Willis Report: Some Fortune 1000 Retailers Remain Silent on Cyber
Retail Firms’ 10K Disclosures Detail Key Cyber Exposures
Part of Willis Series Analyzing Cyber Risk Disclosure in Public
NEW YORK, April 23, 2014 – A study of public documents reveals that the retail sector
estimates its cyber exposures at higher levels than its non-retail peers in the U.S.-listed
Fortune 1000; but some retail firms remained silent on the issue of cyber risk altogether,
suggesting a potential shortfall by some firms in assessing cyber threats, according to Willis
Group Holdings plc (NYSE: WSH), the global risk advisor, insurance and reinsurance broker.
Willis Special Report: 10K Disclosures – How Retail Companies Describe Their Cyber Liability
Exposures, published today, examines the cyber risk disclosures made by the retail sector of
the Fortune 1000. The study is part of an ongoing Willis series analyzing how U.S. public
companies are describing their cyber risks in financial documents as required by the U.S.
Securities and Exchange Commission (SEC) since October 2011.
When describing the extent of cyber risk, 57% of retail firms disclosed their cyber exposures as
significant, serious, material or critical, according to the study. However, 9% of the firms did not
disclose any risks related to cyber exposures, a result Willis views as “surprising” given that the retail industry has been the target of many of the highest-profile system breaches to date,
resulting in some of the largest losses, the report said.
Other key findings of the report include:
- The top three cyber risks identified by the retail sector of the Fortune 1000 include:
privacy/loss of confidential data (74%); reputation risk (66%); cyber liability (61%) – a
result Willis described as “expected.” However, cyber risk at the hands of “outsource
vendors” ranked at just 9%, a result Willis said was “surprising” given the level of
outsourcing across the sector and the reliance on third-party technology partners.
- In detailing cyber risk remedies, 49% of the retail companies cited the use of technical
safeguards – more than the Fortune 1000 as a whole (43%). However, 17% of retail companies reported inadequate resources to limit cyber losses, a potential “cause for
concern,” as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.
- 9% of the sector indicated they purchased insurance for cyber exposures. In Willis’s view, the actual rate of cyber insurance may be substantially higher based on additional Willis data obtained in collaboration with insurance underwriters.
- The increasing frequency of “point-of-sale” breaches and “do-not-track” class-action lawsuits
are described as an evolving cyber exposure.
Commenting on the study, Chris Keegan, Senior Vice President, National Resource E&O and e-risk,
Willis North America, and co-author of the report said, “Addressing the evolving set of
cyber threats facing the retail sector must remain a top priority. It is encouraging to see some
retail industry leaders take steps to better prepare for and defend against the increasing wave of
targeted attacks via information sharing arrangements such as the Merchant and Retail Industry
Information Sharing and Analysis Center (ISAC). However, in Willis’s view the sector is slightly
behind the curve in taking these pro-active steps.”
“A series of recent high-profile cyber breaches have pointed a government spotlight at the
sector and Willis expects this scrutiny to continue. Our advice for retailers is: don’t wait for the
SEC to come knocking on your door,” Keegan added.
Ann Longmore, Executive Vice President, FINEX, Willis North America and co-author of the
report said, “The results underscore a potential shortfall by some firms in the retail sector in
assessing cyber threats. In addition to the potential impact a cyber-event could have on their
operations, firms that fail to disclose known cyber risks in their public disclosures could face
additional exposures in the form of Directors & Officers liability suits, should a loss occur,” she
A full copy of the recent report can be downloaded for free here:
Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker.
With roots dating to 1828, Willis operates today on every continent with more than 18,000
employees in over 400 offices. Willis offers its clients superior expertise, teamwork, innovation
and market-leading products and professional services in risk management and transfer. Our
experts rank among the world’s leading authorities on analytics, modelling and mitigation
strategies at the intersection of global commerce and extreme events. Find more information at
our Website, www.Willis.com, our leadership journal, Resilience, or our up-to-the-minute blog on breaking news, WillisWire. Across geographies, industries and specialisms, Willis provides its
local and multinational clients with resilience for a risky world.
# # #