Majority of U.S. Fortune 500 companies say they would face serious harm from a cyber attack

More than half of Fortune 500 companies in the United States say that their firms would face “serious harm” or be “adversely impacted” due to a cyber attack, according to a new report from Willis North America.

The majority of those companies are following guidelines set out by the Securities and Exchange Commission (SEC) in October 2011, by disclosing certain cyber exposures their companies face, Willis says in its report published this week.

While as of April of this year, 88% of those companies are providing “some level” of disclosure, some companies that are likely to have certain exposures aren’t necessarily reporting them, Willis says.

Notably, among those that were silent on certain exposures was an insurance company, according to Willis.

A pharmaceutical company, restaurant chain and healthcare firm were also silent, even though they all “would seem to have some level of cyber risk when compared to the disclosures of their peers,” the report notes.

Among the top risks identified by the companies were loss or theft of confidential information, loss of reputation, and direct loss from malicious attacks, the report says.

“Many of the results are not surprising as we know firms are actively taking steps to assess and mitigate their cyber risk, even if they have not been able to quantify a dollar amount associated with the risk,” Chris Keegan, senior vice president of Willis North America’s National Resource E&O and e-risk business noted in a statement on the report.

“However, we also see some surprising results which suggests some firms may be overlooking critical exposures,” added Keegan, who co-authored the report.

“For example, only one out of five firms mention cyber-terror (20%) as a factor, despite the heightened emphasis on cyber-terror by the U.S. government,” he said.

“In addition, only one out of ten firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day to day practice given the high frequency of cyber events stemming from outsourced vendors.”

In terms of cyber coverage, only 6% of companies said they had purchased insurance to cover cyber risks, which is contrary to other market surveys that show significantly higher rates among public companies, according to Willis.

Just over half (52%) also indicated they have some kind of technical solutions in place, but 15% said they don’t have the resources to protect themselves against critical attacks, according to the report.

“D&O liability risk may be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to meet SEC standards and a significant loss were to occur,” Ann Longmore, executive vice president of FINEX at Willis North America and co-author of the report noted. “This may be especially true if peers have provided more detailed disclosure,” she said.

Willis said it will continue examining the issue and expand its analysis to Fortune 1000 companies.