Cyber and data security disclosures in annual reports

By Alan Simpson CA

24 September 2020

Main points:

  • The likelihood of cyber-attacks and data security threats is a key risk for every organisation.
  • The article summarises the disclosures relating to cyber-security risks in a sample of annual reports.
  • Our review found that the amount of information disclosed on the risk of cyber-attack, and how it is mitigated, varies widely.

This article summarises our review of disclosures relating to cyber-security risks in the annual reports of UK listed companies.

In business and all walks of life we now rely almost totally on computers, computer networks and systems with the information (or “data”) held on them. We also demand privacy and integrity of this data, in that it is not stolen, corrupted by a computer virus, altered or accessed inappropriately nor in any way illegally used by others for nefarious, fraudulent or destructive means.

The likelihood of attacks on its computer systems and data is a key risk for every organisation. This risk is always present, and we must be constantly vigilant against attacks from hackers and scammers; they are relentless, amoral, versatile and ruthless. Their methods are constantly evolving. We must never be complacent and think that an attack won’t happen to us: it is only a matter of time before these criminals try to penetrate the defences of our clients, our employers or our personal data. The possibility of an attack from within the organisation by a disaffected or embittered employee is another example of cyber-attack.

Recent media reports of the extent of cyber-crime found that in 2019, British companies had been the victim of 5,000 “ransomware” attacks which led them to pay hackers an estimated £200m in ransom in aggregate for the software to “decrypt” the infected systems. The ransom payments are often made in cryptocurrencies, at the insistence of the criminals, to ensure lack of traceability of the hackers. It is legal to pay a ransom in the UK, unless those making the payment knew that it was for the purpose of financing terrorism.

According to the annual Hiscox Cyber Readiness Report, British firms are 15 times more likely to suffer a cyber-attack than a fire or theft.

A successful attack could mean much expenditure of staff time; financial loss due to inability to meet customer needs; obloquy; and financial penalties imposed by regulators for data breaches (for example under GDPR). At the extreme, the damage caused by a successful attack could hobble the organisation’s activities severely and even destroy it. Therefore, it is extremely important for ICAS members and CA students, whether they work in practice or business, to have at least a basic knowledge of what comprises current “best practice” in effective security over computers and data networks (in other words “cyber-security”) and over the information held on an organisation’s computer systems. It is also important that they have the confidence to question the technical experts and to understand the broad implications of the responses given.

Summary of findings

We reviewed a sample of 12 FTSE100 company annual reports across a range of different sectors from 2018, 2019 and 2020 to see if these specifically identified cyber and data security as key/principal risks and, also, how the company disclosed the measures taken to mitigate the risk. All the companies in the sample declared that cyber and data security was one of their key risks, although they did not necessarily refer to them in these terms.

All the companies surveyed described the measures they had taken to mitigate the risk of cyber-crime and to safeguard data. The detail given by the companies varied and, understandably, they want to be circumspect as to the extent of the information they disclose on their defences.

Some interesting observations emerged from the review in relation to specific companies. BAE Systems, for example, included only very minimal disclosures, which may be expected from a group that is a very large defence contractor and whose main customers are international governments.

The disclosures in Melrose Industries, however, were extensive as a result of the increased potential exposure to such risks in the year in question following their acquisition of a major listed UK company.

Wm. Morrison Supermarkets highlights that the risk environment is challenging, with increased levels of cyber-crime and increased regulatory requirements and responsibilities over the custody and control of data.

The disclosures around cyber risk in the BT 2020 annual report reflect the additional threat posed during COVID-19 with many people now working from home and the increased reliance on digital and online platforms.

Detailed findings

Detailed findings from the annual reports we reviewed are set out below, company by company, under three headings: the nature of the risk, the potential impact of the risk, and the mitigation of the risk.

Company findings

Anglo American

Nature of the risk:
  • Loss or damage caused by malicious or mischievous cyber activity to technology and intellectual property.

Potential impact of the risk:
  • Financial loss and unplanned increased costs.
  • Reputational damage.

Mitigation of the risk:
  • A specialist third party is used to oversee network security.
  • Cyber-awareness programme in place for employees.

Associated British Foods

Nature of the risk:
  • Cyber threats or data loss, thereby being unable to meet stakeholder demands.

Potential impact of the risk:
  • Disruption and damage to business activities through data centre failures, cyber-attacks or IT failure.
  • Loss or theft of data.

Mitigation of the risk:
  • Access restrictions in place.
  • Disaster recovery plans in place for key applications.
  • Monitoring of cyber threats and suspicious or unusual IT activity.

AstraZeneca

Nature of the risk:
  • Security of intellectual property and data privacy (such as data for the testing, development and research of new medicines).

Potential impact of the risk:
  • Reputational damage and adverse financial impacts.
  • The imposition by regulatory authorities of sanctions and penalties for non-compliance with laws and regulations.

Mitigation of the risk:
  • Regular staff training on cyber-security.
  • Disaster and data recovery plans in place.
  • Security strategy over key systems and processes.
  • Cyber-security insurance cover in place.

BAE Systems

Nature of the risk:
  • Business disruption.
  • Possible damage to the IT infrastructure.
  • Illegal attempts to get access to very highly classified information.

