A majority of the U.S. listed Fortune 500 firms are following the U.S. Securities and Exchange Guidelines by providing some level of disclosure regarding cyber exposures, with more than half indicating their firms would face "serious harm" or be "adversely impacted" due to a cyber-attack, according to a recent report by Willis North America, a unit of Willis Group Holdings, a leading global risk advisor, insurance and reinsurance broker.
The Willis Fortune 500 Cyber Disclosure Report, 2013, published today, are the results of an effort launched last year to track organizations' response to SEC Guidance issued in October 2011, asking U.S. listed companies to provide extensive disclosure on their cyber exposures.
The report found that 88% of the Fortune 500 are following SEC Guidelines as of April 2013 and providing "some level" of disclosure regarding cyber exposures. However, some companies within particular industries that would seem to have exposures, were silent, Willis said. Among those silent were: an insurance company, a pharmaceutical company, a restaurant chain and a health care firm - "all of which would seem to have some level of cyber risk when compared to the disclosures of their peers," the report said.
The top three cyber risks identified by the Fortune 500 include:
- Loss of theft of confidential information (65%)
- Loss of reputation (50%)
- Direct loss from malicious acts (hackers, virus) (48% )
Commenting on the survey, Chris Keegan, Senior Vice President, National Resource E&O and e-risk, Willis North America and co-author of the report, said "Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk."
"However, we also see some surprising results which suggests some firms may be overlooking critical exposures," Keegan said. "For example, only one out of five firms mention cyber-terror (20%) as a factor, despite the heightened emphasis on cyber-terror by the U.S. government. In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day to day practice given the high frequency of cyber events stemming from outsourced vendors," he said.
When it comes to protection against cyber risk, only 6% of companies mentioned that they purchased insurance to cover cyber risks "even though recent market surveys are showing significantly higher take up rates for cyber insurance among public companies," Keegan said. Meanwhile 52% of firms referred to technical solutions they have in place, but a significant number (15%) also indicated they do not have the resources to protect themselves against critical attacks, the report said.
Ann Longmore, Executive Vice President, FINEX, Willis North America and co-author of the report cautions about the other potential impacts of cyber risk, particularly on Directors and Officers Liability. "D&O liability risk may be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if peers have provided more detailed disclosure," she said.