With more and more new loss triggers emerging, and an increase in cyber business interruption (BI) incidents, BI is the top risk in a “networked society".
The threats may be changing but the result stays the same. Business interruption (incl. supply chain disruption) is the top risk for companies for the sixth consecutive year, according to the Allianz Risk Barometer with 42% of responses rating it as one of the three most important risks companies face in 2018, up year-on-year. Whether it results from factory fires, destroyed shipping containers, or, increasingly, cyber incidents, BI can have a tremendous effect on a company’s revenues. Yet its impact is one of the hardest risks to measure. A severe interruption can even have a terminal impact, particularly for smaller companies. Moreover, increasing interconnectivity means the potential for higher losses is growing. BI can be a consequence of many of the other top risks in this year’s Allianz Risk Barometer.
An increasing number of disruptive scenarios
BI can be triggered by traditional property damages resulting from natural catastrophe losses or a break in the supply-chain due to property damages at the premises of a supplier or customer, often known as contingent business interruption (CBI).
BI losses for businesses can often be much higher than the cost of any physical damage. The average large BI property insurance claim is now in excess of $2m1. This is more than a third higher than the average direct property damage loss. ($2.4m and $1.75m respectively).
But as many businesses transition from being rich in physical assets to deriving more value from intangibles and services, increasingly, BI is being triggered by non-traditional risk exposures which don’t cause physical damage but result in lost income – so-called nondamage business interruption (NDBI).
“Businesses are facing an increasing number of disruptive scenarios, as the nature of BI risk evolves in our networked society,” explains Volker Muench, Global Practice Group Leader, Property, AGCS. “They still have to deal with traditional exposures, such as the impact of natural catastrophe activity, which we’ve seen peak in 2017. But they are also challenged by a multitude of new triggers stemming from digitalization – as data becomes a critical asset – supplier interdependencies, product quality incidents, as well as the indirect impact from terrorism and political events or strikes, which can result in loss of income from people staying away from impacted areas.”
The threats don’t stop there. In today’s uncertain political and business landscape, where the prospect of an abrupt change of rules disrupting business models is an increasing concern, a withdrawal of regulatory approval or product license is another potential BI risk.
Risk mitigation, semantic analysis and an insurance evolution
In this year’s Risk Barometer, BI also ranks as the second most underestimated risk.
“BI impact is easy to underestimate,” says Thomas Varney, Regional Manager Americas, Allianz Risk Consulting, AGCS. “Risks can be extremely complex. In many cases it is difficult to know what the actual exposure is, how to calculate the loss, or even where the actual disruption in the supply chain occurred.”
“Companies often underestimate the complexity of ‘getting back to business’ and can have bottlenecks in their emergency plans, particularly with regards to alternative suppliers,” says Muench. “Cyber risk is another example. They may have a cyber-attack continuity plan to start their own IT again but is the BI threat adequately assessed? What about the impact of a cyber incident at one of their suppliers stopping them from delivering products or services?”
Nevertheless risks can be mitigated. “Businesses should continuously fine tune their emergency plans to reflect the new BI environment, plan for a variety of scenarios and have strategic alignment through all departments on predictive detection of risks,” says Muench.
Insurers such as AGCS can support businesses further through provision of new insurance solutions such as cyber and NDBI cover, which indemnifies a business for lost revenue due to disruption from an event. AGCS also leverages semantic analysis tools to better understand a business’ supply chain risk. This enables mapping of supplier relationships up to the fourth tier, thus helping to identify exposure and accumulation issues.
“It’s important that businesses understand that new NDBI triggers are evolving,” says Varney. “Today’s threats may be understood, but what about tomorrow’s? It’s an ongoing diligence to keep abreast of the impacts that are going to change as a business evolves. Businesses need to understand the new facilities they have, mergers and acquisitions that may have occurred, different suppliers they may be using – all of these continually change as a business grows.”
The rise of cyber BI and internet supply chain risk
For the first time in the Allianz Risk Barometer survey, the impact of cyber incidents (42% of responses) is ranked as the most feared BI trigger by businesses. BI also ranks as the main cause of an economic loss after a cyber incident (67% of responses). This represents a significant shift in the perception of BI risk by respondents over the past 12 months, reflecting the fact cyber incidents have escalated in scale. Events in 2017, such as the WannaCry and Petya ransomware attacks, have brought significant disruption and financial losses to a large number of businesses and services. Others, such as the massive distributed denial of service attack on internet provider Dyn in October 2016, also demonstrate the interconnectedness of risks and shared reliance on common internet infrastructure, service providers and technologies, according to Cyence Risk Analytics, from Guidewire, which partners with AGCS in assessing cyber risk.
While cyber BI can result from the likes of ransomware incidents, which have doubled in frequency over the past year and involve hackers encrypting files and demanding compensation to unlock them a more frequent cause of cyber BI can be mundane technical failures or employee error. For example, in February 2017, Amazon suffered an outage of its cloud service storage service for four hours, impacting a number of internet services, websites and other businesses. It was reported the outage was caused by human error2. Cyence Risk Analytics estimates that companies in the S&P 500 dependant on Amazon’s services lost approximately $150m as a result3.
Cyence Risk Analytics notes that BI is one of the largest loss drivers for businesses after a cyber incident. For example, in the event of an outage at a cloud service provider lasting more than 12 hours, it estimates that projected losses could total $850m in North America and $700m in Europe, based on 50,000 companies in three specific industry sectors (financial, healthcare and retail) being impacted by the outage in each region.
SOURCES
1. Allianz Global Corporate & Specialty, Global Claims Review: Buisness Interruption in Focus
2. The Guardian, Typo blamed for Amazon's internet-crippling outage, March 3, 2017
3. Evolution of Cyber Risks: Quantifying Systemic Exposures, George Ng and Philip Rosace, Cyence Risk Anaytics, MMC Cyber Handbook 2018
Newsletter
Keep up to date on all news and insights from Allianz Commercial
