Out-Law News

Boards not receiving all the information needed to discuss cyber risk, FTSE 350 survey finds


Directors at the UK's top 350 businesses are not always given all the information they need to discuss cyber risks posed to the company, according to a new survey.

Asked to what extent their board's discussion of cyber risk is based on up-to-date management information and threat intelligence, 53% of respondents to the FTSE 350 cyber governance health check 2017 (30-page / 2MB PDF) said they believe they only receive "some information". Less than a third said they receive "comprehensive, generally informative management information".

The survey captured the views of board members at 105 FTSE 350 companies, across sectors such as financial services, retail, telecoms, industrial goods and services, utilities and real estate. Respondents included chief executives, chief financial officers, chief information officers and non-executive directors who perform roles such as chairing a FTSE 350 company's audit or risk committee.

According to the survey, most respondents said they have a "clear understanding" of the potential impact that a loss of or disruption to "key information and data" could have on their business, including their customers, share price or reputation.

Despite this, fewer than half of respondents said boards have a clear understanding of what the company's key information and data assets are, and what the value of those assets is to them, their rivals or criminals.

In addition, one in 10 FTSE 350 businesses still do not have a cyber incident response plan in place. Where such a plan is in place, in 27% of cases the board has no defined role in the response to incidents.

The survey also identified a potential cyber skills gap in the boardrooms of FTSE 350 companies: 68% of respondents said their board had not received any "incident response training".

According to the survey, just 6% of boards at FTSE 350 companies feel their company is "completely prepared" to comply with the new General Data Protection Regulation (GDPR), with the majority believing their business is "somewhat prepared". The GDPR, finalised in 2016, will apply from 25 May 2018.

Dealing with a data subject's right to request the erasure of personal data held about them was the most commonly cited GDPR compliance concern, ahead of the tightening of rules on obtaining consent to the processing of personal data.

Discussions over GDPR are "not regular board business", 42% of directors said.

"An increasing number of organisations who responded to the survey relayed the importance of cybersecurity in terms of the need to protect their services, reassure the public on the safety of their personal data and measure their organisation’s own exposure to cyber risk," the UK's minister for digital Matt Hancock said.

"Decisions about cyber are increasingly being taken at the board level, which reflects a significant, positive culture shift amongst FTSE 350s since the launch of the scheme. However, cyber maturity among FTSE 350s needs to improve at a faster rate to ensure we can stay ahead of future cyber security challenges. This year’s report shows that a small number of FTSE 350 businesses are continuing to operate without plans in place for managing cyber incidents. This is increasingly irresponsible," he said.

According to another government-commissioned survey on cybersecurity published earlier this year, 68% of large UK companies, and 46% of all UK businesses in total, "identified at least one cybersecurity breach or attack in the last 12 months".
