Underinsurance is a significant issue across the insurance industry and for small-to-medium enterprises (SMEs), failure to take out adequate cover could be catastrophic.
While bigger businesses and companies can often bounce back relatively quickly after an event such as a flood or an earthquake, the same can’t be said for SMEs, which often run out of cash after a catastrophic event and are forced out of business.
And that’s only one of several things that can happen to an SME to affect their fixed costs.
Key person risk
The loss of a key person can be a real blow to a firm's finances, confidence and company image. Financial advisory firms are particularly vulnerable to key person risk as the nature of advice often means advisers have personal relationships with their clients, who will often follow the adviser out the door.
Key person risk particularly affects New Zealand, says Niall Martin, head of health and benefits at international risk management and insurance brokerage firm Willis Towers Watson.
“Small to medium-sized enterprises make up more than 95% of all New Zealand companies and headcounts in these businesses generally are quite small, so key person risk is very real,” Martin says.
“Anecdotally, we know coverage is a problem. We don’t have statistics but from talking to our clients our impression is there is a large level of under-insurance for this particular risk.
“This is a heightened problem for New Zealand companies. Given our geographical remoteness and the need to attract and retain top talent, it can be difficult to get key people with the required skillsets on board. Businesses need to be aware of the financial impacts of losing someone in a major role, as well as the time it takes to find and hire a new person.”
SMEs also need to look at potential effects on their client base, goodwill, and even market share if they lose a key person, Martin says.
“The impact of losing a key person has a larger impact in the SME market because multinational and large corporates have deep enough pockets, and bigger headcounts to mitigate the risk. In smaller businesses there’s a finite talent pool available if a business loses a managing director or CFO,” he says.
Michael Naylor, a senior lecturer in finance and insurance at Massey University, agrees that loss of key person is one area where SMEs are underinsured.
“When a business loses a key person, the business loses cash and knowledge and often reputation,” he says.
“Say your chief salesperson dies and all the customer contacts literally go with them to the grave,” he says. “That’s a really big loss on all levels, and often something a boss won’t plan for, or take out a policy for.”
Businesses should also be prepared if a business relationship goes sour, Naylor says, leading to a key person resigning abruptly and walking out the door, taking all their client contacts and files with them or leaving without handing over key computer system passwords and other crucial information.
“A business owner may have a dishonest employee and they terminate their employment but what if that person has a lot of knowledge? Will they leave it behind? There’s a reason why some bigger businesses will escort a former-employee off the premises.”
Then there are the problems that can come from the loss of a key person outside of, but close to, a business, says Naylor.
“It's not just your own business you need to think about I mean, if your key supplier can't supply and you can't sell, that's also a problem.
“Or your key customer goes bankrupt and you can't sell, that's a problem. So for example when the big earthquake hit Japan in 2011 one of the major car manufacturing parts of China was gone and that caused a hell of a problem in a range of firms. It’s a clear example of things occurring in different countries that can bankrupt your business.’’
Under-insurance is also a “real problem” for SMEs in the property sector, says Michael Brown, national manager broking for Willis Towers Watson.
“We’ve seen a lot of big-name companies go into liquidation in construction and that’s had a big flow on effect for the businesses supplying them,” Brown says.
“Under-insurance is a real problem. There have been some supplier arrangements that have been absolutely fine for decades, in terms of getting invoices paid and all of a sudden, a company falls over and there’s no money. This not only affects sub-contractors and trades but also businesses like hardware stores. They haven’t seen the crash coming and weren’t covered.”
Cyber risks
There is also a ‘’real and growing threat,’’ Brown says – cyber attacks.
“NZI released a report early in October saying they’d had over 60 claims against their cyber products and they’ve introduced more benefits, including increased cost of working, which is part of the business interruption cover, an optional extension to social engineering fraud that covers phishing, phreaking and fake invoice losses,” he says.
Tim Grafton, chief executive of ICNZ, says while large businesses generally tend to be well-insured for the risks they face, the vast majority of New Zealand businesses are small and these are not as well covered as they should be.
“Some lines of business insurance, such as cyber insurance, have particularly low pick-up – only 6% of small-to-medium-sized business had cyber insurance in 2017,” Grafton says.
Grafton took the opportunity during Cyber Smart Week to remind small and medium-sized business owners to take a look at their cyber security.
"Managing cyber risks is key for small-medium enterprises hoping to succeed in a modern, digital world," he says.
"There has been a very large increase in incidents reported to CERT NZ [the government’s Computer Emergency Response Team] and it drives home just how important it is for businesses to have the right cyber security in place and plan for how they’ll manage their risks if something goes wrong."
According to CERT NZ’s second 2018 quarterly report, cyber incident reporting by organisations has increased 143% since Q1 2018. In that period, 507 cyber incidents were reported by organisations. Direct financial losses from all cyber incidents for the period were $2.2 million.
"It’s important to remember that this is just what CERT is aware of," says Grafton. "$2.2 million is probably a conservative number; there will be many people who don’t report cyber incidents to CERT or may not realise they suffered a cyber-attack.
"In an increasingly digital world, the likelihood is these attacks will continue and small businesses are vulnerable because they’re less well-resourced than their large counterparts."
Can the industry expect to see more and more SMEs taking out coverage to protect against cyber-attacks? Eventually, says Naylor.
Currently that type of coverage is not that common outside the major firms, but that will change over time,” he says.
And if people were more aware of just how big a threat cyber-attacks pose then there would almost certainly be more businesses that insure against them.
