Retail Firms' 10K Disclosures Detail Key Cyber Exposures
Part of Willis Series Analyzing Cyber Risk Disclosure in Public Documents
NEW YORK, April 23, 2014 (GLOBE NEWSWIRE) -- A study of public documents reveals that the retail sector estimates its cyber exposures at higher levels than its non-retail peers in the U.S.-listed Fortune 1000, but some retail firms remained silent on the issue of cyber risk altogether, suggesting a potential shortfall by some firms in assessing cyber threats, according to Willis Group Holdings plc (NYSE:WSH), the global risk advisor, insurance and reinsurance broker.
Willis Special Report: 10K Disclosures – How Retail Companies Describe Their Cyber Liability Exposures, published today, examines the cyber risk disclosures made by the retail sector of the Fortune 1000. The study is part of an ongoing Willis series analyzing how U.S. public companies are describing their cyber risks in financial documents as required by the U.S. Securities and Exchange Commission (SEC) since October 2011.
When describing the extent of cyber risk, 57% of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study. However, 9% of the firms did not disclose any risks related to cyber exposures, a result Willis views as "surprising" given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses, the report said.
Other key findings of the report include:
- The top three cyber risks identified by the retail sector of the Fortune 1000 include: privacy/loss of confidential data (74%); reputation risk (66%); cyber liability (61%) – a result Willis described as "expected." However, cyber risk at the hands of "outsource vendors" ranked at just 9%, a result Willis said was "surprising" given the level of outsourcing across the sector and the reliance on third-party technology partners.
- In detailing cyber risk remedies, 49% of the retail companies cited the use of technical safeguards – more than the Fortune 1000 as a whole (43%). However, 17% of retail companies reported inadequate resources to limit cyber losses, a potential "cause for concern," as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.
- 9% of the sector indicated they purchased insurance for cyber exposures. In Willis's view the actual rate of cyber insurance may be substantially higher based on additional Willis data obtained in collaboration with insurance underwriters.
- The increasing frequency of "point-of-sale" breaches and "do-not-track" class-action lawsuits is described as an evolving cyber exposure.
Commenting on the study, Chris Keegan, Senior Vice President, National Resource E&O and e-risk, Willis North America, and co-author of the report said, "Addressing the evolving set of cyber threats facing the retail sector must remain a top priority. It is encouraging to see some retail industry leaders take steps to better prepare for and defend against the increasing wave of targeted attacks via information sharing arrangements such as the Merchant and Retail Industry Information Sharing and Analysis Center (ISAC). However, in Willis's view the sector is slightly behind the curve in taking these pro-active steps."
"A series of recent high-profile cyber breaches have pointed a government spotlight at the sector and Willis expects this scrutiny to continue. Our advice for retailers is: don't wait for the SEC to come knocking on your door," Keegan added.
Ann Longmore, Executive Vice President, FINEX, Willis North America and co-author of the report said, "The results underscore a potential shortfall by some firms in the retail sector in assessing cyber threats. In addition to the potential impact a cyber-event could have on their operations, firms that fail to disclose known cyber risks in their public disclosures could face additional exposures in the form of Directors & Officers liability suits, should a loss occur," she cautioned.
A full copy of the recent report can be downloaded for free here: http://www.willis.com/Client_Solutions/Services/Cyber-Risk/.
Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker. With roots dating to 1828, Willis operates today on every continent with more than 18,000 employees in over 400 offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional services in risk management and transfer. Our experts rank among the world's leading authorities on analytics, modelling and mitigation strategies at the intersection of global commerce and extreme events. Find more information at our Website, www.Willis.com, our leadership journal, Resilience, or our up-to-the-minute blog on breaking news, WillisWire. Across geographies, industries and specialisms, Willis provides its local and multinational clients with resilience for a risky world.