The Association of British Insurers (ABI) commissioned a research report into e-risks.

In December 2001, the Association of British Insurers (ABI) commissioned Dr Lynn Drennan and Professor Matthias Beck of Glasgow Caledonian University to produce a research report into e-risks. Here the authors discuss their findings.

The growth of e-commerce has been phenomenal and seems set to continue. Such a rapid rate of expansion would create problems for any business - here they are compounded by the technology on which e-commerce is based and by its vulnerability to a range of threats.

The ABI's initiative was based on the observation that the continuing expansion of e-commerce presents companies with new challenges. These manifest themselves in terms of exposure to new security risks, such as hacker and virus attacks, as well as increasing the significance of existing risks, such as credit card fraud, breach of contract and non-payment. In addition, companies that enter into, or expand, e-commerce activities expose themselves to a host of strategic and operational risks.

The portfolio of risks to which an e-business is exposed can be described as:

  • e-specific risks which arise specifically and uniquely from the context of e-commerce, such as hacking
  • non e-specific risks which require a strategic re-evaluation in the context of an e-business environment, eg branding risks
  • non e-specific risks which have increased significance in an e-commerce context, eg intellectual property rights.

    While it is obvious that organisations should manage these e-risks as well as possible, in order to maintain and enhance shareholder value, guidance on corporate governance explicitly tasks management and boards with establishing and maintaining a system of internal control that is appropriate to the company's business operations. The Institute of Chartered Accountants in England and Wales (ICAEW) document Internal Control: Guidance for Directors on the Combined Code (the Turnbull Report) specifically states that:

    '… the reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing these risks. Any significant control failings and weaknesses identified should be discussed in the reports, including the impact that they have had, could have had, or may have, on the company and the actions being taken to rectify them.' (ICAEW, 1999)

    Although the current governance codes make no explicit reference to e-risk, their broad remit suggests that companies are expected to manage such risks pro-actively, especially where they may be potentially threatening to the business operation. Reference to the need to manage e-commerce related risks has, however, been made specific by the Financial Services Authority (FSA) for the authorised firms which it regulates. In its working paper The FSA's Approach to the Regulation of E-commerce, the FSA notes that:

    'For the majority of firms and markets, IT provides the backbone of the business, whether or not the firm uses e-commerce delivery channels. It is a firm's senior management's responsibility to specify what systems and controls a firm should use. However, we make clear our expectations that senior management is responsible, and that the controls which are in place should adequately address the risks to which the business is exposed.' (FSA, 2001, Executive Summary)

    Much of the literature on the management of e-risks has focused on prevention and control of the various technological threats. While this is an important element in e-commerce risk management, there is a danger that too great a focus on operational and technological elements may blind organisations to the need for management of the strategic risks associated with such ventures. The key questions may be not "how can we prevent someone from hacking into our system?" but "should we be conducting e-business at all?"

    The report's framework
    The ABI report aims to contribute to the understanding of e-commerce related risks by describing the generic steps which are involved in identifying and evaluating risks which arise in the context of e-transactions, and the measures companies can, and should be, taking in controlling and mitigating these risks. This approach is grounded in the view that the management of any risk should be part of an enterprise-wide strategy.

    The overarching goal of the project was to investigate the risks that private sector companies involved in e-commerce encounter, and to explore how these risks can be managed in different business contexts. In contrast to previous analyses, the project approached the issue of e-risk on the basis of a specific risk management framework. Thus, rather than focusing on the technical details of specific risks, we sought to establish a comprehensive framework for the identification, categorisation and management of those risks that arise in the context of electronic commercial transactions. Underlying this approach was the view that e-risk is best understood from the aggregate perspective of a business, which must manage, or delegate the management of, all business-related risks.

    The original purpose of the internet was to provide an open medium for free, uncensored communication. As a consequence, the internet is not ideally suited to companies that expect to operate in a predictable, highly regulated environment. Today, there is clear evidence that the systems and structures that support e-commerce are susceptible to abuse, misuse, and failure. These risks need to be managed. In order to do so, it is necessary to implement a risk management process, involving the identification, evaluation and control of risk, as well as its continuous monitoring, and the preparation of business continuity plans.

