Canadian Underwriter

Health care, technology and insurance sectors most concerned about cyber risk


September 4, 2013   by Canadian Underwriter



A Willis review of Fortune 1,000 companies in the United States shows that firms in the health care, technology and insurance sectors are most concerned about cyber threats, yet more than a fifth remain silent on the issue.


Willis Fortune 1000 Cyber Disclosure Report, 2013, released Tuesday, found that with respect to “perceived risk,” health care is the industry most concerned about cyber risk, closely followed by technology, insurance, telecom, life science and retail sectors.

That compares to real estate, financial services funds, conglomerates and the energy and mining sectors, which expressed the least concern for cyber risk, notes a statement from Willis, a unit of global risk advisor, insurance and reinsurance broker, Willis Group Holdings.

The newly released report is the second in a series of reports examining U.S. public companies' filings in response to U.S. Securities and Exchange Commission guidance issued in 2011, asking U.S.-listed firms to provide extensive disclosures on their cyber exposures. The first report, Willis Fortune 500 Cyber Disclosure Report, was released previously.

Smaller companies may regard their firms as less likely targets of cyber attacks, new findings suggest, with 22% of the surveyed Fortune 501-1,000 companies remaining silent on cyber risk. This represents a “significant” increase compared to 12% of the Fortune 500 firms that remained silent in their disclosures as noted in the previous report.

“The reason for this may be as companies get smaller, they see themselves as less likely targets of an attack, or it may be that smaller companies needed more time to identify their cyber exposures,” notes the new report.

Ann Longmore, report co-author and executive vice president of FINEX, Willis North America, suggests that remaining silent is worrisome. “This is concerning because the view that firms may see themselves as less likely targets of an attack runs contrary to our experience, and in fact, many of these firms are sitting at the centre of the bull’s eye,” Longmore cautions in the Willis statement.

Beyond the increase in firms being silent on cyber risk, a comparison of responses from the earlier and current reports shows the following:

  • cyber risk would “impact” or “adversely impact” the business – 37% compared to 30%;
  • cyber risk “significant” – 8% compared to 5%;
  • cyber risk “material harm” or “seriously harm” – 36% compared to 35%; and
  • cyber risk “critical” – 2% compared to 3%.

A chart in the latest review identifies the top reported exposures as follows: privacy/loss of confidential data, 68%; reputation risk, 52%; malicious acts, 49%; liability, 41%; business interruption, 21%; errors and malfunction, 22%; cyber terrorism, 21%; cyber regulatory risk, 18%; outsourced vendor risk, 13%; loss of intellectual property, 13%; product or service failure, 2%; social media risk, 2%; and actual cyber events, 1%.

Further, the chart indicates that – comparing percentages of responses in the new and previous reports – all increased or stayed the same except for liability (down from 44% to 41%), business interruption (down from 29% to 21%) and product or service failure (down from 5% to 2%).

Looking specifically at loss control measures, the new report shows the industry groups disclosing the greatest number of technical protections against cyber risk – including firewalls, intrusion detection and encryption – include the technology, health care, professional services and financial institution sectors. Within financial services firms, insurance companies refer to technical risk protection 63% of the time.

The disclosure of actual cyber events remains at 1%, a seemingly low number given the number of attacks that appear in the press on a regular basis, the report states.

“Government authorities may require companies to step out of their comfort zone for disclosure in order to bolster IT security for the entire U.S., opening up greater liability to directors and officers in the process,” Chris Keegan, report co-author and senior vice president of national resource E&O and e-risk, Willis North America, adds in the Willis press release.

With regard to cyber insurance protection, the funds sector (33%) followed by utilities (15%), the banking sector and conglomerates (14%) reported the greatest levels of insurance.

Insurance and technology sectors both disclosed the purchase of insurance coverage at the 11% level, notes the statement from Willis. That said, the report adds many companies may be under-reporting the level of cyber insurance coverage based on Willis data and other industry data indicating higher take-up rates, particularly for the health care sector.

Other key findings in the new report include the following:

  • cyber terrorism and intellectual property risks ranked lower than expected among the Fortune 1,000 given the focus of the U.S. federal government on these areas of risk and their importance to the health of the U.S. economy overall; and
  • when describing the “extent” of cyber risk exposures, financial institutions and technology companies rise to the top of the list disclosing distinct cyber exposures whereas firms in the energy and utility sector report the fewest distinct exposures.

Beyond looking at Fortune 1,000 companies, the new report also divided the firms into 20 industry groups to compare disclosures of each risk, weighing the scope of the risk; how the exposure would manifest; and what protections were being employed to mitigate the risk.

The next issue of Willis’ ongoing study will feature separate, in-depth industry reports on unique cyber disclosures of the Fortune 1,000 subgroupings.

