As corporates around the world grow increasingly concerned about reputational risk, Sofia Lotto Persio looks at what insurers are doing to meet these new needs.
What do an e-commerce company like eBay, entertainment powerhouse Sony Pictures, and infidelity website Ashley Madison have in common? They have all suffered significant blows to their reputation in the past year, all caused by cyber-attacks. While the motives and perpetrators of the attacks differ, all three companies have experienced damage to their revenue and, perhaps more lastingly, to their brand.
The attack involving Target, America’s third-largest retailer, was possibly one of the most financially damaging in corporate history. It involved the theft, allegedly by Russian hackers, of the personal data and credit card information of more than 40 million customers. It is thought that the details of 1 to 3 million of those credit cards were then sold on the black market for an estimated US$53.7mn. The company was hit both financially and in terms of reputation: the incident cost Target US$148mn, and, according to the Consumer Bankers Association and the Credit Union National Association, the cost to financial institutions was a further US$200mn. Media reports say the company will have to spend US$100mn on updating its payment system to chip-and-PIN devices, along with US$61mn on anti-breach technology following the cyber-attack, all while profits fell 46% in the fourth quarter of 2013. Beth Jacob, the company’s most senior technology officer, resigned in February, and Gregg Steinhafel, CEO and chairman of the board, followed in May. Other Target executives had to appear before Congress to discuss data privacy, admitting they had neglected warnings about security gaps.
Financial institutions are an appealing prey for hackers. JP Morgan was one of the most affected in a network of banks targeted in August last year. The checking and savings account information of an estimated 76 million households and 7 million small businesses was accessed in an attack that went undetected for two months over the summer. Hackers weren’t able to access the most sensitive data, such as social security or account numbers, yet JP Morgan was held accountable for the lack of a two-step verification system, which allowed such a significant number of accounts to be compromised, and the bank’s reputation suffered.
More general misbehaviour also has an effect on a company’s reputation. HSBC has had a particularly challenging year in that sense, between anti-money laundering and tax avoidance scandals and, more recently, having to fire six staff in the UK for filming a spoof Islamic State decapitation video during a training day in July. Speaking at the annual general meeting earlier this year, HSBC chairman Douglas Flint apologised to shareholders for the cost of the scandals hitting the bank: “I and my colleagues understand your disillusionment, share your frustration at having been let down, apologise for the inadequacies in controls that allowed unacceptable behaviours to occur undetected and accept responsibility for restoring HSBC’s reputation and standing to where they should be.”
Given the media coverage and social media attention these episodes enjoyed, it is no surprise that various global risk reports, such as Aon’s Global Risk Management Survey, find that risks to reputation have been corporates’ top concern over the past year. Deloitte’s reputation-focused global survey Reputation@Risk highlights the importance of reputation, quoting a World Economic Forum study according to which, on average, more than 25% of a company’s market value is directly attributable to its reputation.
Aon Risk Solutions’ CEO Rory Moloney defines reputational risk as a “potential adverse outcome resulting from an aggregation of one or many other risk events occurring in some part of the business.” Reputational risk is interconnected by nature: it encompasses risks related to ethics and integrity, such as fraud, bribery, and corruption; product and service risks, such as those related to safety, health, and the environment; third-party relationships; and security risks, including both physical and cyber-breaches. Due to the complex nature of reputation, Aon has labelled it as one of 28 “uninsurable” risks.
According to Henry Ristuccia, global governance, regulatory, and risk leader at Deloitte, the cultural element is also critical. “Organisations often find behaviour and conduct risk difficult to govern. Training considerations and ensuring employees do the training are very important points which are basic, but require a lot of attention. From an insurable perspective, this is another area of intangible risk because you are dealing with people’s behaviours. There is always going to be a percentage that will do no good, no matter the kind of measures you take,” he says.
However, being “uninsurable” or “intangible” does not necessarily mean these risks cannot have a solution to match; just that they require a different approach.
Smart risk management
Attention to the digital sphere and cyber-risk is a particularly crucial aspect when addressing reputational risk, says Moloney: “Pretty much every business today has an increasingly digital approach. […] through the medium of social media, negative perspectives are amplified and distributed globally very quickly, often before companies have time to respond. Sometimes it can be overwhelming.” Which may be why, as the Aon risk survey indicates, business leaders’ tools and efforts in managing their reputations are lagging. To be prepared to face those risks, businesses have to understand their own exposures, which differ according to their priorities.
