More than half of Fortune 500 firms disclosing cyber risk vulnerability believe their firms would be seriously harmed by a cyber-attack, but many are still unprepared for one, shows a Willis North America study.

The top three cyber risks identified by the study group are theft of confidential information (65 percent), loss of reputation (50 percent), and direct loss from malicious acts by hackers and viruses (48 percent).

The Securities and Exchange Committee (SEC) guidelines say cyber risk insurance is an appropriate consideration; however, only six percent of those surveyed buy it.

SEC Guidance issued in October 2011 asked U.S. listed companies to provide extensive disclosure on cyber exposures.

“D&O liability risk may be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if peers have provided more detailed disclosure,” said Ann Longmore, executive vice president of FINEX, Willis North America and co-author of the report.

Thirty-eight percent of the Fortune 500 companies – chiefly represented by the energy, insurance, specialty retail, healthcare equipment and aerospace and defense sectors – say a potential cyber event would “adversely” impact the business. Thirty-six percent state their company would face “material harm”, and two percent call their cyber risk “critical”.

Half (52 percent) of these companies have technical safeguards in place to guard against breach, but about as many provided no comment on the state of their cyber risk protection strategy, and 15 percent said that they do not have the resources to protect themselves from critical attacks.

The insurance take-up rate for public companies has previously been found to be higher among wealthy private enterprises: a report by Chubb found that 35 percent of public companies purchase cyber insurance and 71 percent have breach response plans set up.

“Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk,” said Chris Keegan, report co-author and senior vice president of National Resource E&O and e-risk of Willis North America.

“However, we also see some surprising results which suggest some firms may be overlooking critical exposures. For example, only one out of five firms mention cyber-terror (20%) as a factor, despite the heightened emphasis on cyber-terror by the U.S. government. In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors,” he said.

The SEC recommends that cyber risk disclosures include the factors of a firm's business operations that can let cyber risks get through the cracks, as well as their costs and consequences; a list of outsourced functions involving cyber data and how tightly the exchanges are managed; a scan for previously undetected cyber leaks; and a description of any previously disclosed cyber incidents.
