Allianz Risk Barometer 2019: Cyber incidents, major risks for financial services

Cyber incidents such as WannaCry, ransomware attacks, technical failures or employee errors are the top risks for the financial services sector

• Changes in legislation and regulation is second followed by market developments (e.g. volatility, intensified competition, M&A, market stagnation, market fluctuation)
• Natural catastrophes (e.g. storm, flood, and earthquake) come in as a new risk in fourth place while business interruption is the fifth risk in the sector.

Johannesburg, March 14, 2019: The financial services industry’s biggest risks are cyber incidents, which are increasingly bringing significant disruption and financial losses to the industry. Cyber incidents take the top spot for two years running with a response rate of 46% versus 51% last year. This is according to the eighth Allianz Risk Barometer 2019, an annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS), which incorporates the views of a record 2,415 experts from 86 countries including CEOs, risk managers, brokers and insurance experts.

SA loses R2.2 billion a year to cyber-attacks

Many incidents are the result of technical glitches or human error rather than malicious acts. This is according to an analysis conducted by the UK’s financial services regulator, which revealed a 138% increase in technology outages over a year but just 18% of reported incidents were cyber-attacks. Reports claim that cybercrime will be the most disruptive economic crime to affect their organizations in South Africa over the next 24 months. The country has the third highest number of cyber crime victims worldwide, losing about R2.2 billion a year to cyber-attacks.

Changes in legislation and regulation also retain second position with a response rate of 31% versus 28% in 2018. This is due to increased regulations in the financial services sector locally and internationally. One of the most significant regulatory changes affecting the industry in South Africa was the establishment of the Twin Peaks model for financial sector regulation as a means to reform the regulatory and supervisory system of financial institutions. This was implemented through the passing of the Financial Sector Regulation (FSR) Act.

The FSR Act gave effect to important changes relating to the supervision of the financial sector. Most notably, it created a prudential regulator; the Prudential Authority (PA) located within the South African Reserve Bank (SARB) and established a market conduct regulator, being the Financial Sector Conduct Authority (FSCA) which is located outside of the SARB.  The PA is responsible for regulating banks, insurers, cooperative financial institutions, financial conglomerates and certain market infrastructures.  Previously the Financial Services Board had oversight of prudential regulation of insurers, whereas SARB had prudential oversight of banks. This created opportunities for regulatory arbitrage in particular for larger financial conglomerates whose different subsidiaries may have had different regulators overseeing their prudential positions. Clearly in a post credit crisis world, financial conglomerate and group supervision is essential and this “marks an important milestone on the journey towards a safer and fairer financial system that is able to serve all citizens.”

Although unrelenting regulatory changes come with increased costs and implementation challenges, they do however present hidden opportunities for insurers to better manage risk, and allocate capital appropriately. Some of the new regulations that are put in place are expected to prompt insurers to redesign simpler and more appropriate products for their customers.

Market developments (e.g. volatility, intensified competition/new entrants, mergers and acquisitions, market stagnation, market fluctuation) moved down from second to third with an unchanged response rate of 28%. For instance, reports indicate that the newly-licensed South African banks are likely to pose disruptions to the local banking industry through web – and app-based services and by leveraging on behavioral and neuroeconomics.

Risk arising from natural catastrophe (e.g. storm, flood, and earthquake) is a newly ranked risk at number four with 26% of responses. A recent report indicated that reinsurers do not regard South Africa as a low catastrophe risk region anymore, with the country having experienced a high frequency of large loss events in the last five years such as Knysna fires and Durban floods, which cost the industry more than R5 billion.

Business interruption (BI) has moved from fourth to fifth place with 24% (2018:27%) of responses. Companies face an increasing number of BI scenarios and many of them can occur without physical damage but with significant financial losses. In addition, the breakdown of core IT systems, product recall or quality incidents, political violence or protests as well as  environmental pollution can severely impede a company from operating. If companies are unable to provide products and services – or customers choose to stay away, the impact on revenue can be devastating.