FINEX: Willis Special Report: Fortune 1000 Cyber Disclosure by ...


In our recent report examining U.S. public company cyber disclosures,1 we focused on the Fortune 1000. In this special report, we begin a new series that further highlights specific industry groups. In this first offering, we feature the financial institutions sector.

Financial institutions face unique risks because of the specific activities they engage in. The Fortune 1000 range from the largest international retail banks – holding huge amounts of personal and financial information – to a relatively small mortgage insurer at number 940 on the list, which may not hold more than a few million personal records. In this report, we discuss banks, insurance companies and asset managers (or funds).

Willis found that the “financial institution (FI)” sector was much more likely than other sectors to disclose types of risks across all categories, with cyber terrorism and regulatory risk identified at greater than double the rate of the Fortune 1000 companies as a whole. This may seem appropriate given the level of regulation of the financial institutions sector and the fact that they are major targets for domestic and foreign political groups or hacktivists.2

WILLIS SPECIAL REPORT: FORTUNE 1000 CYBER DISCLOSURE BY FINANCIAL INSTITUTIONS

REPORTED EXPOSURES F1000 VS FI INDUSTRY (percentage of companies disclosing each exposure; Fortune 1000 vs Financial Industry)

Privacy/Loss of Confidential Data: Fortune 1000 64%, Financial Industry 80%
Reputation Risk: Fortune 1000 50%, Financial Industry 78%
Malicious Acts: Fortune 1000 49%, Financial Industry 71%
Liability: Fortune 1000 43%, Financial Industry 68%
Cyber Regulatory Risk: Fortune 1000 18%, Financial Industry 44%
Cyber Terrorism: Fortune 1000 17%, Financial Industry 40%
Error and Malfunction: Fortune 1000 25%, Financial Industry 27%
Business Interruption: Fortune 1000 22%, Financial Industry 27%
Outsourced Vendor Risk: Financial Industry 22%
Loss of Intellectual Property: Financial Industry 4%
Product or Service Failure: Financial Industry 4%
Social Media Risk: Financial Industry 3%
Actual Cyber Events: Financial Industry 2%
(Fortune 1000 values for the last five categories are not legible in the extracted chart.)

Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist. http://searchsecurity.techtarget.com/definition/hacktivism


Willis North America | Special Report • 10/13 2

THE SECTOR’S CYBER EXPOSURES

In the U.S., the “banking and financial sector” has been designated by the federal government as a critical infrastructure sector because every organization and virtually all individuals are reliant to some degree on financial products. This dependency stretches across a broad array of products, services and institutions, ranging from the largest banks with assets of more than a trillion dollars to the smallest local insurance company or private equity firm.

The term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Executive Order 13636 of February 12, 2013, Improving Critical Infrastructure Cybersecurity

The financial sector is critically reliant upon technology to keep records, process transactions and facilitate day-to-day activities. It is among the most highly regulated sectors and spends more than most industries, as a percentage of revenue, on information technology (IT) security. However, this does not mean it is less likely to be the victim of an attack. The sector is third among all industries in the number of records lost for all years tracked by Risk Based Security, Inc.3

DISTRIBUTION OF AFFECTED RECORDS BY SECTOR

Technology 35.7%

Retail 15.2%

Financial 15.1%

Other 13.5%

Medical 10.0%

Business 7.2%

Government 2.1%

Education 1.2%

A successful, widespread attack on the financial industry could reduce confidence in the banking system. One can imagine the worst-case scenario in which financial records cannot be trusted – putting institutions in a position where they can no longer verify account balances and trading positions. Such an event could freeze transactions between financial institutions causing a liquidity crisis in the interbank market.

For insurance companies, the largest fear may be of a massive privacy information breach, which, while not quite as catastrophic to the economy as a whole as the example above, could be devastating to the institution. Companies in the insurance industry hold combinations of personal, health care, credit card and financial data; having a large-scale breach might result in liability losses that would match or surpass the largest impacts we have seen to date.

Cyber risk in the funds sector is more company-specific, depending on the strategy of the particular institution. Funds that rely on sophisticated algorithms or high-speed trading to implement their strategies may be the most exposed. We have already seen failures and losses due to “glitches,” both at exchanges and at investing institutions, caused by programming and other errors that can result in large losses. One capital markets participant lost its independence (was acquired) because of a loss of confidence brought about by trading anomalies caused by a technology failure.

