The Government has released the findings from its 2017 review of the FTSE 350's cyber governance.

This is the 4th year that this report has been carried out, and there are some interesting trends appearing.

  •  57% of respondents said that they have a clear understanding of the potential impact of loss of, or disruption to, key information (the first time this has happened, and up from a low of around 40% in 2014)
  •  53% of respondents said that their Board explicitly sets the appetite for cyber risk (up from around 17% in 2013)
  • the largest proportion (50%) of respondents said that their Board reviews and challenges reports on security of customer data (the first time this has happened)
  •  those reporting cyber risk as a 'low or operational risk' is now less than 15% (compared with 39% in 2014)
  •  33% of respondents say that their business makes investment decisions on their cyber security at Board level (compared with 8% in 2014)
  • around 70% of respondents said that their Board has not received training as to how to deal with a cyber incident in their business.
  • 10% of respondents don't have a plan in place to respond to a cyber incident
  •  only 6% of respondents said that they are completely prepared for GDPR
  •  the two main concerns around GDPR are on the right of the data subject to request their data is deleted, and the tightening up of consent requirements.


The GDPR figures are interesting and perhaps don't tell the whole story - the majority of respondents (around 70%) said that they are "somewhat prepared" which could cover a whole range of approaches including those currently undertaking business reviews and compliance projects, or those quite far down the track who are waiting for further guidance on specific changes or compliance issues.  Still with just 9 months to go until the rule changes come into force, this is not something to be distracted from.  

Whichever statistic you wish to focus on, this report does highlight the growing upwards trend in the importance of both cyber security and data protection at Board level.