What are we doing about cyber in the boardroom? (Pic: ThinkStock)
What are we doing about cyber in the boardroom? (Pic: ThinkStock)

Only a handful of FTSE 100 companies have board members with specialist technology or  cyber-security experience.

Just one-in-twenty boards (five percent) appear to have any cyber-security experience among their members, according to Deloitte which analysed the annual returns of the FTSE 100 companies and the biographies of their board members.

Meanwhile, it found that most companies list cyber as a principal risk, and 11 percent of companies said they have create a new role or body responsible for cyber-risk.

Ten percent of companies delivered cyber-risk training to their board members.

Phill Everson, head of cyber-risk services, Deloitte UK said: “With the pervasive nature of technology and the focus on cyber-risk, it is alarming that only one in twenty boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience. This is not sustainable, but also reinforces the importance of disclosing such information to investors.”

The Financial Conduct Authority, which has responsibility for overseeing the UK's banking industry (many of which would be listed in the FTSE 100), was rapped on the knuckles in November by Steve Baker MP because it didn't have any board members with cyber-security experience. The chairman of the FCA, John Griffith-Jones, said the board was “not over-endowed with technical expertise but we have, in response to the increased threat in this area, recruited a special adviser”.

Deloitte found in its survey that boards of directors were often aware of problems but had not shown evidence that they were tackling them. For instance, more than half of companies mentioned cyber-contingency, crisis management or disaster recovery plans in their annual report, but only 58 percent disclosed that these plans had been simulated in test scenarios over the year.

William Touche, leader of Deloitte's centre for corporate governance, Deloitte UK said: “The potential damage of cyber-attacks is a significant threat so annual report disclosure of cyber-risk, mitigations such as planning, training and testing and even cyber-breaches within the annual report is important information for shareholders as it highlights the risks and lets them know how seriously companies are taking it. It also demonstrates a company's understanding of the cyber-threats that they face. Our survey revealed a wide range in the quality of disclosure made by companies. Some do this very well, but the majority could make improvements.”

Deloitte's analysis proposes seven principles to improve cyber disclosure when finalising reporting:

  1. Every sector, although not every company, identifies cyber as a principal risk – think carefully if you have not done so.

  2. The value destruction capability of cyber-risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.

  3. The better disclosures are company-specific, year-specific and provide sufficient detail to give meaningful information to investors and other stakeholders.

  4. Boards and board committees are increasingly educating themselves about the cyber-threat and challenging management on how they are dealing with the risk.

  5. Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.

  6. Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.

  7. Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber-risk.