Major companies underreport cyber-risks, study finds

Large technology and telecommunications providers are twice as concerned about cyber-risks from outsourcing vendors and are twice as likely to report those concerns in public financial documents than the vast majority of the Fortune 1000, new research has found.

According to the study, “Willis Special Report: 10K Disclosures – How Technology and Telecom Companies Describe Their Cyber Liability Exposures,” released today by Willis Group Holdings plc, the technology and telecommunications companies that provide the infrastructure services for all other sectors of the economy disclosed concerns about cyber-risks stemming from outsourced vendor services at a significantly higher rate than other members of the Fortune 1000.

“Technology and telecommunications providers that are at the heart of our cyber-infrastructure – which, increasingly, is our business infrastructure – are indirectly telling us that our dependencies on vendors may make us more vulnerable than many companies realize,” said Christopher Keegan, a senior vice president with Willis North America and co-author of the study.

The results suggest a large percentage of the companies that make up the Fortune 1000 fail to report the same critical cyber-risks that their service providers are reporting, Keegan said.


“If you’re a passenger in an airplane and you see the pilot putting on a parachute, it’s probably a good idea to take notice,” he said.

The study found technology and telecommunications companies reported concerns about the potential for outsourced vendor risk at a rate more than double of other large corporations (25 percent versus 12 percent). Outsourced vendors are identified in the study as any organization providing data, IT or security services.

“We find this compelling because these companies are by and large the cyber-vendors for the rest of the Fortune 1000,” said Ann Longmore, the head of Willis’ executive risk practice and co-author of the study. “They’re seeing a big risk involving their own kind.”

The study comes on the heels of several large data breaches at major retailers, including Target and Neiman Marcus. The Target breach, which led to the theft of credit card and personal information of more than 110 million consumers, began with an email phishing attack against one of Target’s service providers — a Pennsylvania-based heating, air conditioning and refrigeration company that had access to the retailer’s network.

The Willis report, however, found the tech/telecom sector disclosed individual cyber-risks at rates higher than the Fortune 1000 as a whole. The exposures disclosed at significantly higher rates were: loss or disclosure of confidential information, loss of reputation, malicious acts and cyber-liability.


“If a company is a heavy user of outsourced IT services, then perhaps they should be reporting these risks at levels similar to the service providers themselves, as the vendors’ risks or failures could also be experienced by the consumer company should there be a vendor incident,” the report states. “Though a customer’s risk assessment may differ depending upon the criticality of the service or technology, individual companies must evaluate whether their procured vendor services are material.”


Latest Podcasts