CGI (TSX: GIB.A) (NYSE: GIB) today unveils the results of a newly commissioned research study which shows that 38% of C-suite executives in the telecoms, utilities, financial services and retail sectors, believe a cyber security breach at their organisation is likely over the next twelve months. These businesses estimate that if their most valuable data were lost or corrupted, the average total cost over a one year period would be £1.2 million. Incorporating economic analysis undertaken by the Centre for Economics & Business Research the study reveals that the telecoms and utilities sectors are significantly exposed when compared to other key sectors of the economy (banking, insurance and retail).
Cyber security governance immature across UK boardrooms
Today, on average, almost 30% of UK boardrooms in the UK’s key sectors of the economy (telecoms, utilities, finance and retail sectors) still view cyber security as an IT issue with, on average, only 35% of boardroom executives believing their board has a high level of personal expertise in cyber security. Worryingly this figure drops to just 23% for Non-Executive Directors (NEDs), suggesting the traditional role played by NEDs to offer ‘constructive challenge’ isn’t effective when it comes to managing cyber security risk. Less than half of UK boardrooms are confident in the IT security advice they receive today. Whilst boards in these key sectors rely on externally sourced cyber expertise for 15% of their requirements on average, 68% confirmed they plan to increase reliance on external consultants over the next few years.
The research, carried out in the wake of a recent high profile breach, confirms that such attacks have encouraged almost 81% of UK boardrooms across the UK economy’s key sectors, to increase cyber security scrutiny. However, cyber security only appears on the agenda of 48% of these boards ‘every few months’ with many covering it less than twice a year. Across the sectors surveyed, companies told us they currently assign ultimate responsibility for cyber security to CEOs (38%) and CIOs (31%) in the vast majority of cases, with specialist CISOs being empowered at just a handful of firms (3%). Interestingly, CEOs are the preferred choice for B2B companies whilst CIOs are overwhelmingly responsible at B2C firms.
Telecoms and utilities are the most ‘at risk’ sectors of the UK economy, relative to the other key sectors analysed
Econometric modelling of the anticipated severity of an attack and the likelihood of an attack, revealed that the telecoms sector is most at risk, closely followed by utilities. The model uses a combination of perceptions of the nature of sensitive information stored, the value of such data, the expenditure on defending against attacks and the overall awareness of risk to the company and sector to derive an objective risk rating.
Perhaps reflecting a loss of confidence following recent high profile incidents, the telecoms sector sees itself lagging behind others with the lowest level of boardroom cyber security expertise. Just 29% of telecom boards are viewed as having a high degree of expertise, whilst firms in this sector hold sensitive data with an average estimated value to the company of over £42 million. Relative to other key sectors of the economy examined, telecoms respondents were also the least confident about the risk of attack this year; with 52% believing their company was likely to experience a significant breach in the next 12 months. Perhaps in response, 76% of boards plan in this sector to increase their use of external cyber security expertise and on average, the sector plans to increase cyber security investment by boosting technology and personnel spend by 12% this year, compared to 7% in sectors such as retail and insurance that perceive cyber risk to be less urgent.
The utilities industry is also at relatively high risk, with boards discussing cyber security least often - in 40% of utilities firms the issue makes the boardroom agenda just twice each year. Companies in the sector hold sensitive data estimated at over £50 million on average but were found to be significantly behind other sectors in terms of having robust plans in place to handle a cyber event, with just 1 in 5 respondents confirming their firm’s cyber crisis management plan is well developed. This is surprising given that utilities firms have high resilience with good business continuity planning, perhaps showing a lack of maturity in the treatment of cyber security as a major business risk. Utilities firms plan to increase cyber security investment by 14%, the second highest increase after banking, and over 70% of utilities boards plan to look to external consultants to support their plans over the next few years.
Andrew Rogoyski, Head of cyber security, CGI in the UK commented: “UK boardrooms are struggling to get a handle on the cyber security issue. Boards know it is a risk but are uncertain in their approach, often failing to prioritise spend on cyber security. Unless more is done to improve understanding and governance at the highest level we can expect to see more high profile breaches.” He continued: “Encouragingly our research shows that boards do now appear to be taking cyber security more seriously with planned increases in scrutiny, investment and external advice. Based on Cebr’s analysis it is clear that the telecoms and utilities industries in particular must accelerate these efforts, which is consistent with recent UK, US and European government action to improve the protection of critical national infrastructure.”
CGI’s recommended seven steps to improved cyber security governance:
- Appoint a senior executive at board level to be responsible for cyber security with the authority and know-how to address the risks
- Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum
- Treat cyber security as a company-wide business risk and assess as you would with other key business risks, encouraging a discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance.
- Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk, including the emerging European legislation in the form of the general data protection regulation (GDPR) and the Network and Information Security Directive (NISD).
- Get specialist expertise to advise and inform the board, whether from internal teams or external advisors
- Set a programme of work to manage cyber risk, allowing a realistic time and budget
- Demand improved security from your IT suppliers, including products, systems and services
Over 150 UK C-level board members participated in this commissioned research, conducted by Opinium in partnership with Cebr, on behalf of CGI during December and January. Respondents were drawn from major UK companies with a minimum of 1,000 employees and from sectors including banking, insurance, utilities, telecoms and retail. The results were then analysed using Cebr’s risk profile modelling methodology to determine relative risk scores for the four key sectors of the UK economy.
Founded in 1976, CGI Group Inc. is the fifth largest independent information technology and business process services firm in the world. Approximately 65,000 professionals serve thousands of global clients from offices and delivery centers across the Americas, Europe and Asia Pacific, leveraging a comprehensive portfolio of services, including high-end business and IT consulting, systems integration, application development and maintenance and infrastructure management, as well as 150 IP-based services and solutions. With annual revenue in excess of C$10 billion and an order backlog exceeding C$20 billion, CGI shares are listed on the TSX (GIB.A) and the NYSE (GIB). Website: www.cgi.com.
Cebr is an independent consultancy, which advises some of the world’s largest companies. Cebr’s reputation for insightful economic analysis, award-winning forecasting and decisive business advice is based on innovative research by a renowned team of macro and micro-economists. Since its foundation in 1993, Cebr has been ‘making business sense’ by applying theoretical economics backed by quantitative evidence to real world decision for FTSE firms. It provides analysis, forecasts and strategic advice to major multinationals, financial institutions, government departments, charities and trade bodies.
Head of Communications
+44 7771 815428