Only 5% of companies on the FTSE 100 index have board members who are clued up on cyber risks, according to Deloitte.
In its first-ever analysis of UK cyber reporting – gleaned from disclosures filed in annual reports – the auditor learned that 87% of FTSE 100 firms had clearly identified at least one type of cyber risk as a principal threat.
Some 71% of firms on the index cited IT systems failure as a worry, and 72% highlighted the potential for cybercrime or cyberattacks. About a third of the firms said that data theft was a major cause for concern.
However, Deloitte found that for many FTSE 100 firms there is still no clear “owner” of this “varied, often technical and always complex” issue.
“While many organisations may have a CISO, CTO or CIO,” the auditor notes, “there is often a lack of coherence in board leadership with the right level of understanding, accountability or authority.”
Deloitte’s findings have arrived in the wake of high-profile cyberattacks against a succession of blue-chip corporates: incidents that have seized the media spotlight since the large-scale email hack on Sony made headlines in late 2014.
In spring last year, cybersecurity specialist UpGuard warned several big-brand retailers – including Matalan, Tesco and Debenhams – that the risk safeguards on their commercial websites required “serious attention” to ensure they were fully effective.
Against that backdrop, the report noted, investors and regulators are increasingly scrutinising how the organisations they deal with manage cyber risk.
William Touche – head of Deloitte’s centre for corporate governance in the UK – said that firms should be as open as possible within their annual reports about a whole range of cybersecurity matters.
In his view, disclosures should encompass everything from potential cyber risks to mitigations – such as planning, training and testing programmes – and even any cyber breaches that the firms have suffered.
“[This] is important information for shareholders,” he noted, “as it highlights the risks and lets them know how seriously companies are taking it. It also demonstrates a company’s understanding of the cyberthreats that they face.”
He added: “Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements.”
With that in mind, Deloitte proposed seven principles that boards should follow when preparing their annual reports:
Download Deloitte's full report on cyberthreat reporting in the FTSE 100 here.