Cyber takes top spot as cause of sleepless nights
26 April 2021
As some insurers take the “nuclear” option and stop writing Directors’ & Officers’ (D&O) business entirely, a new survey finds cyber attacks have jumped to be the top concern for executives both locally and offshore for the first time.
Boards have a “huge task” on their hands to navigate a broad range of risks, and cyber attacks are now the top worry keeping C-suite folk awake at night, the latest D&O Liability Survey from Willis Towers Watson says.
“It’s become closer to home,” head of FINEX for WTW in Australia Jill Stewart tells insuranceNEWS.com.au.
“You think you are safe following protocols and procedures but everybody is vulnerable, not just the ill-informed or ill-resourced,” she says. “The scale is becoming so much bigger. This is a massive issue at a senior level.”
The eighth in the series, the poll found cyber, along with data loss, now dominates global concerns after the COVID pandemic allowed criminals to exploit new vulnerabilities created by a remote working environment.
“Given the widely-publicised statements that home working has increased these risks, it is unsurprising to see them feature so highly,” WTW Executive Director Angus Duncan says.
The rise in cyber crime “coincided with and intensified” a hard market for D&O liability insurers which is unlike any seen before, says the survey, which was done in conjunction with law firm Clyde & Co.
The scale of risks facing managers and the rate of change has already forced unprecedented hardening in the D&O insurance market, with insurers seeking premium increases across the board in order to try and balance their books and some insurers taking what the report describes as the “nuclear” option to drop D&O entirely.
More than half (56%) of global respondents surveyed late last year said cyber risk was very significant or extremely significant.
Coming closely behind were data loss and regulatory risk, with the risk of health and safety/environmental prosecutions and the risk of employment claims rounding out the top five issues keeping executives awake at night worldwide.
In the Asia Pacific region, the rankings were close with some interesting differences.
Cyber attack and regulatory risk (including the threat of fines and penalties) both garnered 42% of responses ranking these threats as of top importance.
“By comparison with some of the other regions, regulatory risk continues to be a high priority risk in the APAC region,” the survey says.
Next were the risk of health and safety/environmental prosecutions (39%), data loss (37%) and the risk of employment claims (32%).
The Asia Pacific accounted for 16% of survey respondents while 26% of respondents worked for finance and insurance companies.
Here are the top APAC risks:
Not even on the radar as a top five risk for the first three years of the survey, cyber risks have ranked number two since 2016 and this year jumped to become 2021’s top worry worldwide.
The increasing prevalence of ransomware, state-sponsored cyber attacks and increasingly sophisticated and directed methods of attack have very much increased the risk for corporates and their directors and officers in Australia, the survey says.
“We’re just as at risk. Cyber is a global issue,” Ms Stewart says. “It’s really about seeking the weakest link.”
The trend is towards bigger targets and bigger incidents, and ransomware attacks are also on the increase, which could expose directors to criminal sanctions for breaches of terrorism and proceeds of crime laws.
This increased cyber-attack frequency and severity has provoked “hyperactivity” from APAC regulators now intently focused on privacy and data protection and ensuring corporates and their directors have systems and policies in place to ensure cyber resilience.
Last year, corporate regulators targeted directors with inadequate cyber security systems and WTW says this is set to continue in the region with privacy reforms recently implemented or on the agenda in Australia and New Zealand, as well as in Japan and Singapore.
“There is also increased focus on analysing corporate governance and assessing how boards are managing risks during the pandemic.”
Ms Stewart says cyber underwriters are reducing exposure to any one risk and introducing sub limits for ransomware, though hardening is not as dramatic as the withdrawal of capacity seen in D&O.
“There is definitely quite a significant shift this year,” she says. “The market is moving very quickly.”
Closely aligned with cyber attacks, WTW says it is dawning on Australia’s executives that the implications of a data breach are far wider than “just data” and executives are appreciating the vulnerability of systems and the interconnectedness of business.
Increased vulnerability to data loss results from businesses moving to new procedures and systems overnight, often with a remote workforce, due to the COVID-19 pandemic, which has created fertile ground for cyber criminals seeking to exploit the resulting weaknesses.
“Given the prevalence of cyber-crime and the severe consequences for companies and [directors] should they fall foul of an attack and/or data is lost, this is no surprise,” WTW said of the high data loss ranking.
Regulatory and litigation risk continues to challenge organisations, with board diversity now becoming mandatory for most businesses.
Enforcement actions generally are increasing, and in Australia, corporate regulators, including the Australian Securities and Investments Commission (ASIC), are pursuing a “why not litigate” approach after criticism following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services industry.
Further, significant legislative reforms targeting corporate misconduct have been introduced and key decisions by the High Court of Australia expanding the definition of those employees considered ‘officers’ under the Corporations Act will mean regulatory risk will remain high in Australia.
Health and safety
Boards could be accused of mishandling the pandemic, WTW says, with allegations of failure to have robust IT systems and inadequate handling of increased exposure to cyber risks, corporate manslaughter or occupational health breaches resulting from a failure to ensure adequate health & safety in the workplace.
In Australia, employment claims also ranked highly.
“There have been recent developments in industrial relations legislation and increasing wage/employee related class actions that are consistent with this risk becoming more and more prominent,” WTW says.
Climate change is being forced into the board room as a leading issue, though apathy was detected in Australia.
The survey was done late last year, and Ms Stewart says that “even now it has started to shift”: it is spoken about by clients, and D&O underwriters are increasingly asking questions about progress on climate change.
“We’re only going to see more focus on that,” she says.