Cyber security is a strategic risk for every organisation. No organisation can operate without IT, and many companies are digitising their existing business model. Consequently, the topic should be on every board’s agenda. We see that more and more boards are regularly discussing cyber security.

Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in cyber security. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks. Value chain partners expect a trustworthy and transparent approach to risks. Customers expect that services should be available and data protected when it is being stored or processed by reputable organisations. The annual report provides an opportunity for organisations to inform the public and other stakeholders about the cyber security risks that the organisation encounters and the measures it takes to protect against them.

During our assessment of the annual reports, different elements of cyber security reporting were reviewed:

• The depth and extent of addressing cyber security.
• Cyber security topics that were mentioned.
• Whether the board explicitly accepts ultimate responsibility for cyber security risks.

We have not reviewed whether companies have actually devoted attention to threats, risks, countermeasures and risk appetite. Our research results would most likely have presented a more negative picture if we had considered whether the companies surveyed took action on all these issues.

The headline figures for the main results of KPMG Cyber’s research into cyber security reporting in the annual reports of 800 companies across 28 countries are:

• 56% of the companies surveyed pay insufficient attention to cyber security.
• Only a quarter of the companies dedicate at least a paragraph to cyber security in their annual reports.
• Less than 20% of companies consider cyber risks a boardroom responsibility.

The study provides an overview below of the following topics: responsibility assumed at boardroom level for cyber security risks, differences between regions (Western Europe, Northern Europe, Eastern Europe, Mediterranean and Caribbean), a comparison of different industries and the cyber security topics that are discussed in the annual reports.

The results of the study position Eastern Europe behind the average:

• 12% of the companies surveyed dedicated at least a paragraph to cyber security in their annual reports.
• 77% did not mentioned cyber security risks at all in their annual reports.
• 3% of companies consider cyber risks to be a boardroom responsibility.

Few Romanian organizations dedicate space to cyber security in their annual reports. Furthermore they dedicate even less space than their counterparts in other Eastern Europe countries and in many other geographical areas.

“Traditionally, in Romania, cyber security has not been a proactive focus for most organizations. Instead business have tended to be compliance driven, with the process being managed by Security Officers or IT Managers. In the last few years, however, we have noted that this approach has started to change. More proactive cyber security processes have been adopted, while top management has started to become involved,” comments Richard Perrin, Head of Advisory, KPMG in Romania.

“We know that organizations from several industries carry out cyber security projects but have not mentioned these in their annual reports. Are Cyber activities not being made public for fear of a perception that the existence of cyber security related processes might create the impression that there is a security issue or does this lack of reporting simply reveal how cyber is still perceived at Board level in Romania? Is this mostly considered as a technical issue which needs to be managed by technical people?” asks Gabriel Mihai Tanase, KPMG Director responsible for Cyber services.

Please see full results of our study at 

Global overview: http://www.kpmgcyberbenchmark.com/global 

Romania details: http://www.kpmgcyberbenchmark.com/romania