Recruitment Agency Now


95% of FTSE 100 company boards lack cyber security skills

February 9, 2017

Just 5% of FTSE 100 companies have a board member with specialist technology or cyber security experience, despite 87% of companies identifying cyber as a principal risk.

That’s according to an analysis of annual reports by business advisory firm Deloitte.

Of the types of cyber attack disclosed as a threat, unauthorised access to systems was the most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were mentioned by only five companies, despite Deloitte predictions that there will be ten million DDoS incidents in 2017.

Phill Everson, Head of Cyber Risk Services, Deloitte UK said: “In light of high profile breaches, companies understand more than ever that the event of a cyber attack is not a question of if, but when, by whom and by what degree. The vast majority of FTSE 100 reports acknowledge the principal risk, but our analysis shows there were wide variations in the disclosure of cyber risk management and mitigation strategies. Eleven per cent (11%) of the reports mentioned the creation of a new role or body to take overall accountability for cyber risk, demonstrating the increased focus on cyber risk in organisations. However, there is also a growing expectation for board involvement in cyber oversight, as evidenced by the 10% of companies that delivered cyber-related training to their board.

“With the pervasive nature of technology and the focus on cyber risk it is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience. This is not sustainable, but also reinforces the importance of disclosing such information to investors.”

More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that these plans had been simulated in test scenarios over the year.

Everson continued: “The most commonly disclosed potential impacts of cyber breaches were business disruption (68%), reputational damage (58%), and data loss (45%).

“Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.”
