Only 20% of FTSE 100 companies disclose testing of cyber protection plans


Fifty-seven per cent of FTSE 100 companies disclose in their annual report regular testing of overall crisis management, contingency or disaster recovery plans, according to new analysis from Deloitte. However, just 20% disclose details of specific cyber risk testing, such as ‘ethical hacking’, to find vulnerabilities in their IT systems.

Phill Everson, head of cyber risk services at Deloitte UK, said: “Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20% of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified.

“As we see GDPR regulations introduced from May 25th this year, this becomes even more important as they require regulators to be notified within 72 hours of a breach. In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21% of companies disclosed in their annual report that they provided cyber security updates to the Board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so.”

Despite the small proportion of FTSE 100 companies providing security updates to the Board, 89% recognise cyber as a ‘principal risk’ and identified a number of consequences in the event of a breach. Of the impacts noted, disruption to business and operations was of greatest concern, flagged by 70%, followed by data loss (58%). Reputational damage and financial loss were also identified by 56% and 54% of companies, respectively.

Everson continues: “An area that has had less recognition in the past is the insider threat, but it is mentioned by 23 companies this year. 17% of companies this year identified malware as a threat, up from 12% last year. In future we expect to see more companies go into greater depth on their strategies to mitigate against employee risk and the threats posed by malware.

“Elsewhere, we are also seeing companies provide more clarity on who is internally responsible for cyber risk. Over the last two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber. This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100%, and expect investors would as well.”

By comparison, just 5% of companies last year disclosed having a member of the board with specialist technology or cyber security experience. This has gone up to 8% this year, a figure matched by the number of companies that also disclose having a Chief Information Security Officer (CISO) in the executive team this year.

Speaking at a Cyber update lunch in Cambridge, Stephen Bonner, partner within Deloitte’s Cyber Risk Services, discussed the practical aspects of managing cyber and related data protection issues.

Image: Stephen Bonner, Deloitte Cyber Risk Services with Paul Schofield


The Deloitte Cambridge office comprises 7 Partners and over 250 staff who deliver a full range of professional services to the East Anglian region. As well as focusing on the life sciences and technology sectors for which the region has become so renowned, the office has long-standing specialisms in other sectors including the professions, consumer business and agriculture.

Deloitte LLP