FTSE 100 Retailers showing signs of cyber security apathy, despite growing risks
Law firm’s research points to retailers being ill-prepared for dangers of AI
New research suggests that some of the UK’s largest retailers might need to urgently step up their activity in relation to tackling cyber security.
The Beyond Words study by law firm Irwin Mitchell has analysed the latest Annual Reports of the largest and highest profile retailers in the UK and discovered those in the FTSE 100 on average refer to ‘cyber security’ 12.5 times. This compares to 19.7 mentions per report across the entire FTSE 100.
The sector didn’t perform any better when retailers across the FTSE 350* were assessed. Here the average score relating to cyber security mentions was 12.4.
The study also compared the most recent annual reports with the previous editions and found that the number of references was 6.5% lower in the latest versions amongst FTSE 350 retailers. This compares to Leisure & hospitality where businesses operating in this sector increased cyber security related mentions by 27.6% to an average of 19.8 per report.
The findings follow high profile cyber security breaches last year on WH Smith and JD Sports. In the case of JD Sports, the business said the attack could have put data relating to 10 million customers at risk.
Irwin Mitchell’s concerns are backed up by the latest statistics from the Information Commissioner’s Office (ICO).Their data security incident trends dashboard shows that retailers and manufacturers experienced more cyber incidents affecting over 100,000 data subjects in the first three quarters of 2023 than in the whole of 2022.
Commenting on the findings, Graham Thomson, chief information security officer at Irwin Mitchell, said:
“Our analysis in relation to retail is a red flag for the sector and particularly worrying as they are at a higher risk of cyber-attack due to the large amount of data that they hold on their customers. Although these figures relate to FTSE-listed retailers, these organisations represent a significant proportion of the high street in the UK and it’s vital that they take a lead for smaller operators.
“In 2024, the primary cyber security risk stems from the escalating sophistication of AI-aided attacks. Generative AI tools are being weaponised to improve phishing scams – which has been the biggest cyber-threat for some years and remains so.
“The misuse of AI in cybercrime is growing, and we can expect more businesses to fall victim to these attacks. Cybercriminals are utilising AI to create more convincing scams in any language and generate realistic fake voices and videos. The simplicity and lucrative nature of these attacks mean they’re likely to increase.”
Cyber security was just one area of investigation by Irwin Mitchell in this study. Beyond Words also examined other areas of ESG**, including climate change and diversity & inclusion.
In relation to the environment, the data pointed to more positive news for the sector. References to ‘Scope 3 emissions’, the category of greenhouse gas emissions that are indirect discharges resulting from the activities of an organisation but occur from sources that it doesn’t own or control, increased year-on-year in retail’s FTSE 350 by over 70%.
The retail sector in the FTSE 100 performed similarly to the rest of the UK’s largest companies. The average number of mentions of scope 3 per report in the FTSE 100 was 21.7 whilst the figure for retail it was marginally lower at 20.4.
* Environmental, Social & Regulation
** The FTSE 350 is the 350 largest companies by market capitalisation on the London Stock Exchange. It consists of the FTSE 100 and FTSE 250
