Allianz Risk Barometer 2021 -
The Covid trio

A study by Euler Hermes [1] found that almost all (94%) companies surveyed reported a Covid-19- induced disruption to their supply chains, while more than a quarter (26%) of US companies reported “severe disruption” as a result of the pandemic. This means awareness of business interruption risk is now at the very top organizational level. It has become a discussion not just for risk professionals but for company boards and shows the need for businesses to build more resilient supply chains, as well as to find new ways to address uninsurable risks. Covid-19 is a reminder that not all perils are insurable, and that risk management and business continuity planning play a critical role in helping businesses survive extreme events.

The outbreak has also shown that business interruption is highly correlated with many of the risks of most concern to businesses today as identified in the Allianz Risk Barometer, such as natural catastrophes and climate change, political risks and civil unrest, and even rapid changes in markets, in addition to cyber. “Business interruption is the consequence – it is the impact on the balance sheet – caused by perils,” says Philip Beblo, Global Practice Group Leader Utilities & Services, IT Communication at AGCS. “Given the widespread disruption caused by Covid-19, it is no surprise that it is ranked as the highest peril, while cyber was already one of the most concerning potential causes of business interruption.” 

One of the big lessons learned from the pandemic is that extreme business interruption events are not just theoretical, but a real possibility. While a “known-risk”, the coronavirus pandemic was a surprise event of global magnitude, with many unexpected consequences. For example, a new strain of Covid-19 even led to the sudden closure of UK ports and borders in late December 2020, coinciding with existing port congestion during the Christmas period and the end of the Brexit transition period. Other potential triggers for large-scale business interruption events in future could include environmental or natural disasters, further disease outbreaks, a large-scale cyberattack or blackout, or even a solar storm.

The consequences of the pandemic are also likely to heighten business interruption risks in other areas in coming years. Even as the immediate health risks of the pandemic ebb with vaccinations, the accelerated push to digitalization will likely bring new risks, while the economic, societal and political repercussions of the pandemic could also bring sources of disruption for years to come. “Businesses have seen the consequences of the pandemic – the loss of revenue and disruption to production and supply chains – which has resulted in heightened awareness of the potential for losses from both traditional physical sources of business interruption and non-physical damage triggers. The pandemic has shown that business interruption risk is not isolated to a geography or sector, and that it can be overarching and span different geographies, markets and customers,” says Beblo.

Pre-Covid, both society and business were already growing more dependent and reliant on technology and intangible assets and this trend is likely to accelerate as companies change business models and ways of working.

Covid-19 will likely spark a period of innovation and market disruption, accelerating the adoption of technology, leading to regulatory changes, as well as hastening the demise of incumbents or traditional sectors, and giving rise to new competitors. A survey by McKinsey [3] found that companies may have accelerated the digitalization of supply chains and operations by three to four years, while the importance of digital products has accelerated by seven years.

Society’s growing reliance on technology and the threat posed by cyber is a particular area of concern. Technology is a double-edged sword for business interruption. While it can be a useful tool for business continuity, for example by switching to remote working and process monitoring or online sales and servicing, it also brings new risks.

The digitalization of supply chains could potentially reduce the frequency of business interruption events, but it may also lead to more severe disruption when the underlying technology goes wrong. “Digitalization increases transparency in the supply chain, which means organizations can react faster and better,” says Pachov. “However, a cyber-attack or a technical failure causing a major outage could lead to a severe business interruption event.” The pandemic may have opened a “Pandora’s Box” of cyber business interruption risks, according to Pachov. “The pandemic has demonstrated the need to ‘expect the unexpected’ and watch out for the pitfalls of digitalization. We may be about to open a box of ‘Black Swan’ events, with unexpected consequences from the pandemic, such as future cloud outages.”

