Most Fortune 500 companies concerned about cyber risks: Survey
A majority of Fortune 500 companies said cyber risks pose “serious harm” or would “adversely impact” their business, according to a new report released Monday by Willis North America Inc.
The study, “Willis Fortune 500 Cyber Disclosure Report,” reviewed each 10-K filed by Fortune 500 firms with the U.S. Securities and Exchange Commission, tracking the organizations' responses to the SEC's guidance and disclosure requirements on cyber exposures.
As of April, 85% of Fortune 500 companies are following the SEC guidelines, providing some level of disclosure regarding cyber risks, the unit of London-based Willis Group Holdings P.L.C. said in the report.
According to the study, 180 companies, or 36% of the Fortune 500, disclosed that a cyber attack may cause “material harm” to the business. Thirty-eight percent of companies said a potential cyber event might “impact” or “adversely impact” business, according to the study.
Only 2%, or 12 companies out of 500, used a stronger term, such as “critical,” to describe their cyber risks, while 13% of companies were silent on the issue.
Fortune 500 companies identified loss or theft of confidential information, loss of reputation and direct loss from malicious acts as the top three cyber risks, at 65%, 50% and 48%, respectively.
“Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk,” said Chris Keegan, senior vice president of national resource errors and omissions and e-risk at Willis North America, in a statement accompanying the report.
Still, some firms may be overlooking critical exposures related to cyber risks, he said.
One out of five firms describes cyber terror as a risk factor despite the heightened emphasis on cyber terror by federal authorities, but only one out of 10 companies detailed cyber threats caused by outsourced vendors, Mr. Keegan said.
“This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors,” he said.
When it comes to insurance coverage, only 6% of companies indicated that they purchase insurance to cover cyber risks, which is also inconsistent with other surveys showing higher take-up rates for the coverage, Mr. Keegan said in the statement.