"Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk." [1]
Letter from Senator John D. Rockefeller IV, et al. to Chairman, Securities and Exchange Commission, May 11, 2011

WILLIS FORTUNE 1000 CYBER DISCLOSURE REPORT

I. OVERVIEW

In this second in a series of reports examining U.S. public company cyber disclosures, Willis expands the scope of the review to include the Fortune 1000. The earlier Willis Fortune 500 Cyber Disclosure Report reviewed the 10-Ks or annual reports filed by the Fortune 500 in 2012, the period immediately after the U.S. Securities and Exchange Commission (SEC) published its guidance that public companies might best include more extensive disclosures relating to their cyber exposures. [2] The initial study addressed three important questions on the public disclosures of those companies:
1) The size or extent of the risk
2) The types of exposures identified
3) The steps being taken to reduce cyber risks

This updated study asks the same questions of the wider pool of companies and highlights industry groups. The SEC's suggested guidance was that U.S. public companies include the nature of the risks and how each risk might affect the firm, recommending that these disclosures be unique and specific to each firm, not generic. Quite a tall order for U.S. public companies and for the SEC, which reviewed, and in some cases commented on, the reports prior to releasing them to the public. Many of our largest public companies face interdependent exposures and were largely unable to review the disclosures of their trading partners and vendors at the time they were filing their own reports. Responding to the SEC's guidance for the first time had to have been a challenge.

II. BIG VERSUS BIGGER: COMPARING THE FORTUNE 501-1,000 TO THE FORTUNE 500

QUANTIFYING THE RISK

While there are significant differences in the industry makeup of the Fortune 500 and the Fortune 501 to 1,000, remarkable similarity exists between the two groups in their disclosures on the size or extent of their cyber exposures. The most significant difference we found was in the number of companies that remained silent on their cyber risk: 12% in the F500 segment was silent, compared to 22% in the F501-1000 (see Chart 1 below). The reason for this may be that, as companies get smaller, they may see themselves as less likely targets of an attack, or it may be that smaller companies needed more time to identify their cyber exposures.

[Chart 1: Reported extent, F500 v F501-1000. Vertical axis: percentage of companies. Categories: silent on cyber risk; cyber risk would impact or adversely impact the business; cyber risk significant; cyber risk material harm or seriously harm; cyber risk critical; no SEC filings (no disclosure + no recent disclosure). Series: F500, F501-1000.]

While the SEC's guidance is just that, advice on what public companies might disclose, it comes from their Division of Corporation Finance, the division that selectively reviews public company securities filings to ensure compliance with relevant disclosure and accounting requirements. When they speak, public companies usually listen.

2 Willis North America 08/13
CYBER EXPOSURES IDENTIFIED

The companies in both the F500 and the F501-1000 groups used similar terms to explain the cyber exposures facing their organizations. The most significant differences between the two groups, as seen in Chart 2, are:
1) A rise in the exposure to business interruption as a result of a cyber event (from 21% for the F500 to 29% for the F501-1000)
2) A reduction in the perceived exposure to cyber terrorism (from 21% to 15%)
3) A reduction of intellectual property risks identified (from 13% to 8%)

For the Fortune 1,000, cyber terrorism and intellectual property risk disclosures are lower than we expected given the focus of the federal government on these areas of risk and their possible effects upon the health of the U.S. economy overall. We note that the disclosure of actual cyber events remains at 1%, a seemingly low number given the number of attacks that appear in the press on a regular basis. Furthermore, even though the SEC guidance requests dollar costs of attacks that have occurred, none of the companies that disclosed actual attacks included the associated costs.

[Chart 2: Reported exposures, F500 v F501-1000. Horizontal axis: percentage of companies. Categories: privacy/loss of confidential data; reputation risk; malicious acts; liability; business interruption; errors and malfunction; cyber terrorism; cyber regulatory risk; outsourced vendor risk; loss of intellectual property; product or service failure; social media risk; actual cyber events. Series: F500, F501-1000.]
LOSS CONTROL: RISK PROTECTIONS

Another significant difference between the two groups is the major drop in the disclosed use of technical risk protections such as firewalls, intrusion detection, encryption, etc., mentioned by 52% of the F500 but only 35% of the F501-1000 (see Chart 3). The disclosure of insurance for cyber risk remains steady at 6% for both groups (see more below), but the number of companies that make no reference at all to the protections they have in place rose from 45% in the F500 to 57%. This may be attributable to the higher percentage of companies that are silent on the topic of cyber exposure in the F501-1000 group.

