There is a gap between awareness and action on cyber risk.
Cyber threats to the security of companies are growing at a dizzying rate, and the question is not whether a hacker will hit a company, but when. The defence consists of governance, communication and training, according to the members of Italian boards of directors sitting on Risk and Audit Committees who took part in a survey carried out by Brunswick in collaboration with Nedcommunity*.
The survey, covering a sample of Italian companies representing 48% of the market value of the FTSE MIB index** and 37% of the market value of all companies listed on the Italian stock market, found a very strong perception that protection against cyber risk is not just a technological issue, but a matter of governance, reputation, communication flows and training.
But there is also a contradiction between this perception, the expectations of board members and the concrete actions taken by companies. "There is a reasonable level of awareness of cyber risk, and of its importance and priority over other corporate risks, both on the part of the committee members and on the part of the boards. However, it emerges that the governance policies implemented by top management to contain corporate risk are considered ineffective, and that therefore there is a gap to be filled between awareness and action", explains Alessandro Iozzia, Head of Office of Brunswick in Italy. He adds that "the same gap is recorded on corporate governance, the role of communication and crisis preparation through reputational assessment and crisis exercises".
Among the factors considered most important for mitigating the risk of cyber attacks are training (score of 3.88/4), computer security (3.82/4) and protecting reputation together with preparing to face a crisis (3.75/4). "These elements are considered, together with information security and the training of people, very important for the mitigation of cyber risk", says Iozzia, "but once again it emerges that companies must, in practice, still go a long way to develop targeted activities in this sense. The survey suggests that we need to move from theory to practice, from awareness to action, quickly". In particular, the three risks the members of the Risk and Audit Committees consider most important for a company are: the overarching cyber risk, reputational risk and financial risk.
Looking at the results, Iozzia explains that: "on the one hand, there is a strong sensitivity on the part of board members to the issue of cybersecurity (71% consider the risk of a cyber attack very high compared to others), to the need for staff training (76% think that it is very important to conduct a cyber-type exercise to test the procedures for responding to a cyber attack and verify the gaps in order to improve internal processes), and unanimous importance is given to communication (88% declare the importance of communication very high, 12% quite important). On the other hand, the concrete evidence of how company boards respond to the issue is still uncertain: only 23% of independent directors assess the board of directors' awareness of the financial, legal and reputational consequences of a cyber attack as very high, while 53% consider it high and 24% low or very low. The degree of effectiveness of cyber risk containment policies is considered very high by only 12% of the sample, while 65% consider it quite high. When asked if a reputational risk assessment has been made, 53% say no, 18% cannot answer and only 29% answer positively".
By contrast, the members of the Risk and Audit Committees consider the assessment of reputational risk in the cyber field very important, as they do communication activities and crisis exercises in the cyber field. Once again it emerges that the road to cyber security is still a long one.
*The Italian association of non-executive and independent directors
** The top four by market value: Eni, Enel, Intesa Sanpaolo and Generali