Fortune 500 security policies are a mixed bag

The Willis Fortune 500 Cyber Disclosure Report 2013 found that an insurance company, a pharmaceutical company, a restaurant chain and a health care firm – “all of which would seem to have some level of cyber risk when compared to the disclosures of their peers,” the report said – remained silent.

The report found that 88% of the Fortune 500 are following SEC Guidelines as of April 2013 and providing “some level” of disclosure regarding cyber exposures. Other results, though, weren’t so rosy.

More than half indicated their firms would face “serious harm” or be “adversely impacted” due to a cyber-attack, and 52% of firms referred to technical solutions they have in place. Yet a significant number (15%) also indicated they do not have the resources to protect themselves against critical attacks, the report said.

There’s also evidence that companies aren’t fully aware of the threat landscape. The top three cyber risks identified by the Fortune 500 include the loss or theft of confidential information (65%); loss of reputation (50%); and direct loss from malicious acts (hackers and viruses) (48%).

“Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk,” said Chris Keegan, senior vice president at Willis North America and co-author of the report, in a statement. “However, we also see some surprising results which suggests some firms may be overlooking critical exposures.”

He noted that only one out of five firms mention cyber-terror (20%) as a factor, despite the heightened emphasis on cyber-terror and espionage by the US government. “In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors,” he said. “This runs contrary to what we see in our day-to-day practice given the high frequency of cyber events stemming from outsourced vendors.”

When it comes to protection against cyber risk, only 6% of companies mentioned that they purchased insurance to cover cyber risks “even though recent market surveys are showing significantly higher take up rates for cyber insurance among public companies,” Keegan said.
