They take aim at the backbone of the connected economy and, when they strike, can jeopardize the success, or even the existence, of companies of every size and sector. Business interruption (#1 with 42 percent of responses / #1 in 2017) and Cyber incidents (#2 with 40 percent of responses, up from #3 in 2017) are this year's top business risks globally, according to the Allianz Risk Barometer 2018.
Larger losses from natural catastrophes (#3 with 30 percent of responses, up from #4 in 2017) are also a rising concern for businesses, with the record-breaking 2017 disaster year also ensuring Climate change and increasing volatility of weather (#10) appears in the top 10 most important risks for the first time. Meanwhile, the risk impact of New technologies (#7 2018 / #10 2017) is one of the biggest climbers, as companies recognize innovations such as artificial intelligence or autonomous mobility could create new liabilities and larger-scale losses, as well as opportunities, in future. Conversely, businesses are less worried about Market developments (#4 2018 / #2 2017) than 12 months ago.
These are the key findings of the seventh Allianz Risk Barometer, which is published annually by Allianz Global Corporate & Specialty (AGCS).The 2018 report is based on the insight of a record 1,911 risk experts from 80 countries. "For the first time, business interruption and cyber risk are neck-and-neck in the Allianz Risk Barometer and these risks are increasingly interlinked," says Chris Fischer Hirs, Chief Executive Officer, AGCS.
"Whether resulting from attacks such as WannaCry, or more frequently, system failures, cyber incidents are now a major cause of business interruption for today's networked companies whose primary assets are often data, service platforms or their groups of customers and suppliers. However, last year's severe natural disasters remind us that the impact of perennial perils shouldn't be underestimated either. Risk managers face a highly complex and volatile environment of both traditional business risks and new technology challenges in future."
Figure 01: Allianz-Most feared causes of business interruption
New business interruption triggers emerging
Business interruption (BI) is the most important risk for the sixth year in a row, ranking top in 13 countries and the Europe, Asia Pacific, and Africa and Middle East regions. No business is too small to be impacted. Companies face an increasing number of scenarios, ranging from traditional exposures, such as fire, natural disasters and supply chain disruption, to new triggers stemming from digitalization and interconnectedness that typically come without physical damage, but with high financial loss. Breakdown of core IT systems, terrorism or political violence events, product quality incidents or an unexpected regulatory change can bring businesses to a temporary or prolonged standstill with a devastating effect on revenues.
Figure 02: Allianz-Most underestimated business risks: cyber incidents, business interruption, new technologies
For the first time, cyber incidents also rank as the most feared BI trigger, according to businesses and risk experts, with BI also considered the largest loss driver after a cyber incident. Cyber risk modeler Cyence, which partners with AGCS and is now part of Guidewire Software, estimates that the average cost impact of a cloud outage lasting more than 12 hours for companies in the financial, healthcare and retail sectors could total $850 million in North America and $700 million in Europe.
BI also ranks as the second most underestimated risk in the Allianz Risk Barometer. "Businesses can be surprised about the actual cause, scope and financial impact of a disruption and underestimate the complexity of 'getting back to business'. They should continuously fine tune their emergency and business continuity plans to reflect the new BI environment and adequately consider the rising cyber BI threat," says Volker Muench, Global Property and BI expert, AGCS.
Figure 03: Allianz-How much can business interruption cost?
Cyber risks continue to evolve
Cyber incidents continues its upward trend in the Allianz Risk Barometer. Five years ago, it ranked #15. In 2018 it is #2. Multiple threats such as data breaches, network liability, hacker attacks or cyber BI, ensure it is the top business risk in 11 surveyed countries and the Americas region and #2 in Europe and Asia Pacific. It also ranks as the most underestimated risk and the major long-term peril.
Recent events such as the WannaCry and Petya ransomware attacks brought significant financial losses to a large number of businesses. Others, such as the Mirai botnet, the largest-ever distributed denial of service (DDoS) attack on major internet platforms and services in Europe and North America, at the end of 2016, demonstrate the interconnectedness of risks and shared reliance on common internet infrastructure and service providers. On an individual level, recently identified security flaws in computer chips in nearly every modern device reveal the cyber vulnerability of modern societies. The potential for so-called "cyber hurricane" events to occur, where hackers disrupt larger numbers of companies by targeting common infrastructure dependencies, will continue to grow in 2018.
Figure 04: Allianz-Digital dangers: cyber attack, cyber business interruption, data breach
Meanwhile, privacy risk is back in the spotlight following huge data breaches in the United States. The introduction of the General Data Protection Regulation (GDPR) across Europe in May 2018 will intensify scrutiny further, bringing the prospect of more, and larger, fines for businesses who do not comply. Time is running out to be GDPR-ready.
"Compared to the U.S., where privacy laws have been strict for decades and cyber security and privacy regulation is continuously evolving, firms in Europe now also have to prepare for tougher liabilities and notification requirements. Many businesses will quickly realize that privacy issues can create hard costs once the GDPR is fully implemented," says AGCS's Global Head of Cyber, Emy Donavan. "Past experience has shown that a company's response to a cyber crisis, such as a breach, has a direct impact on the cost, as well as on a company's reputation and market value. This will become even more the case under the GDPR."
Cyber threats also vary according to company size or industry. "Small companies are likely to be crippled if hit with a ransomware attack, while larger firms are targets of a greater range of threats, such as the DDoS attacks which can overwhelm systems," says Donavan.
Allianz Risk Barometer results show that awareness of the cyber threat is soaring among small- and medium-sized businesses, with a significant jump from #6 to #2 for small companies and from #3 to #1 for medium-sized companies. With regard to sector exposure, cyber incidents rank top in the Entertainment & Media, Financial Services, Technology and Telecommunications industries.
Weather and technology risk on the rise
After a record-breaking $135 billion in insured losses from natural catastrophes alone in 2017 – the highest ever – driven by hurricanes Harvey, Irma and Maria in the United States and the Caribbean, Natural catastrophes returns to the top three business risks globally. "The impact of natural catastrophes goes far beyond the physical damage to structures in the affected areas. As industries become leaner and more connected, natural catastrophes can disrupt a large variety of sectors that might not seem directly affected at first glance around the world," says Ali Shahkarami, Head of Catastrophe Risk Research, AGCS.
Figure 05: Allianz-Costliest natural catastrophes 1992-2017
Respondents fear 2017 could be a harbinger of increasing intensity and frequency of natural hazards. Climate change/increasing weather volatility is a new entrant in the Risk Barometer top 10 in 2018 and the loss potential for businesses is further exacerbated by rapid urbanization in coastal areas.
Meanwhile, the risk impact of New technologies is one of the big movers in the Allianz Risk Barometer, up to #7 from #10. It also ranks as the second top risk for the long-term future after cyber incidents, with which it is closely interlinked. Vulnerability of automated or even autonomous or self-learning machines to failure or malicious cyber acts, such as extortion or espionage, will increase in future and could have a significant impact if critical infrastructure, such as IT networks or power supply, are involved.
"Although there may be fewer smaller losses due to automation and monitoring minimizing the human error factor, this may be replaced by the potential for large-scale losses, once an incident happens," explains Michael Bruch, Head of Emerging Trends, AGCS. "Businesses also have to prepare for new risks and liabilities as responsibilities shift from human to machine, and therefore to the manufacturer or software supplier. Assignment and coverage of liability will become much more challenging in future."