Boards at some of the UK’s biggest companies still don’t understand the potential impact of cyber attacks, according to a new report from the British government.
Published on 5th March 2019, the Cyber Governance Health Check looks at the differing approaches taken by FTSE 350 companies to cyber security. The findings reveal that less than one-fifth (just 16 percent) of boards have a comprehensive understanding of the impact of losses or disruptions associated with cyber threats.
A large majority of businesses (96 percent) have a cyber security strategy in place, says the report, but this apparently leaves 14 of the UK’s 350 largest companies (by market capitalisation) without one.
Despite most companies having a cyber security strategy, only 46 percent of them have a dedicated budget for cyber security. The figures are similar for incident response plans: 95 percent of FTSE 350 businesses have such a plan in place, but only 57 percent test it regularly.
A significant majority of businesses (88 percent) say that the board reviews and challenges the information that it receives on cyber risk. This suggests that most FTSE 350 boards are engaged in cyber risk management. However, less than two-thirds of the UK’s biggest businesses (60 percent) report that their appetite for risk – the extent and type of risk that the business is willing to accept – is agreed and written down.
The good news is that awareness of the threat of cyber attacks has increased significantly, says the report. Almost three quarters (72 percent) of respondents now acknowledge that the risk from cyber attacks is high – a big improvement on the 54 percent saying this in 2017.
According to the government, the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018 – cast into UK law under the Data Protection Act 2018 – has had a positive effect on the attention that boards are giving to cyber threats.
A spokesman from the Information Commissioner’s Office (ICO) said at a Westminster eForum GDPR conference in February that, thanks to GDPR, many businesses are now learning the basics of data protection.
Jonathan Bamford, Director of Strategic Policy (Domestic) at the ICO, said: “One of the most interesting things we’ve noticed is how many organisations woke up to data protection for the first time with GDPR. And a lot of the work we’ve had to do in terms of advice and complaints-handling has been on what I regard as core data protection issues. Not new things that have cropped up under GDPR, but data protection basics that organisations should have been on top of for a long, long time.”
Bamford told that conference that there had been a 93 percent year-on-year increase in enquiries to the Office, as UK organisations finally got up to speed. At the same time, there had been a 94 percent surge in the number of complaints about breaches. The ICO received some 43,000 of these between May 2018 (when GDPR was implemented) and the end of the year.
According to the new report, over three quarters (77 percent) of the organisations surveyed said that board-level discussion and management of cyber security had increased since GDPR. As a result, over half of those businesses had also put in place increased security measures.
Fifty-four percent of FTSE 350 companies now rate the board’s understanding of critical information, data assets, and systems as comprehensive, says the government. This compares to 43 percent in 2017 and just 32 percent in 2015-16.
But despite these growing levels of understanding, the report says that 77 percent of the FTSE 350 fail to recognise the potential security risks associated with businesses in the supply chain with which they have no direct contact.
Speaking at the launch, Digital Minister Margot James said, “Some common themes continue to be apparent in some of the largest cyber attacks, such as the failure to have a comprehensive understanding of business assets across multiple locations, or not understanding the importance of the supply chain to the overall security of the business.
“These are critical issues that need to be supported across an organisation – both by its professionals and its organisational leadership. Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre [NCSC] and take up the government’s advice and training that’s available.”
Ciaran Martin, CEO of the NCSC, added, “Every company must fully grasp their own cyber risk, which is why we have developed the NCSC’s Board Toolkit to help them. Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.
“Companies should also ensure that cyber risks are taken into account in their business strategy and appoint a Chief Information Security Officer [CISO], or other appropriately placed staff members, who can clearly communicate information about cyber risks to the board.”
Where businesses have a CISO reporting directly to the board they are more likely to rate the information they receive as comprehensive, explains the report. In companies where the CISO does report to the board, 72 percent of boards describe the information they receive as comprehensive, compared with 47 percent of other businesses.
The 2018 Health Check finds that the CISO reports directly to the board in just over one-third (35 percent) of companies, suggesting that for a greater proportion of businesses the CISO (and, therefore, information about cyber security) is further removed from senior management.
Kevin Williams of the KPMG UK cyber security practice concluded, “Cyber security is a business issue, not an IT issue. Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents.”