More than half of FTSE 100 companies disclose cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that the plans had been tested through cyber-focused exercises over the year, according to an analysis of annual reports by Deloitte.
Only 5% of companies disclosed having a director with specialist technology or cyber security experience, despite the vast majority identifying cyber risk as a principal risk. Of the types of cyber attack disclosed as a threat, unauthorised access to systems ranked most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were mentioned by only five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.
This is Deloitte’s first survey of cyber reporting practices covering the full FTSE 100. It has been designed to identify examples of good practice and offer insight to all listed companies about how to keep the users of annual reports better informed.
The report includes suggested principles to improve cyber disclosure when finalising reporting, as well as comments from Regester Larkin by Deloitte partner, Dominic Cockram.