The government's annual Cyber Governance Health Check Report has found that only 6% of the UK's FTSE 350 are completely prepared for GDPR compliance, with many citing concerns around the requirement to be able to entirely delete an individual's personal data.
The research, which has been carried out every year since 2013, shows an upward trend in awareness and preparedness amongst the UK's top companies for major cyber incidents. However, having said that, only just over half of all Boards view cyber risk as a top/group risk when compared with all the risks faced by their company.
This may come as a surprise, given the increasing threat and prevalence of major cyber attacks in both the public and private sector, which when not handled correctly, have proven to cause both reputational and financial losses.
However, it is the results on GDPR compliance that are the most concerning, given that the law will come into effect in the UK - in the form of the new Data Protection Bill - on 28th May 2018, less than a year away.
GDPR has a number of requirements, which include:
- a requirement for consent - businesses will need to ensure that all customers know that you have their data and that they consent to the business having that data
- businesses will have three days to report data breaches to both the authorities and customers
- the Right to be Forgotten - customers will have the right to ask businesses to delete all of their data, and to prove that they have
- data portability - the aim being to create an environment where businesses can easily swap their data between different providers, whilst ensuring the data is erased from the old provider's systems.
- hefty fines for data breaches will be introduced - up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.
Whilst over a third of respondents (37%) to the government's Cyber Governance Health Check Report said that they were very aware of the forthcoming GDPR requirements, the majority of respondents (60%) reported being at best somewhat or slightly aware.
And as noted above, only 6% of respondents are completely prepared. The majority (over 60%) said that they were "somewhat prepared", whilst around 15% said that they were "slightly prepared". This is slightly concerning, given that GDPR requires a comprehensive understanding of how data is used in a company and compliance is required in approximately seven months time.
The two biggest concerns for companies, with regards to GDPR, are an individual's right to personal data deletion (with over 40% of respondents citing it as their top concern), and tightening of consent requirements (over 40%).
These were followed by an individual's right to data portability and the increase in supplier liability when data breaches occur.
Commenting on the results of the survey, Minister of State for Digital, Matt Hancock, said:
An increasing number of organisations who responded to the survey relayed the importance of cyber security in terms of the need to protect their services, reassure the public on the safety of their personal data and measure their organisation's own exposure to cyber risk. Decisions about cyber are increasingly being taken at the board level, which reflects a significant, positive culture shift amongst FTSE 350s since the launch of the scheme.
However, cyber maturity among FTSE 350s needs to improve at a faster rate to ensure we can stay ahead of future cyber security challenges. This year's report shows that a small number of FTSE 350 businesses are continuing to operate without plans in place for managing cyber incidents.
This is increasingly irresponsible. Furthermore, as we approach the deadline to introduce new regulation such as the General Data Protection Regulation, businesses should continue to prepare themselves for the responsibilities that come with these new requirements.
Still not good enough
Whilst the government's report puts a positive spin on the results received, with regards to the board's perception of cyber as a risk and its ability to effectively deal with any threat, given that results show an upward trend on previous years, it's still evident that a large proportion of FTSE 350 Boards are not taking this threat seriously.
For example, whilst for the first time the majority (53%) of respondents indicated that their boards were clearly setting and understanding their company's appetite for cyber risk, both for existing business and for new digital innovations, over 40% of respondents said that their board had only "loosely" or "not really" done this.
So whilst the majority appear to be taking a proactive approach, almost half are still unaware of the risk involved.
Equally, whilst 54% of respondents saw cyber as a top/group risk, again over 40% saw it as either low/operational or medium/segment risk.
And over 45% of respondents said that their board does not review and challenge reports on the security of their customer data, with over 40% also stating that they "listen occasionally" about cyber requirements.
Most concerning, however, is that one-tenth of FTSE-listed companies responding to the Health Check currently operate without a cyber incident plan. The report notes:
Boards representing this 10% of respondents should consider prioritising the development of a cyber incident response plan as soon as possible, given that their organisations are likely to be subject to regular attempts at cyber breaches owing to their high-profile status.
Also, the figures show that over a quarter of boards currently have no role in any organisational response to a cyber incident.
The results indicating the UK's top companies' lack of preparedness for GDPR are of particular concern, given the time that these companies have left to get their house in order.