Business Risk


The 2016 U.S. presidential election is one of the rising political risks facing businesses and investors in the year ahead, according to Marsh’s Political Risk Map 2016.

Terrorism and struggling emerging economies, such as China and Russia, are also among the growing political risks businesses face.

Marsh notes that the recent terrorist attacks in Paris and San Bernardino, California have intensified political rhetoric and brought foreign relations and defense policy topics to the forefront.

With polls showing national security to be a major concern for voters, foreign policy will remain a key theme on the campaign trail in 2016 — and will be top of mind for the next presidential administration.”

Marsh observes that in the last decade multinational organizations have undertaken unprecedented international expansion, leaving them exposed to global credit and political risks like never before.

And those risks—including terrorism and political violence, armed conflicts, increasingly powerful anti-establishment political movements, and persistently low commodity prices—continue to grow.

Against this backdrop, it’s critical for businesses to be prepared for the possibility that political violence, unrest, or other large- scale crises will quickly develop in virtually any part of the world — including those countries that were historically seen as safe or stable, Marsh says.

Companies can prepare for these risks by managing their credit risk, building resilient supply chains, protecting their people and by protecting their assets through insurance.

Marsh notes:

Credit and political risk insurance can protect against a variety of risks, including expropriation, political violence, currency inconvertibility, non-payment, and contract frustration.”

Marsh’s Political Risk Map 2016, with data and insight from BMI Research, presents country risk scores for more than 200 countries and territories, helping businesses and investors make smarter decisions about where and how to deploy financial resources—including risk capital—globally in 2016 and beyond.

As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.

As Bloomberg reports here, if the damages do indeed amount to $55 million this would be one of the biggest hacking losses by size.

Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.

It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.

The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.

Further, FACC said the $55 million in damage was an outflow of “liquid funds”.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.

According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.

These sophisticated phishing attacks are when cyber criminals send fake email messages from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact the funds go to a criminal account.

Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.

The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.

Both the WEF Global Risks Report 2016 and the Allianz Risk Barometer 2016 have identified cyber attacks and incidents among the top risks facing business.

Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

WEF2016NorthAmericaTopRisks

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations also inhibit the ability of governments to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.

Environmental pollution stories seem to be dominating the headlines and with this comes renewed awareness of potential environmental liabilities among companies, municipalities and their (re)insurers.

An ongoing gas leak at the Southern California Gas Co Aliso Canyon natural gas storage facility near the Porter Ranch suburb of Los Angeles, has forced thousands of residents to evacuate, many of whom have been experiencing health problems.

The Los Angeles Times reports that so far, the gas company has spent more than $50 million to combat the methane leak that began October 23, and more than 25 lawsuits have been filed against the utility.

A securities filing last week stated that the cost of defending the lawsuits, and any damages, if awarded, could be significant.

As the LA Times reports:

The utility has told the U.S. Securities and Exchange Commission that it had “at least four types of insurance policies that it believes will cover many of the current and expected claims, losses and litigation…associated with the natural gas leak at Aliso Canyon.”

Those insurance policies are understood to have a combined available limit in excess of $1 billion, though legal experts suggest the ultimate costs could run much higher.

Meanwhile, officials in Flint, Michigan, made a cost-saving decision to switch the source of their drinking water to the Flint River from Lake Huron in April 2014, a move that has exposed thousands of children to dangerous levels of lead.

While the city has since switched back to Lake Huron water, and started distributing water filters and bottled water to the city’s residents, The New York Times reports that many have called for state money to replace Flint’s aging pipe infrastructure (at an estimated cost of $1.5 billion) and a fund to address any developmental impact on children.

Last week Michigan governor Rick Snyder declared the city to be in a state of emergency just as federal officials opened an investigation into the water contamination.

Other environmental pollution stories in the news include one lawyer’s fight against DuPont’s decades-long history of chemical pollution and further away the recent Samarco dam burst in Brazil—described as the worst environmental disaster in the country’s history.

In a recent note AIG Environmental Insurance said that environmental pollution continues to be a major source of concern for the (re)insurance market.

AIG noted that the potential environmental liability impact of the Samarco dam burst remains the unknown factor, with market sources putting the overall insured coverage at in excess of $600 million.

Taken together with the property and business interruption elements of the cover, the (re)insurance market is facing a potential overall loss that could be in excess of $1 billion.”

Natural catastrophes made up the lion’s share of global insured disaster losses in 2015, but a man-made loss was the year’s costliest.

