Posted on 03 May 2011
As the threat of devastating cyber attacks across all sectors continues to increase, the vast majority of companies (73%) have not purchased network liability policies, according to a 2011 Risk and Finance Manager survey conducted by global professional services company Towers Watson.
Further, of those not having such policies in place, 37% said their own internal information technology (IT) departments and controls are adequate, while 15% either said the cost of a risk transfer solution is prohibitive, or that they aren’t overly concerned about the risk.
“I think we’re seeing a lot of companies in the market right now that have a false sense of security and an overreliance on their own IT organization,” said Larry Racioppo of the executive liability group in Towers Watson’s Brokerage business. “Risk managers need to take a broader look at how they can manage the risks associated with cyber attacks from a corporate, financial and reputational standpoint.”
Of the 27% that have purchased network liability policies, the majority (61%) bought $10 million to $49.9 million limits; only 8% purchased $50 million or more. The median amount purchased was $10 million. While there was a wide range of reasons for how they arrived at the particular limit purchased, 36% said the limit was proposed by their broker, while 15% said they reviewed the level of the exposure with a third-party cyber risk management firm.
“Technology changes at such a rapid pace, there are new risks — potentially more damaging risks — that will undoubtedly occur, and companies have to continue to find better ways to manage and mitigate those risks, and make sure that they do all they can should they become exposed to a particular threat,” Racioppo said.
The survey of 164 risk and finance managers also found that, despite the uncertain financial climate, 54% said they have established enterprise risk management (ERM) capabilities — down one percentage point from the previous survey conducted last year. Further, an overwhelming majority (83%) said they have identified and prioritized key risks, and have assigned risk owners, up from 73% a year ago. While far fewer either regularly quantify key risks (42%) or integrate risk metrics into their budget and planning process (31%), the findings did show an increase in those two areas from last year (36% and 17%, respectively).
Forty-six percent of risk managers said their company does not have a true enterprise risk management (ERM) process in place. Of the companies that currently do not utilize ERM, 42% said that there has been no articulation of the value of implementing ERM (up from 37% in the previous survey), while 29% noted that ERM was too resource-intense and expensive to pursue, up slightly from last years findings (27%).
“Not a significant amount has changed with regard to implementation, although a growing number of risk managers are identifying and quantifying key risks that could dramatically impact their organizations,” said Barry Franklin, a director in Towers Watson's Corporate Risk Management practice. “I think we’re also seeing that many companies are now getting their financial ‘sea legs’ after the financial downturn of a few years ago and are beginning to take a strong look once again at ERM.”
Among other highlights of the Towers Watson survey:
• Despite events over the past year, such as the BP Deepwater Horizon disaster, earthquakes in Chile, New Zealand and, most recently, the March 11 magnitude 9.0 Japanese earthquake (the fifth-largest ever recorded worldwide) and subsequent tsunami, less than half of the respondents (49%) said the impact of those high-profile disasters had an effect on their risk modeling and business continuity programs.
• Predictive modeling is also becoming more prevalent. When asked about their use of statistical models to identify targeted risk control and claim management strategies, 24% indicated they would like their broker to have access to predictive models to focus the risk control and claim efforts of their providers, while 20% said they would like their risk control and claim providers to have access to predictive models as part of their service bundle.
About the survey:
One hundred sixty-four risk managers participated in the web-based survey, which was conducted between March 22 and April 1, 2011. The participating companies were from a variety of industries, with 57% of them having revenues of at least $1 billion.