The very technologies that have revolutionised business operations have also created new, but poorly understood risks that companies have yet to manage effectively, according to a major survey of executives at 1,500 companies in the US and Europe. Moreover, the risks are not limited just to the Amazon.coms and Microsofts. Virtually any company with a computer, whether high-tech or lo-tech, is at risk.

The study, conducted for the St Paul Companies, the US-based global insurer, revealed a serious and growing gap between exposures and insurance coverage. This gap leaves many businesses overconfident and underprepared for high-tech risks. Executives participating in the survey, conducted last towards the end of last year, are those responsible for their companies' insurance programmes. This is the first major study to gauge the preparedness of companies for the emerging risks of e-technology.

The survey finds that companies rely chiefly on systems-based protection, such as anti-virus software and computer firewalls, to prevent losses from technology risks. However, technology risk extends well beyond viruses and firewalls. Any company with a computer network or an e-commerce site faces significant financial risk from exposures involving intellectual property, privacy and first-party risks from computer fraud, business disruption and denial of service.

Risk management is having a difficult time keeping pace with these growing exposures, according to the executives surveyed. Not only are companies unsure of the risks presented to their business operations, but they also have substantial difficulty understanding what types and levels of insurance coverage they need.

Also, as businesses rely increasingly on technology, employees and customers have increased access to company data and information in an environment with untested legal liabilities. The global nature of e-commerce, varying legal systems and the speed with which new innovations are brought to market further complicate the challenges facing companies today, leading many firms into uncharted waters of liability risks as well as those which affect their revenue streams.

Highlights and key findings of the survey included:

  • computer, internet and e-commerce risks are considered among the most important risks companies will be facing in the next few years. US corporate risk managers and their insurance agents and brokers consider such issues to rank second only to employment-related risks. In Europe, risk managers consider technology risks to be the primary concern (figure 1);
  • only 25% of US companies and 34% of European companies believe their existing property/casualty coverage covers them ‘very adequately' from e-risk. They identify their biggest shortcomings in the areas of product liability insurance for software and hardware products (only 36% say they have coverage), access to and misappropriation of the company's intellectual property (40% claim coverage), unintentional infringement of the intellectual property of others (44%), unauthorised access to computer systems and misappropriation of data (50%), sexual harassment resulting from inappropriate e-mail from an employee (62%), and damage or destruction of data by hackers (65%);
  • more than one in three companies give themselves fair-to-poor marks in identifying potential risks and liabilities from internet technology and e-commerce activities. Just 16% rate their efforts as ‘excellent' (figure 2);
  • nearly all US and European companies have taken similar steps to protect themselves from technology-related risks, such as installing anti-virus software and firewalls, establishing standard security procedures, and auditing the security of their systems; and
  • employees may be the real chink in the armour, according to risk managers. Almost any employee sitting at a networked terminal could provide an entry point for hackers. Yet only six in ten companies have implemented employee-training programs to lower their technology risk. Risk managers gave their companies' employees low grades (27% positive in US, 38% positive in Europe) in understanding and minimising cyber risk.

    Need for leadership
    Only 25% of US companies and 30% of European companies surveyed had risk management committees or other formal structures to identify and monitor technology risk. Of those companies with such a committee or structure, only half – or about 13% of total respondents – felt it was effective. Only about three in ten risk managers surveyed had reviewed the potential technological risks posed by a merger or acquisition involving their company (figure 3).

    For many companies, there is a leadership opportunity on this issue. Senior management has the responsibility to take the lead and foster a partnership approach between their information technology (IT) departments and risk management functions, though these two departments are not natural allies in many companies. As one risk manager commented, “We always need to pull information from the IT people, who are not great communicators.”

    Fast-paced environment
    US and European corporate risk managers' understanding of technology risk is less than adequate, according to the managers themselves. About four in ten risk managers say they have only a ‘fair' to ‘poor' understanding of technology risk. Very few (about 10% overall) say their understanding is ‘excellent' (figure 4). Only 52% of US corporate risk managers have inventoried and quantified the technology risks their companies face, compared to 67% among European risk managers. Corporate risk managers both in the US and Europe (65% and 57%, respectively) defer to their IT departments as having primary responsibility for identifying and monitoring technology risks.

    In recent times, the ‘Y2K' issue, which required companies to prepare their computer systems for the rollover to 2000, sensitised many companies to technology risks. However, 42% of US corporations and 38% of European corporations said the rollover had little impact on their firms' approach to technology risk.

    For a model of how to prepare for technology risk, companies should study financial services, according to the study. Risk managers at more than 350 banks, thrifts and other financial services institutions were surveyed.

    Banks and other financial services firms have begun to address the problem effectively, particularly in the US. Of the types of companies surveyed, financial services firms scored high in awareness, identification and management of technology risks. For example, risk managers at 75% of US financial services companies surveyed said their firms were good or excellent at identifying and managing e-risks, compared with the broader cross-section of US companies, where about two-thirds of the companies were rated as good or excellent.

    Brokers sceptical
    US insurance agents and brokers (intermediaries were surveyed only in the US) have an even more critical view of their own and their clients' cyber-risk preparedness. Brokers said they themselves have only a ‘fair' understanding of the technology risks facing their clients, and felt their clients are not much better. A scant 19% of brokers and agents gave their clients positive marks (excellent/good) on identifying e-risk. Companies are much more optimistic, with about six in ten (61%) giving themselves high marks.

    More importantly, agents and brokers questioned the extent to which client companies are actually covered. For example, only 20% of US brokers believed that their clients would be covered for denial of service problems, compared to 39% of companies. Few brokers (27%) said that their clients' policies would not cover hacker attacks. However, almost half of companies (47%) believe that they are covered (figure 5).

    With every click
    Cyber-risk insurance today appears to be in a similar state as was professional/ management liability and errors and omissions insurance 20 years ago, several risk managers commented during in-depth discussions. At that time, the risks were growing, but their coverage was a bit behind the curve, and it took a spate of high profile incidents and lawsuits for this coverage to become standard in today's companies. That may be the path that awaits cyber-risk coverage today.

    The independent New York-based opinion research firm of Schulman, Ronca & Bucuvalas, Inc. (SRBI) conducted the survey between August 25-November 15, 2000. The companies surveyed, based in both the US and Europe, included a broad range of industries, as well as additional samplings of financial services companies and high-tech firms. In the US, insurance agents and brokers also were surveyed.

    For complete results of the survey and technical details on, ‘The E-Frontier: New Challenges to Corporate Risk Management', log on to http://www.stpaul.com/cyberrisk-survey.