Report Finds S&P Companies Are Underinsured for Cybersecurity Risk

The third annual Deloitte-Arkley Report on risk factor disclosures identifies surprises and challenges as cybersecurity threats increase.

According to the Deloitte-Arkley report survey, companies noted that cybersecurity risk is increasing.

Government agencies, foreign nations, private companies. No one seems immune to the threat of a cybersecurity attack — even the healthcare field. Ascension, a private healthcare system, is currently recovering from a major breach that affected its hospital services nationwide.

While companies may face a number of challenges to their business model, cybersecurity remains top of mind. So much so, it became the center of attention in the third annual report on disclosures released in November 2023 by global consulting firm Deloitte and the Peter Arkley Institute for Risk Management.

“Every year, the Arkley Institute and Deloitte take a deep dive into a particular area of risk in public company risk factor disclosures. In 2023, our focus was on cyber,” said Kristen Jaconi, executive director of the Arkley Institute and associate professor of the practice in accounting.

Given the U.S. Securities and Exchange Commission’s (SEC) release last year of its cybersecurity rule (requiring public companies to disclose both material cybersecurity incidents and information regarding their cybersecurity risk management, strategy, and governance), the timing of this report was perfect: All 440 of the S&P 500 companies surveyed in the report noted cybersecurity risk in at least one risk factor, with over 80% discussing this risk in multiple risk factors.

What do the disclosures suggest is amplifying these cybersecurity risks? Geopolitical tensions, including the war in Ukraine, and remote work rose to the top of company concerns.

While that’s not a shock, the Deloitte-Arkley report revealed a few surprises of its own, Jaconi notes.

“We found the cyber insurance protection gap is real,” Jaconi said. “Nearly half our largest public companies are underinsured for cybersecurity risk, and a couple don’t even carry cyber insurance.”

According to the report’s analysis, nearly 50 companies disclosed they would be unlikely to acquire cyber insurance on acceptable terms. Two companies stated they did not carry cyber insurance at all, with one of them acknowledging the costs and restricted coverage as causes for not carrying cyber insurance.

“The combination of a rapidly morphing cybersecurity risk and limited historical and standardized data has presented challenges to insurers’ models to price cybersecurity insurance accurately,” Jaconi explained. “The past few years, insurers have disclosed significant losses on cyber. Because of these losses and the uncertainty surrounding cybersecurity risk, insurers are being more selective on coverage.”

The Deloitte-Arkley report found that over 40% of companies disclosed explicitly that they had not experienced a material cybersecurity incident. “Material” is the key word.

The SEC required disclosure of material cybersecurity incidents (and, in fact, of anything material to a reasonable investor) even before the final rule; now, however, the enhanced guidance explicitly requires the disclosure of material cybersecurity incidents.

The report further notes that certain sectors were more likely to report that they had not experienced a material cybersecurity incident, with half or nearly half of the companies in the Utilities, Materials, Industrials, Financials, Energy, and Consumer Staples sectors so stating.

About 10% of companies discussed specific cybersecurity incidents they had experienced, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident.

Deloitte and the Arkley Institute have worked closely together over the last three years for the deep dive series. Each organization brings valuable, yet different perspectives, including those from student researchers.

Owen Ticer ’24 is one of those students who validated the data required to report the results of the study. And it’s not his first time. Ticer relished the added responsibility for this report, now that his former student partners had graduated the previous spring.

“Most of the initial research had been done, but my role was to sift through all the data and verify the data. I managed a large spreadsheet to analyze all the findings,” Ticer shared.

Nothing in the final report was too shocking for the recent graduate who majored in Public Policy with a minor in Risk Management.

“It was really interesting to see how certain companies approach different strategies for cybersecurity risk and understanding the struggle to get insurance,” Ticer added.

Interning for AIG and working as a research assistant for the Arkley Institute have prepared Ticer for the future. The experiences have sparked his interest in a career as a cybersecurity insurance underwriter.

“Through these experiences, I have a deeper understanding of the potential threats to companies with cybersecurity risks, but it’s still only the surface,” Ticer said. “It’s not ‘if,’ but ‘when’ you’ll likely be hacked.”

The learning outcomes undoubtedly will help Ticer apply what he knows post-graduation at AIG. As cybersecurity risk continues to rise, it’s almost a given the insurance industry is going to need students like Ticer studying risk management to safeguard the future.

The examples highlighted above are just a few of the key findings. Read the full report analyzing general risk factor disclosures as well as cybersecurity risk factor disclosures and recommendations.