Potential impact of the risk:
  • Damage to reputation.
  • Disruption to business operations.
  • Negative impact on the results and financial condition.

Mitigation of the risk:
  • Minimal disclosure: only that there is a broad range of measures in place to monitor and mitigate the risk.

Bunzl

Nature of the risk:
  • Cyber-security failure.
  • Use of e-commerce and digital platforms increases the risk of a cyber-attack occurring.

Potential impact of the risk:
  • Adverse financial impact.
  • Inability to fully serve customer demands.
  • Reputational damage.
  • Fines and penalties imposed on the organisation for breaches of data protection or security legislation.

Mitigation of the risk:
  • Cyber-security awareness campaigns for staff.
  • IT disaster recovery plans are in place and tested.
  • Continual improvements made to policies and controls around cyber threats.

Diageo

Nature of the risk:
  • Cyber threat and the theft, loss or misappropriation of digital assets and data.

Potential impact of the risk:
  • Financial loss.
  • Operational disruption.
  • Reputational damage.

Mitigation of the risk:
  • Mandatory global e-learning for employees on cyber threats.
  • Use of ethical hacking to highlight weaknesses.
  • Advanced malware detection and blocking measures are in use.
  • Intelligence-led, proactive hunting and monitoring of cyber-attack threats.
  • High-risk IT systems are stress-tested for resilience to cyber-attacks.

HSBC Holdings

Nature of the risk:
  • Unauthorised access to systems.
  • Financial crime risk environment.
  • Data management.

Potential impact of the risk:
  • The group operates in an increasingly hostile cyber threat environment.
  • Key threats include unauthorised access to online customer accounts and advanced malware attacks causing service disruption.

Mitigation of the risk:
  • Cyber risk is a key risk and is reported at Board level.
  • Cyber-awareness training for staff.
  • IT and other controls are regularly updated and improved.

Melrose Industries

Nature of the risk:
  • Information security and cyber threats are an increasing priority across all industries.

Potential impact of the risk:
  • Potential misappropriation of confidential information.
  • Loss of reputation, termination of contracts and financial loss.

Mitigation of the risk:
  • External security consultants engaged to aid prevention, identification and mitigation of cyber-attack.
  • Progress is monitored on a quarterly basis.

Wm. Morrison Supermarkets

Nature of the risk:
  • A security breach leading to a loss of confidential data.

Potential impact of the risk:
  • Significant reputational damage.
  • Regulatory fines.

Mitigation of the risk:
  • Information security procedures and policies are in place.
  • Continual investment in cloud technology, making the group’s information systems more resilient.
  • Business continuity and disaster recovery exercises are carried out.

Pearson

Nature of the risk:
  • Risk of a data privacy incident or other non-compliance with data privacy regulations and standards.

Potential impact of the risk:
  • Negative impact on customer experience.
  • Reputational damage.
  • Breach of regulations and financial loss.

Mitigation of the risk:
  • ISO 27001 controls, which include strong encryption, patching, monitoring and access controls.
  • Regular audits.
  • Automated tools.
  • Published policies, processes and guidelines, global training and awareness.

Tesco

Nature of the risk:
  • IT system or infrastructure failure resulting in loss of information and service.
  • The failure to comply with regulatory requirements relating to data security and data privacy in the course of the group’s business activities.
  • Potential loss of operating capability due to lack of investment in and implementation of new technology.

Potential impact of the risk:
  • Reputational damage, regulatory fines or other financial penalties.

Mitigation of the risk:
  • Team established to detect, report and respond timeously to security incidents.
  • Third-party supplier assurance programme focusing on data security and privacy risks.
  • Significant investment to ensure compliance with the legal requirements around data protection.
  • Regular reporting on security and privacy programmes to governance and oversight committees.
  • A privacy compliance programme established.

British Telecom

Nature of the risk:
  • Successful penetration of defences against cyber-attack.

Potential impact of the risk:
  • Loss of market share.
  • Regulatory sanctions and fines.
  • Potential financial loss due to contract termination.
  • Service disruption at a time when telecommunications are vital to the global fight against the Covid-19 pandemic.

Mitigation of the risk:
  • Sharing information with governments and companies about emerging cyber threats.
  • Use of ethical hackers to test the effectiveness of cyber defences.
  • Awareness training on cyber-security for all staff.

Conclusion

Cyber and data security is seen as being very much a key risk by all companies in the sample and they list the likely impact of a successful cyber-attack upon them in terms such as:

  • Reputational damage to their organisation in their industry and markets.
  • Financial loss.
  • Loss of operating capacity.
  • Impairing the fight against the coronavirus pandemic.
  • Loss of competitive advantage.
  • Damage to customer confidence and experience.
  • Termination of contracts.
  • Sanctions and financial penalties being imposed by regulatory bodies (think GDPR).
  • Theft of intellectual property, customer data and commercially confidential information.

In general, the amount of information they disclose on the risk of cyber-attack, and how it is mitigated, varies widely: on the one hand, some companies were extremely circumspect about the extent of their disclosure whilst, on the other hand, others gave much more information.
