June 11, 2013

Third of Fortune 500 Companies Have ‘Material’ Cyber-Risk

Loss of confidential information most common type of risk

Over a third of Fortune 500 companies said their exposure to cyber-risk was “material” or “serious,” according to a report released Monday by Willis Group, a global risk advisor, insurance and reinsurance broker. Two percent of firms called their level of risk “critical,” suggesting a breach could threaten the company’s continued operations.

In October 2011, the Securities and Exchange Commission issued guidance on disclosing cybersecurity risks and incidents at public companies. The SEC noted that while there is no existing disclosure requirement that explicitly refers to cybersecurity risks and incidents, other “disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”

Willis Group examined 10-K forms submitted to the SEC by Fortune 500 companies for the report.

Willis found that as of April 2013, 85% of Fortune 500 companies were providing some level of disclosure to the SEC. However, nearly 40% didn’t elaborate on the size of their exposure to risk, or said only that a cyber-event would have an impact on the company without describing what that impact might be.

The most common type of cyber-risk was a loss of confidential information, reported by nearly two-thirds of companies. Over half said they could suffer a hit to their reputation, and half said there was a risk of loss from malicious acts by hackers or viruses.

Six percent of firms said on their 10-K that they purchased insurance to cover cyber events, but other research by Willis’ cyber and E&O team has found more than 50% of large public companies in some sectors purchase cyber insurance. Financial, media, utility and energy companies were most likely to purchase insurance.

Furthermore, 15% of firms don’t have the resources to protect themselves if they are attacked, the report found.

Although the SEC requested specific information in its guidance, many companies didn’t provide it, according to Willis. For example, none of the firms provided the potential or actual cost of cyber events. Only 1% of firms reported an actual cyber event.
