U.S. Businesses ‘Continue to Underestimate’ the Risks Involved in E-Commerce, According to New St. Paul Companies Survey

SAN FRANCISCO, Jun 12, 2002

  • Companies not addressing liabilities associated with e-commerce

  • Risk managers “out of the loop” in cyber-risks; in
    conflict with I.T. managers

  • Employees the “weakest link” in cyber-risk management

  • September 11: “little or no” impact on companies’
    Internet risk protections

In spite of growing evidence of the risks associated with
doing business via the Internet — and heightened national attention to security — U.S.
companies continue to underestimate such risks and are not adequately training employees
to deal with them, according to a survey of 460 U.S. companies released today by The St.
Paul Companies (NYSE: SPC), the Saint Paul, Minn.-based property-liability insurer.

The survey of a combined total of 501 information
technology (I.T.) managers and corporate risk managers responsible for their firms’
insurance coverages indicates that, although companies continue to invest in I.T. security
and rely on anti-virus software and other technological protection, risk managers are
“out of the loop” when it comes to assessing and managing their companies’
Internet liability risks. Additionally, the survey showed that there is widespread
conflict between risk managers and I.T. managers on this issue.

And, when asked about the impact of the September 11
attacks and their aftermath on the management of Internet technology risks, most
respondents said these events had little impact on their efforts to manage risks and have
not prompted increased involvement by senior management in addressing cyber-risks.

“Only one-third of those surveyed indicated their
companies are more likely to identify and manage e-risks than they were a year ago,”
said Bill Rohde, President-Global Technology, The St. Paul Companies, who announced the
survey results at a news conference here today. “While our research indicates that
firms believe the risks of e-commerce will increase in the future, we continue to see
alarming gaps in the preparedness of U.S. companies today.

“Clearly, U.S. companies continue to underestimate these risks,” Rohde said.
“They need to more fully address such risks — for example, failure to protect confidential information,
intellectual property infringement and failure to prevent transmission of computer viruses — before they
experience major financial losses.”

The independent New York-based opinion research firm of
Schulman, Ronca & Bucuvalas, Inc. (SRBI) conducted the survey of 251 risk managers and
250 I.T. managers at more than 460 large and mid-sized companies, representing a variety
of industries, throughout the United States.

“These findings follow a survey commissioned by The
St. Paul and released last year, which showed that businesses were under-prepared for the
risks posed by technology and found a lack of communication between risk managers and I.T.
managers concerning cyber-risks,” said Dr. Mark Schulman, president, SRBI. “The
St. Paul commissioned the follow-up study to, again, gauge U.S. companies’ preparedness
for cyber-risk — especially in light of September 11 — and to explore the gap between
I.T. managers and risk managers.

“We found in last year’s survey that many risk
managers felt challenged, and even reluctant, to intrude into their companies’ I.T.
departments, often because they felt under-prepared to grasp the technical aspects of
I.T.,” Schulman said. “The new survey indicates that this gap continues to pose
a serious risk for many U.S. companies.”

The increasing use – and risks – of e-commerce

More than half of the companies surveyed engage directly in
e-commerce, and another 16 percent plan to launch e-commerce initiatives in the next year.
Of the companies conducting e-commerce, one-third store their clients’ private information
– for example, credit card information, Social Security numbers, histories of
purchases and individual health data – online.

As e-commerce increases, however, few companies are
assessing the third-party liability risks inherent in doing business via the Internet.
Three out of four companies indicate they rely on technology, including firewalls and
virus protection software, to manage Internet risks. Only 55 percent of the risk managers
surveyed, however, have actually reviewed their existing insurance coverages regarding e-risk.

Of that group, only 41 percent say they are covered for
intellectual property infringement, and even fewer companies report coverage for damage
from hackers (37 percent), online libel or slander (36 percent) or customer privacy issues
(32 percent). Larger companies involved in e-commerce are no more likely than smaller
companies, or companies not engaged in e-commerce, to have e-commerce coverage. Only 37
percent of risk managers cite cost as a reason for not purchasing e-risk coverage.

“When it comes to Internet-related risks, companies
can’t solely depend on technology for protection,” Rohde said. “If they do, they
continue to ignore the liabilities that result when employees or others have technological
access to corporate assets and resources.”

“Risk management” not always considering cyber-risk

An issue first identified by the “E-Frontier”
study released in 2001, and further explored in this year’s survey, was the gap between
risk managers and I.T. managers in terms of managing the risks involved in doing business on the Internet.