“People don't quite know how just how many attacks occur in this New Zealand every day that are stopped by the government. If they were aware of the major problems they'd probably insure more against them.”
The numbers are stark. The latest figures from CERT and financial services firms saw reports of phishing attacks more than double in the June 2018 quarter.
The Crown agency responsible for tracking, monitoring and advising on cybersecurity incidents registered 455 phishing attacks in the three months through June, up from 196 in the March quarter. Some 337 of those attacks were in the financial services sector, which the agency put down to a closer working relationship with the industry.
The total number of incidents reported was 736, of which 112 were referred to police and nine to Netsafe. None were referred to the National Cyber Security Centre or Department of Internal Affairs in the quarter.
Those led to $2.2 million of direct losses for people and organisations, again skewed to older demographics. Four incidents accounted for 77% of those losses, of which two were scams, such as phone calls or ads designed to trick users into installing fake software on their computers. Eleven scams and frauds were reported to Cert NZ in the quarter.
“It’s really quite staggering,” says Naylor.
“And these cyber-attacks, while they are not all successful, it’s worth keeping in mind that there are people trying all the time. Not every single attempt is going to be able to be stopped. It’s absolutely a case of being a much bigger problem than most people are aware of.”
But how does a business, particularly a small or medium-sized one, insure itself against cyber-attack?
Not easily, says Naylor.
“When it comes to cyber-attacks the ultimate cost to a business of a successful cyber-attack is still mostly an unknown thing,” he says.
However, while it is impossible to insure against every single unforeseen event, there are steps all business owners, large or small, can take to understand their risks and select a quality insurance policy.
“There are a lot of SMEs out there focused on getting on with their business and don’t have a degree of foresight about what could happen,” says Niall Martin, a senior employee benefits consultant with Willis Towers Watson.
“Our job is to ensure we promote awareness of the risk and educate our clients.”
Willis Towers Watson’s Brown says a good policy is all about working with clients to help them protect their balance sheet.
Cyber is a good example, he says, with 56% of New Zealand businesses having been impacted by some form of cyber event.
“The average claim last year in cyber was $26,000 so it’s a not insignificant impact for many businesses but in terms of obtaining cover it’s still relatively new,” he says.
Company collapses have also hurt a huge range of businesses, he says, and the upshot is that business owners are becoming more cautious and more interested in looking at a range of insurance solutions.
“We’ve seen far too many instances where businesses have had good clients forever who always paid their bills and suddenly something falls over and it can have a devastating effect on a business very quickly.”
Liability
Directors and officers liability insurance (or D&O) cover take-up is also low, says the ICNZ’s Grafton.
“The Institute of Directors announced this year that only 24% of directors have D&O cover,” he says. “There will be higher take-up of more traditional lines such as material damage to property, but businesses need to take advice to fully assess their risks and to consider which of the wide range of business insurance cover is best for them.”
It is also important to distinguish between under-insurance and not insured, says Grafton.
“New Zealand has very high levels of house insurance with well in excess of 95% insured,” he says.
“Some of these for various reasons will not be insured for the amount required to rebuild the house should the very worst happen – that is under-insurance.”
The very worst did happen in 2011 in Christchurch and many lessons were learned after the earthquake, says Naylor. A great number of SMEs suffered financial hardship not just because of property damage, but simply because customers could not gain access to shopfronts and office spaces – something they were not insured for.
“There’s even a famous case going about, I am not quite sure of the details, but there was a law firm that had all their computers, containing all their client files, in their sixth-floor office. The quake struck and the stairway collapses and they couldn’t get into their office. They had to get a guy with a crane to go in and get all the computer hard drives. That’s the type of thing you would probably never expect to happen, but it can and it will, especially in a country like New Zealand.”
Naylor says he has seen anecdotal evidence that after the Christchurch quake more and more businesses, especially small and medium ones, have been insuring against natural disasters or “acts of God”.
However, insurance needs to cover all sources of risk, even personal risk such as a business owner suffering a heart attack, Naylor says.
“This is not so much insurance as scenario planning – going through a list of all the things that can go wrong, whether earthquakes, or fires, or the death of a key staff member, and planning for what the business does when that event occurs,” he says.
As a result it is essential for any business to get the advice of a good insurance broker, Naylor says.
“A good broker will be able work with you to examine your finances and establish a suitable insurance solution that ensures you have the right level of cover in place,” he says.
“The skill of your broker is very, very important.”
ICNZ recommends SMEs do these things to help manage cyber risks:
1. Make sure all employees regularly update their passwords and don’t write them down anywhere or use passwords they’ve used for other services. If you can, enable two-factor authentication on website or system logins.
2. Buy and install good quality anti-virus and anti-malware software - don’t just rely on what comes default with your system. Make sure you protect tablets, cellphones and any other devices you can that connect to the internet.
3. Change your office WiFi password regularly and don’t leave printed copies of it lying around. Access to your WiFi could open up access to your files and systems if someone dishonest got in.
4. Don’t connect company devices to open or free WiFi networks or install and use unauthenticated apps. These networks allow anyone connected to them to see other connected devices and could make your device a target for hackers.
5. Make sure employees only download legitimate apps from the Google Play or Apple stores if they’re conducting any work on their devices. Unauthenticated apps could contain security vulnerabilities.
6. Keep your software up-to-date. Vulnerabilities in unpatched software make for easy entry for hackers.
7. Set up logs to detect unusual activity and verify any strange business requests you get by phone if you’re unsure of them.
8. Get cyber insurance - cyber insurance covers you for cyber attacks and helps your business get back on its feet faster.
