Retail boards' directors not paying enough attention to cyber security

09 Oct 2015

Retail boards across the UK aren’t giving cyber security the attention it deserves, according to new analysis of annual reports by risk and insurance law firm BLM.

BLM looked for mentions of a range of words associated with digital risk – such as ‘cyber’, ‘information security’ and ‘data breach’ – in the annual reports of the 32 FTSE-listed retailers. In 40% of reports there was no mention of any of the identified terms, illustrating that cyber security is not yet classed as a top risk by the industry as a whole.

According to the British Retail Consortium’s latest retail crime survey, the majority of retailers reported an increase in cyber attacks in 2013-14 and claimed that they pose a critical threat to their business. However, this isn’t clearly reflected in these annual reports.

Helen Grimberg, partner and head of corporate sector at BLM said: “Although the research isn’t a scientific analysis of retailers’ security strategies, it provides a snapshot of how it is perceived by retail boards. The annual report is one of the few times the board can communicate with shareholders and go into detail about the risks and uncertainties facing the business. Not directly mentioning the threat or detailing the strategy in place to counter the risk is unacceptable – particularly when we consider some of the high-profile data breaches that have plagued the retail industry in recent years.”

BLM also found that just 38% of reports referenced ‘cyber’, while 16% mentioned ‘information security’. Only 9% used the word ‘hack’ and 3% used ‘data breach’. 13% of reports opt to mention ‘PCI’ and compliance with this payment card industry standard, but not one report makes reference to ‘DDoS’ – an attack which can bring down front-end websites and back-end systems (77% of retailers have been targeted by DDoS attacks according to a Neustar report).

Nick Gibbons, partner and cyber risk specialist at BLM continued: “We’re not expecting every annual report to use the word ‘cyber’ but we should see sections or areas dedicated to addressing the risk. The focus still seems to be on compliance or general IT problems.

“Cyber security is a board-level issue and should be treated as such, rather just than being left to the security and IT teams. The potential consequences are such that it needs strategic direction and accountability from the c-suite.

“In five to ten years it’s very likely we’ll run this research again and see these numbers increase. Hopefully it will be due to more boards giving the risk the attention it deserves and being proactive about mitigation, rather than as a response to more devastating attacks in the sector.”

About the research

BLM analysed the latest annual reports for the 32 retailers listed on the FTSE main market.

The following table details the search terms and their frequency.


Number of reports including term

Overall of term


12 (38%)


Information security

5 (16%)



4 (13%)



3 (9%)


Data breach

1 (3%)



0 (0%)


<< Back

Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of BLM. Specialist legal advice should always be sought in any particular case.

Related Expertise

Related contacts

Nick Gibbons

Nick Gibbons


Helen Grimberg

Helen Grimberg


Who to contact

For more information about any of our news releases, please contact:

Natalie King
 +44 20 7638 2811
+44 20 7920 0361
Email Natalie

Jo Murray
+44 20 7638 2811
+44 20 7865 4849
Email Jo


Not what you are looking for? Click here!