According to Eleni Petros, senior vice-president of the financial and professional practice at Marsh, the problem is not so much whether the risk is insurable, as much as whether there is interest in the product. “Nothing is really uninsurable, in some way or another you can insure most things, but the question is whether the demand for it is there, and how the insurance fits together with the business risk,” she says. “The majority of businesses, as indicated in Marsh’s Cyber Risk Survey Report, do not really understand the threat to which they are exposed,” explains her Marsh colleague David Arnold, also senior vice-president of the financial and professional practice. “Only once they really understand financial exposures and what the impact of those exposures are can they understand what is important to them as a business.”
From an insurer’s perspective, calculating and insuring against reputational damages driven by a cyber-event is possible, but difficult. “A couple of insurers are now including coverage for reputational harm in case of a cyber-event, covering the fall in returns following a cyber-event. If you lose a lot of customers following a period of time and you can attribute that to a cyber-event, then they will look at what the business has lost. The problem for the insurer is it is very difficult to underwrite and quantify,” explains Arnold. The relative novelty of this risk also affects insurers’ estimates. “One of the reasons the market is struggling to respond on cyber more than traditional risks such as property damage is that they don’t have ten years of great data from which they can understand exposures, model frequency/volatility and effectively underwrite the risks,” adds Moloney.
From a corporate perspective, according to Deloitte’s Reputation@Risk, responsibility for reputation falls on the board of directors. As so much of what can affect a company’s brand happens online, a key priority for any board of directors should be to look into cyber-risk. “Directors have a duty to carry out their obligations in the best interest of the company, and not considering cyber-risk in this day and age is a breach of their duties, because cyber-risk is one of the biggest threats to business in this current environment,” says Marsh’s Petros.
She explains that many businesses do not devote enough attention to implementing cyber-security programmes: “There are a number of reasons why directors may not tackle cyber-risk: they may not be informed about it, so they may not even know there is a cyber-risk; they may have other issues that they need to take priority over; they may underestimate a cyber-risk.” Her colleague points to a disconnect in the way that board members manage cyber-risk: “This issue spans across the entire business and not just one strand of the company. There are a number of businesses who do talk across the board members and have a risk committee that is designed just for cyber-risk. But the majority is still operating in silos,” says Arnold.
A holistic approach is the best strategy to tackle complex, uninsurable risks. “A business where people are encouraged to think about risk together, in a cohesive, comprehensive way, is in a position to improve both understanding and response on risk issues and essentially position themselves to drive value for the firm through risk management,” says Moloney. Thinking strategically about risk to transform the organisation and strengthen its reputation is something risk officers do not do enough, says Ristuccia, as they are usually busy tackling “hot topics” as they emerge: “Particularly in the banking sector, compliance officers often do not have a chance to get to the transformational agenda because they’re reacting to the next regulatory area of focus,” he laments.
Changes to come
The necessary push for companies to think more strategically about their reputational and related risks may be driven by legislation. A regulation holding individuals accountable for security breaches would convince boards of directors to prioritise cyber-threats: “When the day comes that regulators hold directors personally liable for failures, that will be when boards of directors will become more interested in cyber,” says Petros. While it may seem that mostly American companies are hit by cyber-attacks and reputation scandals, this is not because these only occur in the US, but because US law requires companies to disclose data breaches.
Regulators are hard at work in the EU to create a similar legislative environment regarding data. According to Arnold, the new regulations are expected to come into play by 2017, and will impose significant obligations on businesses: “Mandatory notifications affecting individuals, fines of up to 2% of global revenue… That really is a game changer, putting some significant financial exposures on to any business. The board of directors will naturally look to mitigate those exposures, and then insurance will have a part to play in that.” According to Aon, these changes are already happening, with a 13% increase in entities that are setting up their own risk management function. “That largely comes from mid-market entities where the evolving risk profile and associated complexity has required companies to invest in dedicated resources to manage risk effectively,” says Moloney.
Once the proper measures are in place, reputation is expected to slip back down the list of corporates’ worries – but the digital aspect should remain prominent in their concerns. According to Ristuccia, business model disruption may become the most critical strategic risk, and, he says, risk officers should be ready to face both the challenges these new technologies pose to traditional business models and the opportunities they offer.