Research conducted by business advisory firms Corporate Board Member and FTI Consulting into the views of more than 11,000 public company directors and almost 2,000 general counsels in the US showed that data security was the most prominent concern of those surveyed.
"Increasingly, corporate America is operating in a world where connectivity is high and there are few physical barriers," the organisations' annual 'Legal Risks on the Radar' report said. "Accordingly, for the first time, data security was earmarked by the largest percentage of responding directors (48%) and general counsel (55%) as an issue of concern."
The report (8-page / 856KB PDF) detailed that a third of the lawyers surveyed had expressed the view that their firms' boards were "not effective at managing cyber risk". Fewer than half of the directors questioned said that their companies had "a formal, written crisis management plan" to turn to in the event of a cyber attack, although 77% of directors and lawyers said that they believe their company would detect such an attack if one occurred.
However, president of Corporate Board Member, TK Kerstetter, said that the anomaly between the individuals' confidence in their firms' "preparedness" and the lack of formal written plans in some cases was a "cause for concern".
"I hate to say this, but I think it is going to take several well-publicised security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster," Kerstetter said. "Cyber risk and social media developments only increase the odds that it will happen to your organisation – so boards should take steps to protect their company’s reputation".
Concerns about data security topped the other anxieties listed by the directors and lawyers surveyed, which included the "operational risks" involved in running a corporate business as well as the risk to firms' reputation.
The European Commission is planning to draft new laws on cyber security that could introduce a requirement for EU businesses to report when their "essential" systems, including the internet, have been disrupted due to "cyber incidents". It launched a consultation in July seeking the views of Governments, businesses and others and said the views would help it form its legislative plans.
The Commission said that the number of cyber incidents is increasing and that there had been a "five-fold increase in companies reporting security incidents with a financial impact between 2007 and 2010". It said its aim is to "enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU."