The new year is seeing a substantial shift in the risk landscape for businesses.
Businesses are becoming less concerned about the impact of traditional industrial risks, such as natural catastrophes or fire, and are becoming more worried about the impact of other disruptive events, fierce competition in their markets and cyber incidents.
A recent survey of over 800 risk managers and insurance experts from more than 40 countries revealed that business and supply chain interruption (BI) remains the top risk for businesses globally, for the fourth consecutive year.
According to the survey, many companies are concerned that BI losses, which usually result from property damage, will increasingly be driven by cyber attacks, technical failure or geopolitical instability as new “non-physical damage” causes of disruption.
The survey cited cyber incidents as the most important long-term risk for companies in the next 10 years. Also in the top three global business risks are market developments, which consist of market volatility, intensified competition and market stagnation. In contrast, natural catastrophes dropped two positions to fourth, year over year, reflecting the fact that in 2015 losses from natural disasters reached their lowest level since 2009.
In the United States, 39% of respondents cited BI as the top business risk, followed by natural catastrophes (33%) and cyber (32%).
“Business interruption continues to be the primary concern of risk managers and how well a company responds will determine how well it survives to compete,“ said Hugh Burgess, Allianz's global head of mid-corporate and head of corporate lines, North America. “As global supply chains continue to grow and increase in complexity, the threat of BI continues to incubate in numerous and increasing areas, which in turn, continues to weigh on the minds of risk managers today.”
The Cyber insurance market in Europe is still in its infancy, but is expected to grow quickly as the European Union moves to adopt data protection regulations this year. (Photo: iStock)
Rising sophistication of cyber attacks
The survey revealed that businesses globally are growing more concerned about the threat of cyber incidents, which include cyber crime, data breaches and technical IT failures.
The threat of cyber incidents increased by 11%, year over year, moving from fifth position into the top three risks (28% of global responses). Five years ago, only 1% of the inaugural "Allianz Risk Barometer" respondents cited cyber incidents as a risk. Now, 69% cited loss of reputation as the main cause of economic loss for businesses after a cyber incident, followed by BI (60%) and liability claims after a data breach (52%).
Almost 50% of respondents said that a lack of understanding of the complexity of the risks involved is the main factor preventing companies from being better prepared to combat cyber threats, followed by inconcrete assessment of the cost of the risks involved (46%).
“Attacks by hackers are becoming more target-oriented, lasting for longer and can trigger a continuous penetration,” said Jens Krickhahn, practice leader for cyber and fidelity at AGCS Financial Lines Central and Eastern Europe.
“Studies show that it takes, on average, 90 days for businesses to discover they have been hacked," he said. "Often the incident is identified, not by the business itself, but by the customer or another stakeholder, which is another reason why risks pose a huge threat to a company’s reputation.”
Krickhahn added that prevention is a key element in IT security, therefore it is important for companies to include cyber risk management strategy.
“The fact that companies often only recognize the loss when an attack has already happened means all they can do is try and prevent further damage,” he said.
The report said that although the Cyber insurance market, still in its infancy in Europe, is developing quickly, the U.S. market has already reached maturity and has experienced substantial losses.
“The U.S. is unique in that we have already paid losses in the hundreds of millions to cover cyber loss. Breaches happen everywhere, but the U.S. has complex regulatory regimes and an extremely active plaintiff's bar. These dynamics have driven the price of loss higher in the U.S. than anywhere else,” said Allianz’s Emy Donavan, national practice leader for cyber. “Boards and C-suites in the U.S. are acutely aware of the individual risk they may have if a cyber-event occurs on their watch. Litigation trends and case law are developing so quickly that potential liability associated with clients’ normal operations can change literally overnight.”
An analysis from an AGCS report, “A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity,” estimated cyber crime to cost the global economy approximately $445 billion a year, with the world’s largest economies accounting for around half of this. The threat posed by such incidents is expected to increase further during 2016.
The report said that data protection rules around the world are becoming tougher as governments bolster cyber security, which has a significant impact for businesses, as penalties for failing to take precautionary measures can be severe.
The U.S. already has strict laws that require companies to notify individuals of a breach. The European Union is moving ahead with plans to harmonize its regime, with data protection regulations expected in 2018. A current version proposes fines of up to 4% of a company’s global turnover for breaching the rules — which could run to billions of dollars.
These developments are also expected to drive growth in the Cyber insurance market, as companies seek to protect against the increasing costs associated with responding to a breach.
The report suggested that all organizations consider their cyber exposures and prepare for a potential incident:
- Businesses should identify key assets at risks and potential weaknesses — such as human error or overreliance on third party service providers.
- Different stakeholders from the business must share knowledge. Insurance can mitigate the impact of many cyber risks but after a security incident or loss of data an immediate response is required to manage the incident successfully.
- Companies need a crisis or breach response plan, which should be regularly reviewed and tested.
Related: How to develop a cyber strategy
Have you Liked us on Facebook?