[Chart 3: Reported risk management, F500 v F501-1000. Vertical axis: percentage of companies. Categories: reference to technical safeguards; reference to inability to have the resources to limit loss; cyber risks are covered by insurance; no comments on risk protection. Series: F500, F501-1000.]

III. INDUSTRY FOCUS

Willis divided the Fortune 1,000 into 20 industry groups to compare the disclosure of each. In doing so we recognize that while all industries are important, not all are critical. In fact, the Presidential Policy Directive on Critical Infrastructure Security and Resilience has identified 16 essential industry sectors as critical infrastructure. [3] Most, but not all, are included in our industry focus on the Fortune 1,000. [4] Among those critical sectors, some are hyper-critical, such as the technology and telecom sector since it serves an enabling function across all other critical infrastructure sectors. [5] Others are both critical and highly interdependent such as the health care sector, where collaboration and information sharing between the public and private sectors is essential and which is highly dependent on other industry sectors for continuity of operations and service delivery. [6]

In our industry focus, we addressed the same questions as we did in our original study on the Fortune 500: 1) the size or extent of risk, 2) how the exposure would manifest and 3) what protections were being employed. To measure the level of concern of each industry, Willis assigned a score for the extent of cyber risk each company disclosed. Using this score, health care is the industry most concerned about cyber risks, closely followed by the technology, insurance, telecom and retail sectors (see Chart 4). The sectors that disclosed the least level of concern are real estate and, perhaps more surprisingly, financial services-funds, conglomerates and the energy and mining sectors.

EXTENT OF THE RISK BY INDUSTRY

There are significant differences in the disclosures involving the size or extent of the cyber risk faced by different industries in the F1000. Some of the variation may be as a result of the small number of companies in some industry groups but clearly, some industries are more exposed to the issue than others. [7]

[Chart 4: Fortune 1000 industry point score, extent of risk (scale 0.00 to 3.00; scores range from 2.14 for health care down to 0.69 for real estate). Industries ranked from highest to lowest score: health care; technology/telecoms; financial services-insurance; life sciences; retail/distribution; hospitality and travel; utilities; financial services-banking; media; manufacturing-high tech/aerospace; manufacturing-consumer; transport; professional services; miscellaneous services; construction; manufacturing-heavy industry; energy/mining; conglomerates; financial services-funds; real estate.]
Industries that are naturally more reliant on technology and open networks such as banking, technology, aerospace, health care and utilities are more likely to disclose significant or material impact as the likely result of a cyber event (see Chart 5 below). The limited number of companies that describe their exposure to a cyber event as critical are scattered throughout the industry sectors with professional services firms standing out as the sector that most often describes the exposure as critical, with 11% of the industry putting cyber risk in that category. Otherwise, there is no discernible pattern among companies or groups that note the risk as critical.

62% of real estate companies did not have any comment on cyber risk.
38% of the energy and mining sector remained silent as to cyber exposure.

[Chart 5: Fortune 1000 extent of loss by industry (stacked percentages, 0% to 100%, per industry). Industries listed: life sciences; manufacturing-high tech/aerospace; technology/telecoms; financial services-banking; utilities; retail/distribution; health care; hospitality and travel; media; financial services-insurance; manufacturing-consumer; professional services; miscellaneous services; transport; construction; conglomerates; manufacturing-heavy industry; financial services-funds; energy/mining; real estate. Categories: silent on cyber risk; cyber risk would impact or adversely impact the business; cyber risk significant; cyber risk material harm or seriously harm; cyber risk critical.]
CYBER RISK EXPOSURES BY INDUSTRY

To provide a different perspective, we totaled the number of different types of risks that companies disclose in their 10-Ks and averaged them for each. Looked at this way, financial institutions and technology companies rise to the top of the list, with the banking sector disclosing an average of 4.90 distinct cyber exposures (see Chart 6). Interestingly, funds companies, featured at the low end of the scale when describing the extent of their cyber risk exposure, are close to the top of the chart when it comes to describing the number of different types of cyber risks that they face. While the small number of companies in the funds group (3) may account for the discrepancy, the difference may be due to a level of caution in an industry that is risk-management focused but does not have a large exposure to personally identifiable information, which is usually kept at the retail investment company level.

[Chart 6: Fortune 1000 industries, number of exposures disclosed (average per company, scale 0.00 to 5.00; banking highest at 4.90). Industries ranked from highest to lowest: financial services-banking; financial services-insurance; technology/telecoms; financial services-funds; life sciences; media; manufacturing-high tech/aerospace; hospitality and travel; professional services; retail/distribution; miscellaneous services; health care; construction; manufacturing-consumer; utilities; conglomerates; transport; real estate; manufacturing-heavy industry; energy/mining.]

