Cyber and data security disclosures in annual reports
This article summarises our review of disclosures relating to cyber-security risks in the annual reports of UK listed companies.
In business and all walks of life we now rely almost totally on computers, computer networks and systems with the information (or “data”) held on them. We also demand privacy and integrity of this data, in that it is not stolen, corrupted by a computer virus, altered or accessed inappropriately nor in any way illegally used by others for nefarious, fraudulent or destructive means.
The likelihood of attacks being attempted on its computer systems and data security is a key risk for every organisation. This risk is always present, and we must be constantly vigilant against attacks from hackers and scammers; they are relentless, amoral, versatile and ruthless. Their methods are constantly evolving. We must never be complacent and think that an attack won’t happen to us: it is only a matter of time before these criminals will try to penetrate the defences of our clients, employers or personal data. The possibility of an attack from within the organisation by a disaffected or embittered employee is another example of cyber-attack.
Recent media reports of the extent of cyber-crime found that in 2019, British companies had been the victim of 5,000 “ransomware” attacks which led them to pay hackers an estimated £200m in ransom in aggregate for the software to “decrypt” the infected systems. The ransom payments are often made in cryptocurrencies, at the insistence of the criminals, to ensure lack of traceability of the hackers. It is legal to pay a ransom in the UK, unless those making the payment knew that it was for the purpose of financing terrorism.
According to the annual Hiscox Cyber Readiness Report, British firms are 15 times more likely to suffer a cyber-attack than a fire or theft.
A successful attack could mean much expenditure of staff time; financial loss due to inability to meet customer needs; obloquy; and financial penalties being imposed by regulators for data breaches (for example under GDPR). At the extreme, the damage caused by a successful attack could hobble the organisation’s activities severely and even destroy it. Therefore, it is extremely important for ICAS members and CA students, whether they work in practice or business, to have at least a basic knowledge of what comprises current “best practice” in effective security over computers and data networks (in other words “cyber-security”) and over the information held on an organisation’s computer systems. It is also important that they have the confidence to question the technical experts and to understand the broad implications of the responses given.
Summary of findings
We reviewed a sample of 12 FTSE100 company annual reports across a range of different sectors from 2018, 2019 and 2020 to see if these specifically identified cyber and data security as key/principal risks and, also, how the company disclosed the measures taken to mitigate the risk. All the companies in the sample declared that cyber and data security was one of their key risks, although they did not necessarily refer to them in these terms.
All the companies surveyed described the measures they had taken to mitigate the risk of cyber-crime and to safeguard data. The detail given by the companies varied and, understandably, they want to be circumspect as to the extent of the information they disclose on their defences.
Some interesting observations emerged from the review in relation to specific companies. BAE Systems, for example, included only very minimal disclosures, which may be expected from a group which is a very large defence contractor and whose main customers are international governments.
The disclosures in Melrose Industries, however, were extensive as a result of the increased potential exposure to such risks in the year in question following their acquisition of a major listed UK company.
Wm. Morrison Supermarkets highlight that the risk environment is challenging, with increased levels of cyber-crime and increased regulatory requirements and responsibilities over the custody and control of data.
The disclosures around cyber risk in the BT 2020 annual report reflect the additional threat posed during COVID-19 with many people now working from home and the increased reliance on digital and online platforms.