EXTENT OF CYBER LOSS

Most of the institutions in our study were circumspect in their approach to disclosure, with most hesitant to describe their potential cyber risks in the most serious terms. Only 2% of banks described their exposure as critical, and 59% found that the exposure was less than material or serious, with 8% silent as to the possible extent of their cyber loss. Similarly, 8% of insurance companies were silent on their cyber exposure. We expect, as disclosure becomes accepted, that all these companies with large amounts of personal data will be more forthcoming regarding the extent of their cyber risks.

EXTENT OF CYBER RISK FI VS F1000 (share of companies; segments: Silent / Would “impact” or “adversely impact” operations / Significant / Critical / Would “materially” or “seriously” harm operations)

Fortune 1000: Silent 17%, impact 41%, Significant 4%, Critical 2%, materially/seriously harm 36%
Financial Services (all): Silent 19%, impact 38%, Significant 7%, Critical 2%, materially/seriously harm 34%
Financial Services – Banks: Silent 8%, impact 43%, Significant 8%, Critical 2%, materially/seriously harm 39%
Financial Services – Insurance: 5%, 11%, 29%, 53% and 3% (segment assignment not legible in the extracted chart)
Financial Services – Funds: Silent 33%, impact 50%, materially/seriously harm 17%

One might expect, due to the number of attacks on financial institutions, especially banks, that they may have a significantly higher sensitivity to cyber attacks and thus be more likely than the average Fortune 1000 company to describe their risk as critical, material or serious. But we found that most FIs disclosed their risk in similar terms or levels as other Fortune 1000 companies.

We can speculate that, because of the investment in large information technology (IT) security teams (some banks have 300 or more people on their IT security staff) and redundancies, banks feel they have invested enough to minimize the possibility that they will be “materially” affected by a cyber attack. Financial institutions may also believe that they can continue to run their businesses without their systems for a period of time by going to manual backups. After all, many functions of financial institutions, such as payments of insurance premiums or loan payments, do not stop because the institutions’ systems are down.

Notably, within the financial institutions sector, it was insurers that reported the highest levels of concern about the risk of a cyber event, with 60% disclosing the risk as critical, serious, material or significant – a higher rate than banks or funds. Only 49% of banks and only 17% of funds indicated the same levels of significance.


The lower concern at funds companies may be explained by the lower exposure most funds companies have to loss or disclosure of PII (personally identifiable information). Many funds companies hold their accounts in the name of the investment company and do not hold any details of the individuals that are the primary investors, thus significantly lowering any risk of disclosing personal information.

CYBER LOSS EXPOSURES IDENTIFIED

Financial institutions lead other industries in the number of exposures identified. Like most of the Fortune 1000, they identify privacy and loss of personal information as the most concerning exposure, with 80% of companies specifically referring to that risk, closely followed by reputation and malicious acts.

FI INDUSTRY REPORTED EXPOSURES IN ORDER OF OCCURRENCE

Exposure                              No. of Companies   Percentage of Companies
Privacy/Loss of Confidential Data     76                 80%
Reputation Risk                       74                 78%
Malicious Acts                        67                 71%
Liability                             65                 68%
Cyber Regulatory Risk                 42                 44%
Cyber Terrorism                       38                 40%
Error and Malfunction                 26                 27%
Business Interruption                 26                 27%
Outsourced Vendor Risk                21                 22%
Loss of Intellectual Property         4                  4%
Product or Service Failure            4                  4%
Social Media Risk                     3                  3%
Actual Cyber Events                   2                  2%

NEW OR EVOLVING EXPOSURES: SOCIAL MEDIA RISKS

Although currently at the low end of disclosed exposures, risks from the use of social media have been coming into focus for regulators, as the use of Twitter, Facebook and other sites has skyrocketed in the last few years, and companies have had no choice but to move onto these new platforms. In response to requests from industry participants, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB) and the State Liaison Committee (SLC) are issuing guidance to address the applicability of existing federal consumer protection and compliance laws, regulations and policies to activities conducted through social media by banks, savings associations and credit unions, as well as by nonbank entities supervised by the CFPB. When you consider that social media may be used to facilitate a consumer’s use of payment systems or as a portal through which consumers access their accounts at a financial institution, the potential for a cyber event becomes clearer.

The use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk.4

Federal Financial Institutions Examination Council


FORTUNE 1000 – NUMBER OF CYBER EXPOSURES DISCLOSED

When it comes to the number of exposures that were disclosed, the banking and insurance sectors topped the chart within the Fortune 1000 (coming in at 1 and 2 respectively), with funds taking fourth place. This clearly signals that the FI sector leads in reporting multiple potential exposures.

