
Sectors silent on cyber strategies in face of high risks

The different sectors at high risk of a cyber security breach vary greatly in their cyber disclosures, a Moody’s report says.

The lack of transparency about cyber security strategies could erode confidence and affect credit quality, it warns.

The companies reviewed operate in North America, Asia and the emerging markets.

Banks, telcos and media provide detailed disclosures of their cyber security strategies, and describe their oversight of these risks. They are the most at risk of experiencing a cyber security attack, Moody’s says.

Telco and media companies appear to be heavy adopters of cyber insurance, but they are not disclosing the amounts insured, type or scope of coverage.

The ratings agency says insurance program limits of $25-$100 million are common, but the cost of recovering from a cyber attack can reach hundreds of millions.

Hospitals and healthcare providers have the least complete disclosures of all the sectors reviewed. Fewer than half of the companies detail how their boards oversee cyber risk, and only a handful discuss their strategy for managing it, the report says.

In the retail, health insurance, medical devices and transportation sectors, companies aren’t citing cyber in their risk discussions. Nor are they disclosing governance structures around cyber risk, and few are providing details of cyber risk mitigation, even though they face medium to high risks.

“This is surprising given Target, Marriott International and FedEx all fell victim to large-scale cyber attacks.”

There are significant geographical divergences as well. Some 90% of US and European companies mention cyber security in their financial disclosures, but less than 60% of Asian companies cite it.

US companies are more likely to rely on insurance to mitigate their risks, while European companies are more likely to offer “detailed discussions about their internal infrastructure”.

This may reflect different regulatory and cultural regimes, Moody’s says.

The report admits that some companies may choose to withhold information for security reasons, so limited disclosures don’t necessarily mean they aren’t prepared to deal with the threat.