    Risk identification

    The first stage of the risk management process is to identify the threats to the e-business objectives. Such threats can be classified as:

  • strategic risks, arising from the strategic direction a company takes in order to cope with the challenges of e-commerce. They include outsourcing and dependency risks, brand risks, customer expectations risks, reputation risks, governance challenges, cultural risks, risks arising from employee malfeasance, and skilling and staffing risks
  • operational and systems risks, typically resulting from failures in technology or network security. In addition, these can arise from problems in adjusting the company's business processes to the demands of e-commerce. Interruption to the business operation, with the likely consequence of reputation damage, is of particular concern.
  • legal and regulatory risks, which can be particularly complex because of the global nature of e-commerce. Threats may arise from uncertainty over international legal rules, jurisdictional disputes, use of trademarks, breaches of copyright or patent laws, consumer protection laws, unfair and deceptive advertising, defamation or disparagement issues, and taxation
  • financial risks, affecting e-commerce activities generally and centring on four areas: foreign currency exposures, traditional business risks, electronic payments risks and matters of working capital management. Such threats are particularly significant in the financial services and general retail sectors, where the rate of expansion in online sales has been considerable.

    Risk evaluation
    The risk identification element of the risk management process usually results in the production of an extensive list of all possible threats to the e-business. These need to be evaluated in terms of both their likelihood and their potential severity.

    In recent years, a number of surveys have been conducted, with the aim of gauging senior managers' views on the relative importance of such threats. A summary of the most important recent surveys indicates that e-commerce practitioners generally perceive hackers and other forms of malicious interference, together with lack of employee awareness, as the principal threat to e-business. Moreover, there is a broad consensus that resource constraints and lack of skilled staff are key obstacles to the expansion of e-commerce.

    Risk control
    Following the identification and evaluation stages, decisions must be taken as to the most appropriate and cost-effective measures to control the risks.

  • Risk avoidance and risk reduction are aimed at minimising the organisation's overall exposure to risk. Risk avoidance can be achieved by simply ceasing the business activity that is giving rise to the threat. However, this approach may not be practicable. Risk reduction measures allow the e-business to continue its activities with increased confidence that threats will be reduced, in terms of both their likelihood and their potential severity. Such measures may include using software-based security packages, employee-based measures, such as training in the use of passwords, and physical data protection.
  • Risk transfer, on the other hand, allows the company to transfer responsibility for aspects of its operations to another party, perhaps in the form of outsourcing and service agreements, in return for an agreed fee. Responsibility for the financing of risk can also be transferred to an insurer, in return for a set premium.

    With regard to insurance, e-businesses require their property and liability policies to cover both physical and intangible property. The debate as to what does, and what does not, constitute 'property' continues in the courts – both in the UK and overseas. What is clear is that e-businesses face a range of threats which may not be covered under traditional insurance policies. While a number of brokers and insurers have put together specialised cyber-risk packages, it is unclear whether these products are actually attractive to companies that are trading online.

    Risk monitoring and continuity planning
    The guidelines set out in the Turnbull Report list risk monitoring as one of the areas that a board should consider when reviewing its processes for internal control of business risks. Such a review would encompass both strategic and operational risks, and reflect changes in the internal and external environments within which the business operates. Risk monitoring allows a review of the organisation's ability to deal with incidents that might result in business interruption. While implementing risk identification, evaluation and control measures will minimise the likelihood and severity of an incident, they cannot entirely eliminate the risks.

    The final stage in the risk management process is therefore the preparation of business continuity plans. In the context of e-commerce, particular threats arise from the speed at which problems can be communicated to the marketplace, and thereby to potential customers. The need to ensure continuous access to the online trading site has resulted in the use of the term 'e-continuity', and increased awareness of the dependency which e-businesses have on virtual value chains and external networks.

