The Covid-19 crisis has created new demands for functionalities and improved service offerings from technology and telecoms providers. Investor activism and ESG (environmental, social and governance) will be one of the hottest issues facing the sector in the next few years. Robust and resilient operations will be essential to navigate the increasingly interconnected risk landscape
The following risks were identified by respondents from the technology and telecoms sectors in the annual Allianz Risk Barometer 2022. This annual report reveals the top corporate risks for the next twelve months and beyond, based on the insights of more than 2,650 risk management experts from eighty nine countries and territories.
Over the last two years, the pivot to remote working has seen many industries undergo an accelerated process of digitalization, a trend boosted by a proliferation of platforms and devices. This has enabled business activities to continue, but also increased entry points for cybercrime. A shortage of cyber security professionals and patchwork governance mechanisms has aggravated this risk.
Cyber insurance claims have increased significantly over the past three years, driven by the rise of losses from external manipulation of systems, as well as the increased uptake in cyber insurance. Overall, cyber-related claims seen by across all industry sectors increased from almost five hundred in 2018 to around one thousand one hundred last year. Ransomware attacks have emerged as a growing threat. In 2020, the number of ransomware claims was involved in increased by over forty per cent, although this represented a small proportion of claims overall. This activity is so potentially lucrative; criminals are now offering ‘Ransomware as a Service’ for as little as $40 a month.
The surge in cybercrime threatens to outpace society’s ability to manage and respond to it. At the same time, hackers are eyeing up bigger and more critical targets – such as the breach of American tech firm SolarWinds in 2020 that compromised multiple US government departments and agencies – with potentially wide-scale consequences across society. The ensuing physical disruptions and business interruptions of attacks like that on the Colonial Pipeline in 2021 have financial consequences for companies, consumers, and insurers.
There are intangible costs too – the effect on victims’ mental health, the impact on brand reputation, and the undermining of public trust in businesses and institutions.
All organizations should ensure compliance with the legislation and regulations that govern their activities in all jurisdictions they operate in. As the risk landscape changes, businesses need to be aware of how this will impact their activities and take steps to protect their assets. The invasion of Ukraine is a salient reminder of the omnipresent danger of state-sponsored cyber-attacks that aim to disrupt and disable information technology (IT) systems. Many companies are on alert for an escalation in hacking attempts and Russian reprisal cyber-attacks after the imposing of sanctions by Western nations, resulting in a number of the country’s lenders being kicked off the global payments messaging system Swift.
Cyber-attacks can cause widespread disruption – indeed, business interruption costs account for around sixty per cent of the value of cyber claims, AGCS analysis shows – but recent geopolitical upheaval and the pandemic have exposed other vulnerabilities in our supply chains. Whether it was shortages in lumber or semiconductors, these chinks became all too apparent as companies faced up to their overreliance on critical suppliers. Supply chain challenges can result in business interruption and contingent business interruption claims as a result of delayed components, or in directors and officers securities claims if operational management is deemed inadequate. Liability for third-party risk could arise if lower quality components are used because of a shortage, for example, and defective products lead to bodily injury.
Building resilience has been key during the pandemic, which saw businesses scramble to deploy new mechanisms in response to a crisis. But the situation was fluid. During the first lockdowns, many people were at home, so systems needed to be in place to enable activities to continue – videoconferencing for work or online grocery services for the daily necessities. Although these facilities existed pre-Covid, they had not been fully adopted, and the urgency of the pandemic heightened demand, creating opportunities for the tech and telecoms sector, but also piling on pressures as it galvanized to meet fulfilments while facing supply chain and workforce disruption.
When lockdown rules were relaxed, people became more mobile and further adjustments had to be made by service providers. Workers could continue with video-conferencing or remote workspaces, but if they were out and about, they needed additional mobile functionalities to ensure frictionless connections and adequate security. And where consumers once accepted the limitations of delivery hours, they came to expect a 24/7 service culture, so businesses have had to adapt to meet new demands, including building their online presence and improving service. Whether it was groceries delivered by taxi or in an hour through Amazon Fresh, or new movies released simultaneously in cinemas and via an app, customer service adapted to enable choice.
The tech and telecoms sector has fared relatively well through Covid lockdowns, propelled by the world’s drive to digitize. The sector was offering much-needed products and services, but that was not the only reason it weathered the storm – it was also buoyed by robust distribution chains. A very large online retailer can own its supply chain almost from end to end. It might need access to raw materials, but it likely owns its own storage centres and employs its own staff and drivers, which cushion it from shortages other industries struggled with – labour being one of them.
With the widespread rollout of new technologies, we are seeing increased reliance on cloud providers, data aggregators, APIs (application programming interfaces), and other intermediaries. These are all part of the new interconnected world and depend upon critical infrastructure. If a cloud provider goes down, the knock-on effects on an organization’s supply chain can be considerable – the failure of automated systems that rely on shared data could result in lost orders, non-delivery of goods and services, and delays to back-office functions. A global outage at Facebook in October 2021 is thought to have cost the company $100 million in lost revenue.
