© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
December 3, 2012 7:00 pm
Companies are being urged by the government to declare publicly when they have suffered serious cyber attacks, as Whitehall is concerned that businesses are too reticent about such incidents for fear of losing competitiveness.
As the government unveiled details of its strategy to protect the public and private sectors from cyber threats, senior officials said that investors and shareholders must encourage company boards to go public when systems have been attacked or intellectual property lost.
Over the past year, the government has piloted an initiative to share information with industry about the cyber threat. The scheme involves 160 companies across the defence, finance, pharmaceuticals, energy and telecommunications sectors.
However, officials believe that companies need to talk publicly about the damage they have suffered from cyber espionage and crime if internet security standards across the private sector to be raised.
“The government would like to see more disclosure [by companies] because . . . that is helpful in putting out a sense of how much of this is going on, and giving companies something to benchmark themselves against,” said a senior Whitehall official. “If shareholders, analysts, institutions, insurers, get interested in that, too, that all helps the market dynamic, to drive up standards.”
Ministers do not want to make it compulsory for companies to disclose whether they have faced a damaging cyber attack. They fear this would merely create “perverse incentives” for those companies to turn a blind eye to the problem and not go looking for breaches of internet systems.
“We think it’s better to encourage investors, shareholders and insurers to ask for that information,” a senior Whitehall official said. “But we need to make it easier for those people to do that.”
The 2012 PwC information security breaches survey found that 93 per cent of large corporations and 76 per cent of small businesses had suffered a cybersecurity breach in the past year.
However, few companies go public about such attacks. Jonathan Evans, the director-general of MI5, said this year that a state-sponsored cyber attack against the computer systems of a large listed British company cost it £800m in lost potential revenues. He did not identify which company was involved.
To tackle this issue, Francis Maude, the minister for the Cabinet Office who is charged with developing the UK’s cybersecurity strategy, spelt out how the government wants the market to identify and reward good practice.
He said the government wants to work with a range of bodies – such as the Institute of Chartered Secretaries and Administrators, the Audit Committee Institute, the Association of General Counsel, Company Secretaries of the FTSE 100, and the International Corporate Governance Network – to establish cybersecurity as a serious business risk.
“These organisations are in a unique position to influence board room behaviour,” he said. “We will work with them and other risk and audit professionals to ensure the message is getting through.”
Unveiling the latest details of its cyber security strategy, the government also said that the Ministry of Defence will recruit a force of “cyber reservists’’ to bolster Britain’s online defences.
All three military services will bring in additional experts to support their work preventing cyber attacks. Details of the cyber reserve force will be announced by ministers next year.
Copyright The Financial Times Limited 2015. You may share using our article tools.
Please don't cut articles from FT.com and redistribute by email or post to the web.
Sign up for email briefings to stay up to date on topics you are interested in