The SEC has required disclosure of cybersecurity exposure since October 2011, yet 9 percent of retailers fail to mention the issue in their filings, according to a study released earlier this month. Fifty-seven percent of retail companies characterize their risk as “significant,” “serious,” or “critical.”
Cybersecurity risk disclosure is the subject of a study by Willis Group Holdings, a risk adviser and insurance broker. The study examined retailers among the Fortune 1000.
“A series of recent high-profile cyber breaches has pointed a government spotlight at the sector, and Willis expects this scrutiny to continue,” report co-author and SVP for e-risk at Willis North America Chris Keegan told Dark Reading. “Our advice for retailers is: Don’t wait for the SEC to come knocking on your door.”
To comply with SEC regulations, the 9 percent will have to report their exposure, but to avoid attracting negative analyst and investor attention, those companies need to implement protection. Among the protections retailers reported, “technical safeguards” were cited by 49 percent and insurance by 9 percent, though the study authors suspect the latter is underreported.
Privacy/loss of confidential data is cited as an area of exposure by the largest number of retailers at 74 percent, followed by reputation risk at 66 percent, liability at 61 percent and malicious acts at 55 percent.
Concern about intellectual property loss is lower among retailers than the rest of the Fortune 1000, as is concern for outsourced vendor risk, despite that being the source of the highly publicized Target breach in December 2013.
Investors have shown confidence in the cybersecurity industry in 2014. Bit9 raised over $38 million earlier this year, and Hacksurfer picked up $3.5 million to expand its security platform earlier this week.
With 9 percent of the world’s largest retailers as potential customers, those and similar investments may soon yield lucrative returns.