    Practitioners' views
    A study of practitioner views – both those which have been previously published and others arising from our own small survey – reinforces the view that the principal risks facing an e-business are strategic in origin. The most prominent were threats such as the failure to meet customer expectations or provide customer satisfaction; getting the marketing or advertising strategy wrong; the action of competitors; recruitment and retention of key personnel; and problems relating to non-payment or credit card fraud. In addition, security risks were seen as particularly significant in the e-business context, and a number of policies and strategies had been implemented to deal with them. The need to protect corporate reputation was highlighted as a key concern of our UK respondents, and this mirrors the findings of other studies. The purchase of specialist cyber-insurance did not feature prominently as a response to managing such risks.

    Reliance on risk financing mechanisms, such as insurance, can neither prevent the loss-making event from taking place, nor cover all the associated costs, such as damage to corporate reputation or brand name, loss of market share or reduction in shareholder confidence. On the other hand, it can provide some security that money will be available to mitigate the financial impact of the loss.

    The problem, however, appears to be that lack of underwriting experience in the area of cyber-risks, together with a fear of opening the floodgates to a torrent of claims, has driven many insurers to exclude such risks from their property and liability policies. Instead, new policies have appeared, with specific coverage for a variety of cyber-risks.

    From the results of our small survey, and from anecdotal evidence in conversation with key players, the take-up on these specialised policies appears to have been low. A combination of high premiums, stringent risk assessments and restrictive policy wordings has not proved attractive, particularly to organisations which try to obtain comprehensive insurance coverage for their needs, without having to resort to the purchase of multiple, specialist policies.

    More work is required to analyse both the ways in which insurers are adapting 'mainstream' policy wordings to cope with the new e-risks, and the range of specialist covers being developed. Meanwhile, it is of fundamental importance that companies which operate online do not rely on risk financing as the key mechanism for managing their e-risks, but develop a comprehensive approach to managing all of the potential threats associated with this form of trading.

    Information Security
    Over 75% of companies are at serious risk from ignoring their poor information security, according to research by Aston Information Security (AIS). The company claims that there is a mistaken belief that hackers are responsible for causing the most information security breaches. In reality, whether it is accidental or deliberate, it is employees that are the weakest link.

    'The misappropriation of company assets such as pens, and the use of the franking machine for personal mail, have been superseded by a much more sinister violation of employee/company trust, that of the breach of information security,' says AIS. 'With the advent of the electronic era, it is much easier and quicker to 'borrow' information. Over 80% of information now leaves the office unofficially by e-mail, disks and laptops. Of this, e-mail accounts for 24%, laptops 18% and disks 39%.'

    There are two distinct groups of employees who misappropriate information. First there are those that do it maliciously, either because they are disgruntled or about to be made redundant. Although the number is very small, they can create havoc with a company's information. They corrupt hard drives or even wipe them clean, and companies often do not have a tested back up. Alternatively, they copy the company secrets and database for their own use, or to sell to a competitor.

    The second group is more common, with no malice aforethought, yet often more disruptive. Laptops are now as powerful as the desktop and with over 15% of laptops stolen for the information they contain, they should, but generally do not, have the same, if not a greater, level of security. Stolen or lost laptops or disks can cause major damage to a company.

    E-mails are a very easy way of sending information, and it is not uncommon for an extra address from the address book to be added inadvertently before the send button is pushed. There is no method of retrieval.

    Why are some of the most rudimentary steps in information security not being adhered to? AIS says that the biggest problem is ownership of responsibility. Directors and managers think that information security is an IT matter, while the IT department feels that it is a management issue.

    Dr Lynn Drennan is Head of Division, and Professor Matthias Beck is Professor of Risk Management, in the Division of Risk, Glasgow Caledonian University, e-mail: ldr@gcal.ac.uk or mpb@gcal.ac.uk. Information on the ABI report Managing E-Risk can be obtained from info@abi.org.uk.