The Government's FTSE350 Cyber Governance Health Check Report 2017 shows increasing awareness of cyber risks but a need for improvement in incident response plans and Board level training

The Government has published the results of its FTSE350 Cyber Governance Health Check Report 2017. This year's results show that the majority of Boards now have a clear understanding of the possible negative impact that might result from a cyber-attack. However, one in ten companies still have no plan in place to respond to a cyber incident and 68% of Boards are yet to receive any training on how to deal with a cyber security breach. This alert summarises the Government's key findings and the full version of the Report is available here.

Increasing awareness of cyber risks

The 2017 results demonstrate that companies are increasingly aware of cyber security risks and the damage and disruption that a cyber-attack might cause to their business. Key findings include:

  • 57% of respondents said their company had a clear understanding of the potential impact that may result from the loss of data or disruption to data assets;
  • The majority of Boards (54%) indicated that cyber risks are now seen as a top or group-level risk in their organisations, with only 13% of respondents saying that these risks are categorised as low or operational-level. This is likely to be a result of recent high profile and widely reported cyber-attacks, such as the WannaCry and Petya ransomware attacks that affected a large number of organisations in the first half of 2017;
  • The Report shows a split as to whether Boards are actively involved in the management of cyber security issues; 50% of respondents said that their Board reviews and challenges reports about customer data, while 46% indicated that their Boards currently do not get involved in this process.

Nonetheless, cyber security issues are generally being discussed more frequently at Board level. In responding to the first survey in 2013, the most common response on this issue was that Boards had heard about cyber issues "once or twice" but did not consider it to be regular Board business. This year, the most common response (44%) was that Boards listen occasionally (for example, a bi-annual update, plus being told when something has gone wrong) while 33% of Boards now regularly consider cyber risk and take cyber issues into account when make decisions (for example, in relation to investment policies). Despite this positive shift, there should be continued progress in governance standards so that Boards actively manage the company's cyber risk profile throughout the year.

Incident response and training

The vast majority of respondents (90%) reported having a plan in place to respond to a cyber incident faced by their company. However, of the companies that do have a plan, there is typically little Board level involvement in its development - 17% of respondents said their Board had a major role in their organisation's incident response, with 52% of Boards having only a minor role and 27% having no role at all.

Of particular note is the fact that 68% of Boards have not received any incident response training, with 26% having received some training and only 2% having received comprehensive training relating to cyber incident response. The Government emphasises the importance of having a Board member trained to handle a cyber incident, as this sends a positive message throughout a business on the importance of being prepared to handle such problems. The Report suggests that companies should consider designating a Board lead on cyber incidents, or facilitating training for all Board members if deemed necessary.

Readiness for GDPR

The Report also assesses the extent to which companies are prepared to meet the requirements of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

The results show that almost all respondents have some level of awareness about the GDPR and its new requirements, ranging from organisations being very aware (37%) to somewhat aware (45%) and slightly aware (15%). Almost three-quarters of respondents (71%) said they were somewhat prepared to meet the new compliance requirements under the GDPR, though only 6% of companies reported being completely prepared to meet these requirements. Companies were asked about their greatest concern in terms of complying with the GDPR and 45% of respondents cited an individual's rights to deletion of personal data.

In terms of Board level consideration being given to the GDPR, the most common response was that the matter was discussed once or twice at Board-level but was not regular Board business. Only 13% of companies said that GDPR was regularly considered by their Board.

The Government makes the point that it is now crucial for companies to be stepping up their preparations for meeting GDPR compliance requirements, given the upcoming implementation date in less than a year's time. The Report suggests that Boards should now have GDPR as a regular agenda item in their Board discussions to ensure that these requirements are met.

Commentary

Cyber security is one of the greatest risks threatening businesses today. While it may not be possible to prevent an attack, how you respond once it hits will be key to ensuring your business - and its reputation - recover as quickly as possible. Key to that is not only having an incident response plan in place, but ensuring that the plan is tried and tested and that your team has undergone the training to equip them to handle a cyber crisis.