Preliminary estimates from Swiss Re sigma put insured losses from disaster events at $32 billion in 2015, of which $23 billion were triggered by natural catastrophes and $9 billion by man-made disasters.

The explosions at the Port of Tianjin, China in August are expected to lead to claims of at least $2 billion, making it the costliest event of the year and the biggest man-made insured loss in Asia ever, sigma said.

Some 173 people were killed and many more injured in the Tianjin explosions, which damaged and destroyed vehicles, shipping containers, production facilities and surrounding property.

The insured loss estimate is subject to a high degree of uncertainty due to the many different lines of business and coverage impacted, including potentially contingent business interruption, sigma noted.

An earlier report by Guy Carpenter has suggested potential losses of up to $3.3 billion resulting from the Tianjin explosions.

figure_1_2015prel

Insured losses from man-made disasters were up 30 percent in 2015 at $9 billion, from $7 billion in 2014, according to sigma.

However, at $23 billion natural catastrophe insured losses were below the annual average of $55 billion for the previous 10 years.

Losses were caused by various severe natural catastrophes across different perils in 2015, including windstorms, hurricanes, earthquakes, flooding and wildfires.

A February winter storm in the United States was the costliest natural disaster of the year, resulting in insured losses of more than $2 billion.

Low activity during the North Atlantic hurricane season kept the total global insured loss low, sigma noted.

Sadly, approximately 26,000 people lost their lives in disasters this year, double the amount in 2014.

Large disasters in other parts of the world contributed to the high level of fatalities.

The magnitude 7.8 earthquake that struck Nepal and neighboring countries in April triggered a humanitarian catastrophe, killing around 9,000 people.

More than 5,000 people also died in waves of extreme temperatures during the summer season in India, Pakistan, Europe, North Africa and the Middle East.

And more lives were lost due to capsizing of many boats carrying migrants from conflict zones in northern Africa to Europe, often in unseaworthy vessels, sigma noted.

More facts and statistics on man-made disasters available from the I.I.I. here.

“Clear rules that are fit for the digital age.” That’s how Vera Jourova, the European justice commissioner, described tough new European data protection regulations just agreed by European policy makers.

The long-awaited reforms, which are expected to take effect in early 2018, will establish one set of rules on data protection across all 28 member nations in the European Union (EU).

As the New York Times reports, the new regulations would apply to any company with customers in the EU, whether or not it is based in the region.

This will expand potential liability for companies, experts note.

What key changes can businesses active in the EU market expect?

Among the policy changes the new law would require companies to inform national regulators within three days of any reported data breach.

The other proposed change that jumps off the page is one that would link sanctions (read: fines) to company revenues.

Policymakers have agreed that fines could total up to 4 percent of a company’s global revenue for the most serious breaches to European data privacy rules. This could amount to billions of dollars, according to this report by the Guardian.

While the tougher fines are seen as a major step forward for consumer protection, they have raised concerns among large tech companies such as Google and Facebook, the NYT says.

It cites Peter Church, a technology lawyer at Linklaters in London:

Europe’s approach to privacy is much stronger than in the United States. There’s a fundamental difference in culture when it comes to privacy.”

The new law will also expand potential liability for companies, bringing increased responsibility and accountability for those controlling and processing personal data, according to this politico.eu article.

Currently the data controller at a company is liable for data breaches in the EU, but Politico notes that once the law takes effect, both the controller and data processors will be jointly liability for any damages.

Economic impact from business interruption (BI) is often much higher than the cost of physical damage in a disaster and is a growing risk to companies worldwide, according to a new report from Allianz Global Corporate & Specialty (AGCS).

Its analysis of more than 1,800 large BI claims from 68 countries between 2010 and 2014 found that business interruption now typically accounts for a much higher proportion of the overall loss than was the case 10 years ago.

Both severity and frequency of BI claims is increasing, AGCS warns.

The average large BI property insurance claim is now in excess of €2 million (€2.2 million: $2.4 million), some 36 percent higher than the corresponding average property damage claim of just over €1.6 million ($1.8 million), the global claims review found.

The vast majority of BI losses are not caused by natural catastrophes, with non-natural hazard events such as human error or technical failure accounting for 88 percent of BI losses by value.

Reported loss estimates from the largest non-natural catastrophe BI events across the insurance industry during 2015 total more than $7 billion so far, with the Tianjin loss potentially accounting for almost half this total.

