More than half of Fortune 500 firms disclosing cyber risk vulnerability believe their firms would be seriously harmed by a cyber attack, but many are still unprepared for one, shows a Willis North America study.

The top three cyber risks identified by the study group are theft of confidential information (65%), loss of reputation (50%) and direct loss from malicious acts by hackers and viruses (48%).

The Securities and Exchange Commission guidelines say cyber risk insurance is an appropriate consideration; however, only 6% of those surveyed buy it.

SEC Guidance issued in October 2011 asked U.S. listed companies to provide extensive disclosure on cyber exposures.

“D&O liability risk may be heightened for companies that experience cyber breaches if cyber-risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if peers have provided more detailed disclosure,” said Ann Longmore, executive vice president of FINEX, Willis North America and co-author of the report.

Thirty-eight percent of the Fortune 500 companies–chiefly represented by the energy, insurance, specialty retail, healthcare equipment and aerospace and defense sectors–say a potential cyber event would “adversely” impact the business. Thirty-six percent state their company would face “material harm”, and two percent call their cyber risk “critical”.

Half (52%) of these companies have technical safeguards in place to guard against breach, but about as many provided no comment on the state of their cyber risk protection strategy, and 15% said that they do not have the resources to protect themselves from critical attacks.

The insurance take-up rate for public companies has previously been found to be higher among wealthy private enterprises: a report by Chubb found that 35% of public companies purchase cyber insurance and 71% have breach response plans set up.

“Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk,” said Chris Keegan, report co-author and senior vice president of National Resource E&O and e-risk of Willis North America.

“However, we also see some surprising results which suggest some firms may be overlooking critical exposures. For example, only one out of five firms mention cyber terror (20%) as a factor, despite the heightened emphasis on cyber-terror by the U.S. government. In addition, only one out of 10 firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors,” he said.

The SEC recommends that cyber risk disclosures include the factors of a firm's business operations that can let cyber risks get through the cracks, as well as their costs and consequences; a list of outsourced functions involving cyber data and how tightly the exchanges are managed; a scan for previously undetected cyber leaks; and a description of any previously disclosed cyber incidents.

This article was originally posted at PropertyCasualty360.com, a sister site of Credit Union Times.
