Cyber threats and security breaches forcing companies to re-evaluate risk management

Risk managers are being forced to reconsider how they protect company data and proprietary information because of cyber threats and security and privacy breachs, according to a recent survey from Towers Watson. 

The Risk and Finance Manager Survey examined how North American companies use outside resources, tool and frameworks to address their risk exposure across a variety of eventualities, ranging from a hardening property and casualty insurance market to natural catastrophes and the threat of terrorism.

The average policy limits purchased for network security/privacy liability policies were $18.1 million, which is an increase of 46% year over year, according to the survey of 123 risk managers.

Furthermore, 39% of respondents purchased network security/privacy liability policies, which is an 11-percentage-point rise from last year. Thirty-one percent of respondents said their internal IT department/controls were adequate when asked why they had not purchased a policy.

“Our survey results show a mounting awareness of cyber-attack capabilities, which require a more comprehensive protective net than reliance on even the most capable IT staff,” said Larry Racioppo, vice president of the executive liability group at Towers Watson. “Yet, six in ten companies are still without a liability policy in place, and this is alarming. The financial and reputational costs companies face could be enormous if they don’t develop comprehensive risk strategies to thwart cyber-attacks.”

Two-thirds (67%) of respondents said they have an enterprise risk management (ERM) program, which is a 10-percentage-point increase over last year. That growth, however, stems primarily from financial services companies, where 97% or indicated they have an ERM program, as compared to 56% of non-financial organizations.

Those with an ERM program in place still have a gap between ERM process and ensuing ERM action. Only 40% with ERM programs routinely quantify their key risks and utilize these metrics in making business decisions. Additionally, only 28% of executive committee/boards of directors actively use ERM as part of their strategic decision-making process. Furthermore, less than 24% integrate their risk metrics into budgeting and planning.

“Companies with ERM programs have well-defined processes in place, but they could do a better job of integrating ERM into their operations and the decision-making processes, especially if they want to benefit from a comprehensive risk detection and management program that benefits all of their stakeholders,” noted Steve Levene, risk advisory and brokerage group leader at Towers Watson.

When the survey looked at a company’s risk appetite and assessment, it found that 22% had not explicitly set any risk appetite level. Once companies did determine their risk assessment, many failed to communicate their findings across the operational level of their organization. Only 43% trained their employees — and only 20% trained their risk owners — on general risk issues.

“Only with full company-wide participation will a holistic approach to risk management occur,” said Levene. “There are evident lapses in the communication of risk assessment, from the corporate through the operational levels. These gaps are a call to action for a regular self-assessment process that needs to take place.”

The survey also found, using Superstorm Sandy as a gauge for judging a company’s level of preparedness, that there is a shortcoming in vendor preparedness. Nearly a quarter cited some deficiencies while 7% said their companies were flat-out unprepared when it came to vendor identification.

“Without adjusters and forensic accountants identified prior to major catastrophic losses, companies will have trouble getting their claim process moving quickly,” said Brendan Osean, property practice leader of the risk advisory and brokerage group atTowers Watson. “They’ll wait in line when a catastrophe strikes, and this time lost could have a critical impact on their long-term well-being.”