A survey of FTSE 100 firms finds that over two-thirds (64 percent) of the United Kingdom’s top listed companies recognize that cyber risk is increasing year on year.
The survey, conducted by Deloitte, is the first ever to focus on cyber risk and draws on information given in company annual reports.
It focuses on what companies say in their annual reports about cyber risk, paying particular attention to whether they identify it as a principal risk, how they categorize it, and describe its effects.
The area of cyber risk most often mentioned by FTSE 100 companies as a principal risk was cyber crime or cyber attack. Image: pixabay 1979478
Four areas of cyber risk
In a report about the findings, Deloitte say they found companies mostly mentioned four main areas of cyber risk: cyber crime (or cyber attack), IT systems failure (not necessarily in connection with cyber crime), protection of data and “sensitive” information, and data theft.
The results show that 87 percent of FTSE 100 companies picked one or more these four areas of cyber risk as a principal risk in the information they disclosed in their annual reports.
The area of cyber risk most often mentioned as a principal risk was cyber crime or cyber attack (mentioned by 72 percent of FTSE 100 companies), closely followed by IT systems failure (71 percent).
Protection of data and sensitive information – for instance to comply with data protection regulations – was mentioned as a principal risk by 59 percent of the FTSE 100.
Only 33 percent of companies identified data theft or misappropriation (including theft of intellectual property or IP) as a principal risk in their annual reports, but Deloitte suggest some companies might categorize this as cyber crime.
‘Employees are one of the biggest threats to cyber security’
In a discussion on the nature of threats to cyber security, the report notes that:
“A company’s own employees remain one of the biggest threats to cyber security, intentional or otherwise, but very few companies publicly acknowledge this fact.”
The survey finds AstraZeneca is one of the few companies to allude to this risk. In their 2015 annual report, the British-Swedish biopharma mentions that their increasingly complex systems are potentially vulnerable to security breaches from “attacks by malicious third parties, or from intentional or inadvertent actions by our employees or vendors.”
GlaxoSmithKline’s (GSK’s) 2015 annual report also mentions that some employees have been indicted for theft of GSK research information. The report defines the area of risk, its potential impact, and notes that as far as the company can discern, the breach has not damaged R&D activity or ongoing business. GSK also outline the steps and procedures they follow to mitigate such breaches.
Deloitte say they would like to see more UK companies acknowledging employee actions – “inadvertent or otherwise” – as a source of cyber risk and reporting on how they are dealing with it.
Companies need to acknowledge and report on cyber security issues
William Touche, Vice‑Chairman of Deloitte UK and head of the company’s centre for corporate governance, says the growing threat to cyber security “comes at a time when there is also increasing focus from investors and regulators on how organizations manage risk.”
In a recent letter to audit committees and finance directors, the UK Financial Reporting Council wrote they would encourage companies to look at a broad range of factors when considering the main risks facing their business, and give the example of “cyber security.”
Touche says they conclude from their survey that companies should think carefully if they have not identified cyber as a principal risk. Cyber breaches can do a lot of damage – incurring not only the cost of repair but also loss of reputation. He remarks:
“The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.”