Companies Too Reliant on IT Teams to Assess Cyber Risks

Companies are not doing enough to manage issues related to network security and privacy liability. Towers Watson came to this conclusion after looking at results from its “2011 Risk and Finance Manager Survey.”

Cyber attacks across all sectors continue to increase, but many companies (73%) have not purchased network liability policies, and some (46%) do not have enterprise risk management (ERM) programs and are missing significant opportunities to improve upon them, according to the survey.

Further, of those not having network liability policies in place, 37% said their own internal information technology (IT) departments and controls are adequate, while 15% either said the cost of a risk transfer solution is prohibitive, or that they aren’t overly concerned about the risk.

“We’re seeing a lot of companies in the market right now that have a false sense of security and an over-reliance on their own IT organization,” says Larry Racioppo of the executive liability group in Towers Watson’s Brokerage business. “Risk managers need to take a broader look at how they can manage the risks associated with cyber attacks from a corporate, financial and reputational standpoint.”

Of the 27% that have purchased network liability policies, the majority (61%) bought $10 million to $49.9 million limits; only 8% purchased $50 million or more. The median amount purchased was $10 million. While there was a wide range of reasons for how they arrived at the particular limit purchased, 36% said the limit was proposed by their broker, while 15% said they reviewed the level of the exposure with a third-party cyber risk management firm.

The survey of 164 risk and finance managers found that 54% have established ERM capabilities, down one percentage point from the previous survey conducted last year. An overwhelming majority (83%) have identified and prioritized key risks and have assigned risk owners, up from 73% a year ago. While far fewer either regularly quantify key risks (42%) or integrate risk metrics into their budget and planning process (31%), the findings did show an increase in those two areas from last year (36% and 17%, respectively).

Of the companies that currently do not utilize ERM, 42% said that there has been no articulation of the value of implementing ERM (up from 37% in the previous survey), while 29% noted that ERM was too resource-intensive and expensive to pursue, up slightly from last year's findings (27%).

“Not a significant amount has changed with regard to implementation, although a growing number of risk managers are identifying and quantifying key risks that could dramatically impact their organizations,” says Barry Franklin, a director in Towers Watson's Corporate Risk Management practice. “We’re also seeing that many companies are now getting their financial ‘sea legs’ after the financial downturn of a few years ago and are beginning to take a strong look once again at ERM.”

Towers Watson also gauged risk managers’ satisfaction with brokers and captive insurance companies. Results show that while the respondents are satisfied with captive insurance companies’ mitigating impact of insurance market price and coverage changes, they are not satisfied with these companies’ abilities to pursue innovative risk financing strategies (e.g., employee benefits). As for brokers, risk managers are satisfied with brokers’ knowledge of their industries, but feel there is room for improvement in analytics and cost of services.
