Failure to identify and manage risk properly can have a negative impact both on the operational success of an organisation and on a successful business sale.
In a highly digitally connected world, it is no surprise that cyber security is consistently listed as one of the top risks today. UK Government research in 2022 found that around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, and 72% of those in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. It does make me wonder about the other 18% and 28% respectively who do not see this even as a ‘fairly high’ priority.
At UHY we see cyber security risks in the risk assessment work we carry out for clients; we experience this as clients come under cyber-attack (39% of UK businesses experienced a cyber-attack in 2022); we observe an increasing amount of fraud arising from cyber-crime in the marketplace (the average attack in the UK in 2022 cost £4,200, noting that not every attack results in a negative outcome); and increasingly it is a key issue in due diligence.
The UK Government’s guidance “10 Steps to Cyber Security” breaks down the task of protecting an organisation into 10 key components:
- Risk management
- Engagement and training
- Asset management
- Architecture and configuration
- Vulnerability management
- Identity and access management
- Data security
- Logging and monitoring
- Incident management
- Supply chain security
If you are not already identifying and managing cyber security risk, the Guidance is a helpful start. While it is aimed at medium and large organisations, the principles are applicable to all organisations.
Despite cyber security being a major risk, research has found, for example:
- only 54% of UK businesses have acted in the past 12 months to identify cyber security risks;
- limited board understanding means the risk was often passed on to outsourced cyber providers, insurance companies, or an internal cyber colleague;
- only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process; and
- incident management policy was limited, with only 19% of businesses having a formal incident response plan and only 39% having assigned roles should an incident occur.
As well as working with external cyber security providers, organisations are likely to engage with insurers, and 43% of businesses now have an insurance policy that they believe will cover cyber risks. On the other hand, only 6% of businesses, including UHY Hacker Young, have the Cyber Essentials certification and 1% have Cyber Essentials Plus, which is largely due to relatively low awareness.
Part of the Corporate Finance function at UHY Hacker Young is to provide risk assessment and management support not only for ongoing operational benefit but increasingly to ensure risk is properly managed for prospective business investors. Cyber security is only one of those potential risks.
The next step
If you have any further questions regarding this blog, please contact Michael Fitch.