Research on cyber security disclosures in company annual reports
Published 23 February 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/research-on-cyber-security-disclosures-in-company-annual-reports/research-on-cyber-security-disclosures-in-company-annual-reports
1. Summary
The Department for Science, Innovation and Technology (DSIT) has commissioned Azets to carry out research into the prevalence and quality of cyber disclosures. The fieldwork will take place over telephone and online from February 2023 to March 2023. During this period some organisations will be contacted by Azets from their Edinburgh office (an 0131 number) or Glasgow office (an 0141 number) inviting them to take part. You may also receive an email to let you know Azets called and inviting you to reply. You may be offered the option of completing the interview online, and if so, you will receive the survey link via email from Azets: cyberdisclosures.research@azets.co.uk
Taking part is completely confidential and voluntary for all individuals and organisations. The interview is not technical and participants do not need any specific IT knowledge.
For more information, please see the document above.
2. Context
One of the barriers to companies enhancing their cyber resilience is the lack of accountability and transparency to key stakeholders. One way in which we plan to address this issue is through the introduction of the Resilience Statement. This policy was proposed as part of the Department for Business and Trade’s wider reform of audit and corporate reporting and formed part of their public consultation on audit and corporate governance (p.48). The Resilience Statement will be a statement that forms part of a company’s annual report and will set out how a company is managing risk and building or maintaining business resilience over the short, medium and long-term. It will apply to all UK listed and private companies with 750 employees or more and £750m turnover or more. This includes companies traded on the Alternative Investment Market but not Limited Liability Partnerships, nor Public Bodies.
This research will support DSIT’ aim to better understand the effectiveness of current cyber disclosures by large organisations. The results of the research may be used to inform the supporting guidance for the cyber related aspect of the Resilience Statement, as well as informing wider government policy on cyber resilience. This will support the government’s work with industry and charities to make the UK the safest place to live and work online.
3. Who will take part?
A sample of UK listed and private companies with 750 employees or more and £750m turnover or more. This may include companies traded on the Alternative Investment Market but not Limited Liability Partnerships, nor Public Bodies.
If you have any other questions, please feel free to contact evidence@dcms.gov.uk