A survey of North American companies reveals they’re showing an increased interest in cyber liability insurance, yet many of them believe their own methods offer enough protection.
Risk managers are reacting to the increasing threat of security and privacy breaches by considering how they secure their data, according to global professional services company Towers Watson.
The survey examined how North American companies use outside resources, tools and frameworks to address their risk exposure across a variety of eventualities, ranging from a hardening property and casualty insurance market to natural catastrophes and the threat of terrorism.
The Risk and Finance Manager Survey found that the average policy limits purchased for network security/privacy liability policies were $18.1 million, a 46 percent increase year over year.
Nearly two-fifths (39 percent) of respondents purchased network security/privacy liability policies, an 11-percentage-point rise from last year. Among those who went without a policy, 31 percent said their internal IT department/controls were adequate.
“Our survey results show a mounting awareness of cyber-attack capabilities, which require a more comprehensive protective net than reliance on even the most capable IT staff,” Larry Racioppo, vice president of Towers Watson’s Executive Liability Group, said in a statement. “Yet, six in ten companies are still without a liability policy in place, and this is alarming. The financial and reputational costs companies face could be enormous if they don’t develop comprehensive risk strategies to thwart cyber-attacks.”
The survey revealed modest improvement for maintaining Enterprise Risk Management programs, with a full two-thirds (67 percent) saying they have an ERM program in place. This is a 10-percentage-point increase from last year, with most of the growth coming from financial services companies, where 97 percent indicated they have an ERM program, compared to just 56 percent of non-financial services organizations.
For those organizations with ERM programs in place, there is a gap between ERM process and ensuing ERM action within the company. Just two-fifths (40 percent) of the respondents with ERM programs regularly quantify their key risks and utilize these metrics in making business decisions.
Only 28 percent of executive committee/boards of directors actively use ERM as part of their strategic decision-making process, and less than one-quarter (24 percent) integrate their risk metrics into budgeting and planning.
“Companies with ERM programs have well-defined processes in place, but they could do a better job of integrating ERM into their operations and the decision-making processes, especially if they want to benefit from a comprehensive risk detection and management program that benefits all of their stakeholders,” Steve Levene, a Towers Watson Risk Advisory and Brokerage group leader, said in a statement.
The survey also assessed companies’ risk appetite and risk assessment, and the results revealed that a sizable portion (22 percent) had not explicitly set any risk appetite level.
Once companies determined their risk assessment, the survey found many of them failed to communicate the findings across the operational level of their organization. Less than half (43 percent) trained their employees on general risk issues such as information security, employment practices and workplace safety, and only one-fifth (20 percent) trained their risk owners.
“Only with full company-wide participation will a holistic approach to risk management occur,” Levene said. “There are evident lapses in the communication of risk assessment, from the corporate through the operational levels. These gaps are a call to action for a regular self-assessment process that needs to take place.”
Participants also weighed in on their level of preparedness for Superstorm Sandy. Vendor identifications, such as those selected for restoration and forensic accountants, stood out as a shortcoming. Nearly one-quarter (23 percent) cited some deficiencies in vendor identification preparedness, while 7 percent said their companies were flat-out unprepared.
“Without adjusters and forensic accountants identified prior to major catastrophic losses, companies will have trouble getting their claim process moving quickly. They’ll wait in line when a catastrophe strikes, and this time lost could have a critical impact on their long-term well-being,” said Brendan Osean, a Towers Watson property practice leader in the Risk Advisory & Brokerage group.
Respondents also evaluated their terrorism insurance coverage. Two-thirds (66 percent) raised concerns about the implications of the sunset to the Terrorism Risk Insurance Program Reauthorization Act and 62 percent are considering action in preparation for its possible outcomes, including 17 percent contemplating options for stand-alone terrorism placement.
“This level of uncertainty, over 18 months away from TRIPRA sunset, is concerning and will only increase over time,” Christof Bentele, chief broking officer, Crisis Management practice at Towers Watson, said in a statement.