“Everybody is rushing to embrace technology and embark on digital transformation, which could put technology companies under immense pressure to meet growing demand for cloud and other IT services. Tech companies will be working close to capacity and there will come a point when technology and servicing will become stretched or reach their limitations. If digitalization is not done properly [with due consideration for the risk/building resilience] then a future ‘Black Swan’ scenario involving the failure of a major cloud provider could become a reality,” says Beblo.

According to a survey of European risk managers [4], 46% expect to make changes to supply chains following the pandemic, of which 70% intend to find alternative suppliers. The Euler Hermes Global Supply Chain Survey found that a similar number (62%) of US and European companies are considering looking for new suppliers, while 30% are in favor of near-shoring. In fact, 20% of companies surveyed consider finding new suppliers at home.

“Clients are looking to de-risk their supply chains to achieve operational resilience. Covid-19 showed just how vulnerable global supply chains have become and highlights how the most agile companies and those that were quickest to react to the pandemic were those that had an adaptive and embedded risk management approach,” says Beblo.

Increased resilience of supply chains is to be welcomed. It will not only help with insurability of supply chain exposures, but it will also help clients react faster to market trends. “It’s not just about limiting insurance claims, more resilient supply chains should translate to more successful companies,” says Pachov.

Meeting the challenge of business interruption risk will require risk professionals to find ways of quantifying exposures, including areas like nonphysical damage business interruption and emerging risks.

“Businesses need to focus more on the quantification of business interruption triggers and their potential impact, and not just rely on high level risk management strategies or ‘blue sky’ thinking. They need to develop the tools and systems needed to understand business interruption triggers and measure the impact,” says Pachov.

“The pandemic has shown there is still a lot of work to be done on business continuity and business resilience,” adds Beblo. “In order to manage the risks and develop solutions, they will need to collect data, utilize analytics, and then consider what is insurable. Risk management today is very good at insurable risks, but could do better when it comes to the non-insurable risks, like intangible assets, supply chains and reputation.

"Resilience will be critical to surviving future business interruption events. It needs to be embedded in the organization’s culture and helps to make the remaining business interruption insurable. Resilience is also good for insurance. The insurance industry cannot take away all challenges but we can work in partnership with clients. We are able to underwrite some of the biggest drivers of business interruption – such as natural catastrophes and fire, as well as some cyber – and offer risk engineering services and alternative risk transfer solutions to support our clients in these challenging times.”

According to Allianz Risk Barometer respondents, data breaches rank as the cyber exposure companies are most concerned about over the next year, followed by IT vulnerability due to increased remote working and ransomware attacks, which have been increasing in both number and severity. Data breaches already rank as the top cause of cyber incidents for businesses, followed by external events such as ransomware attacks, while employee errors ranks third, reflecting the fact that mistakes and technical problems are the most frequent generator of cyber insurance claims by number, according to AGCS analysis.

“Data breaches remain the biggest concern for most companies, particularly those that deal with large amounts of personal data, such as retailers, healthcare providers and banks,” says Catharina Richter, Global Head of the Allianz Cyber Center of Competence, which is embedded into AGCS. “However, ransomware attacks are an ongoing threat for an increasing number of industries, such as manufacturing and service sectors, and can be a cause of significant business interruption. Ransomware incidents and privacy cases will remain prevalent issues for companies in 2021. Attackers continue to innovate while regulatory enforcement and fines for data breaches continue their upwards trend. New cyber loss scenarios are constantly emerging.” 

Prevalent forms of ransomware – including Sodinokibi, Maze, Ragnarok and Ryuk – have caused major disruption for manufacturers, public sector entities and healthcare providers, shipping companies, utilities, technology and professional services firms recently.

Almost half a million ransomware incidents were reported globally in 2019 and this trend is set to continue. For criminals, it is a very attractive mode of attack – low cost, low risk and very profitable.

