Most top UK firms fail to disclose cyber risk testing details

Although 57% of FTSE 100 companies disclose, in their annual report, regular testing of overall crisis management, contingency or disaster recovery plans, only 20% reveal details of specific cyber risk testing, such as ethical hacking, to find vulnerabilities in their IT systems, according to professional services firm Deloitte, although more than 20% may conduct such testing without reporting it.

Phill Everson, head of cyber risk services at Deloitte UK, said would-be hackers look for weaknesses in a system to gain access, so testing remains vital to ensure strong cyber resilience.

“The 20% of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, while also showing commitment in fixing them if identified,” he said.

With just two months to go before the compliance deadline for the EU’s General Data Protection Regulation (GDPR) and the introduction of GDPR-aligned new UK data protection legislation, Deloitte found there is still a lot of work to do for some of the UK’s top companies.

In the light of these new data protection requirements, Everson said companies should ensure they can meet data breach disclosure deadlines and can deliver security updates to the right people in a timely manner.

“Just 21% of companies disclosed in their annual report that they provided cyber security updates to the board on a regular, monthly to biannual, basis,” he said. “However, if greater disclosure was required, we might see a higher number of companies disclosing updates to boards.”

Despite the small proportion of FTSE 100 companies providing security updates to their boards, Deloitte found that 89% recognise cyber as a “principal risk” and identified a number of consequences in the event of a breach. Of the impacts noted, disruption to business and operations was of greatest concern, flagged by 70%, followed by data loss (58%). Reputational damage and financial loss were also identified by 56% and 54% of companies, respectively.

“An area that has had less recognition in the past is the insider threat, but it is mentioned by 23% companies this year, while 17% identified malware as a threat, up from 12% last year,” said Everson. “In future, we expect to see more companies go into greater depth on their strategies to mitigate against employee risk and the threats posed by malware.

“Elsewhere, we are also seeing companies provide more clarity on who is internally responsible for cyber risk. Over the past two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber.

“This shows that companies are upgrading their approach to match the raised level of threat, and brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38%, but we would like to see 100%, and expect that investors would as well.”

By comparison, just 5% of companies disclosed having a member of the board with specialist technology or cyber security experience in 2017, which has increased to 8% this year, a figure matched by the number of companies that also disclose having a chief information security officer (CISO) in the executive team.

Stephen Bonner, cyber risk partner at Deloitte, said the survey shows that boards continue to grow in the topic of cyber risk.

“They are increasingly disclosing the steps to manage risk to investors, regulators and broader stakeholders,” he said, noting that transparency builds trust, and the best boards are providing recommendations and need to think about what is missing from their disclosures.

“If your disclosure does not look strong enough after taking credit for what the company is already doing, it is time to ask whether you are actually doing enough to manage cyber risk,” he said. “FTSE companies are moving rapidly to transparency, and we expect the trend to continue as they seek to build trust.”