In a study of public documents, Willis Group Holdings plc said it has “found that technology and telecommunications companies estimated their cyber exposures at higher levels than others in the Fortune 1000, an indication that those firms may be underestimating their cyber risk exposure.”
The Willis Special Report: 10K Disclosures – How Technology and Telecom Companies Describe Their Cyber Liability Exposures, published today, examines cyber risk disclosures made by the technology and telecommunications (tech/telecom) sector of the Fortune 1000. The study is part of an ongoing Willis series reporting on how U.S. public companies are describing their cyber risks in financial documents.
Ann Longmore, the head of D&O, Fiduciary, and EPL Products for Willis FINEX in North America and co-author of the study, said: “We looked at how tech companies estimate their own cyber exposures, and they’re seeing higher frequency and severity of exposure than others in the Fortune 1000. Significantly, they are twice as concerned about outsourced vendor risk,” she added.
The study found that “tech/telecom companies reported concerns about the potential for outsourced vendor risk at a rate more than double other large corporations (25 percent versus 12 percent). Outsourced vendors are comprised of any organization providing data, IT or security services.”
“We find this compelling because these companies are by and large the cyber vendors for the rest of the Fortune 1000. They’re seeing a big risk involving their own kind,” Longmore said.
Christopher Keegan, Senior Vice President, National Resource E&O and e-risk, Willis FINEX in North America and co-author of the study, commented: “Technology and telecommunications providers that are at the heart of our cyber infrastructure – which, increasingly, is our business infrastructure – are indirectly telling us that our dependencies on vendors may make us more vulnerable than many companies realize. The awareness of that vulnerability – or lack of awareness – may have a bearing on liability in this area as well.”
The results suggest a potential shortfall by others in the Fortune 1000 in assessing cyber risk, Keegan explained. “If you’re a passenger in an airplane and you see the pilot putting on a parachute, it’s probably a good idea to take notice,” he added.
Other key findings of the study include the following:
— The tech/telecom sector disclosed several cyber exposures at a significantly higher rate than the Fortune 1000, including: loss or disclosure of confidential information, loss of reputation, malicious acts and cyber liability.
— In detailing cyber risk remedies, 44 percent of tech/telecom companies cited the use of technical safeguards. However, 20 percent of tech/telecom companies reported inadequate resources to limit cyber losses. This indicates that technical protections may not be sufficient to contain some cyber or technology threats.
— 11 percent of the sector indicated they purchased insurance for cyber exposures. In Willis’s view, the rate of cyber insurance may be substantially higher, particularly among some sub-sectors.
Commenting on the study, Sara Benolken, Willis’s Global Industry Leader for Technology, Media and Telecommunications, said, “The issue of cyber vulnerability through vendors has been thrust into the spotlight following news reports that a recent breach at a major retailer was through a vendor’s access to the retailer’s systems. Awareness of outsourced vendor exposure needs to be high on the radar of all tech and telecom firms.”
Source: Willis Group Holdings