In a multiregional survey by KPMG, the Cayman Islands indicated the least preparation among 28 countries against cybersecurity threats. Analysis found no publicly traded company in the islands had mentioned cybersecurity in their annual reports.
“This result is surprising,” the KPMG survey says.
Cayman Islands businesses performed the worst in the assessment of 800 companies across the Caribbean, the Mediterranean and Europe. A quarter of companies in the global survey dedicated at least a paragraph to cybersecurity in their annual reports, compared to none of six companies surveyed in Cayman.
KPMG cyber security principal Micho Schumann said the data on Cayman was limited due to the study’s requirements. The report only analyzed companies with headquarters in Cayman that are publicly traded and that release an annual report. Only six businesses met all three criteria.
Mr. Schumann said annual reports are a good indicator of how seriously businesses approach cybersecurity. Such reports send a message to shareholders about the company’s priorities.
Given high profile cases of ransomware and hacking, Mr. Schumann said businesses that have formed cybersecurity plans are likely to publicize their efforts in order to assuage the concerns of stakeholders.
“The annual reports are management’s letter to shareholders. We’re seeing a trend in the U.S. and Europe where it’s being mentioned because stakeholders are asking to know about cyber security,” he said.
In the Caribbean, however, he said companies are not yet moving in the same direction and many boardrooms have not publicly acknowledged the issue.
The Cayman Islands fared worse than other Caribbean nations in the survey. In both Barbados and Trinidad and Tobago, 11 percent of companies had mentioned cybersecurity in their annual reports.
Overall, the survey found poor results across regions.
Western Europe provided the best results of regions surveyed, with 39 percent of companies mentioning cybersecurity in their annual reports. The Caribbean was the lowest-performing region with 11 percent.
KPMG said it had been “mild” in its overall analysis of risk management efforts.
“Note that we have been mild by not reviewing whether each company covered threats, risks, countermeasures and risk appetite. The results would have been worse. We have only considered boardroom responsibility for cyber risk if it is explicitly addressed in the annual report,” the study says.
The report determined 56 percent of companies paid insufficient attention to cybersecurity. Less than 20 percent of companies surveyed considered cyber risks a boardroom responsibility.
Ton Diemont, senior manager with KPMG Netherlands, encouraged boardrooms to take a more active approach to prevent cybercrimes like ransomware attacks.
“The boardroom is responsible for cyber risk. Companies have to have a top risk assessment approach to address information security and cyber risk. Cybersecurity is a first line of defense responsibility, supported by the second line which is risk management and the third line which is audit,” he said.