HEADING FOR A BUSINESS INSURANCE DISASTER?
TO ERR IS human, but to really foul things up you need a computer, said American biologist Paul R. Ehrlich. To have things fouled up for you on a grand scale, all you need is any connected computer or mobile device.
More than eight in 10 large UK businesses and six in 10 small companies suffered a cyber security breach in the previous 12 months, according to a report this spring. Cyber threats are estimated to cost the economy billions of pounds a year with the cost of cyber attacks nearly doubling between 2013 and 2014.
The report by the UK government and leading insurance broker Marsh was followed in summer with a study from Marsh showing that almost seven in 10 large and mediumsized companies do not assess their suppliers or customers for cyber risk.
More than five in 10 had not themselves been asked to demonstrate a competent standard of IT security practice to their bank or customers. Only just over half were planning to buy cyber insurance in the next 12 months but just over one in 10 actually had a policy in place.
At the same time more "traditional" threats to business continuity have not reduced. In fact some, like flooding, have increased with climate change.
"Cyber risk is perhaps the most pernicious of all the emerging risks faced by businesses today," said Stephen Wares, Marsh's cyber risk practice leader for Europe, the Middle East and Africa. "The trouble with cyber risk is that few firms are used to dealing with it. With the exception of organisations such as banks, utilities and other critical infrastructure, operational risk for many firms is managed well below board level.
"Although companies are concerned about cyber risk, a survey by Marsh conducted earlier this year revealed that board-level ownership of cyber risk among UK firms remains comparatively low. IT departments continue to take primary responsibility for cyber risk, while the board takes primary responsibility for cyber risks in less than one fifth of the organisations we surveyed.
"If organisations are to reduce the threats arising from cyber attacks, more work needs to be done to consider cyber security as a business issue, as opposed to a technical problem. That goes well beyond the historic expectations on risk management for many firms and requires a significant elevation and investment in risk."
And the smaller firms might be a route into the bigger ones. "Larger organisations attract highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected as the 'back-door' into their IT systems."
It might have been some comfort if the technological expertise that had enabled us to work in cyberspace had tamed some of the risks of the physical world. However, Wares' colleague Caroline Woolley, global leader of Marsh's Business Interruption Centre of Excellence, offered little solace.
"From natural catastrophes such as earthquakes and floods to manmade mayhem in financial markets or cyberspace, in our globalised economy these incidents often have repercussions for global supply chains that can be felt on the other side of the world," she said.
"To date, much of the work undertaken by companies in addressing supply-chain risk." has been to improve understanding of their supply and value chains. Detailed information is not always readily available, in part because of the complex web of suppliers of suppliers.
"But it is also because traditional insurance policies often pay out only in the event of property damage suffered by first-tier suppliers, and therefore do not require risk managers to provide details of suppliers further down the chain.
"Risk management and risk transfer must work together to make organisations more resilient, as firms become more exposed to major disasters and subsequent business interruption as a result of these increasingly complex global networks."
Companies do not themselves have to be global to find themselves reliant on global networks. Andrew Lothian, head of casualty and general insurance in Scotland at DWF, said: "Business interruption insurance is becoming more and more important as many organisations now rely on electronic communications, external data hosting and sophisticated technology to function day to day.
"An essential aspect of disaster recovery planning is business interruption cover, as organisations need to ensure that provisions are in place to meet payroll and other overhead commitments if the business can't operate.
"This also extends to the supply chain, and businesses should discuss the disaster recovery plan of any suppliers to effectively manage risk and ensure a business interruption further down the chain doesn't impact others.
"In a competitive market, insurers will underwrite most risks. However, businesses need to seek advice on what cover to take now and in the future, as a growing business will need to factor in future expansion plans to ensure the cover is adequate."
Risks in the supply chain are not always high-tech and include the very old-fashioned one of not getting paid. "This is the single biggest risk to any company with the potential to undermine its ability to do business," said Mike Rowan, regional manager for trade credit insurer Atradius in Scotland.
"Buyer insolvency and payment defaults are primary concerns for businesses and among the threats that could impact a supplier's ability to pay are cybercrime and fraud.
"Protecting your business from risk is essential. When entering into a trading relationship you need to be sure that your customer is actually who they say they are. Buyer impersonation and fraud pose significant risks for businesses and cybercrime in particular is becoming more prevalent."
His company has invested in training to improve fraud detection and offered these tips: "Small suppliers are the most vulnerable as they may not have the systems in place to detect fraud and are more likely to feel the squeeze if they do suffer a financial loss.
"Warning signs to look out for are buyers who are not interested in negotiating prices, setting short periods between first contract and delivery, and placing big orders after an initial run of small low-cost orders. Another red flag is where the buyer has moved between different trade sectors."
Businesses are dynamic entities and it is relatively easy to fail to keep insurance cover at a sufficient level. "Any claim that you make will often only be paid on the basis of the amount of cover that you chose, based upon what is called the 'average clause'," said Seonaid Busby, partner at Weightmans.
"The operation of this clause means that the cover will be based upon the percentage of cover that was taken out rather what the cover should have been."
