
Chain of responsibility
The report also highlights growing concern over insider threats and the risk of malware. At the same time, companies are providing more clarity on who is internally responsible for cyber risk and are now more likely to appoint board members with specialist IT knowledge and cybersecurity experience, as well as appointing a chief information security officer. Everson adds: “Over the last two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber. This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100 per cent, and expect investors would as well.”