Cybersecurity is neglected by most companies in annual reports
by Kylene Casanova
A survey of annual reports published by 800 companies from around the world found that most companies are not providing enough data on their cybersecurity strategies and few consider it a boardroom issue.
The Cyber security benchmark 2017 by KPMG found that:
- 56 per cent of the companies surveyed pay insufficient attention to cybersecurity in their annual reports;
- only a quarter of the companies dedicate at least a paragraph to cybersecurity in their annual reports; and
- fewer than 20 per cent of companies consider cyber risks a boardroom responsibility.
Hot cyber topics
The report also highlighted some of the 'hot cyber topics' for corporates, including:
- Board awareness: The importance of promoting cybersecurity awareness at all levels of the company, among employees as well as among the board. “Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in the area of cyber security.”
- Privacy: Data privacy is an important topic that can help reassure customers and is now in the spotlight as the General Data Protection Regulation (GDPR) will come into effect from 25 May 2018.
- Security monitoring: Investment in security monitoring (for example through a security information and event management – SIEM – system) is a way of demonstrating awareness and commitment to addressing cybersecurity risks.
- Threat intelligence: Gathering intelligence on cybersecurity threats is also an important part of preparing for such attacks but few companies mention this in their annual report.
- Vendor risk: As companies are increasingly dependent on their supply chain, vendor risk management is an important factor to consider, and companies can demonstrate awareness of the risk by stating the actions taken in their annual report.
- Industrial Control Systems (ICS) are designed to support industrial processes, but they are also susceptible to malware, hacking and network disruptions. Companies that depend on or use these systems should show their awareness of this cybersecurity risk in their annual reports.
Eastern Europe lags in cybersecurity reporting
The study also highlighted the reporting practices of companies in Eastern Europe with regard to cybersecurity, showing that only 3 per cent consider it to be a board-level responsibility, while more than three-quarters failed to mention cybersecurity at all in their annual reports. Reporting on cybersecurity in Eastern European companies – and particularly in Romania – is therefore considered to be less of a priority than for companies in other regions.
Gabriel Mihai Tanase, KPMG director responsible for cyber services, said: “We know that organizations from several industries carry out cyber security projects but have not mentioned these in their annual reports. Are cyber activities not being made public for fear of a perception that the existence of cyber security related processes might create the impression that there is a security issue or does this lack of reporting simply reveal how cyber is still perceived at board level in Romania? Is this mostly considered as a technical issue which needs to be managed by technical people?”