UK Boards not receiving sufficient information to discuss and consider cyber risk
August 23, 2017
According to the recently published FTSE 350 Cyber Governance Health Check Report 2017, directors at the UK's top 350 listed businesses are not always given the information they need to discuss the cyber risks facing their operations. Given that those directors are responsible for maintaining proper data security, and usually control the internal spend on data protection (typically as part of IT expenditure), that is a worry.
There is no reason to assume Australian companies are any better advised. The picture is probably worse here given the weak state of regulation.
From the report, which is based on a survey of those companies, it appears that:
- most respondents said they have a "clear understanding" of the potential impact that a loss of, or disruption to, "key information and data" could have on their business, including on their customers, share price or reputation.
- less than half have a clear understanding of what the company's key information and data assets actually are, and what their value would be to rivals or criminals.
- 10% of businesses have no cyber incident response plan in place.
- 27% of companies that do have a cyber incident response plan give the board no defined role in responding to an incident.
- 68% of respondents said their board had not received any "incident response training".
There is little here that will surprise practitioners in this field. There remains a disconnect between the C-suite and IT where data security is concerned: boards are confident about the consequences of a breach, yet fewer than half know which assets an attacker would actually target, and most have never rehearsed their own part in the response.