Large companies are more robustly embracing cyber risk disclosure than smaller corporations, shows a Willis study of data culled from U.S. public company filings in response to a U.S. Securities and Exchange Commission call for e-exposure reporting.

The Willis-authored report found that in 2013, 22 percent of Fortune 501-1000 companies stayed silent of cyber risk, compared to 12 percent of Fortune 500 companies.

According to Willis, the reason behind the divide may be that smaller companies see themselves as likely to be overlooked by hackers, or they may lack the time to thoroughly identify their cyber exposures.

“This is concerning because the view that firms may see themselves as less likely targets of an attack runs contrary to our experience, and in fact, many of these firms are sitting at the center of the bulls eye,” says Ann Longmore, executive vice president of FINEX, Willis North America and a co-author of the report.

Smaller successful companies aren't oblivious to this modern danger: 37 percent of Fortune 501-1000 companies say a cyber attack would adversely impact their business, compared to 30 percent of Fortune 500 companies. Also, more Fortune 501-1000 companies than their larger peers say cyber risks pose “significant” liabilities to their business.

Mostly, all the companies converged on their top exposures. Sixty-eight percent of Fortune 500 and 61 percent of F501-1000 companies named loss of privacy or confidential data as an cyber exposure; 52 percent of Fortune 500 and 48 percent of F501-1000 companies put reputational risk at their attention, and 49 percent of both sizes of corporations agreed on malicious acts as a cyber liability.

However, cyber terrorism was only selected by 21 percent of Fortune 500 companies and by 15 percent of F501-1000 companies as a top exposure, which Willis says is “lower than we expected”, given the government's attention to them, and their potential adverse effects on the U.S. economy.

“Action taken at the U.S. federal level clearly shows that cyber-security disclosure is high on the federal agenda and will continue to pose a unique challenge for public companies,” said Chris Keegan, senior vice president, National Resource E&O and e-risk, Willis North America and report co-author. “Government authorities may require companies to step out of their comfort zone for disclosure in order to bolster IT security for the entire U.S., opening up greater liability to directors and officers in the process,” he said.

The industries more likely to protect against cyber breach with firewalls, intrusion detection and encryption are the technology, healthcare, professional and financial institution sectors—which includes insurance companies, Willis notes.

Financial funds services are the Fortune 1000 corporations disclosing the greatest level of insurance bought for cyber risks (33 percent), followed by utilities (15 percent) and the banking sector and conglomerates (14 percent).

Only 1 percent of either Fortune 500 or Fortune 1000 companies reported any actual cyber breaches in their disclosure forms.

Special Reports /

Willis: Smaller Companies Staying Silent on Cyber Risk

Related Stories

Recommended For You