Industries at the lower end of the chart (reporting fewer exposures) include energy and utilities. This is surprising, given that both have been identified as critical to the economy and covered in the press as objects of cyber attacks.
LOSS CONTROL BY INDUSTRY

The industry groups that disclosed the greatest number of technical protections against cyber risk (firewalls, intrusion detection, encryption etc.) are the technology, health care, professional services and financial institution sectors, with the insurance industry in the lead (see Chart 7). Insurance companies refer to technical risk protections 63% of the time.

[Chart 7: Fortune 1000 risk protection (%), stacked percentages per industry, 0% to 100%. Industries listed from conglomerates (lowest reference to technical safeguards) to financial services-insurance (highest, 63%). Categories: reference to technical safeguards; cyber risks are covered by insurance; reference to inability to have the resources to limit loss; no comments on risk protection.]
The industries within the Fortune 1,000 that most frequently state they have insufficient resources to limit the consequences of a cyber attack are miscellaneous services (31%) [8], health care (26%), high tech/aerospace (25%) and banking (24%). As the Fortune 1,000 includes the very largest U.S. public companies, this may be a serious concern.

LOSS PROTECTION INSURANCE

The industries in our study that disclose they have the greatest level of insurance of cyber risks for their sectors are the funds sector (33%), followed by utilities (15%), the banking sector and conglomerates (14%). The insurance and the technology sectors both disclose the purchase of insurance covering cyber risk at the 11% level (see Chart 8 below). A recent informal survey of life and health insurance companies conducted by Willis and key cyber insurance underwriters found that in the F1000, more than 60% of this sector purchased stand-alone cyber coverage. Willis concludes that many companies may be under-reporting insurance covering cyber risks. In our experience, the health care sector has been one of the largest purchasers of stand-alone cyber insurance, but only 1% of the industry mentioned purchasing it in their 10-Ks.

[Chart 8: Insurance coverage, number of companies per industry (0 to 120) that are silent on cyber insurance versus those that disclose it ("yes"). Industries listed: manufacturing-consumer; retail/distribution; manufacturing-heavy industry; energy/mining; technology/telecoms; health care; financial services-banking; utilities; financial services-insurance; transport; miscellaneous services; hospitality and travel; media; construction; manufacturing-high tech/aerospace; real estate; life sciences; professional services; conglomerates; financial services-funds.]
DETAILS PLEASE

In its guidance, the SEC suggested that U.S. public companies include a level of detail not previously seen in most public company disclosures. They suggested disclosure on:
- The aspects of the firm's business or operations that might give rise to material cybersecurity risks and the related potential costs and consequences
- Where outsourced functions have material cybersecurity risks, descriptions of those functions and how the company addresses those risks
- Risks related to cyber incidents that may remain undetected for an extended period
- Disclosure of cyber incidents experienced by the firm that individually, or in the aggregate, are material, including the costs and other consequences
- Description of relevant insurance coverage

As our report reveals, during the first wave of disclosures after the SEC's guidance, there was a range of responses, even from companies of the same size in the same industry. Examples of the range of cyber disclosures: [9]

EXAMPLE #1
"Risks facing the company might arise from the failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information, and data breaches could materially adversely affect our financial condition and operating results. The firm has become increasingly centralized and dependent upon automated IT processes. Furthermore, a portion of our business is done over the Internet, increasing the risk of viruses that could cause system failures and disruptions of operations. A failure to maintain the security of our customers' confidential information, or data belonging to ourselves or our suppliers, could put us at a competitive disadvantage, result in deterioration in our customers' confidence in us, and subject us to potential litigation, liability, fines and penalties, resulting in a possible material adverse impact on our financial condition and results of operations. Our computers and those of our suppliers are vulnerable to interruption by fire, natural disaster, power loss, telecommunications failure, terrorist attacks and acts of war, Internet failures, computer viruses and cyber attacks. The occurrence of any of these events could significantly disrupt our operations or result in a significant interruption in the delivery of our goods and services which might harm our reputation and lead to the loss of some of our existing customers as well as impact our ability to compete for new business."

