Board communication within FTSE 350 remains biggest hurdle to cyber risk awareness

21st January 2015


Lack of communication between Boards and management tiers in FTSE 350 companies, and a growing reliance on legal remedies mean UK companies still have a long way to go to proactively manage the risks of a cyber attack. In a survey carried out by KPMG as part of the Government’s Cyber Governance Health Check, 74 percent of companies thought that their Boards were taking cyber security very seriously, yet on a number of important measures the results proved otherwise.





For example, 61 percent of Board members believe they have an acceptable understanding of their company’s key information and data assets, and a further 55 percent said they understood the potential impact of losing any of it. However, when pressed further only 24 percent said they regularly reviewed the risk management around valuable company information and data assets. Surprisingly, 65 percent said they rarely or never did so. A quarter of respondents said they never receive regular high level intelligence from company CIOs or Heads of Security on the types of online threats their businesses may face. 

Indeed, as a group, the FTSE 350 were lacking in direction about who should ultimately be responsible for cyber security. Despite focusing on the importance of getting cyber security right only 16 percent said responsibility should lie with Chief Executive Officers and 31 percent said Chief Financial Officers. Only 15 percent believed that the responsibility sat with the Chief Information Officer. 

Malcolm Marshall, global leader of KPMG’s cyber security practice, says: “Cyber security may be moving up the Board agenda but clear communication between Boards and management remains patchy at best. Regular Board engagement on this issues is critical to ensuring companies remain alert to this growing threat. 

“Alarmingly, just 39 percent of Board members saw cyber risk as an operational risk when comparing it to other threats their companies face.  This is a clear indication that Boards have some way to go to understanding the consequences that a cyber-attack can have on the brand and bottom-line.” 

One particular trend revealed by the numbers was a major jump in the proportion of companies conducting third party pre-contract due diligence, in the past year.  The data also uncovers a rise in the number of companies inserting contract clauses in order to deal with suppliers and cyber risk. Nearly half (44 percent) stated they conducted due diligence before signing contracts, up from only 7 percent in 2014. Meanwhile 48 percent said they included clauses in their contracts covering cyber risk, up from 33 percent last time. 

Marshall said: “It’s fantastic to see such a huge jump in the number of companies pushing suppliers to review their cyber security as, with each link in the supply chain being tightened, the chances of a breach diminish.  It’s also clear that steps can be taken in a short space of time if organisations work together, giving real genuine hope of progress for companies of all sizes. However, focusing on contractual obligations alone isn’t enough.  Board members need to take collective responsibility for cyber security and consider it in every aspect of the business.  If they can do that, the baby steps made to date will turn into huge strides on the path towards great cyber security.”