Such attacks are also becoming more ambitious. Where hackers once hit small- to mid-size companies, they are now also targeting large companies, where the rewards are highest. A noticeable recent trend has been the added dimension of privacy and hackers’ willingness to exploit brand and reputation. Having encrypted critical or personal identifiable data, cyber criminals threaten to release the data or publicize the breach if demands are not met. Ransomware demands, increased by almost a third between the second and third quarters of 2020, according to incident response firm Coveware, while almost 50% of cases included the threat to release stolen data [6].

While ransom demands attract the most public attention, the biggest cost driver for ransomware incidents is business interruption and the cost of restoring data and systems.

The total cost of ransomware demands in 2019 was $25bn, but this increased to $170bn when the cost of downtime was included, according to Emsisoft [7]. On average, a ransom incident can result in 16 days downtime. “If systems are down for a week or two, losses can be significant,” says Jens Krickhahn, a Regional Cyber Practice Leader at AGCS. “We recently heard of a claim for a ransomware attack against a company where the cost of restoring systems was under €10mn, but the BI loss was €50mn ($60mn).”

In response to the growing threat, AGCS has stepped up its underwriting focus when needed, for example on ransomware exposures, differentiating between firms that have strong controls and processes in place to mitigate the risk. Regular patching and awareness training can help deter attacks, while maintaining secure backups can significantly reduce losses. A dedicated business continuity plan outlining what a company needs to do in event of an attack to minimize disruption can also help.

“Only a few companies end up paying ransom demands, usually those that are least prepared. Organizations that have good patch management and backup processes are able to rebuild systems and get back to business quickly without having to pay ransoms,” says Krickhahn. Training is particularly important. “People are the last wall of protection. If employees are able to identify phishing mails they can avoid huge claims,” says Krickhahn. “IT security, technical processes and people go hand in hand when combatting the growing problem of ransomware.”

AGCS analysis of over 1,700 cyber-related insurance claims over the past five years shows that business interruption is the main cost driver behind losses, accounting for around 60% of the value of these claims. “In Europe, we now see more cyber insurance claims with a business interruption impact than we do for [data breaches] third party liability. This is a trend that is likely to continue for the foreseeable future,” says Krickhahn.

At its most extreme, cyber may also present a systemic or catastrophic risk. A major blackout or cloud outage could have a massive impact, simultaneously affecting companies around the world. “Future ‘Black Swan’ events cannot be ruled out. It will be important to identify and prepare for such scenarios quickly before they become true events,” says Krickhahn. 

The coronavirus pandemic is likely to add to existing cyber concerns, given the increasing reliance on technology and online sales. Even the arrival of the vaccine has brought another element of risk with recent attacks against approval authority, the European Medicines Agency, as well as labs handling Covid-19 tests.

Acceleration towards greater digitalization was the change caused by the pandemic that Allianz Risk Barometer respondents believe will most impact their company, followed by more remote working.

“A lot of change is being forced upon companies and the pace of adoption will only increase with the pandemic. Cyber security and business continuity may struggle to keep up,” says Krickhahn.

The shift to remote working during the early stages of the lockdown was accompanied by a reduction in cyber security – some firms turned off multi-factor authentication – while employees working from home are more susceptible to phishing attacks. At the peak of the first wave of lockdowns in April 2020, the FBI reported a 300% increase in cyber incidents alone.

Many months later, companies should now have the right processes and protections in place to enable safer remote working. However, there is a risk that companies will reduce IT budgets and security spend if the pandemic subsides and people return to offices, meaning vulnerabilities could re-emerge. Businesses need to prepare for the next event and not let their guard down, says Krickhahn.

Cyber risk was once seen only as an issue for computers and software, but with the acceleration of digitalization it is increasingly expanding to include everything from cars to factories to smart devices in our homes.

“Emerging areas like artificial intelligence (AI) – such as “deepfakes”, where realistic media content such as photos, audio and video is modified or falsified by AI – the digitalization of supply chains, automation and the ‘Internet of Things’, as well as new ways of working, could all provide opportunities for hackers and open up new vulnerabilities,” says Krickhahn.