
Navigating the shifting business risk landscape

As the business risk landscape continues to shift, now, more than ever, businesses should consider their insurer less as a last resort and more as a trusted adviser. Developing a long-term relationship can provide the added value, insight and risk management that is invaluable in helping to protect their operations.


Pro­mot­ed by Bea­z­ley

Risks are all around. The prin­ci­pal risk is, of course, the risk to the exec­u­tives of an organ­i­sa­tion. The direc­tors and offi­cers of a busi­ness shoul­der the great­est respon­si­bil­i­ties and face per­son­al and cor­po­rate lia­bil­i­ties if they make the wrong deci­sions.

“In the last five to 10 years, there has been a major shift in the application of director and officer liability (D&O) insurance cover,” says Catherina MacCabe, focus group leader international management liability at Beazley. “Once reserved for financial problems arising from the need to restate earnings or profits, there are many more event-driven D&O claims made today.”

ESG and reputational risks go far beyond concerns about climate change. Today the diversity of board members, claims about greenwashing a firm’s green credentials, mismanaging the firm’s adherence to ever-changing regulations and governance requirements and the personal and financial conduct of senior executives all fall under D&O risk, and can result in costly disputes and litigation.

Employer risks, covering everything from how you recruit, reward and retain staff, are also under close scrutiny – not only from business analysts, but shareholders, regulators, lobbyists and employees.

Every risk is also a rep­u­ta­tion­al risk with the poten­tial to not only dis­rupt the busi­ness in the short term, but to cause per­ma­nent dam­age.

“This is where insurers with a depth of experience and claims data insight can help. By sharing their vast experience of risk to identify not only where businesses experience losses, but also to help identify the specific risks within a client’s organisation, and tailor D&O cover to suit their needs,” says MacCabe.

Understanding the business mindset

Spe­cial­ist insur­er Beazley’s annu­al risk & resilience report asks C‑suite direc­tors to iden­ti­fy the key risks they believe threat­en their busi­ness. The list includes sup­ply chain insta­bil­i­ty, busi­ness inter­rup­tion, board­room risk, crime and both rep­u­ta­tion­al and employ­er risks.

Employ­er risk was con­sid­ered to be a key con­cern in 2021 by 11% of respon­dents. They also pre­dict­ed it would remain the same for 2022, but it has actu­al­ly increased dra­mat­i­cal­ly in the last 12 months, with almost a fifth (19%) now con­sid­er­ing it a major con­cern.

Some of this may be associated with reputational risks from ESG concerns. ESG was a new entry in Beazley’s questionnaire for 2022, and it jumped up the agenda for 18% of those surveyed.

According to Beazley’s research, boardroom risks have remained a high priority for many business leaders.

Cyber risk has, rightly, become a primary concern for business leaders, and the impact of a cyber breach is not only increasing each year, but becoming more expensive to resolve. This is because cyber threat actors are becoming more aggressive in their exfiltration of targets’ data and are looking at more inventive and aggressive ways to extort money from their targets.

The Covid-19 pan­dem­ic forced organ­i­sa­tions to open up their sys­tems in ways that they had nev­er envis­aged in order to per­mit employ­ees to work remote­ly, says Raf Sanchez, head of cyber ser­vices at Bea­z­ley.

“This sudden shift to homeworking meant organisations had to implement remote access to business systems often before they had the time to understand and mitigate the risks this entailed,” he says. “Some businesses rolled out training and adopted additional security measures such as multi-factor authentication (MFA) but many had neither the resources nor the budget to ensure these measures were implemented in time. Optimism about business risk does not equate to mitigation.”

Ulti­mate­ly, adopt­ing new tech­nol­o­gy prac­tice is only part of the process of build­ing busi­ness resilience and reduc­ing the threat of cyber risks.

Cyber risk cannot be ignored

One of the greatest misconceptions about cyber risk is a belief that attackers only want access to high-profile, blue-chip companies, Sanchez says. “The reality is that just like in any marketplace, we see attackers that specialise in the mass market and who can deploy automated attacks with almost zero cost (or risk of being caught) against any business or organisation regardless of size or sophistication,” he adds. “Businesses that find their operations disrupted are as likely to be small enterprises or even sole traders as a multinational bank or entertainment company.”

