The government may want the UK to be a “global tech superpower”, but it seems the country’s companies struggle to disclose their cyber security measures to meet investor needs.
A report from the country’s governance watchdog says many disclosures from companies are “boilerplate” and “overly static”.
Experts point to a number of reasons why this may be happening, but watchdogs and government ministers appear concerned. Mark Babington, executive director of regulatory standards at the Financial Reporting Council (FRC), says: “Every company is now digital, so providing useful, relevant and focused disclosure on digital security is critical.”
Meanwhile, digital minister Matt Warman underscores the £2.6bn government has ploughed into the national cyber security strategy. But he adds: “Businesses can do more to bolster their online defences and improve transparency and reporting around cyber security.”
The warnings come at a time when there is heightened concern—driven in part by fears of Russian cyber attacks—with high-profile security breaches making the news on a regular basis.
Under attack
This month the UK government’s cyber breaches survey estimated that 39% of businesses have identified a cyber attack in the last 12 months, though there may be under-reporting, especially from companies with less “mature” cyber security set-ups. A little more than four out of five of those assaults are classified as “phishing” attacks, while around a fifth report more sophisticated incursions, such as denial-of-service, malware or ransomware attacks.
Only 54% of businesses have moved over the last year to identify cyber security risks, down on the 64% in 2020. A mere 19% of businesses are reported to have a formal “incident response plan”. And this despite the fact that surveys show executives place cyber security among their top priorities.
There is wider parliamentary concern about security. MPs on the House of Commons Digital, Culture, Media and Sport Committee have been taking evidence on security in new technology in advance of a report expected later this year. The conclusions will make for an interesting read.
But it is the geopolitical landscape that is causing increased anxieties. Britain’s support for Ukraine has intensified, as has anticipation of institutions and organisations here becoming targets for Russian cyber aggression.
At the beginning of July, the National Cyber Security Centre (NCSC) issued a statement warning companies of an “extended period of heightened threat”. Paul Maddinson, NCSC’s director for national resilience, said it was “now clear that we’re in this for the long haul and it’s vital that organisations support their staff through this demanding period of heightened cyber threat”.
Company disclosures give stakeholders an idea of whether corporate leaders are doing enough to combat cyber risk, especially from data breaches.
The FRC says corporate reporting teams and audit committees need to up their game in a number of areas. They need to detail how cyber is “important to the company’s current and future business model, strategy and environment”. They also need to describe the “governance structures, culture and processes” used to support cyber security and identify their digital and cyber security risks faced now and in the future.
Lastly, companies should report on attacks. In short, they should “highlight the impact of internal and external events and the actions and activities that respond to these”.
Cyber house rules
Ask the experts and there is broad agreement that not all companies are at the same point, either in their cyber security measures or their reporting.
According to Dr Ali Al-Sherbaz, a professor and cyber security expert at the University of Gloucestershire, companies have two problems to overcome in the current climate—finding the right people and providing the right training and information. Companies should also be sharing more data. “Many companies are struggling with growing cybersecurity demands,” he says.
Others caution against rushing to conclude that disappointing disclosures mean companies are falling short in the daily cyber security battle.
“I don’t think you can imply a correlation between poor reporting being linked to poor performance and a reluctance to open up about what’s going on,” says Sam De Silva, a technology lawyer and partner at the law firm CMS. “Reporting (especially accurate reporting) takes time and effort, so companies may be focusing on other things—such as the ‘doing’.”
Annual reporting is not the only disclosure responsibility. Other regulators demand reports too, not least the Information Commissioner’s Office (ICO).
Al-Sherbaz points out that reporting responsibilities can be immense. “Covered” incidents need to be reported to the ICO, meaning some firms may be faced with compiling information on as many as 100,000 incidents in a single day. “This means automated reporting is the only solution,” he says. “Managing this is a constant challenge for industry.”
Competing pressures
That said, pressure to report to shareholders and stakeholders is likely to only increase. And executives are only too aware of the effects that security can have on the perception of their companies, according to Andrew Kakabadse, professor of governance and leadership at Henley Business School. Reputation and share prices are all on the line in the event of a cyber breach.
“Under these circumstances, what is likely to be disclosed is questionable, as share price is largely determined by soft factors such as trust and reputation, rather than tangible issues like products and services,” Kakabadse says.
“Top executives are treading a very fine line between disclosure and safeguarding the organisation through minimal reporting of cyber threats. This will increasingly threaten [to bring] legal repercussions for senior executives.”
Managers may have other concerns, too. Pressure may be growing for more transparency, but many executives may be weighing that against security, says De Silva.
“Depending on the contents of the disclosures, it could be argued that an organisation providing information about its cyber security practices (particularly if they are not adequate) could open the organisation up to nefarious actors.”
Cyber threats are here to stay and the balancing act between regulatory demands, reputations, share price and security concerns will continue. This will be an enduring question not only for company leaders, but for rule makers too.