April 24, 2014

Nearly 60% of retail companies describe their cyber security exposure as "significant," "serious," or "critical," but another 9% are not reporting any cyber security exposure at all, according to a report published Wednesday.

According to a study of filings with the Securities and Exchange Commission conducted by risk advisor and insurance broker Willis Group Holdings, almost a tenth of retailers have not reported any cyber risk in financial documents filed with the SEC, which has required such reporting since Oct. 2011. The report describes the non-disclosure as "surprising," given the high-profile breaches recently discovered at retail chains such as Target, Michaels, and Neiman-Marcus.

Among those that did report cyber exposure, the top three risks cited were privacy/loss of confidential data (74%), reputation risk (66%), and cyber liability (61%). Cyber risk at the hands of outsourced vendors ranked at just 9%, a result Willis also describes as "surprising," given the level of outsourcing across the sector and retailers' heavy reliance on third-party technology partners.

Read the rest of this article on Dark Reading