Don’t Panic. Financial Services Firms Seem to Have Cyber Risk Under Control
A new type of risk is making itself known to risk managers across the globe. Whether it is referred to as cyber risk, e-commerce risk or just plain old technology risk, it has infiltrated financial services firms just as quickly as the Internet has. Fortunately, the financial services sector is taking the threat of this risk very seriously. And according to the St. Paul Companies, a global insurer who recently conducted a study on cyber risk, financial services firms are handling it better than most other sectors worldwide.
Cyber risk is a subset of operational risk and can be defined as any risk associated with e-commerce or using the Internet for business purposes. It includes risks such as Website destruction and manipulation, unauthorized access to customer records, Internet fraud, telecommunications theft, copyright infringement and denial of access. How grave are these risks? "Serious," according to one half of financial services risk managers surveyed by the St. Paul Companies. And, these risk managers only expect the risks to grow over the next few years.
Financial services firms are taking many steps to combat these risks, such as using anti-virus software, establishing standard security procedures and creating firewalls. However, the latest form of protection against cyber risk emerging is, believe it or not, cyber risk insurance.
A number of insurers are capitalizing on this cyber fear and have rolled out insurance policies that offer back-up protection to financial services firms as well as to other types of companies engaged in e-commerce activity. Indeed, according to the St. Paul study, 90 percent of financial services respondents had reviewed their current insurance coverage with an eye to e-commerce exposure and protection.
"As risks are emerging every day, it's quite possible that even the most diligent of financial institutions isn't adequately covered for some of the emerging e-commerce exposure," says John Kearns, president global financial and professional services at the St. Paul Companies. "But the very fact that banks were prepared to review coverage and do that on a continuous basis leaves them in a much more confident position." Most financial services companies surveyed reported that their current coverage of technology risk was at least "somewhat" adequate. Furthermore, financial services risk managers are more likely than other types of companies to feel that their existing policies should cover loss from computer fraud, errors and omissions, destruction of data and unauthorized access to computer systems.
What kind of coverage is available for these types of technology risks?
One provider is the St. Paul Companies, which offers an insurance product for financial institutions covering a broad range of e-commerce exposures. The product can be customized to the firms' requirements. Although he wouldn't name them, Kearns says that there are clients "across the board - small, medium and large" that have purchased the coverage.
Some of the other insurers who are stepping up to the plate include The Chubb Group of Insurance Companies and AIG e-business solutions. Chubb has recently launched an insurance policy designed specifically to protect financial institutions against losses resulting from Internet-related security breaches. The product is called CyberSecurity by Chubb for Financial Institutions and it defines six main areas of e-commerce risk. The coverage includes areas defined by Chubb as: E-theft, the theft of confidential customer information; denial or impairment of E-service; E-signature, to protect against loss from electronic signature fraud; E-communication, covering fraudulent e-mail; E-vandalism, covering acts of employees who damage or destroy data; and other E-threats. "The increased dependency on technology to deliver goods and services to customers creates significant vulnerability and exposure to loss," says Tracey Vispoli, cyber solutions manager in Chubb & Son's department of financial institutions. "This vulnerability is especially true for financial institutions, which are among the greatest users of technology and at the leading edge of transactional e-commerce activities."
AIG e-business solutions also offers coverage for e-commerce-related risks for financial institutions. One of the aspects of coverage that AIG provides is an annual security assessment of the client's overall system. "We have a relatively standard way of evaluating on an enterprise level the security of a network," says Ty Sagalow, executive vice president and COO at AIG e-business solutions. "At a high level we look at people, procedure and technology. So everything from the intrusion detection software to the quality of the firewalls and anti-virus programs." Depending on the size of the firm and its needs, AIG offers technology risk coverage suited to each client, adds Sagalow.
Whether it is a result of insurance coverage or not, St. Paul Companies found in their study that U.S. financial services firms were the best prepared for technology risk and receive high scores in the areas of awareness, identification and management of technology risks. The survey questioned risk managers and executives across a broad range of industries including risk managers at more than 350 financial services institutions.
"Given that most financial institutions view e-commerce as their most important risk, three-quarters had articulated a vision and a strategy as to how they should deal with e-commerce risk," notes Kearns. "Three-quarters also believe they are doing a good job in identifying and managing e-commerce risk. Both of these findings are much higher than the industry average." Kearns also explains that financial services firms are more likely to form risk management committees to identify and monitor e-commerce risks.
Kearns adds that Y2k efforts at financial services firms have made them more technology-risk conscious in the long run. "For the first time, IT departments and risk management departments and general management all got together to deal with and try to resolve a common business issue," says Kearns. "That model has been taken and brought forward in the context of emerging e-commerce exposures." So maybe Y2k wasn't so anti-climactic after all, notes Kearns, as firms now have the organization and structure to address other technology risks.
What is Cyber Risk?
Cyber risk is a form of operational risk and is often called e-commerce risk or technology risk. It refers to any risk associated with e-commerce or using the Internet for business purposes.
Such risks include:
- Website destruction and manipulation
- unauthorized access to customer records
- Internet fraud
- telecommunications theft
- copyright infringement
- denial of access
Forms of combating risk include:
- anti-virus software
- establishing standard security procedures
- creating firewalls
- taking out an insurance policy