If, for example, you have taken out insurance that will cover PS50,000 of loss but you sustain a loss of PS100,000, you will be under-insured by 50 per cent. So the 'average clause' means your insurer would cover only 50 per cent of any claim Research by one insurer in 2014 into a sample of 383 of clients where under-insurance was a problem found that 177 of them had underinsured by an average of PS486,000. The remaining 206 clients were referred for specialist valuation and, of these, more than three quarters were on average 45 per cent underinsured.
Under-insurance of commercial property was highlighted recently by a report from the Financial Conduct insurance specialist at brokerage Caunce O'Hara.
Authority (FCA): Handling of INSURANCE Claims for Small and medium-sized Enterprises. This report revealed a significant number of instances where the sums insured were inadequate to cover the loss incurred. One example revealed the sum insured was less than 50 per cent of the amount required.
A leading global and property and construction consultancy reported that the average level of underinsurance for owners of commercial properties is 60 per cent.
"Businesses are often reluctant to pay for professional valuations," said Busby. "This is coupled with the common misapprehension that the market value of a property is the figure that they should use for the sum insured. It should in fact reflect the cost to rebuild.
"If the market value is used there is often a considerable risk that the property will be under-insured. The general advice in relation to property insurance is that valuations should be carried out at least every three years unless there is any reason to believe meantime there has been a fluctuation in the correct value required for adequate cover."
The more specialist the business's operations the longer any interruption to them is likely to be. For example, the lead time for bespoke plant and machinery can be longer than anticipated, particularly if made to order or being shipped from overseas. The logistics of transportation and installation can also dramatically add to costs and timescales.
"An understanding of the insurance in place is essential. For example, reinstatement cover will replace old for new while indemnity cover will pay out the market value of the plant and machinery at the time of the loss. The difference can be significant."
Busby listed just some of the factors that could affect the level of cover you need: "The valuation of your property has fluctuated up or down; you have altered a property; insurance cover has been based on market value rather than what it would cost to rebuild; your property is a listed building - time and cost of repair/rebuild are usually greater; you have not factored in costs such as professional fees for architects or surveyors; for site clearance or access; you are carrying more stock now than you did when you took out the policy; you have new or specialist plant or equipment; there is a higher risk of terrorism or political unrest."
The last is an example of the ever-changing nature of the risks incurred in the real world as much as in cyber-space. We have grown used to the idea of terrorism and political violence, but how many hauliers predicted that they would be caught up in Operation Stack, when the police turned the main route into Dover into a miles-long truck park? How many suppliers predicted that their goods might spoil in the delay or pass their sell-by date? How many factories or retailers predicted that production would be interrupted or sales lost even though they were in Scotland, hundreds of miles from the scenes of the trouble in Calais? "When it comes to liaising with your insurance firm over any business interruption cover, you'll need to ensure that you have the correct indemnity period detailed in your policy," said Steve Lewis, "Getting the period right on your policy should be done at inception and all good insurance brokers will be happy to talk you through the full business ramifications of such a clause. This detail should also be reviewed on an ongoing basis as many businesses change over a period of time and this information needs to be current.
"Very few businesses will be in the position of being able to leap into a new factory after a fire, for example, but those fortunate enough to operate in multiple locations may be able to resume operations more quickly. It's vital that you err on the side of caution with this. A fire, for example, will require a full investigation before you can even begin to negotiate a return and this can take up to six months to even get started. Your indemnity period should be no less than 18 months at an absolute minimum and even then, this is very close to the bone. We don't tend to advise anything that short-term - 24 months is a more realistic period."
One of the other major concerns is to ensure that you have the correct gross profit figure which directly relates to the indemnity period chosen. Making sure your insurance policy reflects realistic figures, staffing and business-related information makes it much easier to facilitate a claim.
"These concerns apply to all businesses but have particular implications within the manufacturing, engineering and construction industries or the supply chain to them."
And then we have forces of nature, sometimes exacerbated by the efforts of man. The risk of flood damage is growing due to more severe and concentrated rainfall in many areas already considered to be high risk.
"In these cases it isn't 'if' but 'when' flooding will happen," said Chris Netherton, chief executive of Flood Excess INSURANCE. "When it does, and you're not properly protected, the task of finding a considerable sum of money to cover the insurance excess for repairs could have huge financial consequences."
As any self-respecting pessimist will tell you, it never rains but it pours, and an umbrella alone is unlikely to provide sufficient cover. But pessimists tend to get rained on less often. |
Cyber risk is perhaps the most pernicious of all the emerging risks faced by businesses today Stephen Wares, Marsh (below)Risk management and risk transfer must work together to make organisations more resilient, as firms become more exposed to major disasters and business interruption Caroline Woolley, Marsh (below)If the market value is used there is often a considerable risk that the property will be under-insured Seonaid Busby, Weightmans (below)
Above: Not many hauliers predicted that they would be caught up in Operation Stack
|Printer friendly Cite/link Email Feedback|
|Date:||Dec 4, 2015|
|Previous Article:||Q3 DEALS: ROUND-UP.|
|Next Article:||BIG BANKS ON THE UP BUT MAJOR ISSUES FACE BUSINESS; Alasdair Northrop's regular view on business.|