3i, Barclays and Worldpay praised in Deloitte report on cyber risk

Cyber crime is growing more rapidly than cyber security and most companies are failing to disclose how they are testing for, and reporting, the risks.

Only 5% of FTSE boards appear to have a director with specialist expertise in cyber risk, despite the fact that 87% of FTSE companies’ annual reports identified one or more elements of cyber risk as principal risks in their disclosures, according to a report published by consultants Deloitte.

The findings, based on a study of annual reports, revealed that only 22% of FTSE 100 companies had some form of vulnerability testing, penetration testing or other cyber risk-specific testing performed during the year. Disclosure on testing is particularly helpful, said Deloitte, as it demonstrates that a company has a way of identifying and addressing flaws in its existing protections.

But while the majority of large UK businesses are clearly behind the curve in dealing with cyber risk – or at least failing to report how they are dealing with it – three FTSE 100 financial firms were singled out as examples of good practice by Deloitte.

Investment group 3i was singled out as one company that provides “better disclosures” to its board and shareholders. In its 2016 annual report, 3i said that its audit and compliance committee had received two presentations from its IT director on cyber security risk management during the year and that it had also engaged external advisers in late 2015 to further assess cyber threats.

Barclays, meanwhile, acknowledged in its 2015 report the key problem that cyber crime is growing more rapidly than cyber security. “The risk posed by cyber attacks continues to grow,” said the bank. “The proliferation of online marketplaces trading criminal services and stolen data has reduced barriers of entry for criminals to perpetrate cyber attacks, while at the same time increasing motivation.” Barclays noted “a marked increase of denial of service attacks” in the annual report.

Finally, Worldpay Group’s 2015 annual report was a good example of how a company can describe the impact of increased cyber risk on data security. Worldpay said it had upgraded its protection against DDoS attacks on its core data centre, employed additional anti-malware, and had also taken steps to migrate off-host application services away from RBS to its own data centres.

The Deloitte report can be found here.
