Management information on cyber security eludes boards | KPMG | UK

Management information on cyber security still eludes FTSE 350 boards

Management information on cyber security eludes boards

Cyber security as an issue has made it to the Boardroom for FTSE 350 companies, but the lack of management information and an understanding of their critical assets still eludes boards.


Also on

Cyber security as an issue has made it to the Boardroom for FTSE 350 companies, but the lack of management information and an understanding of their critical assets still eludes boards. 

In a survey carried out by KPMG as part of the Government’s Cyber Governance Health Check, nearly half (49 per cent) of businesses place cyber risk as a top/group risk when comparing with other risks that a company faces – up from the 29 per cent who did so in 2014.  Boards are also more likely to explicitly set their appetite for cyber risk than in previous years. One third (33 per cent) had this “clearly set and understood”, an improvement on the 18 per cent who did so in 2014.

However, it’s clear that it remains stubbornly difficult for boards to get good management information to support their risk discussions. Only 21 per cent of respondents said that they received “comprehensive, generally informative” management information on cyber treats, whilst 17 per cent received “very little insight”.

David Ferbrache, Technical Director in KPMG’s cyber security practice, said: “Cyber-attacks continue to pose a growing threat to business. While cyber security has made it onto the Board’s agenda, board judgements on risk are often based on incomplete and partial management information. Many boards believe they now have a handle on the issue, but can often focus on governance and driving compliance. Taken to extremes, this can stand in the way of a flexible and agile response to an evolving threat and actually increase risk.

Frustratingly, for just over a half of boards (54 per cent), cyber risk is a subject that they hear about occasionally – either bi-annually or when something has gone wrong. This is a similar proportion to 2014. On a plus point, the message that cyber security isn’t just a technical issue is getting through. Only 15 per cent of boards said they have either heard about it once or twice, or view cyber risk as a technical topic that does not warrant board level discussions. A major improvement from the 26 per cent in 2014 and 46 per cent in 2013 who thought that way.

“We need to guard against complacency. Cyber security is getting boardroom time, but that is far from the end of journey. Businesses need to understand what their risk profile really looks like and set their risk appetite in a way that it can be tested and monitored. Most of all, they need to understand how to improve the cyber resilience of their organisation and make sure they are ready to respond to a rapidly changing cyber threat, quickly and confidently,” said Ferbrache. 

The survey also found that:

  • 63 per cent of boards clearly set out their risk management approach in their annual reports
  • 16 per cent of boards have a very clear understanding of where the company’s key information/data assets are shared with third parties -  up from 11 per cent in 2014 
  • 49 per cent of boards have a clear understanding of the potential impact of loss/disruption of key information and data assets

“Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, then perhaps cyber security will become mainstream and a vital component of doing business in our digital world,” concluded Ferbrache.


For media enquiries, please contact:

Nahidur Rahman, PR Manager

T: +44 (0) 20 7694 8812

M: + 44 (0) 788191 6975


Follow us on twitter: @kpmguk

KPMG Press Office: +44 (0)207 694 8773

Notes to Editors:

About KPMG

KPMG LLP, a UK limited liability partnership, operates from 22 offices across the UK with approximately 12,000 partners and staff.  The UK firm recorded a revenue of £1.96 billion in the year ended September 2015. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 174,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity.  Each KPMG firm is a legally distinct and separate entity and describes itself as such.

Connect with us


Request for proposal