

Abt SRBI Study for The St. Paul Companies: "The E-Frontier: New Challenges to Corporate Risk Management"
SRBI Survey for The St. Paul Companies: U.S., European Businesses are “Overconfident, Under-Prepared” for High-Tech Risks

> Focus on system security avoids managing new liability risks

> Companies' understanding of risk is "less than adequate"

> Few companies have process to identify and manage tech risks

> Financial services firms are best prepared

> Employee training lags behind technical preventive measures

> U.S. brokers skeptical of clients' sense of preparedness

NEW YORK, Jan. 31: Businesses do not adequately understand the risks posed by technology, have difficulty identifying potential risks and lack the tools to manage them effectively, according to a major survey of executives at 1,500 companies in the United States and Europe released January 31st by The St. Paul Companies (NYSE: SPC, London: SPA), the Saint Paul, Minn.-based global insurer.

The survey of executives responsible for their companies' insurance coverages also indicated that, although companies take pains to protect computer security, they are less prepared for new liability risks associated with information technology and "e-commerce."

"The survey indicates that companies rely chiefly on systems-based protection, such as anti-virus software and computer firewalls, to prevent losses from technology risks," said Kae Lovaas, vice president-technology, The St. Paul Companies, at a news conference here today. "But that's not enough. Exposures involving intellectual property, privacy and first-party risks from computer fraud, business disruption and denial of service pose significant financial risk to companies doing business on the Internet.

"Compared to more traditional property-casualty risks, companies are poorly prepared for the risks posed by technology and e-commerce," Lovaas said. "Not only are companies unsure of the risks presented by their business operations, they also have substantial difficulty understanding what types and levels of insurance coverage they need."

The independent New York-based opinion research firm of Schulman, Ronca & Bucuvalas, Inc. (SRBI) conducted the survey. The companies surveyed, based in both the United States and Europe, included a broad range of industries, as well as additional samplings of financial services companies and high-tech firms. In the United States, insurance agents and brokers also were surveyed.

"The purpose of this survey was to learn how well company risk managers understand and identify technology exposures, how effectively they manage risk and the tools they employ in doing so," added Dr. Mark Schulman, president of SRBI. "This is the first such survey to gauge the preparedness of companies for the emerging risks of e-technology."

Key Findings
Highlights and key findings of the survey included:
> Computer, internet and e-commerce risks are considered among the most important risks companies will be facing in the next few years. Among U.S. corporate risk managers and their insurance agents and brokers, such issues rank second only to employment-related risks. In Europe, risk managers consider technology risks to be the No. 1 concern.

> Only 25 percent of U.S. companies and 30 percent of European companies surveyed had risk management committees or other formal structures to identify and monitor technology risk. Of those companies with such a committee or structure, only half -- or about 13 percent of total respondents -- felt it was effective. Only about three in 10 risk managers surveyed had reviewed the potential technological risks posed by a merger or acquisition involving their company.

> "In essence, there is a leadership opportunity on this issue in many companies," Lovaas said. "Senior management has the responsibility to take the lead and foster a partnership approach between their IT departments and risk management functions."

> Nearly all U.S. and European companies have taken similar steps to protect themselves from technology-related risks, such as installing anti-virus software and firewalls, establishing standard security procedures and auditing the security of their systems. But only six in 10 companies have implemented employee-training programs to lower their technology risk.

> U.S. and European corporate risk managers' understanding of technology risk is less than adequate, according to the managers themselves. About four in 10 risk managers say they have only a "fair" to "poor" understanding of technology risk. Very few (about 10 percent overall) say their understanding is "excellent." Only 52 percent of U.S. corporate risk managers have inventoried and quantified the technology risks their companies face, compared to 67 percent among European risk managers. Corporate risk managers both in the United States and Europe (65 percent and 57 percent, respectively) defer to their information technology (IT) departments as having primary responsibility for identifying and monitoring technology risks.

> "As businesses rely increasingly on technology, employees and customers have increased access to company data and information in an environment with untested legal liabilities," Lovaas said. "The global nature of e-commerce, varying legal systems and the speed with which new innovations are brought to market further complicate the challenges facing companies today, leading many firms into uncharted waters of liability risks as well as those which affect their revenue streams."

> Corporate risk managers consider their current insurance coverage for technology risk as "somewhat adequate" at best. European risk managers are slightly more confident in general of their current coverage than U.S. risk managers.

> The "Y2K" issue, which required companies to prepare their computer systems for the rollover to 2000, sensitized many companies to technology risks, but 42 percent of U.S. corporations and 38 percent of European corporations said the rollover had little impact on their firms' approach to technology risk.

