Cyber risk is not translating into boardroom discussion

FTSE 100 companies that note cyber risk in their annual report

“My organization, GCHQ, now sees real and credible threats to cyber security of an unprecedented scale, diversity and complexity,” warns Iain Lobban, Director of GCHQ, in the government-produced 10 Steps to Cyber Security. “Responsibility to manage your company’s cyber risks starts and stops at Board level. You can never be totally safe.”

That this threat is recognized by business leaders is made clear in the World Economic Forum’s Global Risks Report 2013, published last week. Technological risks are one of the five major risk categories surveyed among ‘1,000 experts from the World Economic Forum’s communities’ – the other four categories are economic, environmental, geopolitical, and societal.

In the survey, the top ten technological threats are rated by impact and likelihood. The threat with the greatest impact is perceived to be ‘critical systems failure’. The threat most likely to happen is ‘cyber attacks.’ Since the latter might well cause the former, cyber security is clearly the greatest technological threat for 2013; well above other perceived threats such as a failure in the intellectual property regime, massive digital misinformation or unforeseen consequences of nanotechnology.

It would be reasonable to assume from this that major companies’ boardrooms are taking the cyber security threat seriously. Trustwave wanted to confirm this, and talked to Infosecurity about the results of a survey they will publish later this week. “Security is not a new issue,” John Yeo, EMEA director of Trustwave SpiderLabs, told Infosecurity, “so we wanted to find a way to validate that it really is already on the agenda.”

He and Tom Neaves, senior security consultant at SpiderLabs, chose to analyze the annual reports of each of the FTSE 100 companies. Since annual reports traditionally (although not as a legal requirement) contain a statement on the risks that might materially affect future profitability, they decided that the inclusion of a cyber-related threat statement would validate that cyber security is taken seriously at board level. What they found is that only 49% of FTSE 100 companies have such a risk statement.

Yeo and Neaves broke down the results by industry category. Only technology and telecommunications are unanimous in accepting the risk. Within the financial sector, banks fared well, but the rest of the finance industry did not. In consumer services, which will inevitably handle a large amount of personal data, nearly 60% made no mention of cyber security.

But the two areas that really leap out are health care and utilities. Given the continuous nature of data loss within the health industry, and the increasingly large and frequent fines levied by the Information Commissioner, it would be reasonable to expect more than a mere 25% of the companies to note cyber security as a risk in their annual report. Similarly, given the repeated government warnings of the potential for cyber terrorist attacks against the critical national infrastructure, it is surprising that 40% of the utilities within the FTSE 100 do not highlight security as a risk.

“Overall,” said Yeo, “49% of the FTSE 100 stated some appreciation of cyber risk and data loss in their annual report – just over half did not. We don’t know why; but it suggests that cyber risk is not really translating into boardroom discussion.”
