FTSE 350 boards are growing more confident in their investments to mitigate cyber risks, but they are also aware of the huge scale of the challenges ahead, according to the results of the FTSE 350 ‘Cyber Governance Health Check’. Just 1% of companies surveyed feel their board is fully informed and skilled enough to manage innovation and risk in the digital world.
For the second year, PwC has helped FTSE 350 companies complete the health check run by MI5, GCHQ and the Department for Business, Innovation and Skills (BIS), which assessed how well FTSE 350 boards and audit committees understand and oversee risk management measures and address their cyber security threats.
Cyber security is clearly on the board's agenda with the vast majority of companies, 88%, having a cyber risk category within their strategic risk register. However, with an increasing number of breaches in 2014, only 29% of companies thought cyber was a "top risk", suggesting that companies need a more mature approach to cyber risk management.
Whilst the majority (92%) of respondents say their boards have a clear or acceptable understanding of the value of key information and data assets, one in three say the risks associated with maintaining this information are “never” reviewed. This is compounded by 25% of firms reporting that boards never receive intelligence about who might be targeting the organisation from their company’s senior cyber risk owner.
On a more positive note, half the respondents said their company responded very or quite well to cyber compromises and occurrences over the last year and almost all (93%) felt that employees were now comfortable with reporting these compromises. The cyber risk responsibility is placed firmly with the board, 74% of which are said to take the risk very seriously.
However, given the changing risk landscape there remains a degree of uncertainty around cyber threat with some 49% of respondents feeling there is more their company can do to protect itself from cyber threats.
Richard Horne, cyber security partner at PwC, said:
“To prosper in the digital world, businesses have to manage their cyber security risk and so it is encouraging to see that most FTSE 350 companies place cyber risk firmly on the board agenda. However, to truly manage cyber risk more needs to be done.
“As recent events have shown, the cyber security threat landscape continues to evolve fast. Boards must review their risk regularly and ensure that the organisation is managing its vulnerabilities and keeping pace with the sophistication and scale of the threat. Boards must develop the skills and capabilities to understand the impact of cyber threats on their organisation and shape the necessary strategic response.
“In today's digital world, securing key data and digital processes is now a core element of business management.”
108 companies completed the ‘Cyber Governance Health Check’.