Most FTSE 100 companies are not being transparent with their board or the wider public about security strategy, according to new Deloitte research.
The global consultancy analyzed reporting practices on cyber-risk covering all FTSE 100 annual reports in the year ending 30 September 2017.
It found that just 21% disclosed that they provide cybersecurity updates to the board on a regular, monthly to bi-annual, basis. Even fewer (20%) disclosed details of specific cyber-risk testing, such as ethical hacking, designed to find vulnerabilities in their IT systems.
The research revealed that FTSE 100 firms are either under-investing in cybersecurity or failing to be transparent about their efforts, which could be a missed opportunity to reassure investors and customers they understand the online threat.
Organizations must focus their efforts on analyzing the business for any weaknesses that could be exposing them to hackers, argued Pete Banham, cyber-resilience expert at Mimecast.
“It has never been more imperative for businesses to implement a cyber resilience strategy,” he added. “This should include strong methods of protection, combined with a reliable archive and recovery strategy for data that will ensure uninterrupted access and use of vital systems like email in the event of a breach.”
The opacity in reporting highlighted by Deloitte will need to change when the GDPR lands in May, according to the firm’s head of cyber risk services, Phill Everson.
“As we see GDPR regulations introduced from May 25 this year, this becomes even more important as they require regulators to be notified within 72 hours of a breach,” he explained. “In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do.”
However, things are moving in a more positive direction. Some 89% of respondents claimed to recognize cyber threats as a “principal risk” and identified multiple impacts of a breach including disruption to business and operations (70%), data loss (58%), reputational damage (56%) and financial loss (54%).
“Over the past two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber,” Everson continued. “This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cybersecurity responsibility to 38, but we would like to see 100%, and expect investors would as well.”