While fire and explosion remains a top risk for all firms, cyber and Itechnology exposures are becoming increasingly complex

Technology

It was an industrial mishap that would have ordinarily gone unnoticed. On 4 September 2013, a fire engulfed a substantial portion of a computer memory chip production plant in Wuxi, China.

But it wasn’t just any production plan, and it didn’t go unnoticed.

Owned and operated by SK Hynix, the fire made international headlines owing to the plant producing between 10%-17% of the world’s supply of dynamic random access memory (DRAM), a memory chip used in computing electronics from laptop computers to mobile phones. The company supplied everyone from Apple and Dell to Lenovo and Sony.

So just how bad was the fire and business interruption?

The effects of the incident were instant: the price of a benchmark unit of 2-gigabit DRAM jumped some 20% to $1.90 the following day, a three-year high. One research firm estimated that the shipment of some 10 million smartphones and 11 million laptops were delayed as a result of the fire, while HP took the threat of supply-chain disruption seriously enough for senior management to clear their calendars for two days for no other reason than to make sure they had “an unfair share of the available [DRAM] commodity”.

Beyond the immediate supply chain disruption and delays, the case “totally changed the concept for fire risk in the technology, media and telecommunications (TMT) industry”, says Willis Asia head of TMT, managing director, Sirikit Oh.

SK Hynix was one of the top claims in the TMT industry, which cost insurers about $860m.

And, naturally, resulted in an increase to premiums in the semi-conductor industry.

It’s cases like these that have ensured ‘fire and explosion’ comes close to the top of almost any firm’s risk register and risk transfer programme.

But the risk priorities for TMT companies have evolved significantly in the past two years (see box out, below).

Today, the focus also prioritises cyber and technology risks.

This is because TMT companies today typically operate or depend on complex IT networks, depend heavily on web-based solutions, hold and work with a large amount of customer data and often host or manage data for their clients.

Indeed, David Ralph, senior vice president of risk management at Hong Kong-based telecommunications company PCCW Limited, insists that his IT background has been very beneficial to his risk role.

“As an IT, telecoms and media firm, these are IT-type businesses,” he says. “So not only do we rely on IT for billings and aspects like that, but the underlying infrastructure is IT-based for everything we are providing.”

Ralph says his IT knowledge has also assisted when people have tried to inform him that a certain area of technology has minimal, or no, risks.

“I have a reasonable amount of respect and authority when it comes to discussing what the risks actually are, and it enables me to work more closely with the technical teams,” he says.

Willis’s Oh explains that TMT firms are more “vulnerable to cyber and technology-related risks, including hacking, denial of service attacks, or data breaches causing potential expenses, liabilities and regulatory concerns”.

She says: “Companies in the TMT industry should take proactive measures in safeguarding their IT systems and intellectual property so as to ensure that their brand and reputation in the market place is protected.

“Besides taking physical protective measures, their risk mitigation strategy should include risk sharing and risk transfer through various insurance products.”

The cyber insurance market in Asia is still emerging, however, with both insurers and clients grappling with cover and capacity issues.

“In Asia, every country (whether developing or developed) is trying to find their footing in handling internet and cyber security issues. It is a very delicate balance between regulation and allowing cyber developments to take place at the right pace,” Oh says.

“However, we do see that regulators in Asia are coming together on a more regular basis to share regulatory issues and experiences among themselves and with the industry.”

This bodes well for Asia, Oh says, as the interactions have helped the industry to work closely with regulators to help them understand issues faced by the industry.

“In so doing, regulators are better equipped with knowledge to help the industry attract and retain talent in Asia thus helping the industry to grow at a more sustainable pace,” she says.

But Zurich Insurance Global Corporate Asia-Pacific chief executive Keith Thomas says the region needs a more coordinated response to increase its cyber resilience.

“Asia currently lacks an overarching framework to deal with cyber risk,” Thomas says.

The region has recently seen some promising steps forward in this area, however. For example, Singapore recently established a Cyber Security Agency and Hong Kong established a Cyber Crime Unit.

But Thomas is calling on regional bodies such as ASEAN and APEC to lead a unanimous response for the region.

“Companies cannot turn a blind eye to the prevailing risks of cyber-attacks,” he adds. “Besides the potential damage caused from such events, there are also serious reputational risks associated with cyber security. The topic needs to be a priority and escalated to a board-room level issue.”

 

Key risks for TMT companies in Asia

  • Supply chain and contingent business interruption - TMT companies are increasingly dependent on a complex supply chain, including alliances with third party providers of services, content or other strategic partnerships. Problems in the supply chain can have adverse financial and reputational consequences for the company if not managed adequately.
  • Catastrophic service interruption - In many countries there is an absolute requirement for telcos to provide continuous services.
  • Non-physical business interruption (BI) – An interruption or interference to key IT systems from events such as a cyber attack or network failure, can lead to revenue loss and increased costs that may not be covered under a traditional (BI) policy.
  • Mergers and acquisitions - The TMT industry is consolidating, as large cash-rich companies seek to expand and grow by acquiring companies that enhance strategic value. There are inherent risks involved in both the acquisition process and post-integration stage i.e. inherited liabilities.
  • Cyber, data privacy and network security risk – Most TMT companies operate or depend on IT networks, and hold large amount of data. This makes them vulnerable to cyber and technology related risks including hacking, denial of service attacks, or data breaches causing potential expenses, liabilities, and regulatory concerns.
  • Contractual liabilities and performance-related risks - As TMT companies move along the value chain or increase the amount and type of services they provide, they encounter an increased range of new and performance and contractual-related risks.
  • Human capital risks - TMT companies often employ large workforces across diverse territories, entailing large salary and benefits costs. Employers’ liability and talent management are key exposures.
  • Executive risks - TMT companies are facing increased directors’ and officers’ exposures with greater scrutiny from regulatory authorities and shareholders than ever before.
  • International operations and globalisation risks – As TMT companies expand into new markets in search of higher growth, they may face new exposures related to political risk, trade credit and global and local compliance.
  • Intellectual property/patents – TMT companies are often owners of large amount of intellectual property rights.
  • Reputation/brand – TMT companies are key brands in the local as well as global economy and the failure to manage an incident correctly could have negative impacts on the brand.