Allianz Risk Barometer 2019: Top five risks for medium sized businesses

• Cyber incidents rank as the top risk for medium sized businesses (32% of responses), up from second (30%) for the previous year
• Changes in legislation and regulation has increased significantly, ranking #2
• Natural catastrophes remain in third position as one of the major concerns while market developments and business interruption rank #4 and #5 respectively.

Cyber incidents are the top risks for medium sized businesses (annual revenues of R500 million to R1 billion) in South Africa and around the world, replacing business interruption (BI). This is according to the eighth Allianz Risk Barometer 2019, an annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS), which incorporates the views of a record 2,415 experts from 86 countries including CEOs, risk managers, brokers and insurance experts.

Medium sized companies increasingly recognize their cyber exposure and are more apt to secure adequate insurance cover than in the past, says Nobuhle Nkosi, Head of Financial Lines, AGCS Africa. “This stems from the fact that advances in cloud computing and social media have increased companies’ exposures while large data breach events, such as the breach experienced at Liberty and numerous other cyber security-related issues have necessitated greater protection of customer data. Medium sized businesses see the need for adequate cyber cover to feel more protected in case of an event such as a breach.”

“Companies worry about cyber-attacks and data breaches because their internal structures may not be as developed as larger companies,” explains Nobuhle. “Survey results have shown that many medium sized businesses have had data security problems, but have not always reported these because they were concerned about the reputational damage this could cause, including loss of contracts. We see a clear relationship between cyber and loss of reputation, especially for medium sized businesses.”

However, insurance can only be part of the solution, with a comprehensive risk management approach being the foundation for cyber defense. “Once you have purchased cyber insurance, it does not mean that you can ignore IT security. The technological, operational and insurance aspects of risk management go hand in hand,” explains Nobuhle. “Cyber risk management is too complex to be the preserve of a single individual or department, so we as AGCS recommend a ‘think-tank’ approach to tackling risk whereby different stakeholders from across the business collaborate to share knowledge.”

While cyber incidents increased in the medium sized company space, BI dropped from first place to fifth in the ranking for 2019. A severe interruption can even have a terminal impact for companies, given the significant effect it can have on income and revenues. Nobuhle sees significant BI exposure among medium sized businesses from fire and explosion, cyber risk and changes in legislation and regulation (the latter having moved from fifth to second year-on-year).

Changes in legislation and regulation

In general the directors of a company in many African countries can be held personally liable for their executive actions where such actions are not in conformity with the Memorandum of Incorporation or their fiduciary duties. In South Africa, a company may indemnify its directors in respect of arising from a director’s negligence.

However, the permissibility of a company to indemnify its directors and officers varies from country to country. Many jurisdictions do not permit the reimbursement of a fine as a consequence of a director’s criminal conviction. There is also no guarantee that the company will pay the financial burden of defense costs in prolonged legal proceedings or damages awards which can spiral very quickly. Even if the company is permitted to indemnify the director, it may not have the financial resources to provide for such an indemnity in the event of a claim.

“There has been a recent trend towards shareholders seeking to hold directors liable for losses as a result of the negligent or reckless conduct. In South Africa, the Companies Act No.71 of 2008 codified the derivative action and the class action. Class actions are now permitted which altered the previous common-law rule that a claimant must have a personal and direct interest in the subject matter of the claim. A recent example would be the Dutch-led class action of the alleged destruction of over R185 billion in shareholder value resulting from the long-running accounting irregularities at Steinhoff,” explains Nobuhle.

Natural catastrophes remain in third position year-on-year for medium sized. Allianz Risk Barometer respondents fear that recent natural catastrophe and extreme weather activity could be a harbinger of increasing financial losses and disruption. Market developments are in the fourth position indicating that companies may see a residual slowdown in production in 2019 as the global economy slows down. However medium sized companies with diversified portfolios will be able to weather the possible downturn.