AVERAGE EXPOSURE F1000 VS FI INDUSTRY (average number of cyber exposures disclosed per company)

Funds        4.00
Banking      4.90
FI           4.55
Insurance    4.48
F 1000       3.29

CYBER RISK REGULATIONS

Because of its role at the center of the economy, the FI sector has a much higher level of government oversight than most other industries in the Fortune 1000.

The Federal Financial Institutions Examination Council (FFIEC)5 has been active in setting standards and promoting best practices in cybersecurity. There are also “suggested” protections, such as the Federal Deposit Insurance Corporation’s (FDIC) series of guidance, including one that underlines the risk posed by sensitive information found in photocopiers, fax machines and printers and suggests that financial institutions implement written policies and procedures to ensure that a hard drive or flash memory containing sensitive information is erased, encrypted or destroyed before the device is returned to the leasing company, sold or disposed of.6 Under the Bank Service Company Act (BSCA), the FDIC and other federal financial regulators also have oversight, including the authority to regulate and examine technology service providers (TSPs) for FDIC-insured financial institutions.7

The Gramm-Leach-Bliley Act8 (GLBA) includes provisions requiring financial services companies to establish privacy safeguards to protect consumer information and to alert consumers in the event of a data breach.

The Payment Card Industry Data Security Standard (PCI DSS) sets industry-issued security requirements for organizations that handle cardholder information for credit or debit card purchases. Noncompliance can result in significant monetary penalties, imposed contractually through the card brands and acquiring banks, against the organization in the event of a breach.


The Red Flags Rules (created by the Federal Trade Commission (FTC) along with other government agencies, such as the National Credit Union Administration (NCUA)) are one of the most specific sets of requirements to help prevent identity theft. The Red Flags Rules give all financial institutions and creditors “the opportunity” to design and implement an ID theft risk management program. The rules require the identification of relevant patterns, practices and specific forms of activity that are “red flags” signaling possible identity theft, that those red flags be incorporated into the program and that protections be continuously updated.

While banks and funds fall largely under federal scrutiny, the insurance sector is regulated at the state level. In May of this year, New York State’s governor requested data from 30 large insurance companies on their perceived cyber exposures.9 The data requested included:

Information on any cyber attacks the company has been subject to in the past three years
The cybersecurity safeguards the company has put in place
The company’s information technology management policies
The amount of funds and other resources dedicated to cybersecurity at their company
The company’s governance and internal control policies related to cybersecurity

The governor’s approach of requiring insurance companies (including private firms) to divulge their cybersecurity practices, spending and history of attacks prior to any specific cyber incident affecting the business, closely follows the precedent established by the SEC in its guidance to U.S. publicly listed companies. Given New York’s leading position in insurance company regulation, we may see other states follow suit.

Health insurance companies have HIPAA or the federal Health Insurance Portability and Accountability Act to deal with. Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information (and sets out civil and criminal penalties for violations). HIPAA’s privacy rule regulates the use and disclosure of protected health information (PHI) by “covered entities” (which includes health insurers).10

Exposure under HIPAA’s privacy rules can run for a long time: in January of this year, HIPAA was updated and the protection of PHI was modified from an indefinite time period to 50 years after death.11 While the fines for health care privacy breaches will not likely threaten the existence of a company that stores health care information, such fines have become larger and more frequent in the past two years since the HITECH revisions. Claims against companies for health care breaches have recently included significantly larger demands than in the past. One recent class action against a NY area health care company is seeking $50 million in damages for the release of approximately 200 health care records.12

Additionally, all financial institutions operating internationally are subject to a myriad of laws and regulatory oversights that continue to grow.

Page 7: FINEX: Willis Special Report: Fortune 1000 Cyber Disclosure by ...

Willis North America | Special Report • 10/13 7

INSURANCE COVERAGE FOR CYBER EVENTS (NUMBER OF COMPANIES)

The funds sector is the highest in the Fortune 1000 in disclosing they have insurance for cyber risks at 33%, followed by utilities (15%), then banking and conglomerates (both at 14%), trailed by the insurance and technology sectors (both at 11%).13

INSURANCE COVERAGE F1000 VS FI (Yes / Silent)

Funds        33% / 67%
Banking      14% / 86%
Insurance    11% / 89%
FI           14% / 86%
F 1000       6% / 94%

UNDER-REPORTING SUSPECTED

While formal disclosure suggests that only a small portion of financial institutions are buying cyber insurance, we believe that the rate, particularly among some sub-sectors, may be substantially higher. A recent informal survey of life and health insurance companies conducted by Willis and cyber insurance underwriters found that in the F1000, more than 60% purchased stand-alone cyber coverage. Willis concludes that many companies may be under-reporting insurance covering cyber risks. In our experience, the health care sector has been one of the largest purchasers of stand-alone cyber insurance, but only 1% of this industry subset mentioned purchasing it in their 10-Ks.