A model: financial services companies
"For a model of how to prepare for technology risk, companies should study financial services," Lovaas said. Risk managers at more than 350 banks, thrifts and other financial services institutions were surveyed.

"Banks and other financial services firms have begun to address the problem effectively, particularly in the United States," Lovaas explained. "Of the types of companies surveyed, financial services firms scored high in awareness, identification and management of technology risks." Risk managers at 75 percent of U.S. financial services companies surveyed, for example, said their firms were good or excellent at identifying and managing e-risks, compared with the broader cross-section of U.S. companies, where about two-thirds of the companies were rated as good or excellent.

"And, not surprisingly, they reported fewer losses due to technology problems," she said. U.S. financial services risk managers were half as likely (13 percent) as risk managers in general (27 percent) to report losses from computer viruses and malicious acts to computer systems (4 percent and 8 percent, respectively). By comparison, European financial services risk managers were more likely to report losses for viruses (23 percent) than their U.S. counterparts (13 percent).

High-technology firms
Researchers polled a specific sampling of risk managers in more than 300 high-tech firms in the United States and Europe. This segment included such firms as high-tech product manufacturers, software developers, communications companies and computer services firms. This additional sample showed that:

> Risk managers for high-tech companies ranked technology risks as their second-most significant concern (29 percent in the United States and 26 percent in Europe). The No. 1 concerns were product liability (among the European respondents) and employment issues (among the U.S. respondents).

> High-tech risk managers in Europe and the United States rate their current coverage of technology risk as only "somewhat adequate" overall.

> Risk managers for high-tech companies in Europe and the United States have each taken steps to review their exposure to and coverage of technology risk, but with striking differences. U.S. high-tech risk managers were more likely to have reviewed existing insurance coverages (82 percent vs. 72 percent for Europe), worked with insurers and brokers to identify risks (76 percent vs. 68 percent) and reviewed the technological risks posed by a merger or acquisition (44 percent vs. 36 percent). European risk managers were more likely to have inventoried and quantified the types of technology risk they faced than their U.S. counterparts (68 percent vs. 48 percent).

The skeptical broker audience
Those with perhaps the most critical view of the issue were U.S. insurance agents and brokers (intermediaries were surveyed only in the United States). Brokers said they themselves have only a "fair" understanding of the technology risks facing their clients and felt their clients are not much better.

"Brokers indicated that their clients' top management has only a 'fair' understanding of technology risk and that front-line employees have the worst understanding," Lovaas said.

The results indicated that brokers feel their clients have not created sufficient safeguards against technology risks. While the vast majority reports that their clients have installed anti-virus software (91 percent), far fewer have trained employees (64 percent) or installed firewalls (61 percent). Fewer still (55 percent) say their clients have audited the security of their systems.

About the survey

Schulman, Ronca & Bucuvalas, Inc. (SRBI) conducted telephone surveys with 1,350 risk managers in large corporations in the United States and Europe between August 25 and November 15, 2000. The U.S. and European cross-section samples combined totaled more than 800 companies in all industries (excluding insurance companies and government organizations), with annual revenue of $250 million or more. Interviews were conducted with the senior executive in each company who has primary responsibility for managing his or her company's exposure to all classes of risk including technology risk. In the United States a nationwide sample of 150 insurance agents and brokers also was surveyed.

The financial services company samples represent cross sections of financial services companies with annual revenue of $100 million or more. The high-technology company samples represent cross sections of high-technology companies with annual revenue of $100 million or more. In the European samples companies were selected from thirteen countries: Belgium, Denmark, France, Germany, Ireland, Italy, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and the United Kingdom.

The St. Paul Companies is headquartered in Saint Paul, Minn., USA, and provides commercial property-liability insurance and non-life reinsurance worldwide. The St. Paul reported 2000 revenue of more than $8.6 billion, total assets of $41 billion and is ranked No. 204 on the Fortune 500 list of largest U.S. companies. For more information about The St. Paul and its products and services, visit the company's web site.

IN THE UNITED STATES - ALTERNATE MEDIA CONTACTS:
Kerstin March
Telephone: 651 310 4823
E-mail: kerstin.march@stpaul.com

IN EUROPE -- ALTERNATE MEDIA CONTACT:
Peter Elliott (U.K.)
Telephone: Mobile - (+44) 07770 273424; or: (+44) 0173 7787223
E-mail: peter.elliott@stpaul.com


 