Less than a fifth of FTSE 350 companies understand impact of cyber threats

The UK Government has earlier today published the latest FTSE 350 Cyber Governance Health Check report, indicating that UK Boards of biggest firms must do more to be cyber aware.

The 2018 Health Check concludes that boards are making progress in acknowledging, understanding and responding to cyber threats, with a positive trend towards improved governance throughout the areas covered by the Health Check. However, there remains room for improvement, particularly in assessing and dealing with risks in the supply chain, and testing incident response plans to ensure they are and continue to be fit for purpose.

The 2018 Health Check shows acknowledgement of cyber threats has increased substantially in 2018, and an increasing majority of businesses now recognise cyber security as a strategic risk management issue. Almost three quarters (72%) of respondents to the latest Health Check report that the board considers the risk of cyber threats to be high or very high in comparison to all risks that the business faces. This compares to just 54% of boards in 2017.

However, only a minority of businesses (16%) report that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats on the types of impact tested in the 2018 Health Check, i.e. customers, share price and reputation.

The General Data Protection Regulation (GDPR) has contributed to a greater level of board engagement in cyber security issues.

GDPR appears at least partly responsible for the increased attention boards are giving to cyber threats. Out of all respondents, 77% reported that board discussion and management of cyber security had increased since GDPR, with more than half of these businesses also introducing increased security measures as a result.

The proportion of businesses that have a cyber incident plan has increased from an already high level (90%) in 2017 to 95% in 2018. However, this still suggests as many as 1 in 20 businesses may not have a cyber indent plan. Furthermore, many businesses may not know whether their plans are fit for purpose, with only just over half of businesses (57%) testing their crisis incident response plans on a set regular basis and only one quarter of businesses using external audits to obtain assurance that their incident plans are fit for purpose. Additionally, 1 in 5 boards have undertaken a crisis simulation on cyber risk in the last 12 months.

Meanwhile, more work is being done to improve the cyber resilience of business, and a new project has been announced that will help companies understand their level of resilience. The cyber resilience metrics will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile effectively.

Once developed these indicators will provide board members with information to understand where further action and investment is needed.

Speaking of cyber security, let’s note research from City-headquartered law firm RPC has shown that the number of data breaches reported by UK financial services firms to the Financial Conduct Authority (FCA) increased 480% in 2018, reaching 145.

This number compares to just 25 such reports in 2017, RPC notes. Across segments, the retail banking sector registered the largest percentage increase in the number of data breach reports, rising to 25 in 2018 from only one in 2017. RPC says that wholesale financial markets firms, such as investment banks, reported the most data breaches to the FCA in 2018, reporting 34 times, up from just three in 2017.

Other sectors within financial services that saw large increases in data breach reports include:

• Insurers – 33 in 2018, up from seven in 2017;
• Consumer retail lending – 21 in 2018, up from four in 2017;
• Retail investments – 11 in 2018, up from none in 2017.