Almost two years after the COVID-19 pandemic began, cyber is now the most significant cause of concern regarding business interruption (BI), according to the latest Allianz Risk Barometer report, overtaking the pandemic.
Previously, Mark Mitchell (pictured above), Asia-Pacific regional managing director of Allianz Global Corporate & Specialty, discussed the pandemic’s impact on BI insurance in the region. Now, he looks at how insurers should approach cyber risks, which are less understood than more established triggers, and business interruption.
“Companies’ growing reliance on technology and digitalization is likely to be the biggest challenge for BI going forward,” Mitchell said. “Alongside supply-chain disruption, these were cited as the biggest changes brought about by the pandemic, while cyber is the most feared cause of BI in this year’s survey. Respondents note that cyber is still not as well-understood as traditional BI triggers such as natural catastrophes or fire, therefore mitigations are not as well developed. Cybersecurity also ranks as companies’ major environmental, social and governance concern, with respondents acknowledging the need to build resilience and plan for future outages or face the consequences from regulators, investors and other stakeholders.”
In the past three years, a large increase in the number of cyber claims has been recorded. According to Mitchell, this is partly due to higher losses caused by external manipulation of systems, as well as the increased uptake in cyber insurance.
“Overall, cyber-related claims seen by AGCS more than doubled from about 500 in 2018 to about 1,100 in 2020,” he said. “Ransomware-related claims increased 50% year on year in 2020, while the total number of ransomware claims received in the first half of 2021 was the same as that reported during the whole of 2019 (60), as criminals have become more organized and better resourced. Extortion demands have more than doubled, while business interruption losses have escalated as larger companies and their supply chains are targeted.”
Mitchell said that ransomware claims are showing some tentative signs of stabilizing, as insurers and business have taken steps to increase cyber security and resilience, while law-enforcement agencies have given more attention to ransomware.
“There has been a slight deceleration in ransomware claims, although they remain at elevated levels,” Mitchell said. “Future claims trends are difficult to predict, as perpetrators are always looking to exploit new vulnerabilities and employ new tactics. Cyber is one of those lines of business where you can cover one hole in the bucket only to find a new exposure emerges. As there is an increasing intersection of risks, as an insurer, we need to adopt a disciplined underwriting approach managing our global portfolio and addressing risk accumulation.”
Many times, technological problems require technological solutions. According to Mitchell, the pandemic has brought about a wave of innovation and market disruption, which accelerated the adoption of technology, led to regulatory changes, hastened the demise of incumbents or traditional sectors, and gave rise to new competitors.
“A survey by McKinsey found that companies may have accelerated the digitalization of supply chains and operations by three to four years, while the importance of digital products has accelerated by seven years,” Mitchell said. “Society’s growing reliance on technology and the threat posed by cyber is a particular area of concern. Technology is a double-edged sword for business interruption. While it can be a useful tool for business continuity, for example by switching to remote working and process monitoring or online sales and servicing, it also brings new risks.”
While digitalization of supply chains may reduce the frequency of business interruption events, it can also cause more severe disruptions if something goes wrong with the underlying technology. Extremely complex and automated supply chains operate efficiently, but a single cyber incident could bring it all crashing down.
“As the cyber risk landscape has changed, the insurance industry has turned its focus to helping clients improve the quality of their cyber risk management,” Mitchell said. “AGCS now assesses each insurance submission it receives against cybersecurity posture criteria. Assessments look for proactive technology controls – such as endpoint protection and multi-factor authentication – as well as regular backups, patching, training, business continuity arrangements and crisis response capabilities. The role of insurance has always been to ensure good risk management and loss prevention. Good cyber maturity and good cyber insurance go hand-in-hand. Even when companies follow best practices and implement technical solutions, systems can still be compromised. Pre-event planning and preparation – such as incidence response planning, scenario testing, and board war-gaming – are critical to minimizing the impact of a cyber attack.”