40pc of FTSE retailers ignoring cyber risks

Retail boards across the UK are not giving cyber security the attention it deserves, according to new analysis of annual reports by risk and insurance law firm BLM.

BLM looked for mentions of a range of words associated with digital risk – such as ‘cyber’, ‘information security’ and ‘data breach’ – in the annual reports of the 32 FTSE-listed retailers. In 40% of reports there was no mention of any of the identified terms, suggesting that cyber security is not yet classed as a top risk by the industry as a whole.

According to the British Retail Consortium’s latest retail crime survey, the majority of retailers reported an increase in cyber attacks in 2013-14 and claimed that they pose a critical threat to their business. However, this isn’t clearly reflected in these annual reports.

Helen Grimberg, partner and head of corporate sector at BLM said: “Although the research isn’t a scientific analysis of retailers’ security strategies, it provides a snapshot of how it is perceived by retail boards. The annual report is one of the few times the board can communicate with shareholders and go into detail about the risks and uncertainties facing the business. Not directly mentioning the threat or detailing the strategy in place to counter the risk is unacceptable – particularly when we consider some of the high-profile data breaches that have plagued the retail industry in recent years.”

BLM also found that just 38% of reports referenced ‘cyber’, while 16% mentioned ‘information security’. Only 9% used the word ‘hack’ and 3% used ‘data breach’. 13% of reports mentioned ‘PCI’ and compliance with this payment card industry standard, but not one report made reference to ‘DDoS’ – an attack which can bring down front-end websites and back-end systems (77% of retailers have been targeted by DDoS attacks, according to a Neustar report).

Nick Gibbons, partner and cyber risk specialist at BLM continued: “We’re not expecting every annual report to use the word ‘cyber’ but we should see sections or areas dedicated to addressing the risk. The focus still seems to be on compliance or general IT problems.

“Cyber security is a board-level issue and should be treated as such, rather than just being left to the security and IT teams. The potential consequences are such that it needs strategic direction and accountability from the C-suite.

“In five to ten years it’s very likely we’ll run this research again and see these numbers increase. Hopefully it will be due to more boards giving the risk the attention it deserves and being proactive about mitigation, rather than as a response to more devastating attacks in the sector.”
