Category Archives: Business Risk

U.S. Exposure to Brexit Referendum

London, for decades the financial center of Europe, finds itself on the brink of a monumental vote. On Thursday, British voters will decide whether to leave the European Union in what’s known as the Brexit referendum.

While there is uncertainty over what a Brexit could mean for the UK economy and for London, there is also uncertainty over what it would mean for the United States and for U.S. companies.

The Los Angeles Times reports that while the U.S. economy is better insulated than most from the risk of market turmoil, the Brexit referendum has added to uncertainties in a presidential election year and to lingering concerns about China’s economic slowdown.

A lot of U.S. companies have something to lose if the UK decides to leave the EU, with the banking and insurance sectors among those most likely to be affected, according to this CNBC report.

Some U.S. companies have moved not just parts of their operations but whole headquarters from the U.S. to the UK, CNBC says.

For example, the world’s largest insurance broker, Aon, relocated its corporate headquarters to London from Chicago in 2012, in a move designed to give the company greater access to emerging markets through London.

Aon told CNBC in a statement:

“If Britain votes to leave the European Union, the innovative center of excellence that has set London apart in the insurance space will be deeply challenged.

“Talent is a true differentiator for the city of London, and to create a barrier between the industry that addresses the world’s most complex risks and the global talent needed to do this will have real implications.”

If companies lose the ability to passport their services into Europe, they may decide to move their European hubs and staff out of London and the UK, which would lead to significantly higher operational costs.

The London insurance market has been very vocal on why remaining in the EU is the best outcome for insurers.

As Lloyd’s chief risk officer Sean McGovern said earlier this year, the London market is currently the largest global hub for commercial and specialty risk—controlling more than £60 billion ($88 billion) of gross written premium.

And the UK’s membership of the EU gives it access to the world’s largest insurance market with a world market share of nearly 33 percent and total insurance premiums of nearly Euros 1.4 trillion ($1.6 trillion).

In a recent paper, Lloyd’s, the International Underwriting Association and Fidelis warned that Brexit poses a significant threat to London insurance jobs and business.

Read more about the insurance sector impact of a Brexit in this analysis by London law firm Clifford Chance.

Aon’s full statement on the EU referendum is available here.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs, account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact, more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas, and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

Small Business Interrupted

Every business comes with a certain amount of risk. Although difficulties and challenges can’t be avoided, they can be mitigated with the proper precautions, planning and insurance coverage.

In support of National Small Business Week (May 1-7) and to help business owners understand insurance, the Insurance Information Institute (I.I.I.) developed this infographic that focuses on business interruption insurance, which is also posted on the I.I.I.’s Business Pinterest Board.

Did you know that after a catastrophe or other disaster 40 percent of businesses do not reopen and another 25 percent fail within a year?

When a business is shut down due to a damaging event it loses revenue. Meanwhile, the business still has to pay its bills and may incur additional expenses as a result of the disruption.

Fortunately, with business interruption coverage, many of these costs and losses can be reimbursed.

A recent report from Allianz Global Corporate & Specialty (AGCS) found that the economic impact from business interruption is often much higher than the cost of physical damage in a disaster and is a growing risk to companies worldwide.

In that report AGCS also noted that the vast majority of BI losses are not caused by natural catastrophes, but rather non-natural hazard events like human error or technical failure.

Cyber business interruption risk is often underestimated, another report found.

More information on covering losses with business interruption insurance is available at the I.I.I. website.

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances including the Internet of Things (IoT) and electronic navigation mean the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incident of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.

Tianjin: A Reminder of Insurance Need in Developing Countries

The explosions at the Port of Tianjin, China could ultimately become one of the largest man-made insurance loss events worldwide ever recorded, according to Swiss Re sigma.

Based on Swiss Re’s latest estimates, the total insured property loss of the Tianjin explosions is likely to be around USD 2.5 billion to USD 3.5 billion, making it the largest man-made insured loss event in Asia ever recorded.

Tianjin currently ranks as the third largest man-made insured global loss (in 2015 dollars), behind the September 11, 2001, terrorist attacks in New York, Washington and Pennsylvania and the 1988 Piper Alpha oil rig disaster.

The Tianjin experience highlights the new potential risks facing developing countries with rapidly-developing economies, according to the latest sigma study.

2015 was the third year in a row that the biggest man-made loss globally originated from an emerging market, a reminder of the importance of insurance for developing countries, sigma says.

“The event shows the large loss potential in a country like China, with a fast-growing economy. If further evidence is needed, in 2013 a fire at a major high-tech semiconductor plant in Wuxi, also in China, caused insured losses of USD 0.9 billion.”

Financial protection through insurance is key to restoring business operations and recouping losses, sigma notes.

Accurate assessment of exposures, appropriate coverage terms and adequate pricing are likewise crucial:

“For re/insurers, they need to actively identify, monitor and manage exposures in hazard zones and in areas with high asset-value concentrations.”

The complexities of the Tianjin loss have challenged re/insurers, and highlighted the accumulation of risks that can arise from a single large-scale industrial catastrophe event.

While destroyed and damaged vehicles account for most of the Tianjin losses, uncertainties remain as to the types of insurance policies involved.

Property and cargo present major risk accumulation factors in ports, especially in big centers like Tianjin, sigma observes.

The Insurance Information Institute has useful facts and statistics on man-made disasters here.

Don’t Ask, Don’t Tell

We’re reading an item of interest from across the pond where the United Kingdom’s Institute of Directors (IoD) has issued a new report that gives insight into how companies tend to react if they are under a cyber attack.

The IoD study, supported by Barclays, revealed that most companies keep quiet, with under one third (28 percent) of cyber attacks reported to the police.

This is despite the fact that half (49 percent) of cyber attacks resulted in interruption of business operations, the IoD noted.

Hat tip to forbes.com which reports on the IoD findings in this blog post.

It’s worth noting that here in the United States, the Identity Theft Resource Center (ITRC) has long maintained that the record number of U.S. data breaches it tracks is by no means the whole story.

Many data breaches fly under the radar, the ITRC says, because businesses want to avoid the financial dislocation, liability and loss of goodwill that come with disclosure and notification.

Back to the UK, the survey of nearly 1,000 IoD members also showed a worrying gap between awareness of cyber risks and preparedness.

Even though nine in 10 of business leaders said cyber security was important, only 57 percent had a formal strategy in place to protect themselves, and just one fifth (20 percent) held insurance against an attack.

In the words of Professor Benham, author of the IoD report:

“No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

With 34,500 members, ranging from start-up entrepreneurs to CEOs of multinational companies, the IoD is the UK’s largest organization for business leaders.

More on cyber security in the Insurance Information Institute’s paper Cyber Risks: Threat and Opportunities.

PwC: Incidence of Cybercrime Sharply Higher

Cybercrime has jumped to the second most reported type of economic crime affecting 32 percent of global businesses, according to a just-released survey by PwC.

PwC’s Global Economic Crime Survey 2016 found that while traditional leaders of economic crime–asset misappropriation, bribery and corruption, procurement fraud and accounting fraud–all showed a slight decrease over 2014 statistics, cybercrime is on a steady increase.

In fact over one quarter of the 6,000 respondents to PwC’s survey said they’d been affected by cybercrime.

Despite a sharply higher incidence of reported cybercrime among PwC’s respondents, the survey found that most companies are still not adequately prepared for, or do not even understand, the risks they face.

Only 37 percent of organizations have a cyber incident response plan in place and many boards are not sufficiently proactive regarding cyber threats.

Even though boards have a fiduciary responsibility to shareholders when it comes to cyber risk in several countries, PwC found that less than half of board members actually request information about their organization’s state of cyber-readiness.

Losses from cybercrime can be heavy, PwC reported. A handful of respondents (around 50 organizations) said they had suffered losses over $5 million. Of these, nearly one-third reported cybercrime-related losses in excess of $100 million.

Reputational damage was considered the most damaging impact of a cyber breach among survey respondents, followed by legal investment and/or enforcement costs.

According to PwC:

“The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it.”

This year’s results show that the incidence of economic crime has come down, for the first time since the global financial crisis of 2008-9 (albeit marginally by 1 percent).

Check out the I.I.I. white paper Cyber Risk: Threat and Opportunity for the latest on cybercrime, risks and insurance.

U.S. Elections Add to Growing Political Risks Businesses Face

The 2016 U.S. presidential election is one of the rising political risks facing businesses and investors in the year ahead, according to Marsh’s Political Risk Map 2016.

Terrorism and struggling emerging economies, such as China and Russia, are also among the growing political risks businesses face.

Marsh notes that the recent terrorist attacks in Paris and San Bernardino, California have intensified political rhetoric and brought foreign relations and defense policy topics to the forefront.

“With polls showing national security to be a major concern for voters, foreign policy will remain a key theme on the campaign trail in 2016 – and will be top of mind for the next presidential administration.”

Marsh observes that in the last decade multinational organizations have undertaken unprecedented international expansion, leaving them exposed to global credit and political risks like never before.

And those risks–including terrorism and political violence, armed conflicts, increasingly powerful anti-establishment political movements, and persistently low commodity prices–continue to grow.

Against this backdrop, it’s critical for businesses to be prepared for the possibility that political violence, unrest, or other large-scale crises will quickly develop in virtually any part of the world – including those countries that were historically seen as safe or stable, Marsh says.

Companies can prepare for these risks by managing their credit risk, building resilient supply chains, protecting their people and by protecting their assets through insurance.

Marsh notes:

“Credit and political risk insurance can protect against a variety of risks, including expropriation, political violence, currency inconvertibility, non-payment, and contract frustration.”

Marsh’s Political Risk Map 2016, with data and insight from BMI Research, presents country risk scores for more than 200 countries and territories, helping businesses and investors make smarter decisions about where and how to deploy financial resources–including risk capital–globally in 2016 and beyond.

Another Day, Another Hack

As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

In these sophisticated phishing attacks, cyber criminals send fake email messages purporting to come from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact, the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.

Cyberattacks Top Risk To Doing Business in North America

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

[Table: WEF 2016 top risks for doing business in North America]

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

“Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

“Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations inhibit the ability of governments not only to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.