Six surprising stats about FTSE 100 cyber security disclosures from their annual reporting

 
Lynsey Barber
Cyber risks are growing but firms are not showing shareholders the action they are taking (Source: Getty)

Just a handful of FTSE 100 companies say they have a specialist technology or cyber security expert on their board, despite the growing risk to business, a new analysis reveals. It is just one of several surprising stats about how the biggest firms in the UK inform shareholders about the issue.

Only five per cent disclose board-level individuals with such direct expertise, Deloitte's Cyber Risk Reporting study found.

“In light of high profile breaches, companies understand more than ever that the event of a cyber attack is not a question of if, but when, by whom and by what degree," said Deloitte UK's head of cyber risk services Phil Everson.

Six surprising stats about FTSE 100 cyber security

5 - the percentage of board level expertise on cyber security disclosed by FTSE 100 firms

18 - per cent disclosing "regular" receipt of cyber updates

27 - the percentage of firms identifying a person or team with responsibility for cyber

39 - percentage of boards disclosing at least a yearly report on cyber security

64 - the percentage of firms identifying cyber as a principal risk and saying it was growing

87 - percentage of FTSE 100 firms saying cyber is a principal risk

"With the pervasive nature of technology and the focus on cyber risk it is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience. This is not sustainable, but also reinforces the importance of disclosing such information to investors.”

The report also highlights the contrasting methods of FTSE 100 firms when it comes to reporting on the issue of cyber security.

Only 64 per cent of firms disclosed that the board received at least one report a year on cyber security, while just 18 per cent did so on a "regular" basis, although this varied from monthly to biannually. Meanwhile, only 27 per cent of Britain's top businesses clearly identified a person or team with responsibility for cyber security.

Some 87 per cent of firms said cyber risks were one of their principal risks and, of those, nearly two-thirds identified this risk as a growing one.

“The potential damage of cyber attacks is a significant threat so annual report disclosure of cyber risk, mitigations such as planning, training and testing and even cyber breaches within the annual report is important information for shareholders as it highlights the risks and lets them know how seriously companies are taking it," said Deloitte's centre for corporate governance leader William Touche.

"It also demonstrates a company’s understanding of the cyber threats that they face. Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements.”
