As part of our research we reviewed a total of 150 Annual Reports to see whether they included cyber breach as a potential risk. All FTSE 100 companies were examined, whilst a sample of 50 was taken from the FTSE 250.
Our findings revealed that 22% of the FTSE 100 don’t list cyber attacks as a risk at all, 10% mentioned it but it is not explicit or obvious and 67% explicitly mentioned cyber risk as a potential threat.
In our sample of the FTSE 250, 50% did not list cyber attacks as a risk, 16% mentioned the risk but not explicitly and 34% mentioned it as a risk and potential threat. As almost 80% of the FTSE 100 companies included cyber risk as a potential threat in some way, there is a clear divide between those companies listed in the FTSE 100 and the FTSE 250 sample.
Progress, however, is being made in recognising the need for tighter cybersecurity. In their 2014 article, EY reported that the average number of risks disclosed increased from eight in 2013 to eleven in 2014. Furthermore, governmental policies are quickly being introduced to try and curb the likelihood of cyber attacks. The Digital Economy Minister Ed Vaizey has urged FTSE 350 companies to partake in a Cyber Health Check to help people understand and improve their security levels. Additionally, in November 2015 the Chancellor announced he was almost doubling investment in the Cyber Security budget to £1.9 billion by 2020. This increase would allow for 1,900 new staff members and also enable the establishment of the first National Cyber Centre which would be the home to the UK’s first ‘Cyber Force’.
Cyber attacks are a risk that are not only going to continue, but will most likely develop and increase. As a result, it is important that company stakeholders are aware of this threat. If you need help communicating this risk within your reports, contact our team to see how we can help.