More than half of the Fortune 500 firms that disclose cyber risk vulnerability believe they would be seriously harmed by a cyber-attack, yet many remain unprepared for one, according to a Willis North America study.
The top three cyber risks identified by the study group are theft of confidential information (65 percent), loss of reputation (50 percent), and direct loss from malicious acts by hackers and viruses (48 percent).
Securities and Exchange Commission guidelines say cyber risk insurance is an appropriate consideration; however, only six percent of those surveyed buy it.
SEC guidance issued in October 2011 asked U.S. listed companies to provide extensive disclosure on cyber exposures.
“D&O liability risk may be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if peers have provided more detailed disclosure,” said Ann Longmore, executive vice president of FINEX, Willis North America, and co-author of the report.
Thirty-eight percent of the Fortune 500 companies--chiefly represented by the energy, insurance, specialty retail, healthcare equipment and aerospace and defense sectors--say a potential cyber event would “adversely” impact the business. Thirty-six percent state their company would face “material harm”, and two percent call their cyber risk “critical”.
Half (52 percent) of these companies have technical safeguards in place to guard against a breach, but about as many provided no comment on the state of their cyber risk protection strategy, and 15 percent said that they do not have the resources to protect themselves from critical attacks.
The insurance take-up rate for public companies has previously been found to be higher among wealthy private enterprises: a report by Chubb found that 35 percent of public companies purchase cyber insurance and 71 percent have breach response plans in place.
"Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk," said Chris Keegan, report co-author and senior vice president of National Resource E&O and e-risk of Willis North America.
"However, we also see some surprising results which suggest some firms may be overlooking critical exposures. For example, only one out of five firms mention cyber-terror (20%) as a factor, despite the heightened emphasis on cyber-terror by the U.S. government. In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors," he said.
The SEC recommends that cyber risk disclosures include the aspects of a firm’s business operations that give rise to material cyber risks, together with their costs and consequences; a list of outsourced functions that involve cyber data and how tightly those data exchanges are controlled; a scan for previously undetected cyber leaks; and a description of any previously disclosed cyber incidents.
For previous coverage of this topic, see Disconnect on Cost of Cyberattacks.