The risks, and there­fore the impacts, are not con­tained to just finan­cial con­sid­er­a­tions. They are oper­a­tional, finan­cial, legal and rep­u­ta­tion­al. Data exfil­tra­tion rais­es trust issues with clients and employ­ees, data unavail­abil­i­ty results in imme­di­ate oper­a­tional impact and organ­i­sa­tions may be under con­trac­tu­al duties to noti­fy their clients of cyber­se­cu­ri­ty inci­dents that can result in auto­mat­ic ter­mi­na­tion of cus­tomer con­tracts.

Since many attack­ers use extor­tion, specif­i­cal­ly the threat of pub­li­cis­ing the cyber attack, as a lever to encour­age pay­ment, it can be tempt­ing for organ­i­sa­tions to con­sid­er pay­ing off the crim­i­nals, but this comes with its own risks, Bea­z­ley argues. Sanchez asks: “How can you ensure that the crim­i­nals will hon­our their com­mit­ment to delete the exfil­trat­ed data? Is your organ­i­sa­tion con­tra­ven­ing legal or reg­u­la­to­ry pro­hi­bi­tions against inter­act­ing with them?”

He adds: “The data you have paid to be destroyed is just as like­ly to turn up on the dark web, be shared among threat groups or even be acci­den­tal­ly released. The only sen­si­ble way to deal with these risks is to imple­ment mit­i­ga­tions for them and try to pre­vent them from hap­pen­ing in the first place.”

Mitigating these risks is not as difficult as it may appear at first sight. Businesses can materially decrease their exposure to cyber risk by taking a small number of key actions. For instance, implementing multi-factor authentication for all remote access to their systems is a simple and effective step that will greatly reduce the risk of having an incident. It is also important for organisations to understand that implementing these actions in a consistent and comprehensive manner is essential to their success.

The team at Bea­z­ley has seen exam­ples in which MFA has been imple­ment­ed, but those at the great­est risk of tar­get­ed phish­ing attacks – such as senior exec­u­tives – have been excused from com­ply­ing with that con­trol. It is also not just a ques­tion of expe­di­en­cy or con­sis­ten­cy; senior man­age­ment and exec­u­tives should also be lead­ing by exam­ple to ensure that a cul­ture of secu­ri­ty is cul­ti­vat­ed with­in the busi­ness. Also, a mis­man­aged cyber inci­dent could turn into a D&O claim against the exec­u­tives of a firm.

A stitch in time saves more than nine

Some of these risk man­age­ment mea­sures will cost mon­ey and many will take time to imple­ment. How­ev­er, the fast-paced nature of tech­nol­o­gy inno­va­tion is also help­ing busi­ness­es. Where once a busi­ness would need to invest in new hard­ware and soft­ware – and the IT staff to man­age it – new cloud ser­vices and solu­tions allow com­pa­nies to imple­ment and scale sophis­ti­cat­ed risk man­age­ment solu­tions that were pre­vi­ous­ly only avail­able to a large enter­prise.

Exec­u­tives must be seen to be mon­i­tor­ing cyber risk to strength­en busi­ness resilience. “We under­stand there’s no sil­ver bul­let,” says Sanchez. “Nor is there a mag­ic mon­ey tree to cov­er every con­ceiv­able risk. But we can help clients iden­ti­fy which con­trols will have best effect and give them insight into cyber risk trends.”

MacCabe adds: “We don’t get paid for telling clients how to reduce their risks and improve their operational resilience. Our reward comes from clients with good risk management that protects their business and reduces both the corporate and personal risk so they don’t become the subject of a claim.”

How­ev­er, if the worst hap­pens and a busi­ness does have to make a claim, then busi­ness lead­ers need to be sure that they have the right insur­ance part­ner who will help to suc­cess­ful­ly man­age the claim on their behalf.

The more inclusive the discussion is between insurers, those responsible for risk management, the CFO, compliance, the responsible business team, human resources and beyond, the more comprehensive, coordinated and effective, and therefore the more valuable, the risk planning will be.

Read Beazley’s Risk & Resilience Deep Dive Report into Busi­ness Risk
https://reports.beazley.com/2021/rr/business/index.html

More on Beazley’s exec­u­tive risk safe­ty net
https://www.beazley.com/london_market/executive_safety_net.html

