2019 was another eventful year in the risk calendar, with major incidents occurring around the globe, caused by both man and nature. The risks faced by organisations continue to multiply and evolve, so here we look at some of the significant events of last year and highlight the key lessons for risk managers.
Cyber and Tech
Last year saw cyber losses spiral upwards in terms of frequency, severity and cost as cyber criminals and hackers continued to target companies holding large volumes of personal data.
In the past year over 60 per cent of public and private sector organisations in the US, UK, Belgium, France, Germany, Spain and the Netherlands have suffered one or more cyber attacks, according to recent research published by insurer Hiscox. The cost of these attacks has escalated dramatically during 2019 with large firms suffering losses of £551,000, compared with £128,000 12 months earlier.
As the year began the full details of the Cathay Pacific and Marriott Hotels breaches were still unravelling. However, these attacks were soon dwarfed by the Capital One data breach, which saw the personal details of approximately 106 million individuals across the US and Canada stolen in a hack. The data breach is believed to be one of the largest in banking history.
Capital One said the data included names, addresses and phone numbers of people who applied for its products, but maintained that the hacker did not gain access to credit card account numbers.
One of the big lessons to come out of the Capital One breach is that as well as regulatory fines, companies that face breaches can also be faced with class action suits.
The attack also highlighted the significant risks of storing information in the cloud if it is not properly protected.
Social engineering fraud is also on the increase, with Accenture research showing that 70 per cent of companies have been hit. Companies of all sizes have been targeted with the costs running into the billions.
The fraudsters use methods including sending phishing emails purporting to be from vendors, clients or customers, or directing a transfer of funds or a change of invoice details. The frequently complex nature of these schemes often makes it difficult to identify the fraud before it is too late.
What can risk managers do?
Tiago Dias, Cyber Consultant at FM Global, says: “Cyber security is no longer only an issue for IT staff as all employees are being increasingly targeted by cyber criminals. Phishing, which is defined as ‘a cybercrime in which a target or targets are contacted by someone posing as a legitimate institution to lure individuals into providing sensitive data’ remains the most effective way for cyber criminals to gain entry into businesses.
“So, another important step is to conduct training for all staff to be aware of cyber threats and how to recognise and deal with a potential cyber attack. In this way businesses can successfully prevent a huge number of cyber attacks.
“Fortunately, building cyber resilience does not have to be a demanding task for risk managers. Given 80 per cent of cyber attacks would be defeated by basic security controls, it is clear that a few relatively simple risk management steps, coupled with a responsive insurance programme should the worst happen, can make a real difference.”
Political and social unrest
2019 was notable for the social unrest that swept across developed and developing nations alike with issues including growing inequality and failing infrastructure fuelling distrust in business and political discontent.
In fact, social unrest is the fastest growing risk to the world’s economy, according to data from the Cambridge Centre for Risk Studies. It climbed three places up the rankings to be the 14th overall biggest threat facing the international economy with a GDP risk value of $8.3bn.
Extinction Rebellion protests against climate change took place in 60 major cities around the globe and brought transport to a standstill in many key locations. There have also been gilet jaunes protests sparking violence in France, extradition riots in Hong Kong, uprisings in Venezuela and the potential signs of a second Arab Spring.
In addition, almost seven in 10 businesses suffered political risk losses during 2019, according to a survey by Willis Towers Watson. The survey of 41 major corporations also found that 61% of respondents believe that political risk levels have risen in 2019.
According to the broker’s annual Political Risk Survey, disruption of international trade was considered the most significant risk in the majority of regions. Sanctions against Russia, Iran and Venezuela, a trade war involving China, and the threat of Brexit in Europe were reported as concerns by respondents.
What can risk managers do?
Willis Towers Watson says that as political risk continues to increase (with related financial losses also rising) corporations now face a strategic choice to either maintain their global business models while accepting, mitigating or transferring the political risks associated with them, or attempting to realign themselves with the emerging shape of a new and apparently more nationalist global landscape.
Nick Allan, CEO of Control Risks, says: “The security, compliance and resilience skills business has learned over the past year will be tested further.
“The past teaches us that political risk never gets easier to manage in an economic downturn, and economic stress will amplify current fractures in global stability.
“Despite a somewhat gloomy outlook on several fronts, many clients remain set for growth in the months ahead. While regulations, trade barriers, sanctions regimes and cyber threats will hinder international business, we believe that conflict will be kept largely to these domains.
