In today's report by Willis North America (“The Willis Fortune 1000 Cyber Disclosure Report, 2013” available here: http://blog.willis.com/downloads/cyber-disclosure-fortune-1000-2013/) the top three cyber risks identified by the Fortune 1,000 are:
- Privacy/loss of confidential data
- Reputation risk
- Malicious acts
The report examined the Fortune 1,000 using 20 industry groups to compare industry views with respect to the disclosures of each risk, weighing the scope of the risk; how the exposure would manifest; and what protections were being employed to mitigate the risk. Key takeaways include:
- With respect to “perceived risk,” the report found that health care is the industry most concerned about cyber risk, closely followed by technology, insurance, telecom, life science and retail sectors. In contrast, real estate, financial services funds, conglomerates, and the energy and mining sectors expressed the least concern for cyber risk.
- Financial institutions and technology companies top the list of industries disclosing distinct cyber exposures and the extent of such exposure.
- With respect to cyber insurance protection, the funds sector (33 percent) followed by utilities (15 percent), the banking sector and conglomerates (14 percent) reported the greatest levels of insurance. Insurance and technology sectors both disclosed the purchase of insurance coverage at 11 percent.
- In evaluating loss-control measures, the industry groups that disclosed the greatest number of technical protections against cyber risk (firewalls, intrusion detection, encryption, etc.) include the technology, health care, professional services and financial institution sectors.
- Cyber terrorism and intellectual property risks ranked lower than expected among the Fortune 1,000 given the focus of the federal government on these areas of risk and their importance to the health of the U.S. economy overall, the report said.
- The disclosure of actual cyber events remains at 1%, a seemingly low number given the number of attacks that appear in the press on a regular basis, the report said.
- Critically, among the Fortune 501 to 1,000, 22 percent remained silent on cyber risk. According to the report, “The reason for this may be as companies get smaller, they see themselves as less likely targets of an attack, or it may be that smaller companies needed more time to identify their cyber exposures.”
This study reveals a great deal about which industries are dealing with cyber risks proactively (identifying risk, implementing technical protections, purchasing insurance) versus entities that still need to properly evaluate and address such risks.