George Beattie, head of incubation underwriting at Beazley writing on new research from the London market insurer into clients’ risk and resilience
Beazley recently released two reports, based on the insight of over 1,000 research respondents. The research that sits beneath tells us what clients care about, what keeps them up at night, where their risk blind spots are and what they want from an insurer. We call this data our Risk and Resilience toolkit.
As part of this programme, we asked clients to rate business risks and their corresponding sense of resilience to these same risks, and the results were surprising. As you might expect, the pandemic was rated high risk, but clients felt that they also had high resilience. Having lived through the pandemic experience for the last eighteen months, a high understanding of the risks of a pandemic clearly makes sense.
In other areas, climate and supply chain issues were both viewed as being high risk, low resilience – again as expected.
Cyber brings together a multitude of risks
Much more surprising is the report’s findings that clients think that they are resilient to cyber events. Beazley’s experience is that they aren’t: our claims continue grow year on year. The 2021 year is not finished but we have already had a 71% increase in cyber claims, and also a widening of the variety: not just ransomware, but also email compromise, phishing, fraudulence and obstruction, as well as old-fashioned cybercrime: people losing hardware with unencrypted data, or sending emails to the wrong recipient.
The background is a grim one too: the number of interactive intrusions grew by 400% from the beginning of 2019 to the end of 2020.
The reality, of course, is that clients’ sense of resilience may be illusory. There are pockets of resilience, and in some sectors regulatory oversight can help. In other sectors, protective standards are simply too low.
A large part of any cyber breach is the potential impact that this has on the reputation of a business, however reputational risk – as rated by the same client types – comes very low down on the list things that keep people up at night – low risk, and equally low resilience.
Reputational risk is under-played
We believe that on the subject of reputation, it is difficult for organisations to pinpoint just how important it is until it actually comes to the crunch.
The trick for many organisations is that they have a limited pot to spend. How you respond to an incident is crucial to maintaining a good reputation – which can be lost very, very quickly.
The good news is that while there is no magic formula, many incidents incorporate the same elements. Criminals pick soft targets first, and repeatedly visit the path of least resistance. You need to be that resilient organisation, implement multi-factor authentication properly and ensure backups are safe. None of these steps are especially expensive or difficult compared to the alternative of facing a breach, but they could differentiate a nuisance attack from becoming something so serious that you have to notify all clients, employees and regulators about an incident affecting data. Once that happens a business faces a huge reputational impact.
D&O cover will be part of the protective picture
Then there is the impact of cybercrime on D&O insurance. Inevitably, because of pressure from regulators and class action lawsuits which set precedents, there is more focus on directors and officers, and their actions: what they are personally doing to protect their companies and their shareholders.
We fully expect an increase in D&O claims in the coming years and undoubtedly, there will also be an increase in third-party litigation arising out of cyber events.
A multi-impact future is coming
How will all this impact your insurance coverage?
One takeaway is that organisations need to think a lot more about their supply chains, so that when something happens they have a plan for how to respond. Incident response and business continuity plans usually centre on events that happen to a single organisation: people need to think more broadly and consider critical suppliers of online as well as physical services.
But the biggest to do list is for the insurer. What the recent Risk and Resilience report clearly spelt out to me is the interconnected nature of risk – only sped up and complicated by the emergence and dependence on technology. What was impossible last year, is now the new normal – global meetings via teams, virtual care, virtual conferences. All of this is testament to the adaptability of industry to black swans like the pandemic, however we need to be vigilant to the fact that the world of insurance must change to keep up.
The role of Beazley’s Incubation Underwriting team is to hunt down opportunities to deliver breakthrough product innovation – not just ideas that bring incremental or adaptive change to existing products. We know that we need to innovate in new ways.
To do this, we have a simple outlook, focusing initially on addressable market and the level of economic pain that the issue at hand causes to that market. For issues that are frequent and potentially severe, like cyber, the incentive to risk transfer is pronounced. The other side of the coin are risks that are both infrequent in realisation, and not severe. We have to remember that insurance is a need, not a want. If the frequency and severity context isn’t right, the buyers won’t spend premium and will seek to retain the risk themselves.
And there is another point. Yes, insurance needs to deliver more resilience for the ‘new model’ digital world, and yes, now everything is increasingly connected: cyber, supply chains and D&O all link together. But that concept does not – to me – mean we have to merge all our risk coverage into single products that ‘do everything’ in one place. Linked risks still bring separate and discernible pain points. Our challenge is to digest the big, macro trends like climate change into addressable components of risk, so we can properly deliver risk management and financial safety nets where they are needed. I see the future of products as being ‘hub and spoke’ – with centralised services adding risk management value (the hub), surrounded by straight-forward risk transfer mechanisms for transferable risks (the spokes). These mechanisms may be parametric, or not, depending on the issue, the available data and contribution to solving the problem, which is ultimately where it all starts and ends.
It’s a big challenge, and one that is transformative of all aspects of our business, but we are working hard on it. A new world is coming.