A lack of communication between boards and management tiers in FTSE 350 companies means UK companies still have a long way to go in managing cyber risks, research has indicated.
A survey carried out by KPMG as part of the government’s Cyber Governance Health Check found that while 74% of companies thought that their boards were taking cyber security very seriously, on a number of important measures the results proved otherwise.
For example, 61% of board members said they have an acceptable understanding of their company’s key information and data assets, and a further 55% said they understood the potential impact of losing any of it. However, when pressed further, only 24% said they regularly reviewed the risk management around valuable company information and data assets.
Surprisingly, 65% said they rarely or never did so. A quarter of respondents said they never receive regular high-level intelligence from company CIOs or heads of security on the types of online threats their businesses may face.
Indeed, as a group, the FTSE 350 were lacking in direction about who should ultimately be responsible for cyber security. Despite focusing on the importance of getting cyber security right, only 16% said responsibility should lie with CEOs and 31% said CFOs. Only 15% believed that the responsibility sat with the CIO.
Malcolm Marshall, global leader of KPMG’s cyber security practice, said: “Cyber security may be moving up the board agenda but clear communication between boards and management remains patchy at best. Regular board engagement on these issues is critical to ensuring companies remain alert to this growing threat.
“Alarmingly, just 39% of board members saw cyber risk as an operational risk when comparing it to other threats their companies face. This is a clear indication that boards have some way to go in understanding the consequences that a cyber-attack can have on the brand and bottom line.”
One particular trend revealed by the numbers was a major jump over the past year in the proportion of companies conducting third-party pre-contract due diligence.
The data also uncovers a rise in the number of companies inserting contract clauses to deal with suppliers and cyber risk. Nearly half (44%) stated they conducted due diligence before signing contracts, up from only 7% in 2014. Meanwhile, 48% said they included clauses in their contracts covering cyber risk, up from 33% last time.