Two months before the introduction of the General Data Protection Regulation (GDPR), only a minority of FTSE 100 companies are currently reporting in detail on their plans to demonstrate strong cyber security, according to analysis by Deloitte.
The firm says that while 57% of FTSE 100 companies disclose in their annual report regular testing of overall crisis management, contingency or disaster recovery plans, only 20% disclose details of specific cyber risk testing, such as ‘ethical hacking’, to find vulnerabilities in their IT systems.
Phill Everson, head of cyber risk services at Deloitte UK, said: ‘Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience.
‘As we see GDPR regulations introduced from 25 May, this becomes even more important, as they require regulators to be notified within 72 hours of a breach.’
Deloitte’s research found that just 21% of companies disclosed in their annual report that they provided cyber security updates to the board on a regular (monthly to bi-annual) basis.
Despite the small proportion of FTSE 100 companies providing security updates to the board, 89% recognise cyber as a ‘principal risk’ and identified a number of consequences in the event of a breach. Disruption to business and operations was of greatest concern, flagged by 70%, followed by data loss (58%), reputational damage (56%) and financial loss (54%).
Everson said: ‘An area that has had less recognition in the past is the insider threat, but it is mentioned by 23 companies this year, and 17% of companies identified malware as a threat, up from 12% last year. In future we expect to see more companies go into greater depth on their strategies to mitigate against employee risk and the threats posed by malware.’
Deloitte’s analysis also suggests companies are starting to provide more clarity on who is internally responsible for cyber risk. Over the last two years, one in five companies disclosed the creation of a brand new role or body with overall accountability for cyber.
Everson said: ‘This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100%, and expect investors would as well.’
By comparison, just 5% of companies last year disclosed having a member of the board with specialist technology or cyber security experience. This has gone up to 8% this year, a figure matched by the number of companies that also disclose having a chief information security officer (CISO) in the executive team this year.
Report by Pat Sweet