In January the Department for Business, Innovation and Skills (DBIS) released its second annual review of the FTSE 350 companies’ preparedness for potential cyber attacks. The DBIS report, entitled “FTSE 350 Cyber Governance Health Check Tracker Report”, revealed a number of interesting trends:
- Cyber threats are now considered ubiquitous: nearly all the companies surveyed in every sector (retail, travel and leisure, real estate and support services, technology, communications and healthcare, utilities and resources, financial services, industrial goods and services, and consumer goods) reported serious concern. From 2013 to 2014, the proportion of companies which reported cyber risk as being part of their overall risk profile rose 30% (from 58% to 88%). Moreover, “When asked about the importance of cyber risk to the business, just over half of respondents (53%) ranked cyber risks as being of moderate importance. Of the rest, 36% stated it as being extremely important and 10% of limited importance. Those in the retail, travel and leisure industries and financial services attached the greatest importance to cyber risks.”
- Business leaders are drawing the connection between strong cybersecurity and share price: 66% of respondent companies reported that shareholder value was significantly dependent on securing critical information assets. Furthermore, “Near half (45%) of respondent boards have outlined their approach to cybersecurity clearly in their annual reports and on their websites, with a view to reassuring investors.”
- Companies are tasking higher profile executives within their boards to take ownership of the issue. From 2013 to 2014, the Head of IT was 9% less likely to be in control of cybersecurity strategy, while the CIO or CEO was 15% more likely.
- However, companies are yet to get to grips with the necessary information for cyber risk decision-making and reach consensus regarding best practice:
  - When dealing with third parties, “Nearly half (48%) of all respondents used contract clauses to address cyber risks with suppliers with (44%) utilising pre-contract due diligence. A third (33%) of companies practiced third party audits while a quarter (25%) used third party self-assessments. However, 24% of respondents did not know what methods their companies used.”
  - Perhaps surprisingly, 65% of boards rarely or never review their key information, data assets and personal data to confirm the legal, ethical and security implications of retaining them; and
  - Only 24% of companies based their cyber risk discussion on comprehensive or robust management information.