FTSE 100 companies not doing enough to tackle huge cyber risk

Cyber crime is on the rise but results from the first ever survey covering the full FTSE 100 suggests that executive boards are not doing enough to mitigate the risk, according to a Deloitte report.

Deloitte’s Governance in focus: Cyber risk reporting in the UK, compiled using information included in FTSE 100 companies’ annual reports, shows that while 87% of companies identified cyber as a principal risk, only 5% of the same boards appear to have a director with specialist expertise.

Most of the FTSE 100 mentioned an increase in cyber security breaches in their industry, while GlaxoSmithKline disclosed that ‘several GSK employees were indicted for theft of GSK research information.’

Only five FTSE 100 companies did not mention cyber risk in their annual report; four of these were in the mining industry and one in the construction industry.

William Touche, Vice‑Chairman and leader of Deloitte UK Centre for Corporate Governance, says: “It is not a question of whether there will be cyber attacks, it probably never was, but it is a question of when, by whom and with what degree of expertise your company will be attacked.”

Types of risk

The principal cyber risks were identified as crime (72%) failure of IT systems (71%), data protection risk (59%) and data theft or misappropriation (33%).

Some companies grouped cyber risks with the risk of catastrophic events in their annual report, due to their potential major impact.

64% of companies which included cyber as a principal risk also thought that the risk had continued to increase year-on-year.

Most experienced or perceived threat of cyber crime was identified as unauthorised access to systems (19%), while other threats included reference to hacking (13%), malware (13%), denial of service attacks (5%), targeted fraud (5%), acts of terrorism (3%) and a few mentions of foreign governments and geopolitical threats (4%).

The report advises that more detailed disclosures about the kind of cyber risk a company is exposed to helps demonstrate to investors and stakeholder groups that the directors and management understand the threats facing their organisation and is therefore better able to develop appropriate mitigation strategies.

Impact on business

The top three perceived impacts of cyber risk were highlighted as the potential disruption of business, reputational damage and financial loss. Financial loss was classified as distinct from theft or fraud leading to funds being misappropriated.

A substantial minority of reports cited potential penalties arising from regulatory non‑compliance and other legal consequences, such as contractual damages or inability to meet contractual obligations, according to the research.

Board ownership

Deloitte’s report goes on to investigate how boards deal with the cyber risk identified in their companies’ annual report.

It found that while 87% of FTSE 100 companies identify cyber security as one of their principal risks, 11% fewer than this mention cyber security in their corporate governance statement.

Despite the executive and boardroom focus on this risk, shockingly only 5% of FTSE 100 boards appear to have a director with IT expertise, when looking at executive or non-executive directors described as having experience in cyber security or CIO, CTO, CISO or IT director roles.

Dominic Cockram, Partner at Regester Larkin observes: “In light of so many cyber events in the news, corporate boardrooms are beginning to understand the complexities and reputational risks they face; however, for some there is still no clear ‘owner’ of this varied, often technical, and always complex issue.

“While many organisations may have a CISO, CTO or CIO there is often a lack of coherence in Board leadership with the right level of understanding, accountability or authority”

The report also uncovered that cyber security was most often mentioned as a matter covered by the audit or risk committee. However, in almost every case, cyber security was not specifically identified as a matter to be dealt with by one of these committees, in the summary of their terms of reference provided in the annual report.

Communication on cyber threat was also revealed to be low, with 39% of FTSE boards or committees receiving one annual report on cyber security, while only 18% disclosed receiving ‘regular’ updates on cyber security, the frequency of these varying from monthly to bi‑annually.

Mitigating activities

In light of the perceived risk of cyber crime and its impact on the business, it would seem natural that mitigating activities would follow suit fairly quickly.

However, only 11% of the FTSE 100 mentioned that they created a new role or body to tackle cyber risk during the previous year and only 27% of FTSE 100 annual reports clearly identify a person or team with responsibility for cyber security, according to the data.

FTSE 100 companies have been more proactive in creating plans to deal with cyber risk, with more than half mentioning contingency plans, crisis management or disaster recovery plans in their annual reports, but only 58% of these reported actually testing them during the year.

Within their own company, only 29% mentioned having internal policies on cyber and data security, while a mere 8% mentioned updating internal policies to cover cyber security.

Compounding this, only 38% of companies mentioned internal controls as a mitigating factor for cyber risk and only 7% disclosed any changes to improve internal controls for cyber risk.

A 2016 Regester Larkin survey showed that almost half of corporate communication teams did not have a cyber communications plan or guidelines in place for a cyber incident. This further underlines the need for board level focus.

Other targeted measures included training for staff and the board, cyber insurance, external assurance, systems testing and continuous monitoring of systems and vulnerabilities, while 9% of the FTSE 100 disclosed external assurance activities for cyber risk.

Easyjet mentioned ‘quarterly vulnerability scanning’, a good example of continuous monitoring.

Final thoughts

‘Because of the importance of cyber risk, its constant evolution and the scale of potential impact, we would expect it to be a focus area on every board’s agenda’ writes William Touche, vice-chairman of Deloitte UK and leader of its centre for corporate governance.

Ciaran Martin, CEO of the UK’s National Cyber Security Centre, says: “We know that with new opportunities come new vulnerabilities. So alongside the ability to transact, process and store data on an unprecedented scale so comes the risk of being compromised on an unprecedented scale”

Related reading