Over a third of Fortune 500 companies said their exposure to cyber-risk was “material” or “serious,” according to a report released Monday by Willis Group, a global risk advisor, insurance and reinsurance broker. Two percent of firms called their level of risk “critical,” suggesting a breach could threaten the company’s continued operations.
In October 2011, the Securities and Exchange Commission issued guidance on disclosing cybersecurity risks and incidents at public companies. The SEC noted that while there is no existing disclosure requirement that explicitly refers to cybersecurity risks and incidents, other “disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”
Willis Group examined 10-K forms submitted to the SEC by Fortune 500 companies for the report.
Willis found that as of April 2013, 85% of Fortune 500 companies were providing some level of disclosure to the SEC. However, nearly 40% didn’t elaborate on the size of their exposure to risk, or said only that a cyber-event would have an impact on the company without describing what that impact might be.
The most commonly reported type of cyber-risk was a loss of confidential information, cited by nearly two-thirds of companies. Over half said they could suffer a hit to their reputation, and half said there was a risk of loss from malicious acts by hackers or viruses.