With technology advancing so rapidly, we must be mindful of its potential impacts on our society and environment. Everybody is talking about 5G, which on paper will greatly benefit society – people will be able to access more data faster and, in the long run, more cheaply. But in January 2022, the rollout of 5G mobile phone services near airports in the USA was postponed because airlines had concerns about its potential interference with aviation systems. As with any new technology, we need to be aware of associated health risks and unintended consequences.
Digital currencies and payments are also innovations we’re watching with interest, although the infrastructure is not yet available to handle them by default, and regulation is likely to create barriers to wider adoption. Digital currencies are emerging as a new asset class, but there is uncertainty around potential asset bubbles and concerns about money laundering, ransomware attacks, third party liabilities and ESG issues.
Changes in legislation and regulation
Regulatory changes often lag behind technological advances, which can inhibit the adoption of innovations. They can also affect a company’s bottom line as they require new ways of working and incur fines and penalties for businesses that do not comply.
Changes in legislation are being driven by a combination of factors, including advancing technology and high-profile cyber incidents. Data security and privacy laws are top concerns in tech with a number of companies receiving significant fines for falling foul of the General Data Protection Regulation (GDPR). At the same time, society is changing. As investor activism exerts pressures and younger generations make their voices heard about ESG concerns, companies must evolve or face more shareholder and class actions around areas such as climate change, diversity and executive pay. Interestingly, Allianz Risk Barometer respondents cited cyber security resilience as their main ESG priority – increasingly, cyber security considerations are incorporated into the ESG risk-analysis frameworks of data providers, who look into companies’ data protection and information security practices to evaluate their preparedness for cybercrime. This will be a major consideration for companies in years to come.
Natcat remains a concern even for companies whose main assets are in the cloud. They may not store large amounts of goods or inventory, but they have physical servers and office buildings. Many are located in coastal cities or campuses, so if they were hit by an earthquake or another natural catastrophe, there could be additional losses from flooding. With climate change and extreme weather events increasing, businesses might find their premises are now located in flood zones or are at heightened risk of windstorms, winter storms or wildfires.
Shortage of skilled workforce
Access to talent is challenging the tech sector, as well as many other industries, and there is an ongoing need to upskill indigenous populations and reduce barriers to entry for skilled workers from overseas. The older generation is retiring and we do not have enough talent in the pipeline so a number of organizations are aggressively recruiting. Amazon recently more than doubled its maximum base salary for tech and corporate workers, citing a competitive labor market. Higher salaries like this in the US will make it harder for tech companies around the world to compete, so we will need more global mobility in the workforce.
Corporates also face competition from start-ups, which attract a younger generation with a different kind of package – the promise of equity and a flexible working culture. On a more optimistic note, we see a number of universities and colleges developing IT security programs that should swell the ranks of talented graduates in the next few years. With so many new technologies on the horizon, from cryptocurrencies to the metaverse, we need bright enquiring minds to help us create the solutions of the future.
Risk mitigation: how to future-proof your operations
What these seven trends reveal is the extent to which risks are interrelated and aggregated in the networked world we live and work in. Faced with loss scenarios that can fall like dominoes, businesses need robust, resilient operational processes to safeguard their supply chains and ensure business continuity.
Business continuity planning (BCP) reviews are essential and must be regularly updated. Cyber protection should include regular backups, segmentation of data, the right end-point detection and multi-factor authentication. Data is paramount. Insurers such as AGCS can leverage your company data to facilitate a tailored risk assessment and help draw up a personalized mitigation strategy.
Cyber risk management for the cloud
AGCS and Munich Re have developed a cyber-risk insurance solution called Cloud Protection + for customers of Google Cloud enrolled in Google’s new Risk Protection Program. The program consists of Risk Manager, a tool that helps determine a customer’s security risk posture on the cloud, and Cloud Protection +. Under Cloud Protection +, companies are offered protection against cyber incidents within their own corporate environment as well as incidents related to Google Cloud. Customers are US-based at present, although it may be offered globally in future.
Growing interest in ART solutions
AGCS offers a number of traditional insurance solutions for the tech and telecoms sectors, with particular focus on hardware manufacturing, software and IT services, telecom network operations, and the semiconductor and hi-tech sub-sectors. These traditional solutions include Liability, Property, and Financial Lines cover.
However, tech and telecoms businesses often have strong risk management procedures and access to a lot of data, which is driving growing interest in Alternative Risk Transfer (ART) solutions. This is especially true if risk managers have a non-traditional exposure and believe their current risk profile has not been fairly considered in the current market environment. These companies are interested in exploring alternative insurance vehicles, like captives or the capital markets. An ART solution, such as a multi-year and multi-line program, could help them reduce volatility over the long term. For example, this could be for a company that wants to organize cover for any potential liabilities for its directors and officers in their official capacities.
Larger tech companies can share relevant data with the ART team at AGCS, allowing them to synthesize this information and provide a bespoke solution. ART experts can also provide tailored support with captives and fronting. Depending on your jurisdiction, captives may not be licensed to issue policies internationally, so AGCS can call upon its ART team to provide expertise in these transactions.