The government has published its 2017 cyber health check report.
Overall there is some good news: more than 50% of boards indicated, for the first time, that they had a clear understanding of the potential impacts resulting from the loss of (or disruption to) key information or data assets, and that they regarded cyber risk as a top or group-level risk. The report also indicated that more boards (31%) now receive comprehensive and informative management information in relation to cyber risks.
However, of concern, 10% of boards still do not have a plan in place to respond to a cyber incident and 68% said that they had not received any training to deal with a cyber incident.
Matt Hancock, the Minister of State for Digital, said that the failure of even a small number of FTSE 350 businesses to operate without a cyber incident response plan was “increasingly irresponsible”.
The survey was based on responses from 105 of the FTSE 350 businesses and as a result may not be entirely representative of all businesses in the group. Of particular concern is the fact that those who responded are likely to be more engaged with these issues than those who did not, so the true figures may be far worse than those indicated in the report.
Of the respondents, 23% came from the financial services sector; 17% from retail, travel and leisure; 15% from real estate and support services; 14% from technology, communications and healthcare; 9% from utilities and resources; 15% from industrial goods and services; and 7% from consumer goods.
In terms of the management of cyber risk, there was an increase in boards explicitly setting their appetite for cyber risk (53% compared to 33%). This shows a substantial year-on-year increase of 20% and indicates that assessment of cyber risk now forms a formal part of risk strategies.
Whilst the majority of boards considered cyber risk at least twice a year, the number who considered cyber risk regularly or actively managed it was less than 45%.
In relation to the 10% of FTSE 350 companies that currently have no cyber incident response plan, the Government indicated that the boards involved should consider prioritising the development of such a plan as soon as possible, as the organisations concerned are likely to be the subject of regular attempted cyber breaches owing to their high-profile status.
Whilst more than 50% of businesses felt that the board had a role to play in incident response, nearly 30% felt that the board had no role to play. The report indicates that board members who do not currently have a role should ask why this is the case and should consider how they can offer support to their organisations should they suffer a cyber-attack.
In terms of the General Data Protection Regulation (GDPR), the two requirements causing the most concern (each cited by about 45% of respondents) were:
the right for individuals to request that their personal data be deleted; and
consent requirements.
The right to data portability and increased supply liability when breaches occur were of concern to about 30% of respondents. Interestingly, notification of breaches within 72 hours was only a cause of concern for approximately 23% of businesses.
Only 13% of businesses were regularly considering GDPR at board level, and 4% felt that GDPR would not apply to them, even though the Government report says that GDPR will almost certainly apply to all respondents to the survey and to all those within the FTSE 350. The report indicates that boards should now have GDPR as a regular agenda item in their discussions.
There is good news and bad news in the report.
The good news is that boards are increasingly engaging with cyber risk: it is appearing on the agenda, it has been identified as a serious risk, boards are increasingly discussing it on a regular basis, and they are being provided with substantive management information about it.
The bad news is that there is still a level of ignorance over the requirements of data protection legislation. It is of real concern that there are businesses in the FTSE 350 that do not consider that the GDPR will apply to them, when it is exceptionally unlikely that this is the case. It is also of significant concern that 10% of businesses had no cyber incident response plan, and given that the large number of businesses who did not respond are likely to be much less engaged with cyber risk, the real proportion is probably higher. In addition, a further concern is the fact that even if boards are becoming more aware of cyber risk, they are receiving no training in it or in how to deal with cyber incidents.
The report highlights the fact that there is a potential need for boards to be provided with support and training around cyber risk. This may well be an area where the insurance industry and its suppliers can provide support to their customers. In addition, the growing awareness of cyber risk and the need to address it will, it is to be hoped, create further opportunities for the insurance industry to engage with businesses to assist them in managing this area of risk.