Most of the FTSE 350 companies place cyber risk on the board agenda, with over half accounting for cyber risk in their strategic risk register, a cyber governance health check has revealed.
In July 2013, the heads of the UK’s intelligence agencies and the Department for Business, Innovation and Skills called on the country’s top 350 listed companies to take part in the exercise.
An analysis by KPMG’s cyber response team showed that companies vital to the UK’s economic growth and crucial to national security were leaking data that can be used by cyber attackers.
The first phase of the health check assessed how well FTSE 350 boards and audit committees understand and oversee risk management measures and address their cyber security threats.
The results show that, while cyber security has the board's attention in most companies, many organisations need a more mature approach to cyber risk management.
While many respondents can identify key data assets, most (56%) say their boards “never” or “rarely” review the information to confirm the legal, ethical and security implications of retaining them.
Read more about cyber security
- UK takes cyber threats to infrastructure seriously
- UK government sets up cyber security fusion cell
- Cyber attacks top banking risk, says Bank of England
- UK to launch public cyber security awareness campaign
- Israel launches cyber warfare training programme
- Half of companies lack cyber threat knowledge
- Top cyber threats underline need for security awareness
- Cyber security at US energy agency found wanting
Only 19% regularly receive intelligence about who might be targeting the organisation, or what their methods and motives are, from their company’s senior cyber risk executive.
For almost three-quarters of respondents, cyber risks do not feature regularly on their organisations’ board update.
Only 17% feel their boards have clearly set and understood the appetite for cyber risk and half believe they lack enough skills or are only barely qualified to manage risk in the digital age.
More than a third of respondents said they were “anxious” or “very anxious” about their company’s approach.
Richard Horne, cyber security partner at PwC, said that, while it was encouraging to see that most of the FTSE 350 companies acknowledge the cyber security risk to their enterprises, it appears that in many companies more needs to be done to drive true management of that risk.
“Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis,” he said.
According to Horne, companies also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.
“All businesses are increasingly dependent on digital processes, transactions and information. Ensuring that enterprises are secure in the face of an increasing threat to those digital assets is now a core element of business management and oversight,” he said.
Cyber security in the boardroom
The second phase of the health check planned for later in 2013 will involve a cyber diagnostic component.
In response to the government’s Cyber Governance Health Check report, KPMG is urging company and audit committee chairmen of the FTSE 350 to prioritise cyber security in the boardroom.
The call for cyber action comes in the light of research showing that only 20% of large organisations detected that outsiders had successfully penetrated their network in the past 12 months and that just 21% of audit committees are satisfied with the information they receive about cyber security risks.
Malcolm Marshall, head of information protection and business resilience at KPMG said the government report shows the true scale of the threat facing UK firms and reveals just how prepared they are.
“The hope must be that it will be used by organisations to track their progress over time,” he said.
Moving security up the agenda
According to Marshall, the cyber health check has succeeded in moving cyber security up the boardroom agenda, leading one FTSE 350 chairman to tell KPMG that it “has raised the significance of cyber security which the board is considering and will action”.
Marshall said KPMG found a wide range of board level views, with some senior executives seeing cyber security as boring, some see it as sexy, others seeing it as over-hyped and still more as a necessary evil.
“The one consistency is that they are struggling to find the right balance between managing risk and making investments in a world where the threats constantly change,” he said.
At the same time, the government has announced the outcome of its recent consultation on organisational standards for cyber security and indicated its preferred standard.
“The government announcement on organisational standards and their proposed approach is a welcome addition to UK company defences, but the more advanced businesses recognise that complying with a standard is one stop on the journey along the cyber security road, rather than the final destination. There is much more to getting this right than following a standard,” he said.