Large companies in the UK are failing to make enhanced disclosures about the cyber threats they face due to concerns that the information may be used as the basis of cyber attacks.
Research into cyber disclosures in the annual reports of large and very large organisations has found that the larger the company, the higher the prevalence of reporting. However, the quality of cyber disclosures remains low. Supply chain cyber security has the lowest levels of disclosures, even though the supply chain emerges as one of the biggest areas of concern in cyber security, and despite supply-chain risk itself being disclosed.
The study, commissioned by the Department for Science, Innovation and Technology and conducted by accountancy firm Azets, set out to establish the prevalence of current reporting in the annual reports of large and very large organisations, and the effectiveness of current reporting on digital security risks.
Governance and cyber incidents
The research found that 77% of very large companies made cyber disclosures compared with 56% of large companies. However, the quality of cyber disclosures is lacking, with governance and cyber incidents emerging as the only areas where at least 10% of the sample achieved enhanced disclosures.
Although senior security management interviewed as part of the study recognised the importance of disclosing cyber security as a significant business risk and felt comfortable disclosing oversight and governance arrangements, they expressed concern about disclosing excessive information in relation to cyber security.
In particular, there was little enthusiasm for disclosing specific details of digital security risks and the mitigating actions being taken. This also extended to disclosing plans to improve cyber resilience through strategy, programmes or projects. They said there was a fine line between achieving better-quality reporting and placing information in the public domain that cyber security threat actors could use as the basis of a cyber attack.
Driven by existing reporting requirements
The higher prevalence and quality of cyber and digital security risk disclosures are most likely driven by existing reporting requirements, Azets suggests. Where disclosures were made, this was most often because cyber security was recognised as a key risk to the business and referenced within the ‘Principal Risks’ section of the annual report.
Three-quarters (75%) of the sample made cyber disclosures under the theme of Risk Management and this was the highest disclosed theme. However, only 5% of them achieved enhanced reporting levels.
Although a large number of companies provide a short statement to confirm that risk management processes are in place, or reference cyber security as a key risk to the business, most provide limited information on areas such as how risk is managed, the presence of an information security management system or the assurances received over risk mitigation controls.
This suggests that companies either disclose only the minimum information necessary to comply with the Companies Act 2006, or do not understand what high-quality disclosures would look like. The Companies Act 2006 applies to all UK companies and requires them to include details of principal risks and uncertainties within their annual report.
By-product of wider risk reporting
Governance also had the highest percentage of enhanced disclosures. Better frequency and quality of reporting on governance is likely to be a by-product of wider risk reporting, particularly for listed companies that must comply with the UK Corporate Governance Code. A quarter of the main sample were listed companies.
Sally Baker, ICAEW Head of Corporate Reporting Strategy, says achieving the balance between high-quality, entity-specific disclosures on cyber risk while protecting the entity against the threat of cyber attack is an understandable challenge. “Nevertheless, preparers need to remember the requirements to disclose principal risks and uncertainties in their strategic report and must not shy away from providing information on how they are managing this increasingly significant risk to investors and other stakeholders.
“As well as finding the Financial Reporting Council’s 2022 Digital Security Risk Disclosure Report beneficial, preparers may wish to look across the pond to their US counterparts, where strict cyber disclosure rules have been in place since the end of 2023, for examples of good practice.”
Supply-chain responsibilities
Esther Mallowah, ICAEW Head of Tech Policy, says it was surprising that although the supply chain was one of the biggest areas of concern in cyber security, it had the lowest levels of disclosures, despite supply-chain risk itself being disclosed.
“This may partly be due to businesses not understanding their responsibilities for overseeing suppliers’ cyber risk management arrangements and the significant complexity of supply chains, which may make visibility of all relevant actors tricky. It often goes back to governance; businesses must understand their key suppliers, the cyber risks they pose and how these risks are managed. Boards and employees must also be educated on their roles and responsibilities in relation to supply chain cyber security.”