Willis Group Holdings (NYSE: WSH), the global insurance broker, said today it launched a proprietary study to monitor how U.S. public companies are responding to the U.S. Securities and Exchange Commission’s (SEC) new guidance on cyber exposure disclosures.
The recent formal guidance from the SEC’s Division of Corporate Finance calls on public companies to address their exposure to cyber attacks and disclose how they will respond financially to the potential loss.
In Willis’ view, for the SEC to single out any one area of exposure for specific financial disclosure by public companies is rare, making the formal guidance that public companies provide detailed information about their potential exposure to cyber attacks a major event – and possibly a game changer for some public firms as it impacts how firms view and measure “materiality.” The SEC intended the new disclosures to help investors understand the risk/reward relationship in the enterprises in which they potentially invest. The Commission’s guidance includes a non-exclusive list of specific, detailed elements for cyber exposure disclosure both pre- and post-attack.
Willis is launching its study to coincide with the first round of financial disclosures for accelerated filers, representing roughly 750 firms, including some of the biggest U.S. companies. The study will continue through 2012 and beyond, eventually capturing information from all U.S. public companies with respect to cyber disclosure. The initiative is part of Willis’ strategy to help organizations better understand and evaluate cyber risk, while adding to a firm’s ability to understand where it sits when measured against its peers. In Willis’ view there are real risks to organizations related to cyber exposure and potentially additional risks to directors and officers with this new disclosure guidance. One goal of the Willis study is to help organizations track the emerging disclosure standards being applied. Willis will monitor key information and data points including:
- How the cyber exposures of each organization are quantified in terms of the impact on the firm’s business and reputation
- Whether new disclosures of past cyber hacking events (possibly due to a broader interpretation of materiality in the SEC’s guidance) are required
- The role of interdependencies among clients, customers and vendors
- The challenges and costs of remediation
- How (and if) relevant insurance coverage is disclosed