Cyber risks facing the retail sector are at far higher levels than those facing its non-retail peers in the US-listed Fortune 1000, a report by Willis has found.
Some retail firms have, however, remained silent on the issue of cyber risk, suggesting that many are downplaying the risk in their assessment of cyber threats, said Willis.
In its special report 10K Disclosures – How Retail Companies Describe Their Cyber Liability Exposures, Willis has examined cyber risk disclosures made by the retail sector of the Fortune 1000.
The study is part of an ongoing Willis series analysing how US public companies are describing their cyber risks in financial documents as required by the US Securities and Exchange Commission (SEC) since October 2011.
When looking at the extent of cyber risk, 57 percent of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study.
However, 9 percent of firms did not disclose any risks related to cyber exposures, a result Willis views as “surprising” given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses.
The report also found that 9 percent of the sector indicated they purchased insurance for cyber exposures. In Willis’s view, the actual rate of cyber insurance may be substantially higher, based on additional Willis data obtained in collaboration with insurance underwriters.
Ann Longmore, executive vice president, FINEX, Willis North America and co-author of the report, says: “The results underscore a potential shortfall by some firms in the retail sector in assessing cyber threats.”
“In addition to the potential impact a cyber-event could have on their operations, firms that fail to disclose known cyber risks in their public disclosures could face additional exposures in the form of directors & officers liability suits, should a loss occur,” she cautions.