Only 5 percent of large U.K. companies say their boards include directors with expertise in information technology or cyber security, even though the vast majority identify hacking and other digital threats as serious risks, a report showed.

In the event of a cyber attack, more than half of companies in the FTSE 100 stock index cited contingency, crisis management, or disaster-recovery plans in their annual reports, according to the survey, published Monday by consulting firm Deloitte LLP. Yet many companies lack board-level skills to deal with such crises or are paying insufficient attention to the risks, the firm said.

“With the pervasive nature of technology and the focus on cyber risk it is alarming that only one in 20 boards disclose that they currently have board members with specialist technology or cyber background,” said Phill Everson, head of cyber risk services at Deloitte.

Deloitte’s analysis of U.K. companies’ disclosure on digital security follows high-profile data breaches at companies ranging from Sony Corp. to Yahoo Inc., as well as the Democratic Party in the U.S. Eighty-seven percent of FTSE 100 companies identified cyber attacks as a “principal” risk, Deloitte said.

More than half of companies disclosed business disruption and reputational damage as potential risks from security breakdowns. While U.S. intelligence officials have accused Russian cyber warriors of infiltrating the Democrats’ computer systems, Deloitte says the most common cause of company data breaches are a firm’s own employees.