Just 5% of FTSE 100 firms have cyber-savvy directors

Auditor cites “lack of coherence in board leadership” on cyberthreat matters, despite widespread fears of hacks and attacks

Only 5% of companies on the FTSE 100 index have board members who are clued up on cyber risks, according to Deloitte.

In its first-ever analysis of UK cyber reporting – gleaned from disclosures filed in annual reports – the auditor learned that 87% of FTSE 100 firms had clearly identified at least one type of cyber risk as a principal threat.

Some 71% of firms on the index cited IT systems failure as a worry, and 72% highlighted the potential for cybercrime or cyberattacks. About a third of the firms said that data theft was a major cause for concern.

However, Deloitte found, for many FTSE 100 firms, there is still no clear “owner” of this “varied, often technical and always complex” issue.

“While many organisations may have a CISO, CTO or CIO,” the auditor notes, “there is often a lack of coherence in board leadership with the right level of understanding, accountability or authority.”

Deloitte’s findings have arrived in the wake of high-profile cyberattacks against a succession of blue-chip corporates: incidents that have seized the media spotlight since the large-scale email hack on Sony made headlines in late 2014.

In spring last year, cybersecurity specialist UpGuard warned several big-brand retailers – including Matalan, Tesco and Debenhams – that the risk safeguards on their commercial websites required “serious attention” to ensure they were fully effective.

Against that backdrop, the report noted, investors and regulators are increasingly training their attention on how the organisations they liaise with manage risk.

William Touche – head of Deloitte’s centre for corporate governance in the UK – said that firms should be as open as possible within their annual reports about a whole range of cybersecurity matters.

In his view, disclosures should encompass everything from potential cyber risks to mitigations – such as planning, training and testing programmes – and even any cyber breaches that the firms have suffered.

“[This] is important information for shareholders,” he noted, “as it highlights the risks and lets them know how seriously companies are taking it. It also demonstrates a company’s understanding of the cyberthreats that they face.”

He added: “Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements.”

With that in mind, Deloitte proposed seven principles that boards should follow when preparing their annual reports:

1. Every sector, although not every firm, identifies cyber as a principal risk. Think carefully if you have not done so.
2. The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.
3. The best disclosures are company specific and year specific. They also provide sufficient detail to give meaningful information to investors and other stakeholders.
4. Boards and board committees are increasingly educating themselves about cyberthreats. They are also challenging management on how they are dealing with the relevant risks.
5. Firms should take credit for what they are doing. That includes describing who has executive responsibility, board level responsibilities, the policy framework, internal controls and disaster recovery plans.
6. Boards should think about what could be missing from their disclosures. For example, a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.
7. Does your disclosure still not look strong enough after taking credit for what the company is already doing? Then it’s time to ask whether you are actually doing enough to manage cyber risk.

Download Deloitte's full report on cyberthreat reporting in the FTSE 100 here.