Report on cyber threat disclosures by Fortune 500 firms shows increased risk of lawsuits
In response to a call by the Securities and Exchange Commission to start disclosing exposure to cyber threats, more than half the Fortune 500 companies say they would either face ‘serious harm’ or be ‘adversely impacted’ by an attack, according to a report released on June 10 by Willis North America, a unit of Willis Group Holdings, a major insurance broker and global risk advisor.
The findings of The Willis Fortune 500 Cyber Disclosure Report, 2013 suggest companies could face more lawsuits from shareholders and third-party service providers they do business with as a result of insufficient disclosure about cyber threats. Willis checked all companies’ 10-K filings for 2012 on the SEC’s EDGAR website rather than surveying them. Fifty of the companies got some pushback from the SEC for not disclosing enough, says Ann Longmore, head of D&O insurance for Willis North America and one of the report’s co-authors.
The report shows that, as of April 2013, 88 percent of companies are complying with the SEC’s October 2011 guidance, which urged them to disclose potential threats particular to their business or kind of business instead of generic risks applicable to any business. The top three cyber risks named were loss or theft of confidential information, loss of reputation and direct loss from malicious acts such as hacking or a virus.
The level of disclosure by many companies appears to fall short of the detail on the probability of cyber incidents occurring and their potential costs that the SEC requested.
None of the companies, for example, assigned any dollar value to potential attacks, says Longmore. That was due more likely to not wanting to cause alarm than an inability to do a risk analysis of the recent past and project future costs, she says.
There is reason to believe some companies may be courting more lawsuits by failing to provide any information on cyber threats at all, warns Longmore: 13 percent of the companies disclosed nothing, and an additional 2 percent did not file with the SEC at all.
‘I hate to think it, but I see them getting hit when the claims come in,’ she says.
If a company were to suffer a cyber attack, its stock would get hit and people would rush to check the latest 10-K filing for any mention of such risk and find none. ‘In hindsight, it looks like it should have been included because it impacted valuation,’ she says. ‘That’s a blueprint on how to bring a D&O claim.’
Also noteworthy is that just 20 percent of the companies cited any vulnerability to cyber terror, even though the US government has drawn increased attention to such risks in recent years. Another unexpected result was that just 10 percent of the firms outlined threats stemming from actions by outsourced vendors, which runs contrary to what Willis has seen in its daily practice.
Another surprise was that only 6 percent of companies said they had bought insurance to cover cyber risks despite recent market surveys showing much higher use of cyber insurance by public companies. While 52 percent of companies said they have put in place technical solutions, 15 percent said they don’t have the resources to protect themselves against serious threats.