Survey: Risk managers lack understanding of e-risks

Risk & Insurance, April 1, 2002 by Lori Widmer

Companies in both the U.S. and overseas are overconfident and under-prepared for technology risks. So says a new survey released by St. Paul Cos. Inc. The survey of 1,500 chief financial officers, risk managers, and insurance brokers from the United States and Europe showed that the problem isn't with lack of technology solutions, but with lack of understanding of how to apply those solutions.

St. Paul's E-Frontier survey, conducted by New York-based Schulman, Ronca & Bucuvalas Inc., found that computer, Internet, and e-commerce risks are some of the most important risks a company faces. European risk managers believe that technology is their number one risk, while U.S. risk managers believe it to be number two after employment practices. Thirty percent of all surveyed identified technology risks as major concerns.

While risk managers obviously can identify the possibility of risk, they don't have an understanding of how to manage it, according to the survey. Four in 100 surveyed said that they have only a fair to poor understanding of e-risk. And 75 percent of companies have no formal process in place to monitor and manage the risk.

"Any company doing business on the Internet today faces a wide variety of risks and exposures," says Jon Farber, assistant VP of the global technology underwriting division of St. Paul. "Those risks and exposures could create huge financial losses if companies don't address them properly." Given that the majority of corporate risk managers defer the responsibility for e-risk to their IT departments, companies could be missing some key areas of risk, if left unchecked.

The "Big Three" of technology-based risks, according to St. Paul, are intellectual property risks, privacy, and network security. Yet while computer security has long held the headlines, the study results indicate that liability exposures in these areas are a much bigger threat. Scarier still is the news that corporate risk managers consider their current insurance coverage for technology risk as "somewhat adequate."

"Those risks include things such as copyright and trademark infringement, failure to protect confidential information, computer viruses and denial-of-service attacks," says Farber. "And, unfortunately, most corporate risk managers don't have the necessary tools or background to address these technology risks."

Minimizing risks require clear, concise company policies and procedures that are available to everyone in the organization, says Farber. A key area many don't think of as a risk is the technologies created by outside contractors or vendors. Is there an infringement threat, he asks. Companies should require outside vendors as well as employees to sign a nondisclosure agreement to protect intellectual property.

Protecting privacy includes using secure servers and encryption to safeguard personal information on the company network. Limiting access to private information means making sure other employees or contractors don't have access to the information. Also, says Farber, understand what information is being collected for you by contractors or vendors.

Network security protection means having and using a written security policy, says Farber. Also important is to review the policy periodically. Managing passwords, using anti-virus software, having firewalls in place, even a business continuity plan will help to safeguard the company systems.