A significant minority of publicly traded growth companies see cyber security as a “technical topic” not warranting board level consideration, according to a survey out one month after the NHS “ransomware” crisis.
While almost nine out of 10 companies see cyber security as a substantial risk, a smaller proportion appear to “have their heads in the sand and are doing very little to manage this threat on behalf of their investors”, says the QCA/YouGov Small and Mid-Cap Sentiment Index by the Quoted Companies Alliance and YouGov. One firm said cyber risk is “not formally recognised in the organisation”.
Cyber threat is seen by 88% of companies as a medium or high risk and 60% of firms are either actively managing or at least regularly considering such hazards – but 6% see this as technical, with no requirement for director-level consideration.
Most companies (70%) have some form of cyber security training in place although 29% of company respondents said they had no such training. Worryingly, a significant number (42%) of companies do not ask their suppliers to meet their own cyber security standards. This exposes them to any failings that their suppliers might have.
Investors should consider asking companies about cyber risk, said the Quoted Companies Alliance (QCA), the independent membership organisation that champions the interests of small to mid-size quoted companies.
Asked about preparation for any digital threat, one respondent said, “Practically, very little. It will impact our contracting as all customers are focused on it.” Another said planning for such risks would “add significantly to our costs and achieve nothing. It’s another level of red tape designed to add burdens to the cost of enterprise and jobs”. More encouragingly, one respondent said: “It will strengthen our positioning, improve the industry, and enhance the security for our users.”
It is not clear that companies fully understand the impact and seriousness of the issues addressed by the EU’s forthcoming General Data Protection Regulation, designed to strengthen and unify data protection across the region. Despite Brexit, the UK will have to comply substantially with it.
In May a global ransomware cyberattack crippled the NHS, targeted the international transport firm FedEx and infected computers in 150 countries.
“It seems strange, bearing these responses in mind, that 84% of companies feel that they are prepared to some extent for the introduction of the GDPR next year,” said Tim Ward, QCA CEO.
One corporate adviser said: “Once companies recognise the risks involved in not reviewing or preparing for the new regime adequately, there will be many companies who will appreciate the importance of having the requisite staff and processes in place to deal with data going forward.”
Not enough people know that a data breach can result in fines up to 4% of annual worldwide turnover or EUR20 million, whichever is higher. It is seen by some as a procedural issue, not a real and present threat to businesses. Comments like “more governance, risk and compliance systems and procedures – i.e. more overhead cost” support this assertion.
Tim Ward added: “This is a very important issue that companies should expect investors to probe. If a serious cyber security attack were to hit a company, our survey suggests that over 30% of its market value is at risk, not something that any investor would welcome. Companies need to up their cyber security game and allay the fears of investors, their customers, their employees and their suppliers.”