Despite 87% of FTSE 100 companies identifying cyber threats as a principal risk, just 5% have disclosed having employed a director with specialist cyber security experience.
A recent study authored by Deloitte found that FTSE 100 firms acknowledge cyber as a principal risk, but that there are wide variations in how they disclose their cyber risk management and strategies.
Just 11% of annual reports mentioned the creation of a new role or body to take overall accountability for cyber risk, although increased focus on the issue is expected.
Phil Everson, head of cyber risk services at Deloitte UK, described the lack of resources within FTSE 100 companies for dealing with cyber threats as ‘alarming’.
“It is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience,” he said.
In December last year, Nasdaq Clearing and Nasdaq Stockholm were punished by authorities for failing to supervise and manage cyber risks.
The group was fined €5.6 million by Swedish regulators for not acquiring information from its outsourced cyber security provider to assess the quality of its services.
William Touche, leader of Deloitte’s centre for corporate governance at Deloitte UK, added that companies should include their planning, training and testing for cyber breaches in their annual reports.
“It demonstrates a company’s understanding of the cyber threats that they face. Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements,” he concluded.