Press releases

Only 20% of FTSE 100 companies disclose testing of cyber protection plans

Just 21% regularly share security updates with the Board

28 March 2018

57% of FTSE 100 companies disclose in their annual report regular testing of overall crisis management, contingency or disaster recovery plans, according to new analysis from Deloitte. However, just 20% disclose details of specific cyber risk testing, such as ‘ethical hacking’, to find vulnerabilities in their IT systems.

Phill Everson, head of cyber risk services at Deloitte UK, said: ”Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20% of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified.

“As we see GDPR regulations introduced from May 25th this year this becomes even more important as they require regulators to be notified within 72 hours of a breach. In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do. Just 21% of companies disclosed in their annual report that they provided cyber security updates to the Board on a regular, monthly to bi-annual, basis. However, greater disclosure of this in reports could identify more companies doing so.”

Despite the small proportion of FTSE 100 companies providing security updates to the Board, 89% recognise cyber as a ‘principal risk’ and identified a number of consequences in the event of a breach. Of the impacts noted, disruption to business and operations was of greatest concern, flagged by 70%, followed by data loss (58%). Reputational damage and financial loss were also identified by 56% and 54% of companies, respectively.

Everson continues: “An area that has had less recognition in the past is the insider threat, but it is mentioned by 23 companies this year. 17% of companies this year identified malware as a threat, up from 12% last year. In future we expect to see more companies go into greater depth on their strategies to mitigate against employee risk and the threats posed by malware.

“Elsewhere, we are also seeing companies provide more clarity on who is internally responsible for cyber risk. Over the last two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber. This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cyber security responsibility to 38, but we would like to see 100%, and expect investors would as well.”

By comparison, just 5% of companies last year disclosed having a member of the board with specialist technology or cyber security experience. This has gone up to 8% this year, a figure matched by the number of companies that also disclose having a Chief Information Security Officer (CISO) in the executive team this year.


Notes to editors

About the survey
This is the second survey detailing reporting practices on cyber risk covering all FTSE 100 annual reports, for the most recent year-end as at 30 September 2017.

About Deloitte
In this press release references to “Deloitte” are references to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”) a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is a subsidiary of Deloitte NWE LLP, which is a member firm of DTTL, and is among the UK's leading professional services firms.

The information contained in this press release is correct at the time of going to press.

For more information, please visit

Member of Deloitte Touche Tohmatsu Limited

Cyber risk reporting in the UK, March 2018
Did you find this useful?