The research, commissioned by the Department for Science, Innovation and Technology (DSIT), aligns with the Government’s aim to better understand the quality of cyber disclosures in the annual reports of ‘large’ and ‘very large’ UK companies.

It highlights that 77% of large companies include some form of cyber security disclosure in their annual reports, with the highest prevalence in risk management (75%) and governance (52%).

However, the quality of these disclosures remains low. Just 15% of the main research sample (250 companies) met enhanced reporting standards for risk management disclosures.

Cyber security expert Paul Kelly, UK Head of Cyber Services at Azets, suggests this highlights a gap between regulatory requirements and meaningful reporting. He commented:

“It is unsurprising that a high proportion of large companies include some form of cyber security disclosure in their annual reports, given existing laws and regulations such as the Companies Act 2006.

“The disclosure requirements of the UK Corporate Governance Code have driven more widespread reporting, and our research shows that 92% of listed companies provided governance disclosures, compared with 39% of private companies.

“Increasing both the prevalence and quality of cyber security disclosures brings clear benefits. It helps investors, shareholders, and stakeholders understand key cyber security risks and contributes to improved ESG reporting.

“To achieve consistency and encourage businesses to report in a safe and secure way, clear guidance from the UK Government and regulators will be crucial.

“This guidance must strike the right balance – enhancing transparency while ensuring that disclosures do not inadvertently increase the risk of cyber-attacks.”

A full copy of the report is available here: https://www.gov.uk/government/publications/research-on-the-prevalence-and-quality-of-cyber-disclosures