Large companies are more robustly embracing cyber riskdisclosure than smaller corporations, shows a Willis study of dataculled from U.S. public company filings in response to a U.S.Securities and Exchange Commission call for e-exposurereporting.

The Willis-authored report found that in 2013, 22 percent ofFortune 501-1000 companies stayed silent of cyber risk, compared to12 percent of Fortune 500 companies.

According to Willis, the reason behind the divide may be thatsmaller companies see themselves as likely to be overlooked byhackers, or they may lack the time to thoroughly identify theircyber exposures.

“This is concerning because the view that firms may seethemselves as less likely targets of an attack runs contrary to ourexperience, and in fact, many of these firms are sitting at thecenter of the bulls eye,” says Ann Longmore, executive vicepresident of FINEX, Willis North America and a co-author of thereport.

Smaller successful companies aren't oblivious to this moderndanger: 37 percent of Fortune 501-1000 companies say a cyber attackwould adversely impact their business, compared to 30 percent ofFortune 500 companies. Also, more Fortune 501-1000 companies thantheir larger peers say cyber risks pose “significant” liabilitiesto their business.

Mostly, all the companies converged on their top exposures.Sixty-eight percent of Fortune 500 and 61 percent of F501-1000companies named loss of privacy or confidential data as an cyberexposure; 52 percent of Fortune 500 and 48 percent of F501-1000companies put reputational risk at their attention, and 49 percentof both sizes of corporations agreed on malicious acts as a cyberliability.

However, cyber terrorism was only selected by 21 percent ofFortune 500 companies and by 15 percent of F501-1000 companies as atop exposure, which Willis says is “lower than we expected”, giventhe government's attention to them, and their potential adverseeffects on the U.S. economy.

“Action taken at the U.S. federal level clearly shows thatcyber-security disclosure is high on the federal agenda and willcontinue to pose a unique challenge for public companies,” saidChris Keegan, senior vice president, National Resource E&O ande-risk, Willis North America and report co-author. “Governmentauthorities may require companies to step out of their comfort zonefor disclosure in order to bolster IT security for the entire U.S.,opening up greater liability to directors and officers in theprocess,” he said.

The industries more likely to protect against cyber breach withfirewalls, intrusion detection and encryption are the technology,healthcare, professional and financial institution sectors—whichincludes insurance companies, Willis notes.

Financial funds services are the Fortune 1000 corporationsdisclosing the greatest level of insurance bought for cyber risks(33 percent), followed by utilities (15 percent) and the bankingsector and conglomerates (14 percent).

Only 1 percent of either Fortune 500 or Fortune 1000 companiesreported any actual cyber breaches in their disclosure forms.