GlobalLossAtlas_471x150

Fire and explosion is the top cause of BI loss around the globe by value (2010-2014), with each incident analyzed averaging €1.7m ($1.9 million) in BI costs alone, but there are some major differences regionally.

Storm and flood related losses are notable in Asia, highlighting the region’s continuing economic development and increasing exposure to natural hazards.

Storm is also the top cause of BI loss in the Caribbean and Central America region, accounting for one-third of insurance claims by value.

As Chris Fischer Hirs, CEO of AGCS, says:

The growth in BI claims is fueled by increasing interdependencies between companies, the global supply chain and lean production processes.

Whereas in the past a large fire or explosion may have only affected one or two companies, today losses increasingly impact a number of companies and can even threaten whole sectors globally.”

Check out Insurance Information Institute resources on business interruption insurance here.

Suffering shopper fatigue? With Black Friday in full swing and Cyber Monday imminent, the biggest online shopping days of the year are upon us, but for businesses trying to see off cyber attacks, fatigue can be a danger at any time of the year.

The just-released annual global fraud survey by Kroll—which found that incidence of fraud, including information theft, is at its highest level in eight years—warns that cyber fatigue is real, but not an excuse for inaction.

It’s easy to become fatigued at the thought of cyber security. With so many things to do and to learn, you can lose sight of the benefits. If the process does become too overwhelming, remember this: Each step your company takes to protect itself makes it that much more difficult for attackers. They will move on to an easier target—one without as much security in place.”

Information theft was identified as being of particular concern among the 768 senior executives worldwide polled for the fraud survey.

More than half of executives (51 percent) believe their businesses are highly or moderately vulnerable to information theft risks such as cyber incidents, according to Kroll’s analysis.

The good news is that this increased awareness level has led to an increase in the number of companies proactively looking after their cyber security stance.

Some two-thirds (67 percent) of companies report that they regularly conduct data and IT infrastructure assessments, and a majority (60 percent) regularly conduct data and IT infrastructure assessments.

Some 60 percent also report they have an up-to-date information security incident response plan and 59 percent have tested it in the past six months, an increase on the previous survey.

Another interesting takeaway: while media attention is focused on external cyber threats to companies, the report findings tell a different story.

Of those companies that have fallen victim to information loss, theft or attack over the past 12 months, the most common cause was employee malfeasance–involved in 45 percent of cases, according to Kroll. Vendor/supplier malfeasance was also involved in 29 percent of cases.

By comparison, only a small minority of cases involved an attack by an external hacker on the company itself (2 percent) or on a vendor/supplier (7 percent).

For information on how insurance can help businesses protect themselves from the cyber threat, check out I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

I.I.I. facts and statistics on cybercrime and identity theft are available here.

 

There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies are at greatest risk of a large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

Whether it’s the VW emissions scandal or rebuilding a company’s reputation after a cyber attack, we’re reading a lot about the challenges of managing reputation risk in the business world.

How important—and valuable—a positive reputation and ethical C-suite leadership is for an organization to attract talent is highlighted by recent findings of a survey of 1,012 U.S. adults by Corporate Responsibility Magazine and Cielo Healthcare.

(Hat tip to the WSJ’s Risk & Compliance Journal for flagging this survey.)

The research identified bad behaviors most harmful to a company’s culture and reputation as:

  • Public exposure of criminal acts (33 percent);
  • Failure to recall defective products (30 percent);
  • Public disclosure of workplace discrimination (21 percent);
  • Public disclosure of environmental scandal (15 percent).

What’s the true cost of a bad corporate reputation? According to the survey, companies perceived as unethical face a potential talent shortage and increased recruiting costs as they struggle to successfully recruit women and millennials.

Only 67 percent of employed Americans surveyed would take a job with a company that had a bad reputation if they were offered more money, compared to 70 percent in 2014.

In contrast, 92 percent would consider leaving their current jobs if offered another role with a company with an excellent corporate reputation.

It would also take a substantial pay increase for many to take a job with a company with a bad reputation, with 46 percent of survey respondents needing a pay increase of 50 percent or more to consider moving to an unethical company.

Women are more motivated to work for an ethical company, the survey found. Some 86 percent of women who responded said they would not join a company with a bad reputation compared to only 67 percent of men.

In contrast, 92 percent of men and women would consider leaving their current jobs if offered another role with a company with a stellar corporate reputation.

Check out the I.I.I. online resource for business insurance here.

Next Page »