Back in February 2013 I spent some time (armed with coffee) going through every annual report of each Financial Times Stock Exchange 100 (FTSE100) company to determine which of them were giving a mention to cybersecurity / information security, typically in their principal risks and uncertainties section as a risk, but also elsewhere in the report.
The objective for this was two-fold. Firstly, to understand whether cybersecurity was actively being discussed at a board level. Secondly, to identify and understand any trends that may be apparent based on the results – for example, are specific industries really good at acknowledging all things cyber while others not so much, and to try and ask (and answer) the question as to why this might be.
The results were interesting, and probably not that surprising to anyone who worked in the field of information security at the time. The highlights were:
- In total, 49 percent of companies highlighted cyber risk.
- Telecommunications, technology and banking companies fared well.
- Health care and basic materials (with some exceptions) gave cyber risk little to no mention.
- The only real surprise was that four consumer services firms did not make a more explicit mention of cyber risk.
A year is a long time in information security, so with that, a year later in February 2014 I spent some more time with the updated annual reports of the 51 FTSE100 companies which previously didn’t refer to cyber in any shape or form, with the one burning question – had there been any progress made in getting cyber onto the corporate menu? The high notes were:
- The situation had improved, but only slightly from the previous year (up 11%) – a total of sixty percent of FTSE100 companies now highlighted cybersecurity in their annual report.
- All industries showed an increase in cybersecurity awareness at the board level, with the exception of the utilities industry, which remained unchanged.
- The most dramatic increases were in the consumer goods, health care, and oil and gas industries. In health care, the number of companies taking cybersecurity seriously had doubled from the previous year. The consumer goods industry fell just short of repeating this performance, but the trend was clear to see.
Fast forward seven years to 2021 and the world is a very different place than it was back then (in almost every way!). Cyber now gets mainstream media coverage on an hourly basis. Hacks, breaches, ransomware attacks and phishing are very much on an ‘upward’ trend, and that’s putting it politely. That burning question… how are all of these FTSE100 companies and their boardrooms coping with these cyber challenges now?
I filled the coffee up to the brim once again and took a walk down memory lane, Annual Report Avenue to be exact. DRUM ROLL PLEASE
You’ll be pleased to know that all FTSE100 companies (yes, all 100 of them!) now make reference to either the newer (some may say cooler) “cyber” term or the more mature, old-school (but just as valid) “information security” term in their latest annual report. CUE LIGHTING OF FIREWORKS
I could leave it there, but don’t worry, I won’t. I’m going to dig a little deeper.
As I was going through the reports, at about 20 reports in it was clear that companies (and with that, boards) were paying attention to cybersecurity. At that point it looked a safe assumption that we’d end up with 100% ‘compliance’ with cyber, although I would of course verify this. So I changed tack: I wanted to get some quantifiable data out of this one, to be able to tell the middle part of the story, hopefully uncover some trends and, you got it, ask (and answer) the question as to why they exist. The approach I took was this:
- Record the number of instances the word “cyber” featured in the annual report
- Record the number of instances the words “information security” (together) featured in the annual report
- Record this against the “subsector” in which the company exists using the new updated Industry Classification Benchmark
- Average the collective total of all the companies in the same “subsector”
This time I’ve gone a little deeper with the analysis than in the previous years: I’m using the “subsector” Industry Classification Benchmark definitions which, to be fair, didn’t exist last time around. They give us the ability to drill down further into the specific industry.
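To make the counting rule above concrete, here is a small added Python script (my own illustration, not part of the original post or its data) that applies the approach to constructed report excerpts and a hypothetical company-to-subsector mapping. Treating “cyber” as a word prefix, so that “cybersecurity” and “cyber-attack” count as instances, is an assumption about how the counting was done.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed report excerpts standing in for annual-report text (not real FTSE100 wording).
REPORTS = {
    "BankCo": "Cyber risk remains a principal risk for the Group. Our cybersecurity programme "
              "is overseen by the Board, supported by the information security team. Cyber.",
    "TelcoCo": "Cyber-attacks on our networks are a principal risk. We invest in cybersecurity, "
               "maintain an Information Security policy, test cyber resilience and hold cyber insurance.",
    "MineCo": "Commodity prices and site safety are our principal risks. Information security is monitored.",
    "MetalsCo": "Principal risks: demand, regulation and energy costs.",
}
# Hypothetical company-to-ICB-subsector mapping (subsector names are assumed labels here).
SUBSECTOR = {"BankCo": "Banks", "TelcoCo": "Telecommunications Services",
             "MineCo": "General Mining", "MetalsCo": "General Mining"}

# Counting rules (an assumption about the author's method): "cyber" counts as a word prefix,
# so "cybersecurity" and "cyber-attack" are instances; "information security" counts only
# when the two words appear together, in any letter case.
CYBER_RE = re.compile(r"\bcyber", re.IGNORECASE)
INFOSEC_RE = re.compile(r"\binformation\s+security\b", re.IGNORECASE)


def count_mentions(text):
    """Return the per-report instance counts for the two terms."""
    return {"cyber": len(CYBER_RE.findall(text)),
            "information security": len(INFOSEC_RE.findall(text))}


def subsector_averages(reports, subsector):
    """Average the combined count of both terms across the companies in each subsector."""
    totals = defaultdict(list)
    for company, text in reports.items():
        counts = count_mentions(text)
        totals[subsector[company]].append(counts["cyber"] + counts["information security"])
    return {name: round(mean(values), 1) for name, values in totals.items()}


def ranked(averages):
    """Subsectors from most to fewest average mentions, ties broken by name."""
    return sorted(averages.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, avg in ranked(subsector_averages(REPORTS, SUBSECTOR)):
        print(f"{name}: {avg}")
```

Running it over real annual reports means swapping the constructed excerpts for the extracted text of each report and the assumed mapping for the actual ICB subsector of each company.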
Surprise surprise (well, not really!): banks come in at the top of the list with an average of 47.6 (we’ll call it 48) instances of “cyber” or “information security” in their annual reports. The financial industry in the UK is probably the second most regulated industry, after health. The threat of fines and other such punishments for breaches has historically been, and continues to be, a real thing in this industry. I think that this fact alone helps focus minds at a board level on investment in cybersecurity. This industry is very mature when it comes to cybersecurity, really leading the way with intelligence-led red teaming through the creation of CREST CBEST/STAR-FS engagements, which have board-level stakeholder buy-in.
One massive thing which has arrived on the scene since I last carried out this research is, CUE TRUMPET SOUND, the EU’s General Data Protection Regulation (or “GDPR” to you and me) in 2018, relating to the processing of UK and EU residents’ personal data. This has been implemented into UK law, so even Brexit can’t touch this one. It carries maximum fines of about £18 million or 4% of annual global turnover (whichever is greater) for infringements. I think this has focused the minds of every remaining FTSE100 company who previously wanted to stay out of the cyber party. This is probably why we have compliance across the board now.
At the opposite end of the scales there are what I would class as the more traditional or industrial companies. The instances of all things cyber don’t even make it out of single figures! I think these industries have been a bit slower to react (based on the external perspective from the annual report, anyway) and perhaps have other more pressing priorities among their principal risks and uncertainties, which the board has decided need more investment and attention.
On a positive note, overall, the direction of travel is the right one. I honestly didn’t know what I would find revisiting this research 7 years on. It is good to see we’ve made some progress with getting cyber discussed in the boardroom.