Detailed findings from the annual reports we reviewed are set out in the table below:
| Company | Nature of the risk | Potential impact of the risk | Mitigation of the risk |
|---|---|---|---|
| Anglo American | Loss or damage caused by malicious or mischievous cyber activity to technology and intellectual property. | Financial loss and unplanned increased costs. | A specialist third party is used to oversee network security. Cyber-awareness programme in place for employees. |
| Associated British Foods | Cyber threats or data loss, thereby being unable to meet stakeholder demands. | Disruption and damage to business activities through data centre failures, cyber-attacks or IT failure. Loss or theft of data. | Access restrictions in place. Disaster recovery plans in place for key applications. Monitoring of cyber threats and suspicious or unusual IT activity. |
| AstraZeneca | Security of intellectual property and data privacy (such as data for the testing, development and research of new medicines). | Reputational damage and adverse financial impacts. The imposition by regulatory authorities of sanctions and penalties for non-compliance with laws and regulations. | Regular staff training on cyber-security. Disaster and data recovery plans in place. Security strategy over key systems and processes. Cyber-security insurance cover in place. |
| BAE Systems | Business disruption. Possible damage to the IT infrastructure. Illegal attempts to gain access to very highly classified information. | Damage to reputation. Disruption to business operations. Negative impact on the results and financial condition. | Minimal disclosure: only that there is a broad range of measures in place to monitor and mitigate the risk. |
| (company name missing from source) | Use of e-commerce and digital platforms increases the risk of occurrence of a cyber-attack. | Adverse financial impact. Inability to fully serve customer demands. Fines and penalties imposed on the organisation for breaches of data protection or security legislation. | Cyber-security awareness campaigns for staff. IT disaster recovery plans are in place and tested. Continual improvements made to policies and controls around cyber threats. |
| Diageo | Cyber threat and the theft, loss or misappropriation of digital assets and data. | Financial loss. | Mandatory global e-learning for employees on cyber threats. Use of ethical hacking to highlight weaknesses. Advanced malware detection and blocking measures are in use. Intelligence-led, proactive hunting and monitoring of cyber-attack threats. High-risk IT systems are stress-tested for resilience to cyber-attacks. |
| HSBC Holdings | Unauthorised access to systems. Financial crime risk environment. | The group operates in an increasingly hostile cyber threat environment. Key threats include unauthorised access to online customer accounts and advanced malware attacks causing service disruption. | Cyber risk is a key risk and is reported at Board level. Cyber-awareness training for staff. IT and other controls are regularly updated and improved. |
| Melrose Industries | Information security and cyber threats are an increasing priority across all industries. | Potential misappropriation of confidential information. Loss of reputation, termination of contracts and financial loss. | External security consultants engaged to aid prevention, identification and mitigation of cyber-attack. Progress is monitored on a quarterly basis. |
| Wm. Morrison Supermarkets | A security breach leading to a loss of confidential data. | Significant reputational damage. | Information security procedures and policies are in place. Continual investment in cloud technology, making the group’s information systems more resilient. Business continuity and disaster recovery exercises are carried out. |
| Pearson | Risk of a data privacy incident or other non-compliance with data privacy regulations and standards. | Negative impact on customer experience. Breach of regulations and financial loss. | ISO 27001 controls, which include strong encryption, patching, monitoring and access controls. Published policies, processes and guidelines, global training and awareness. |
| Tesco | IT system or infrastructure failure resulting in loss of information and service. Failure to comply with regulatory requirements relating to data security and data privacy in the course of the group’s business activities. | Potential loss of operating capability due to lack of investment in and implementation of new technology. | Team established to detect, report and respond timeously to security incidents. Third-party supplier assurance programme focusing on data security and privacy risks. Significant investment to ensure compliance with the legal requirements around data protection. Regular reporting on security and privacy programmes to governance and oversight committees. A privacy compliance programme established. |
| (company name missing from source) | Successful penetration of defences against cyber-attack. | Loss of market share. Regulatory sanctions and fines. Potential financial loss due to contract termination. Service disruption at a time when telecommunications are vital to the global fight against the Covid-19 pandemic. | Sharing information with governments and companies about emerging cyber threats. Use of ethical hackers to test the effectiveness of cyber defences. Awareness training on cyber-security for all staff. |
Cyber and data security is seen as very much a key risk by all companies in the sample, and they list the likely impact of a successful cyber-attack upon them in terms such as:
- Reputational damage in their industry and markets to their organisation.
- Financial loss.
- Loss of operating capacity.
- Impairing the fight against the coronavirus pandemic.
- Loss of competitive advantage.
- Damage to customer confidence and experience.
- Termination of contracts.
- Sanctions and financial penalties being imposed by regulatory bodies (think GDPR).
- Theft of intellectual property, customer data and commercially confidential information.
In general, the amount of information they disclose on the risk of cyber-attack, and how it is mitigated, varies widely: on the one hand, some companies were extremely circumspect in the extent of their disclosure, whilst, on the other hand, others gave much more information.