When examining the actual F1000 disclosures relating to insurance, we noted that a number of companies described business interruption insurance (typically found in property programs) and professional liability insurance, while a third group mentioned cyber insurance, the coverage specifically designed to address the majority of exposures that companies identified.

While all of these types of insurance may respond, to a greater or lesser degree, no company within the Fortune 1000 made specific mention of Kidnap and Ransom or Commercial Crime (aka Fidelity) insurance. Both of these types of insurance may include coverage for some cyber-related threats.

Some firms mentioned that their existing insurance includes exclusions and other contract limitations that might prevent all or some from responding to any specific cyber event. No companies quantified the amount of insurance carried.


CYBER PROTECTIONS

Financial institutions were more likely to report that they had safeguards in place than the Fortune 1000 companies as a whole, but they also reported, at a higher rate, that they may not have the resources to limit the effects of a cyber loss. These comments usually indicate that technical protections may not be sufficient to contain the effects of some cyber events. About a fifth (21%) of financial institutions reported that they operated with this constraint.

RISK PROTECTIONS F1000 VS FI (percentage of companies; Fortune 1000 / FI)

Reference to Technical Safeguards                            43% / 56%
Cyber Risks Are Covered by Insurance                         6% / 14%
No Comments on Risk Protection                               51% / 34%
Reference to Inability to Have the Resources to Limit Loss   16% / 21%

INDUSTRY-LED, CRITICAL INFRASTRUCTURE SECURITY FRAMEWORK

Because of the threats, impacts and risks that the cyber exposures of critical infrastructure organizations pose to the nation’s economic and national security, on February 12, 2013, the president issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”14 The Executive Order called for the creation of a voluntary, risk-based cybersecurity framework that is “prioritized, flexible, repeatable, performance-based, and cost-effective,” and is developed and implemented in partnership with owners and operators of the nation’s critical infrastructure.

The goal is for the Framework to be based on practices developed, managed and updated by industry, evolving with technological advances and aligning with business needs. It would establish a common structure for managing cybersecurity risk, and help firms identify and understand the organization’s dependencies with its business partners, vendors and suppliers.

The Department of Homeland Security (DHS) is the U.S. federal government’s top agency for coordinating the protection, prevention, mitigation and recovery from cyber incidents. Sector-specific agencies (SSAs) are responsible for helping to characterize risks and threats unique to critical infrastructure entities in their respective sectors.15

Every organization providing critical infrastructure services, including most, if not all, of the financial institutions in the Fortune 1000, was invited to be an active participant in the development, validation and implementation of the Cybersecurity Framework.


RESILIENCY AND INTERDEPENDENCY

A number of public and private groups have the stated goal of addressing evolving threats and the risks presented by the FI sector’s interdependence. Two of the top groups are:

The Financial and Banking Information Infrastructure Committee (FBIIC) Charged with improving communications and coordination among the financial regulators and enhancing the sector’s resiliency.16

The Financial Services-Information Sharing and Analysis Center (ISAC) A private sector organization with the goal of sharing specific threat and vulnerability information – including cyber – and to share best practices on incident response.17

One important fact that these IT risk management organizations have recognized is that large financial organizations are reliant upon other sectors and vendors to keep their technology operating. Four key sector dependencies have been identified: 1) energy, 2) information technology, 3) transportation systems and 4) communications.18 This is further complicated by the fact that the sector as a whole is also heavily reliant on an extensive supply chain which often includes third-party vendors from outside the U.S.

THE FUTURE

With financial institutions at the center of the world’s economic activity, they are perceived by terrorists, state-sponsored and otherwise, hacktivists, cyber criminals, disgruntled employees and hackers as prime targets. They have been the object of some of the most widely publicized cyber attacks in the last year. As networks become more sophisticated and the level of technology required by consumers grows, we can reasonably expect the level of cyber activity to continue to grow and risks to expand accordingly.

Organizations of all sizes in the financial institution sector are currently exposed, from the very largest, in our report, to those not as heavily capitalized.19

Congress has been unable to bring legislation to set standards acceptable to either corporations or politicians to a successful conclusion. We will therefore likely see all branches of government with a vested interest in keeping financial institutions safe from cyber criminals work with whatever levers of influence are available to them. The SEC is one part of a diversified governmental approach that we anticipate will continue to build in order to keep financial institutions and others safe from a cyber meltdown. Willis will provide further information on these developments and report on the important milestones as they occur.