EXAMPLE #2
"Risks include the impact on the firm's locations and operations due to a terrorist attack, cybersecurity threats and other catastrophic events."
During the first round of financial reporting, companies failing to meet the level of disclosure deemed sufficient by the SEC might receive a comment letter from the agency, as has happened to approximately 50 public companies, asking them to supplement or amend their filings where appropriate. http://blog.willis.com/2013/06/cyber-disclosures-of-the-fortune-500-how-companies-rate-their-cyber-exposure-for-the-sec/

OUTSOURCED VENDORS AND THE CLOUD

One of the key areas that the SEC asked companies to address, both in its original guidance and in its subsequent comment letter, was the potential risk represented by outsourced vendors. The request seems particularly apt in the context of the balancing act that IT departments have to maintain between the costs and benefits of using the cloud and outsourced vendors against the risks of having information and operations in the hands of third parties. The exposure may be heightened by the fact that most technology service contracts severely limit the ability of companies to recover against vendors after a breach or failure of systems.

"Cloud computing [is] a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [10]
The National Institute of Standards and Technology

Remarkably, only 13% of the companies in the F500 and 12% of companies in the F501-1000 mention vendor risk. When they do, the disclosures usually simply mention that the risk exists, but then fail to delve into the functions of the company that may be affected if the outsourced vendors are breached.

IV. THE FUTURE

ACTION BY THE FEDERAL GOVERNMENT'S EXECUTIVE BRANCH

On February 12, 2013, President Obama signed a new Executive Order entitled "Improving Critical Infrastructure Cybersecurity" which authorizes the dissemination of cyber intelligence reports to owners and operators of certain enterprises. [11] It also directs the collaborative development and implementation of risk-based cybersecurity standards. Recent news from the White House indicates that the administration and the Department of Homeland Security (DHS) are considering tax breaks, insurance perks (so far unidentified) and other legal benefits for businesses that make meaningful improvements to their digital defenses. [12]

Two types of cyber intelligence can be delivered to companies:
(1) Reports of cyber threats to the U.S. homeland that identify a specific targeted entity
(2) Reports which identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
It appears that any company that receives a DHS report is on notice that the DHS expects the company to reinforce their resilience to cyber attacks, develop capabilities for informing themselves on when and where an attack may occur and managing the crises. Access to intelligence reports may be a two-edged sword.

CURRENT ACTION BY THE FEDERAL GOVERNMENT (SEC)

SEC Chairman Mary Jo White recently asked her staff to evaluate the SEC's current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary. [13] Senator Jay Rockefeller, who has encouraged the SEC to provide further guidance on cybersecurity disclosures and was at the forefront of the SEC's initial guidance, [14] was told in the letter, dated May 1, that the SEC Chair believes that the initial guidance to companies on cybersecurity has had a positive impact on better informing the stakeholders of public companies. [15] Our study on the initial response by the largest U.S. public companies seems to confirm this while suggesting that some improvements may be possible.

V. NEXT STEPS

Action taken at the federal level clearly shows that cybersecurity disclosure by public companies is high on the federal agenda and will continue to pose a unique challenge for public companies. Government authorities may require companies to step out of their comfort zone for disclosures in order to bolster IT security for the entire U.S., opening up greater liability to directors and officers in the process. To protect themselves, companies may want to be more open and detailed in the way that they describe cyber risks in their public documents; but this could also play against them if they reveal a large exposure and only limited resources to protect themselves. Meanwhile, we are working on a series of separate, more in-depth industry profiles on the unique cyber disclosures of the Fortune 1,000.

[1] http://commerce.senate.gov/public/?a=files.serve&file_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e
[2] Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity, October 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[3] http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil, February 12, 2013.
[4] Critical infrastructure sectors such as the government facilities sector and commercial facilities sector are two examples of sectors not well represented (or present at all) in the Fortune 1,000.
[5] http://www.dhs.gov/communications-sector
[6] http://www.dhs.gov/healthcare-and-public-health-sector
[7] E.g., there are only eight companies in the life sciences group, all of which disclose some level of cyber risk.
[8] This is concerning as the group includes many non-tech vendors for large corporations.
[9] Please note that these examples have been modified from actual disclosures.
[10] http://info.apps.gov/content/what-cloud
[11] http://www.politico.com/story/2013/07/white-house-considers-breaks-for-boosting-cybersecurity-94528.html
[12] Incentives to Support Adoption of the Cybersecurity Framework, at http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework
[13] "SEC Chairman Reviewing Company Cybersecurity Disclosures," May 13, 2013, 3:01 PM ET, http://www.bloomberg.com/news/2013-05-13/sec-chairman-reviewing-company-cybersecurity-disclosures.html
[14] http://www.rockefeller.senate.gov/public/index.cfm/press-releases?id=134e9dd2-9b6c-49c2-bcff-073019bcd247
[15] "SEC Head Orders Review Of Cyberthreat Disclosure Guidance," May 14, 2013, http://www.law360.com/articles/441415/sec-head-orders-review-of-cyberthreat-disclosure-guidance