Willis Group Holdings, the global insurance broker, released its proprietary study monitoring how U.S. public companies are responding to the U.S. Securities and Exchange Commission’s (SEC) new guidance on cyber exposure disclosures.
The recent formal guidance from the SEC's Division of Corporate Finance calls on public companies to address their exposure to cyber attacks and disclose how they will respond financially to the potential loss.
In Willis’ view, for the SEC to single out any one area of exposure for specific financial disclosure by public companies is rare, making the formal guidance that public companies provide detailed information about their potential exposure to cyber attacks a major event – and possibly a game changer for some public firms as it impacts how firms view and measure “materiality.” The SEC intended the new disclosures to help investors understand the risk/reward relationship in the enterprises in which they potentially invest. The Commission’s guidance includes a non-exclusive list of specific, detailed elements for cyber exposure disclosure both pre- and post-attack.
Willis is launching its study to coincide with the first round of financial disclosures for accelerated filers, representing roughly 750 firms, including some of the biggest U.S. companies. The study will continue through 2012 and beyond, eventually capturing information from all U.S. public companies with respect to cyber disclosure. The initiative is part of Willis’ strategy to help organizations better understand and evaluate cyber risk, while adding to a firm’s ability to understand where it sits when measured against its peers. In Willis’ view there are real risks to organizations related to cyber exposure and potentially additional risks to directors and officers with this new disclosure guidance. One goal of the Willis study is to help organizations track the emerging disclosure standards being applied.
Willis will monitor key information and data points including:
• How the cyber exposures of each organization are quantified in terms of the impact on the firm’s business and reputation
• Whether new disclosures of past cyber hacking events (possibly due to a broader interpretation of materiality in the SEC’s guidance) are required
• The role of interdependencies among clients, customers and vendors
• The challenges and costs of remediation
• How (and if) relevant insurance coverage is disclosed
The Willis Study will consider the variations in these initial disclosures between all filers as well as between companies in the same industry with similar corporate footprints. In addition, Willis will examine Fortune 500 companies both as a group and across industries as we consider the new disclosures in the energy, financial, health care, hospitality, manufacturing, retail, technology and transportation sectors, along with select subsectors.
Commenting on the survey, Geoffrey K. Allen, Executive Vice President, Cyber Risk and E&O Product Team Leader, FINEX, North America, said, “Willis believes this information – much of it never before disclosed – will yield some very interesting results and be an important guide for companies in assessing their exposures at a macro level. In addition, in the early stages of the development of cyber risk disclosure it is important for companies to understand what their peers are doing so they can be among the best.”
Willis intends to share detailed and sector-related summary report conclusions with clients on a quarterly basis, and will make executive summaries available publicly beginning May 2012. Individual companies will not be identified in the survey results.
Willis’ industry-leading Cyber Practice is supported by 18 professionals across North America. Teams of professionals work with organizations to develop strategic cyber risk management programs, model frequency and severity of privacy loss exposure (together with the relative cost/benefit of retaining or transferring risk to the insurance market using Willis’ proprietary PRISM tool), review and strengthen contracts with service providers and vendors, and work with the insurance marketplace to develop innovative solutions to address the rapidly changing profile of cyber exposures.