The government last week announced plans for new laws on the disclosure of corporate risk, potentially tying up IT departments in more red tape.
Under proposals for the Operating and Financial Review, which is due to be introduced into company law next year, listed firms would have to publish details in their annual reports of all risks to their business, including those involving IT systems. Failure to comply could lead to unlimited fines.
"There may be sectors where technology is part of the competitive advantage of the business - the technology sector or financial services, for example," said David Phillips, value reporting partner at PricewaterhouseCoopers.
"For banks, if their firewall gets breached and news gets out then that could cause damage to their reputation."
Gavin Houlgate of consultancy KPMG said that risks relating to IT should appear in firms' reports, and companies must therefore have procedures to track their IT systems. "Firms need to have their internal processes right to be able to spot where potential difficulties could come," he said. "That obviously does stretch down to your IT systems."
The proposals are intended to improve the transparency of corporate governance, giving shareholders a better idea of how directors are managing risk.
However, it will be left up to individual directors to decide which risk factors should be mentioned in a firm's annual report.
A consultation process will run until August, and industry body the Accounting Standards Board plans to publish guidance on the proposed law later this year.