Report says Fortune 1000 cyber-risk disclosure lacks detail

Requirements by US government agencies that companies provide more detailed disclosures on their cyber-risks in order to fortify IT security for the entire country will open up greater liability to directors and officers, according to a new report by Willis Group Holdings released on September 3. 

To protect themselves, companies may want to be more forthcoming in how they describe cyber-risks in their public documents. But they could put themselves more at risk if they disclose a large exposure and only limited resources to combat it, the report says. 

The Willis Fortune 1000 Cyber Disclosure Report, 2013, is the second in a series of reports that analyze the filings of public companies in response to guidance by the Securities and Exchange Commission in 2011 requesting extensive disclosures by listed companies on their cyber-exposures. The new report examines a larger group of companies, focusing on the Fortune 1000 and also looks at the responses of various industry groups, while the first report reviewed disclosures by the Fortune 500 in their 2012 filings. 

One key difference between the Fortune 500 and the Fortune 501-1000 is the increase in the percentage of the companies that were silent on cyber-risk in their SEC filings -- 12 percent of the Fortune 500 did not report cyber-risk compared to 22 percent of the Fortune 501-1000. This may be because, as the report says, the smaller companies among the 1,000 largest believe themselves to be less likely targets of an attack, ‘or it may be that smaller companies needed more time to identify their cyber-exposures.’  

Among the Fortune 1000, cyber-terrorism and intellectual property risk disclosures were lower than Willis expected given the government’s focus on these risk areas for their potential impact on the US economy overall. In view of the regularity with which cyber-attacks are reported in the press, the disclosure of actual cyber-events remained surprisingly low at 1 percent, with none of the companies that disclosed actual attacks including the associated costs despite SEC guidance requests for such data, the report said.

Willis divided the Fortune 1000 into 20 industry groups to compare the disclosures of each risk, assessing the scope of the risk, how the exposure would manifest and any protections being used to reduce the risk. The report found that with regard to ‘perceived risk,’ the health care, technology, insurance, telecom, life science and retail industries appeared most concerned about cyber-risks, while real estate firms, financial services funds, conglomerates, energy and mining companies expressed the least concern for cyber-risk.

Instead of issuing new regulations, the US government is trying to bolster security against cyber-attacks through tougher SEC disclosure requirements intended to illuminate some of the risks raised by IT security breaches, says Chris Keegan, senior vice president, National Resource E&O and e-risk at Willis North America. Keegan co-wrote the report with Ann Longmore, executive vice president of FINIX at Willis North America. 

‘What gets disclosed in 10Ks is usually broad and general. They’re pushing companies to be specific with respect to what they’re disclosing,’ he says. 

Additional steps the SEC is taking outside the 10K process include sending letters to 50 of the nation’s largest companies asking them for further disclosure of details around cyber-security risk, Keegan adds.  

Ultimately, however, the SEC is hamstrung by its lack of information as to the actual risks that companies have. 

‘The government is relying on occasions where there is a breach to see whether the company has appropriately disclosed that risk in its 10K.’ he says. ‘They’re trying to use that fear tactic to have disclosures be broader by setting a higher standard and publishing what the SEC thinks the standard should be.’

The SEC’s challenge is that much greater because risks vary even among companies that may look the same from the outside, explains Keegan. How companies use technology, their reliance on it and the types of exposures they have can vary significantly.

When it comes to IT security, corporate secretaries and other compliance professionals need to pay as much attention to process as to technical solutions, says Keegan. 

‘So many breaches are due to people within a company clicking on the wrong email [sent in] a pure phishing expedition. You don’t protect yourself with a pure technical solution [when someone has] stolen an identity and is already in your system,’ he says. It’s critical to train employees not to click on certain emails and to be suspicious of people making certain kinds of requests. Social media policies have also become a key defense tool against cyber threats, he says.