Businesses have woken up to the fact that cyber risk is one of their biggest concerns, joining business interruption in joint first place in the Allianz Risk Barometer for 2019.
This influential survey from insurer Allianz questioned 2,415 experts including CEOs, risk managers, brokers and insurance specialists, from 86 countries and produced a top 10 as follows:1. Cyber incidents (37%)
1. Business interruption (BI) (37%)
3. Natural catastrophes (30%)
4. Changes in legislation and regulation (21%)
5. Market developments (22%)
6. Fire, explosion (20%)
7. New technologies (15%)
8. Climate change (13%
9. Loss of reputation or brand value (13%)
10. Shortage of skilled workforce (9%)
This is a pertinent and current reflection from those with up to date risk awareness, so, what can be read into these findings and are there any surprises? Certainly, given that there have been so many and such high-profile data breaches affecting businesses of every description, and the introduction of GDPR, the rise of cyber (from number two in 2018) is to be expected.
Allianz’s Marek Stanislawski, deputy global head of cyber and tech PI, said:
“Finally we have reached an important point where cyber is equally concerning for our customers as their major ‘traditional’ exposures, which means that entities across all industries and business segments now have this risk firmly on their radars.”
Furthermore, it is pointed out that Business Interruption (BI) events are becoming more diverse and complex because global economies are now more connected and importantly, may well be intertwined with a cyber incident. So, a firm may be forced to cease trading through IT systems being breached and there could be fallout in terms of litigation for failing to keep systems secure.
“Cyber incidents can cripple a company’s operations and severely impair its ability to deliver its services, yet they are just one of many loss triggers that can result in a BI for corporates,”said Volker Muench, Allianz’s global practice leader.
Other BI causes could be through product recall, terrorism, political rioting or environmental pollution. So, for example, Allianz cited the example of the French retailers that lost about €1 billion from four weekends of disturbances in the so-called ‘yellow vest’ protests at the end of 2018.
The insurer also pointed out that the average BI property insurance claim now totals €3.1 million (£2.7 million), which is 39% higher than the corresponding average direct property damage loss of €2.2 million (£1.95 million). But, the fact climate change moves to number 10 from number eight in 2018 suggests that senior executives now have greater understanding and knowledge about the risk.
Growing occurrence of natural disasters are also being increasingly linked to climate change and look set to lead to both more property damage and business interruption, but there is also a rising regulatory burden with firms required to meet emissions targets. The shortage of a skilled workforce is a new entry into the list. Given there are fears that Brexit could result in shortages of employees both skilled and unskilled, this has particular relevance to the UK and the ageing population in developed countries is a further factor.
There is also growing demand for those with expertise in areas like data science, cyber security and artificial intelligence – and not enough people around to fill these roles, even if
there are generous salaries on offer. Further, at number four, changes in legislation and regulation again has a Brexit connection, but looking at the global slant, clearly trade wars, such as between the US and
China and increasing introduction of tariffs are creating anxiety for many businesses.
With regard to Cyber in particular it's clear that a sound operational risk process can significantly assist. While IT has the tools to help prevent some of these attacks, the rest of the business also need to adopt good cyber awareness in practise. A centralised, consistent approach through using an enterprise risk system will enable controls in areas such as training and assessment to be put in place together with actions with accountable owners, that are visible across the organisation.
Take a look at our white paper which provides some suggestions for the types of metrics that you may want to consider measuring as part of a cyber risk programme for your organisation.