A majority of the U.S. listed Fortune 500 firms are following the U.S. Securities and Exchange Guidelines by providing some level of disclosure regarding cyber exposures, but disclosure is not universal, an insurance brokerage analysis reveals.
The Willis Fortune 500 Cyber Disclosure Report, 2013, by Willis North America, a unit of Willis Group Holdings, is the result of an effort launched last year to track organizations’ response to SEC Guidance issued in October 2011, asking U.S. listed companies to provide extensive disclosure on their cyber exposures.
The report found that 13 percent of Fortune 500 that filed annual 10-K reports were silent about their cyber disclosures. Another 2 percent didn’t file a 10-K, the Willis report reveals.
“Some companies within particular industries that would seem to have exposures, were silent,” Willis said in a statement released in conjunction with the report, listing an insurance company, a pharmaceutical company, a restaurant chain and a health care firm—”all of which would seem to have some level of cyber risk when compared to the disclosures of their peers.”
The report does not reveal the identities of these companies.
Responding to a question about insurance company disclosures in an e-mail to Carrier Management, Ann Longmore, executive vice president, FINEX, Willis North America and co-author of the report, said, “I wouldn’t say that insurance carriers as a group provided less information, but that some definitely surprised us.”
For an insurance buying and risk management perspective, Longmore noted that insurers are actually “highly attuned” to their cyber exposures.
Longmore also said that Willis is in the midst of analyzing the Fortune 1000, and as part of that analysis, will be providing more detail on separate industry groups, including insurers and other financial institutions.
Overall, the Fortune 500 report reveals that 95 percent of the companies that did provide cyber risk disclosures in their SEC filings were specific as to the type of risk. Breaking down the risks they specified, Willis said the top three identified were:
- Loss of theft of confidential information, disclosed by 65 percent of the 500 public companies
- Loss of reputation, disclosed by 50 percent
- Direct loss from malicious acts, such as hacks, by 48 percent
Commenting on the risks specified, Co-Author Chris Keegan, senior vice president, National Resource E&O and e-risk, said there were some surprising results here as well, noting that the disclosures suggest to Willis that some firms may be overlooking critical exposures, such as cyber-terror and outsourced vendor risk.
Only one-in-five firms, 20 percent, mention cyber-terror as a factor, despite the heightened emphasis on cyber-terror by the U.S. government, Keegan said. In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors.
“This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors,” Keegan said in a statement about the report.
In a complete ranking of reported exposures (beyond the top 3 listed above), outsourced vendors came in at No. 10, with only 57 of 500 companies citing this as a potential issue in their filing disclosures.
Ranked even lower, at No. 11, is social media risk, with only 9 out of 500 mentioned this cyber risk issue.
Six companies reported actual cyber events in their disclosures.
The report also provides a breakdown of how firms characterized the extent of impact to their companies from a cyber event in their disclosure information, revealing that some 38 percent said an event might “impact” or “adversely impact” the business. Another 36 percent said they could face “material harm” from a cyber attack, and 8 percent described their potential risk as “critical.”
The accompanying pie chart summarizes these and the remaining disclosures regarding potential impact.
The report includes a chart summarizing the average number of the top 10 exposures cited by different industry groups. The financial services industry, which includes insurers, had the most specific disclosures in this regard, with FI firms disclosing seven of the top-10 risks, on average.
When it comes to protection against cyber risk, only 6 percent of all Fortune 500 companies mentioned that they purchased insurance to cover cyber risks “even though recent market surveys are showing significantly higher take up rates for cyber insurance among public companies,” Keegan said.