KPMG Cyber's research describes the current state of cyber security reporting in the annual reports issued by more than 800 companies, the largest in 28 countries, including Romania.
Cyber security is a strategic risk for every organisation. No organisation can operate without IT, and many companies are digitising their existing business model. Consequently, the topic should be on every board’s agenda. We see that more and more boards are regularly discussing cyber security.
Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in cyber security. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks. Value chain partners expect a trustworthy and transparent approach to risks. Customers expect services to be available and their data to be protected while it is stored or processed by reputable organisations. The annual report provides an opportunity for organisations to inform the public and other stakeholders about the cyber security risks the organisation encounters and the measures it takes to protect against them.
During our assessment of the annual reports, different elements of cyber security reporting were reviewed:
We have not reviewed whether companies have actually devoted attention to threats, risks, countermeasures and risk appetite. Our research results would most likely have presented a more negative picture if we had considered whether the companies surveyed took action on all these issues.
The headline figures for the main results of KPMG Cyber’s research into cyber security reporting in the annual reports of 800 companies across 28 countries are:
The study provides an overview below of the following topics: responsibility assumed at boardroom level for cyber security risks, differences between regions (Western Europe, Northern Europe, Eastern Europe, Mediterranean and Caribbean), a comparison of different industries and the cyber security topics that are discussed in the annual reports.
The results of the study position Eastern Europe behind the average:
Few Romanian organizations dedicate space to cyber security in their annual reports. Furthermore, they dedicate even less space than their counterparts in other Eastern European countries and in many other geographical areas.
“Traditionally, in Romania, cyber security has not been a proactive focus for most organizations. Instead, businesses have tended to be compliance driven, with the process being managed by Security Officers or IT Managers. In the last few years, however, we have noted that this approach has started to change. More proactive cyber security processes have been adopted, while top management has started to become involved,” comments Richard Perrin, Head of Advisory, KPMG in Romania.
“We know that organizations from several industries carry out cyber security projects but have not mentioned these in their annual reports. Are cyber activities not being made public for fear of a perception that the existence of cyber security related processes might create the impression that there is a security issue, or does this lack of reporting simply reveal how cyber is still perceived at Board level in Romania? Is this mostly considered a technical issue which needs to be managed by technical people?” asks Gabriel Mihai Tanase, KPMG Director responsible for Cyber services.
Please see the full results of our study at:
Global overview: http://www.kpmgcyberbenchmark.com/global
Romania details: http://www.kpmgcyberbenchmark.com/romania