According to the results of the FTSE 350 Cyber Governance Health Check, FTSE 350 Boards of Directors are growing more confident in their investments to mitigate cyber risks but they’re also aware of the huge scale of the challenges ahead. Just 1% of those companies surveyed feel their Board is fully informed and skilled enough to manage innovation and risk in the digital world.
For the second year, PwC has helped FTSE 350 companies complete the Health Check which is run by MI5, GCHQ and the Department for Business, Innovation and Skills. The process assesses how well FTSE 350 Boards of Directors and Audit Committees understand and oversee risk management measures and subsequently address their cyber security threats.
Cyber security is clearly on Boardroom agendas, with the majority of companies (88% of those surveyed, in fact) having a cyber risk category within their strategic risk register.
However, with an increasing number of cyber breaches occurring in 2014, only 29% of the 108 companies that completed the Cyber Governance Health Check believe cyber is a ‘top risk’, suggesting that companies need a more mature approach to cyber risk management.
While most respondents (92%) say their Boards have a clear or acceptable understanding of the value of key information and data assets, one in three state that the risks associated with maintaining this information are “never” reviewed. This issue is further compounded by 25% of firms taking part in the survey reporting that Boards never receive intelligence from their company’s senior cyber risk owner about who might be targeting the organisation.
On a more positive note, half the respondents to the Cyber Governance Health Check said their company has responded ‘Very well’ or ‘Quite well’ to cyber compromises and occurrences over the last year, while almost all (93%) felt that employees were now comfortable with reporting such compromises.
Responsibility for cyber risk is placed firmly with the Board: 74% of Boards are said to take cyber risk very seriously.
However, given the ever-changing risk landscape, there remains a degree of uncertainty around the cyber threat, with some 49% of respondents feeling there is more that companies can do to protect themselves from cyber threats.
Managing cyber risk: “More needs to be done”
Speaking about the survey results, Richard Horne (cyber security partner at PwC) explained: “To prosper in the digital world businesses absolutely have to manage their cyber security risk. It’s encouraging to see that most FTSE 350 companies place cyber risk firmly on the Board agenda. That said, in order for them to truly manage cyber risk more needs to be done.”
Elaborating on that last point, Horne commented: “As recent events have shown, the cyber security threat landscape continues to evolve at a fast pace. Boards of Directors must review their risk on a regular basis and ensure that the organisation is both managing its vulnerabilities and keeping pace with the sophistication and scale of the threat. Boards must develop the skills and capabilities to understand the impact of cyber threats on their organisations and shape the necessary strategic response.”
Importantly, Horne asserted: “In today’s digital world, securing key data and digital processes is now a core element of business management.”
Horne has also responded to the recent announcement concerning the establishment of a joint US and UK ‘cyber squad’. “As Prime Minister David Cameron and US President Barack Obama have pointed out, cyber attacks are a real threat to all businesses. In the digital world we now live in, all businesses rely on processes and data that’s stored electronically. Protecting that data and those processes is fundamental.”
Horne continued: “In helping global businesses build their defences and respond to breaches, we see the impact that a breach can have on a company that’s unprepared. However, it’s not an unmanageable risk. While attacks are becoming more sophisticated, so too are the defence mechanisms. With focused investment, preparation and the right skills companies can defend themselves by both preventing the majority of breaches and reacting rapidly and appropriately when incidents do happen.”
According to Horne, the financial costs of not acting can be crippling. “The average cost of an organisation’s worst security breach is rising significantly year on year,” he urged. “For smaller organisations, the worst breaches cost between £65,000 and £115,000 on average. For large organisations, that statistic is somewhere between £600,000 and £1.15 million.”*
Due to the global nature of cyber risk, Horne is adamant that collaboration between the UK and US Governments is “paramount” when it comes to combating the threat.