ACRONYMS

The Bank Service Company Act (BSCA)
The Consumer Financial Protection Bureau (CFPB)
The Department of Homeland Security (DHS)
The Federal Deposit Insurance Corporation (FDIC)
The Federal Financial Institutions Examination Council (FFIEC)
The Financial and Banking Information Infrastructure Committee (FBIIC)
The Gramm-Leach-Bliley Act (GLBA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Information technology (IT)
The National Credit Union Administration (NCUA)
The New York State Department of Financial Services (DFS)
The Office of the Comptroller of the Currency (OCC)
The Payment Card Industry Data Security Standard (PCI DSS)
Personally identifiable information (PII)
Protected health information (PHI)
Sector specific agencies (SSAs)
The State Liaison Committee (SLC)
Technology service providers (TSPs)

______________________________________________________________________________________________

1 The disclosure was in response to guidance from the U.S. Securities and Exchange Commission, as found in CF Disclosure Guidance, Topic No. 2: Cybersecurity, October 13, 2011. http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

2 A recent example of this would include the denial of service attacks against large banks allegedly in retaliation for the Stuxnet worm attack on Iranian nuclear facilities. http://www.pcworld.com/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html

3 Source information licensed from Risk Based Security, Inc. using the information from their DataLossDB database. http://www.riskbasedsecurity.com/about/; http://datalossdb.org/

4 Federal Financial Institutions Examination Council, Docket No. FFIEC-2013-0001, Social Media: Consumer Compliance Risk Management Guidance.

5 FFIEC prescribes uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).

6 Financial Institution Letter, FIL-56-2010, September 15, 2010.

7 http://www.fdicoig.gov/reports06/06-015-508.shtml

8 The Financial Modernization Act of 1999.

9 This was done through the New York State Department of Financial Services (DFS), which sent “308 Letters” to the largest insurance companies that DFS regulates. “308 letters” are requests for information to which insurers are legally required to respond. It should also be noted that earlier in the year, DFS sent similar inquiries to the largest banks that it regulates. http://www.governor.ny.gov/press/05282013-cuomo-launches-inquiry-cyber-threats-insurance-companies


10 All employer sponsored health plans are also subject to HIPAA and its privacy rule, but health insurers have the PHI of their clients as well as their own employees, vastly expanding this potential cyber-privacy exposure.

11 http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html

12 Abdale et al v. North Shore-Long Island Jewish Health System, Inc. et al. http://healthitsecurity.com/2013/02/07/patients-sue-hospital-for-health-data-breach-damages/

13 But note that the number of firms in this group was very small and this may have influenced the outcome.

14 Order 13636 at http://www.archives.gov/federal-register/executive-orders/2013.html

15 http://www.dhs.gov/enhanced-cybersecurity-services

16 http://www.fbiic.gov

17 http://www.fsisac.com

18 This identification comes from the Department of the Treasury and the FBIIC. Note that the Department of the Treasury was named as the sector’s Federal Government Sector Specific Agency in Homeland Security Presidential Directive 7. See: National Infrastructure Protection Plan; Banking and Finance Sector at www.dhs.gov/nipp

19 Mid and small size institutions, without the most sophisticated tools to fight incursions, are the likely target of specialized attacks taking advantage of the technology gap.

OTHER SUGGESTED READING

Download the Willis Fortune 1000 Cyber Disclosure Report: http://blog.willis.com/downloads/cyber-disclosure-fortune-1000-2013/

Download the Willis Fortune 500 Cyber Disclosure Study, 2013:http://blog.willis.com/downloads/cyber-disclosure-fortune-500/

http://blog.willis.com/2013/06/cyber-disclosures-of-the-fortune-500-how-companies-rate-their-cyber-exposure-for-the-sec/

http://blog.willis.com/2013/06/cyber-disclosures-of-the-fortune-500-how-cyber-exposures-are-likely-to-manifest/

http://blog.willis.com/2013/06/cyber-disclosures-of-the-fortune-500-how-companies-are-mitigating-their-cyber-risk/


Willis North America Inc.

One World Financial Center200 Liberty Street, 7th FloorNew YorkNew York 10281-1003United StatesTel: +1 212 915 8888

www.willis.com

FINEX Alerts, newsletters and white papers provide a general overview and discussion on a wide range of topics. They are not intended, and should not be used, as a substitute for legal advice in any specific situation.
