Companies in the retail sector estimate that their cyber exposures are greater than those of their non-retail peers listed in the Fortune 1000, according to recent research. However, some retailers have remained silent on the issue of cyber risk altogether, suggesting that there may be a shortfall in assessing cyber threats in the retail industry.
As part of an ongoing effort to examine cyber risk in the retail sector, Willis published its recent report, “How Retail Companies Describe their Cyber Liability Exposures,” which details cyber risk disclosures made by the retail sector of the Fortune 1000.
The study, which is part of an ongoing analysis of financial documents for major retailers, revealed that 57% of retail firms disclosed their cyber exposures as significant, serious, material or crucial. At the same time, 9% of the firms did not disclose any risks related to cyber exposures, a result that Willis views as “surprising,” given that the retail industry has been the target of some of the highest profile system breaches in recent years, resulting in many of the largest losses.
“The results underscore a potential shortfall by some firms in the retail sector in assessing cyber threats,” said Ann Longmore, executive vice president of FINEX, Willis North America and co-author of the report. “In addition to the potential impact a cyber-event could have on their operations, firms that fail to disclose known cyber risks in their public disclosures could face additional exposures in the form of Directors & Officers liability suits, should a loss occur.”
According to Willis’ findings, the top three cyber risks identified in the retail sector are privacy and loss of confidential data (74%), reputation risk (66%) and cyber liability (61%). However, cyber risk at the hands of “outsource vendors” was a concern for only 9%. Given the level of outsourcing across the sector and an overall dependence on third-party technology partners, this result is surprising.
On combatting cyber risks, the survey revealed that almost half of the respondents cited the use of technical safeguards, a greater share than in the rest of the Fortune 1000. Despite this, 17% of retail companies reported inadequate resources to limit cyber losses. This is a potential cause for concern, Willis suggests, as technical protections may not be able to effectively contain the effects of some cyber or technological events. Similarly, only 9% of the sector indicated they have purchased insurance for cyber exposures.
“Addressing the evolving set of cyber threats facing the retail sector must remain a top priority. It is encouraging to see some retail industry leaders take steps to better prepare for and defend themselves against the increasing wave of targeted attacks via information sharing arrangements,” said Chris Keegan, senior vice president of National Resource E&O for Willis.
At the same time, however, Keegan indicates that there is room for improvement.
“In Willis’ view, the sector is slightly behind the curve in taking proactive steps,” he said. “A series of recent high-profile cyber breaches have pointed a government spotlight at the sector and Willis expects this scrutiny to continue. Our advice for retailers is: don’t wait for the SEC to come knocking on your door.”
Willis’ Special Report, “10K Disclosures – How Retail Companies Describe their Cyber Liability Exposures” is part of an ongoing Willis series analyzing how U.S. public companies describe their cyber risks in financial documents required by the U.S. Securities & Exchange Commission since October 2011.