60% of Companies Lack Cyber Liability Coverage

The average policy limits for network security-and-privacy liability policies increased 46 percent year-over-year to $18.1 million, and 39 percent of survey participants purchased network security-and-privacy liability policies, an 11-percent increase from last year, according to Towers Watson’s annual “Risk and Finance Manager Survey.” The number of those who had not purchased a policy decreased 31 percent from the year prior and said their internal IT department/controls were adequate.

“Our survey results show a mounting awareness of cyber-attack capabilities, which require a more comprehensive protective net than reliance on even the most capable IT staff,” said Larry Racioppo, VP, executive liability group, Towers Watson. “Yet, six in ten companies are still without a liability policy in place, and this is alarming. The financial and reputational costs companies face could be enormous if they don’t develop comprehensive risk strategies to thwart cyber-attacks.”

According to the survey results, 67 percent have an ERM program in place, a 10-percent increase compared to last year; 97 percent of financial services companies said they have an ERM program, compared to 56 percent of non-financial services organizations.

For those with ERM in place, there is a gap between ERM process and ensuing ERM action within the company, Towers Watson said; 40 percent of respondents with ERM programs regularly quantify key risks and use those metrics to make business decisions; 28 percent of executive committee/boards of directors use ERM in strategic decision-making and 24 percent integrate their risk metrics into budgeting and planning.

“Companies with ERM programs have well-defined processes in place, but they could do a better job of integrating ERM into their operations and the decision-making processes, especially if they want to benefit from a comprehensive risk detection and management program that benefits all of their stakeholders,” said Steve Levene, Towers Watson’s risk advisory and brokerage group leader.

According to the survey, 22 percent had not set any risk appetite level, and once they determined their risk assessment, many failed to communicate the findings; 43 percent trained employees on general risk issues, such as information security, employment practices and workplace safety; 20 percent trained risk owners.

“Only with full company-wide participation will a holistic approach to risk management occur,” Levene said. “There are evident lapses in the communication of risk assessment, from the corporate through the operational levels. These gaps are a call to action for a regular self-assessment process that needs to take place.”

The survey also covered issues of preparedness for Superstorm Sandy. Vendor identifications, such as those selected for restoration and forensic accountants, were identified as a shortcoming; 23 said they identified deficiencies in vendor identification preparedness, and 7 percent said their companies were unprepared.

“Without adjusters and forensic accountants identified prior to major catastrophic losses, companies will have trouble getting their claim process moving quickly. They’ll wait in line when a catastrophe strikes, and this time lost could have a critical impact on their long-term well-being,” said Brendan Osean, Property practice leader, risk advisory and brokerage group for Towers Watson.

Respondents also were asked to evaluate their terrorism insurance coverage; 66 percent said they were concerned about implications of ending the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), and 62 percent said they are considering preparation for possible outcomes; 17 percent said they are considering options for stand-alone terrorism placement.

“This level of uncertainty, over 18 months away from TRIPRA sunset, is concerning and will only increase over time,” said Christof Bentele, chief broking officer, Crisis Management practice, Towers Watson.

The survey was conducted online, with 123 individual participants. The survey ran from late February through mid-March. Nearly three-quarters of participants worked for companies with 2012 total revenues of less than $5 billion; 39 percent from $1 billion to $4.9 billion, and 33 percent less than $1 billion. One percent had revenue of $25 billion or more; the mean for all participants was $5.6 billion.