“This year’s survey produced several findings
indicating that, in most companies, the two disciplines seldom interact,” Rohde said.
“When it comes to cyber-risk, their responsibilities should overlap, yet there is
clearly a gap between the two groups.”

Among those findings:

  • I.T. managers report many more
    Internet-related problems and losses than do risk managers, indicating that risk managers
    do not see the full range of cyber-risk problems. For example, 28 percent of I.T. managers
    reported losses due to hackers causing damage or destruction of data, computer viruses, or
    denial of service, compared with only 1 percent of risk managers.

  • 37 percent of I.T. managers and 14 percent
    of risk managers say they do not interact at all with their counterparts. The rest spend
    little time working together on cyber-risk issues.

  • 75 percent of risk managers and 89 percent
    of I.T. managers assign primary responsibility for cyber-risk to the I.T. department, with
    only one in three risk managers having any responsibility in this area. Risk managers tend
    to get involved in cyber-risk issues only when losses are significant or the potential for
    a lawsuit is high.

  • 90 percent of I.T. managers say their
    understanding of cyber-risk is good or excellent, but they believe that only half of their
    risk manager counterparts have the same level of understanding.

Employees: the weak links

Few risk managers (24 percent) and I.T. managers (14
percent) rate their companies as “excellent” in managing Internet risks and
exposures. About one in four from both groups rate their companies’ efforts as
“poor” or “just fair.”

When asked to rank the significance of Internet risk, only
one in five I.T. managers and one in ten risk managers rated it as a “major”
risk for their companies. At the same time, employees — who handle sensitive data or have
access to corporate resources and databases — are given low marks for their understanding
of Internet risk. About three-fourths of both risk managers and I.T. managers rate
employee understanding of e-risk as “fair” or “not very good.”

“This is an area that could improve dramatically
simply by better education and awareness of employees,” Rohde said. “Yet, there
has been little change in this regard among U.S. companies since we first identified this
need over a year ago.” Less than half of the companies surveyed have developed
employee awareness and training programs for Internet risk. In addition, only one-half of
the I.T. managers surveyed have worked with other departments in their companies to
identify and quantify Internet risk.

Cyber-risk and the specter of September 11

In addition to investigating issues raised in last year’s
survey, researchers also investigated whether the increased vigilance and heightened
security following September 11 extended to Internet-related risks at U.S. companies.

“While last year’s attacks didn’t involve high-tech
risks, the heightened attention to security that resulted needs to extend to
cyber-risks,” Rohde said. “As companies conduct business via the Internet, they
are opening themselves up to a new set of risks and dangers, and those risks must be
better understood, quantified and managed.”

Only 20 percent of I.T. managers and 22 percent of risk
managers said that their companies’ senior management has been more involved in assessing
and managing cyber-risk since the attacks. Few risk managers (11 percent) and I.T.
managers (16 percent) indicate their departments are working more closely to identify and
manage Internet risks.

In addition, more than 80 percent of risk managers say it is not likely their
companies will purchase e-risk insurance coverage because of the September 11 attacks.

About the Survey

Schulman, Ronca & Bucuvalas, Inc. (SRBI) conducted
telephone interviews with 251 risk managers and 250 information technology managers,
together employed by 460 U.S. companies. The companies, from a variety of industry groups,
have annual revenues ranging from $100 million to $1 billion. The interviews were
conducted from January 3 to February 5, 2002.

The St. Paul Companies is headquartered in Saint Paul,
Minn., and provides commercial property-liability insurance, reinsurance and asset
management services. The St. Paul reported 2001 revenue from continuing operations of $8.9
billion and total assets of $38.3 billion, and is ranked No. 218 on the Fortune 500 list
of largest U.S. companies. For more information about The St. Paul and its products and
services, visit the company’s Web site, www.stpaul.com.

Schulman, Ronca and Bucuvalas, Inc., (SRBI) is a
full-service market research and strategic solutions provider. Headquartered in New York
City, it produces custom surveys and qualitative research in the United States and
globally. SRBI is an affiliate of Global Market Research and a member of the Council of
American Survey Research Organizations (CASRO). For more information about SRBI, visit the
company’s Web site at www.srbi.com.

For complete results of the survey, “The E-Frontier
2002: Continuing Threats to Corporate Risk Management,” log on to