Out-Law News

Most FTSE 350 companies have not acted on or even viewed Government's cyber security guidance

The majority of FTSE 350 companies in the UK have either not seen or not discussed guidance the Government has issued on cyber security, according to a new survey.

Almost half (47%) of the company secretaries at the 53 FTSE 350 businesses that responded to the survey said their board had not discussed the Government's guidance, whilst a further 28% said that their board had not seen it.

The survey was undertaken on behalf of the Financial Times (FT) and the Institute of Chartered Secretaries and Administrators (ICSA). The results of the survey are detailed in the third FT-ICSA Boardroom Bellwether report (16-page / 1.42MB PDF).

Last year the Department for Business, Innovation and Skills (BIS), the Centre for the Protection of National Infrastructure and UK intelligence agency GCHQ jointly produced new guidelines on cyber security. The guidance set out ten steps that businesses can take to reduce cyber risks.

However, according to the report, just 13% of FTSE 350 boards have discussed the Government's cyber security guidelines and acted upon them. A further 8% said they had discussed the guidelines but not acted on them. The remainder of the respondents (4%) said that the guidance was not applicable to their company.

In addition, only about one in five (21%) of the company secretaries surveyed said that their board had identified the company's "key information assets", thoroughly assessed their vulnerability to cyber attack, and been successful in mitigating the risk. A further 19% said that their board plan to identify their key assets and make a vulnerability assessment but that this had yet to happen.

A further 23% said their board need external assistance to allow them to progress from their assessment and a quarter of respondents said their boards had discussed identifying the assets and making the vulnerability assessment but had not found a "clear way forward". The process was deemed not required by company secretaries representing 13% of the FTSE 350.

"Almost all boards think their company’s specific exposure to cyber risk is increasing – yet only 21% of companies have taken action and significantly mitigated the risk. Boards do not appear to be giving this high-profile and increasingly-visible risk the attention it requires, with only 13% of boards having discussed and acted on the Government’s published Cyber Security Guidance, and with around 75% reporting that boards had either not discussed/nor even seen this Guidance," the FT-ICSA Boardroom Bellwether report said.

Earlier this year a report by the National Audit Office (NAO) said that the Government should show that it is willing to apply its own advice and guidance on cyber security if it wants businesses to engage with the issue in the same way.

The NAO interviewed "lead officials, industry representatives, academics and citizens’ groups during July to October 2012 and held a round table with leading cyber academics" and said that the view was that Government had to show leadership in implementing good cyber security practices before businesses would follow suit.

"Interviewees ... stated that the government needed to demonstrate the progress it was making in applying the cyber advice and guidance it gives to business, to improving the protection of its own systems and data," the NAO report said. "This was considered necessary for government to maintain its leadership role and engagement with business and the public."
