Although companies in the US continue to invest in IT security, anti-virus software and other technological protection, risk managers are 'out of the loop' when it comes to assessing and managing their organisations' internet liability risks, according to research by The St. Paul Companies, USA.
Despite growing evidence of the risks of doing business via the internet, companies in the US are under-estimating those risks and not adequately training employees to deal with them. The survey of 460 companies, The E-Frontier 2002: Continuing Threats to Corporate Risk Management, examines data from 501 IT managers and corporate risk managers (who are responsible for their firms' insurance coverage). The survey showed that there is widespread conflict between risk managers and IT managers on this issue.
When asked about the impact of the September 11 attacks and their aftermath on the management of internet technology risks, most respondents said these events had little impact on their efforts to manage risks, and have not prompted increased involvement by senior management in addressing 'cyber-risks'. As few as 33% of respondents said that their companies are more likely to identify and manage e-risks than they were a year ago.
Close the gap
The survey indicates that businesses need to more fully address e-risks right now - such as failure to protect confidential information, intellectual property infringement and failure to prevent transmission of computer viruses - before they experience major financial losses.
A similar survey last year showed that many risk managers felt challenged, or even reluctant, to intrude into their companies' IT departments - often because they felt under-prepared to grasp the technical aspects of IT. The new survey indicates that this gap poses a serious risk for many companies.
More than half of the companies surveyed engage directly in e-commerce, and another 16% plan to launch e-commerce initiatives in the coming year. Of the companies conducting e-commerce, 33% store private client information (such as credit card information, social security numbers, purchase history and health data) online.
As e-commerce increases, however, few companies are assessing the third-party liability risks inherent in doing business via the internet. Some 75% of companies indicate that they rely on technology, including firewalls and virus protection software, to manage internet risks - while only 55% of the risk managers surveyed have actually reviewed their existing insurance coverage for e-risks.
Of that group, only 41% are covered for intellectual property infringement, and even fewer for 'hacker damage' (37%), online libel or slander (36%) or customer privacy issues (32%). Only 37% of risk managers cited cost as a reason for not obtaining e-risk coverage. But companies can't solely depend on technology for protection - they can't ignore the liabilities that result when employees or others have technological access to corporate assets and resources.
With regard to the apparent gap between risk managers and IT managers in managing the risks of doing business on the internet, the survey revealed several key factors:
- IT managers report many more internet-related problems and losses than risk managers do - indicating that risk managers do not see the full range of cyber-risk problems. For example, 28% of IT managers reported losses due to hacker damage, viruses or denial of service attacks, compared with only 1% of risk managers reporting those events.
- Over a third of IT managers (37%) and 14% of risk managers say they do not interact at all with their counterparts. The rest spend very little time cooperating on cyber-risk issues.
- Most risk managers (75%) and IT managers (89%) assign primary responsibility for cyber-risk to the IT department, with only one in three risk managers having any responsibility in this area. Risk managers tend to get involved in cyber-risk issues only when losses are significant or the potential for a lawsuit is high.
- Most IT managers (90%) say their understanding of cyber-risk is good or excellent, but they believe that only half of their risk-management counterparts have the same level of understanding.
Very few risk managers (24%) and IT managers (14%) rate their companies as 'excellent' in managing internet risks and exposures. Around 25% from both groups rated their companies' efforts as poor or 'just fair'.
When asked to rank the significance of internet risk, only 20% of IT managers and 10% of risk managers rated it as a major risk for their companies. At the same time, 75% of both risk managers and IT managers rated employee understanding of e-risk as either fair or not very good. Fewer than half of the companies surveyed have developed employee awareness and training programs for internet risk. In addition, only half of the IT managers surveyed have worked with other departments in their companies to identify and quantify internet risk.
Identify the risks
"Looking back to September 11, although the attacks did not directly involve technology, the heightened attention to security that resulted needs to extend to cyber-risks," explained Bill Rohde, president of global technology at The St. Paul Companies. "As companies conduct business via the internet, they are opening themselves up to a new set of risks and dangers, and those risks must be better understood, quantified and managed."