“The frameworks and structures that served as a reference point over the past few decades have fallen away, but business continues to innovate and drive prosperity in all corners of the globe. Indeed, in many areas companies are often responding faster than governments to meet these challenges.
“In 2020, it is anticipation, agility and the ability to pick through tactical obstacles that will be critical.”
Climate and natural catastrophes
Our climate continues to change at an alarming rate and 2019 was the second warmest year on record, according to the World Meteorological Organisation. These changes continue to trigger extreme, and often unprecedented, weather events around the globe.
In Australia the hot weather caused an unparalleled bushfire season that started three months earlier than usual in June and continued to burn well into 2020. The devastating bushfires caused huge destruction and loss of life across the south-east of the country. The Insurance Council estimates the total damage and economic loss caused by the Australian wildfires will be in excess of $2.4 billion.
On the other side of the globe parts of northern and central England saw a month’s worth of rain fall in 24 hours during November. Homes and businesses were flooded with PricewaterhouseCoopers (PwC) estimating £120 million in insured losses.
From a commercial risk management perspective, this increase in frequency and intensity of extreme weather events is particularly notable, due to the severe damage that such events can cause.
What can risk managers do?
Given these broader trends, it is imperative that business leaders and risk managers are prepared to mitigate the damage that natural catastrophes can cause, by building resilience throughout their organisations.
Businesses should create a location-specific emergency response plan, which addresses the natural hazard posed, e.g. windstorm and flood. In addition, a business continuity plan will establish alternate suppliers for key components that would support consistent delivery of services whilst a business is recovering.
AIRMIC warns risk managers that the price will be high for those who fail to understand this – as many organisations are still failing to do. It says that c-suites, board members and all top executives across corporate and political life must do far more than just take note. They must act decisively.
Last year’s events have only increased public pressure for decisive action to counter the climate emergency. However, this creates a new opportunity for risk professionals to take the lead.
Mark Carney, the outgoing governor of the Bank of England, who is now a UN Special Envoy for climate action and finance, said: “It’s not moving fast enough. For the climate crisis, unless companies and investors wake up to the new scale of risk that is approaching at ever higher speed, many assets will become stranded and worthless.
“If there is no action, there will be an emergency so what is required are a variety of steps to bring the future into the present so that action is catalysed today.”
Financial risk
Increasingly financial losses are being driven by events ranging from product failures to man-made disasters, natural catastrophes to cyber attacks. More and more these types of events are exposing c-suite executives and board members to significant securities or derivative claims from shareholders, according to Allianz Global Corporate & Specialty (AGCS).
Of the top 100 US securities fraud settlements ever, 59 per cent are event-driven and such cases highlight the importance of appropriate Directors’ & Officers’ insurance.
AGCS has seen a number of securities class actions, derivative actions and regulatory investigations and fines, including from the EU’s General Data Protection Regulation (GDPR), in the last year, and expects an acceleration in 2020 with the California Consumer Privacy Act (CCPA) adding to the regulatory burden.
These laws have created a substantial challenge for companies that rely on personal data for business, with significant adverse consequences. Non-compliance fines are exceptionally high under the GDPR as a €10 million penalty could be imposed if a company fails to disclose a data breach within 72 hours.
Further, the company would likely be subject to negative publicity leading to adverse financial consequences.
For instance, Cambridge Analytica was forced to shut its doors after its unlawful use of consumer data through Facebook’s platform. However, even if a firm remains open amid its reputational nightmare, it will likely face securities action lawsuits from the financial ramifications to investors, sparking even more D&O claims.
Internet company Yahoo! ended up paying an $80 million settlement from a securities class action suit for failing to disclose its cyber breach in 2018, the first of its kind. This large settlement has set an important precedent for future cyber disclosure violators.
These events have enormous potential to cause business interruption, reputational damage and financial losses so organisations have swiftly moved D&O up the corporate agenda.
Shanil Williams, Global Head of Financial Lines at AGCS, says: “AGCS continues to see more claims against D&Os emanating from ‘bad news’ events not necessarily related to financial results. Scenarios include product problems, man-made disasters, environmental disasters, corruption and cyber attacks.
“D&O insurance addresses the intrinsic strategic risks of corporations and their senior management, and over the past year the D&O market has seen major change and likely will experience further volatility in 2020.
“One of the best defences to protect against such volatility is for risk managers and their D&Os to maintain an open dialogue with underwriters and brokers, so that all parties can gain a better understanding of the risk culture and governance within an organisation.”