More than half of US Fortune 500 companies admit they would face “serious harm” or be “adversely impacted” by a cyber attack, according to a report by Willis.

But only 6% have cyber risk insurance, “even though recent market surveys are showing significantly higher take-up rates… among public companies”, the Willis Fortune 500 Cyber Disclosure Report says.

About 15% of companies admit they do not have the resources to protect against critical attacks.

The three leading cyber risks identified by respondents are loss or theft of confidential data (raised by 65% of companies), loss of reputation (50%) and direct loss from malicious acts such as hackers or viruses (48%).

Some companies may be overlooking critical exposures, according to report co-author and Willis North America executive Chris Keegan.

“Only one in five… mentions cyber terror as a factor, despite the heightened emphasis on cyber terror by the US Government.

“In addition, only one in 10… detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what we see in our day-to-day practice.”

About 12% of the Fortune 500 companies are failing to publicly disclose their potential exposure to cyber attack, including some that seem to have cyber exposures, Willis says.

They included an insurance company, a pharmaceutical group, a restaurant chain and a healthcare provider.

The report tracks companies’ responses to US Securities and Exchange Commission guidelines calling for extensive disclosures of cyber exposures.