Willis Report: Among Fortune 1000, Many Public Companies Remain Silent on Cyber Risk
Health Care, Technology & Insurance Companies Top List of Industry Groups Most Concerned About Cyber Threats
NEW YORK, September 3, 2013 – Fortune 1,000 firms in the health care, technology and insurance sectors
top the list of industry groups most concerned about cyber threats, according to a recent report
by Willis North America, a unit of Willis Group Holdings (NYSE: WSH), the global risk advisor,
insurance and reinsurance broker.
The Willis Fortune 1000 Cyber Disclosure Report, 2013, published today, is the second in a series
of reports examining U.S. public companies' filings in response to U.S. Securities and Exchange Commission guidance
issued in 2011, asking U.S. listed firms to provide extensive disclosures on their cyber exposures. For
this report, Willis expanded the scope of the review to a wider pool of companies, focusing
on the Fortune 1,000 while examining the responses of various industry groups.
The report found that among the Fortune 501-1,000, 22% remained silent on cyber risk, a “significant” increase
compared to 12% of the Fortune 500 firms that remained silent in their disclosures, Willis said.
“The reason for this may be as companies get smaller, they see themselves as less likely
targets of an attack, or it may be that smaller companies needed more time to identify
their cyber exposures,” the report said.
Commenting on the firms that remained silent, Ann Longmore, Executive Vice President, FINEX, Willis North America and
co-author of the report, cautions, “This is concerning because the view that firms may see themselves
as less likely targets of an attack runs contrary to our experience, and in fact, many
of these firms are sitting at the center of the bull's-eye.”
The report also divided the Fortune 1,000 into 20 industry groups to compare the disclosures of each
risk, weighing the scope of the risk; how the exposure would manifest; and what protections were
being employed to mitigate the risk. With respect to “perceived risk,” the report found that health
care is the industry most concerned about cyber risk, closely followed by technology, insurance, telecom, life
science and retail sectors. Meanwhile, real estate, financial services funds, conglomerates, and the energy and mining
sectors expressed the least concern for cyber risk.
Other key findings include:
The top three cyber risks identified by the Fortune 1,000 include: privacy/loss of confidential data, reputation
risk and malicious acts.
Cyber terrorism and intellectual property risks ranked lower than expected among the Fortune 1,000 given the
focus of the federal government on these areas of risk and their importance to the health
of the U.S. economy overall, the report said.
When describing the “extent” of cyber risk exposures, financial institutions and technology companies rise to the
top of the list disclosing distinct cyber exposures. Meanwhile, firms in the energy and utility sector
report the fewest distinct exposures.
In evaluating loss control measures, the industry groups that disclosed the greatest number of technical protections
against cyber risk, including firewalls, intrusion detection, and encryption, include the technology, health care, professional services
and financial institution sectors. Within financial services firms, insurance companies refer to technical risk protection 63%
of the time.
With respect to cyber insurance protection, the funds sector (33%) followed by utilities (15%), the banking
sector and conglomerates (14%) reported the greatest levels of insurance. Insurance and technology sectors both disclosed
the purchase of insurance coverage at the 11% level. However, the report indicated that many companies
may be under-reporting the level of cyber insurance coverage based on Willis data and other industry
data indicating higher take-up rates, particularly for the health care sector.
The disclosure of actual cyber events remains at 1%, a seemingly low number given the number
of attacks that appear in the press on a regular basis, the report said.
“Action taken at the U.S. federal level clearly shows that cyber-security disclosure is high on the federal
agenda and will continue to pose a unique challenge for public companies,” said Chris Keegan, Senior
Vice President, National Resource E&O and e-risk, Willis North America and co-author of the report. “Government
authorities may require companies to step out of their comfort zone for disclosure in order to
bolster IT security for the entire U.S., opening up greater liability to directors and officers in
the process,” he said.
Willis’ unique study also features examples of cyber disclosures to demonstrate both the level of detail, and
lack of detail supplied to the SEC; tracks actions by the U.S. Federal Government to stem
rising cyber exposures; and features expert commentary by Willis’ leading cyber and executive risk professionals.
The study is on-going and the next issue will feature separate, in-depth industry reports on unique cyber
disclosures of the Fortune 1,000 subgroupings. An upcoming webinar series, which starts this month, will present
the survey results in more detail and consider the impact both on Directors and Officers and
Cyber liability insurance.
A full copy of the Willis Fortune 1000 Cyber Disclosure Report, 2013 can be downloaded for free
Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker. With roots dating
to 1828, Willis operates today on every continent with more than 17,000 employees in over 400
offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional services in
risk management and transfer. Our experts rank among the world’s leading authorities on analytics, modelling and
mitigation strategies at the intersection of global commerce and extreme events. Find more information at our
website, www.willis.com, our leadership journal, Resilience, or our up-to-the-minute blog on breaking news, WillisWire. Across geographies, industries and specialisms, Willis provides its local and multinational clients with resilience for
a risky world.
# # #