Following SEC guidance, U.S. publicly traded companies disclosed the magnitude and type of cyber exposures they face—and (today’s topic) their strategies for mitigating those risks. As the SEC stated,
…registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate…
The SEC specifically concluded that appropriate disclosures that a reasonable investor might consider important to an investment decision may include “relevant insurance coverage.”
Guarding the Castle
While half of the companies in our study referenced using technical safeguards to address their cyber exposures, a surprising 232 firms—almost half of the Fortune 500—did not include any comments on cyber risk mitigation tools or strategies in their disclosures.
This silence may be particularly “loud,” as our study found that:
- 38% of firms indicated these exposures might “impact” or “significantly impact” operations
- 36% indicated these risks could “materially harm” or “seriously harm” the organization
- 8% disclosed the potential risk of cyber events was “significant”
- 2% said the results might be “critical” for the firm
Critically, whether or not technical safeguards were indicated, roughly 14% of the Fortune 500—the largest U.S. publicly traded companies—revealed that they may not have sufficient resources to limit the impact of their potential cyber exposures.
Going with the Flow: Insurance
Only 6% of those in our study chose to disclose that they purchase insurance against cyber-risk. This low percentage surprised us as it seems inconsistent with recent surveys showing a much higher purchase rate for cyber insurance among U.S. public companies.
Informal polling of our own in-house cyber insurance specialists indicated that, in some sectors, the rate of purchase of cyber insurance is above 50% for large public companies. It may be that some companies are reluctant to disclose cyber coverage because they believe it opens them up to attacks; but it would not seem likely that hackers and others with malicious intent would view this as a concern.
Examining the individual disclosures themselves, this percentage seems even more unexpected, as a number of companies disclosed business interruption insurance coverage rather than dedicated cyber insurance (although both could respond to different manifestations of cyber risk). A few companies commented that they understood cyber insurance to be either unavailable or priced disproportionately high compared to their exposures; this may have been based on prior experiences.
Still others cautioned that although they carry cyber insurance, there is no guarantee that the limits will be sufficient to handle a truly catastrophic event (and, because insurance policies contain exclusions, no guarantee that a policy will necessarily respond to every cyber scenario that might foreseeably occur). However, at least these companies have some coverage in place, as compared to the majority of companies that disclosed no such coverage.