FTSE 350 firms still have long way to go on cyber risk

Many FTSE 350 firms still have a long way to go to manage the risks of a cyber attack, a government-backed cyber governance health check has revealed

Many firms still have a long way to go to manage the risks of a cyber attack, the latest government-backed cyber governance health check has revealed.

In July 2013, UK intelligence agency heads and the Department for Business, Innovation and Skills called on the country’s top 350 listed companies to take part in regular assessments.

The call came after business consultancy firm KPMG published a report revealing cyber leaks at FTSE 350 firms were putting the UK’s economic growth and national security at risk.

The health checks are aimed at assessing how well FTSE 350 boards and audit committees understand and oversee risk management measures and address their cyber security threats.

The first governance health check in November 2013 found that, while cyber security has the board's attention in most companies, many firms needed a more mature approach to cyber risk management.

The latest assessment of FTSE 350 companies revealed a lack of communication between boards and business managers, and a growing reliance on legal remedies.

A survey by KPMG showed that although 74% of companies believe their boards are taking cyber security very seriously, only 61% of board members think they have an acceptable understanding of their company’s key data, and only 55% said they understood the potential impact of losing any of it.

Less than a quarter of board members said they regularly reviewed the risk management around valuable company information and data assets, while 65% said they rarely or never did so.

A quarter of board members polled said they never receive regular high-level intelligence from company CIOs or heads of security on the types of online threats their businesses may face.

KPMG said that as a group, the FTSE 350 companies are lacking in direction about who should ultimately be responsible for cyber security.

Despite focusing on the importance of getting cyber security right, only 16% said responsibility should lie with CEOs and 31% said with CFOs. Only 15% believed the responsibility sat with the CIO.

Global leader of KPMG's cyber security practice, Malcolm Marshall, said although cyber security may be moving up the board agenda, clear communication between boards and management remains patchy at best.

“Regular board engagement on these issues is critical to ensuring companies remain alert to this growing threat,” he said. “Alarmingly, just 39% of members saw cyber risk as an operational risk when comparing it to other threats their companies face.

“This is a clear indication that boards have some way to go to understanding the consequences a cyber attack can have on the brand and bottom line.”

Rise in pre-contract due diligence

However, KPMG analysis showed a major jump in the proportion of companies conducting third-party pre-contract due diligence in the past year.

The data also uncovered a rise in the number of companies inserting contract clauses to deal with suppliers and cyber risk.

Almost half stated they conducted due diligence before signing contracts, up from only 7%, while 48% said they included clauses in their contracts covering cyber risk, up from 33%.

“It is fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security – with each link in the supply chain being tightened, the chances of a breach diminish,” said Marshall.

“It is also clear that steps can be taken in a short space of time if organisations work together, giving real hope of progress for companies of all sizes,” he said.

However, Marshall said focusing on contractual obligations alone is not enough. “Board members need to take collective responsibility for cyber security and consider it in every aspect of the business,” he said.

“If they can do that, the baby steps made to date will turn into huge strides on the path towards great cyber security.”

More mature approach to cyber risk management needed

PricewaterhouseCoopers (PwC), which helped FTSE 350 companies complete the health check for a second year, noted that 88% have a cyber risk category in their strategic risk register.

However, with an increasing number of breaches in 2014, only 29% of companies thought cyber was a "top risk", suggesting companies need a more mature approach to cyber risk management.

Half the respondents said their company responded very or quite well to cyber compromises and occurrences over the past year and 93% felt employees were now comfortable with reporting these compromises.

But PwC noted that given the changing risk landscape there remains a degree of uncertainty around cyber threats, with some 49% of respondents feeling there is more their company can do to protect itself from cyber threats.

PwC cyber security partner Richard Horne said to prosper in the digital world, businesses have to manage their cyber security risk.

“Therefore it is encouraging to see that most FTSE 350 companies place cyber risk firmly on the board agenda. However, to truly manage cyber risk more needs to be done,” he said.

Horne said recent events have shown the cyber security threat landscape continues to evolve fast, which means boards must review their risk regularly and ensure the organisation is managing its vulnerabilities and keeping pace with the sophistication and scale of the threat.

“Boards must develop the skills and capabilities to understand the impact of cyber threats on their organisation and shape the necessary strategic response,” he said.

“In today's digital world, securing key data and digital processes is now a core element of business management.”