4. Does the company identify a named person at senior management or executive committee level with overall responsibility for information management and cyber security?

5. Is the board or board committee responsible for cyber security issues?

Only a third of companies said they have a chief information officer (CIO) or similar. Company reporting in many cases did not specify that cyber security was a critical part of the role of the CIO alongside other IT development duties. Nearly 60% of companies did not indicate that their board or board sub-committee was responsible for cyber security-related issues.

Investor relevance: as the number of cyber security incidents continues to rise – and take new forms – it is vital that companies have robust governance measures in place to manage and address risks. Having a person or committee directly accountable for this area is a key first step for companies. When companies allocate responsibility to a senior executive, they signal to investors that there is internal expertise to appropriately allocate investments, staff time and resources. Board oversight is another important area of focus for investors. Investors increasingly expect cyber security issues to fall within the remit of company boards and their sub-committees given the potential physical and economic implications of a cyber security incident for business operations. Where corporate disclosure is lacking, investors may encourage better articulation of where responsibility for cyber security lies within the business.

Good practice: companies that provided good disclosure on responsibility and oversight most commonly referred to their audit and risk committees or a separate board sub-committee with a technology focus. For instance, the chair of the technology committee at BT Group indicated in its annual report: “The committee also receives regular updates on cyber security, to better understand how we are protecting our people and customers […] As a result (of cyber risks), we have taken immediate action where possible to reinforce our defences, and have a wider programme in place to ensure our systems and networks remain resilient to future potential threats.” Similarly, Morgan Stanley disclosed that its operations and technology committee oversees technology strategy “including information security and cyber security risks, and the steps management has taken to monitor and control such exposures”.

Although companies may adopt different models depending on what is most appropriate for their business and in line with existing governance structures, it is important that they communicate where ultimate responsibility for cyber issues sits within the company.