A recent survey from the UK Government’s Department for Business, Innovation & Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
On the positive side, however, a significant number of company leaders surveyed acknowledged that they had “more to do” in relation to cyber threats, and 62 percent of companies surveyed think their board members are taking cyber risk very seriously. It is important, therefore, that this awareness at the top level filters down to the management and operational level, to ensure that businesses are dealing with cyber threats effectively in their day-to-day activities.
These results echo some of the concerns discussed at a cyber security seminar which Hogan Lovells recently hosted at its London offices.
In an effort to improve awareness of cyber security issues, the UK Government is currently working to develop an industry-led “cyber standard” to encourage businesses to embrace best practices in relation to cyber risk management, whilst improving the information available to those buying cyber security products. A Computer Emergency Response Team (CERT-UK) is also due to be launched early next year.
However, these initiatives may be impacted by the proposals contained within the current draft EU Directive for Network and Information Security. A recent UK Government consultation on the Directive highlighted that the current proposal would impose a double duty in relation to reporting data security breaches, as well as increased security costs for affected businesses. The Directive is still being negotiated by the Council of the EU, the European Parliament and the Commission.