Cyber and reputation top dutch risk register–Netherlands
On the subject of cyber risks, the Dutch risk and insurance managers who took part in this year’s Netherlands roundtable in Amsterdam agreed with risk managers in other European countries who took part in the survey that this is not a simple topic.
The response to the question of whether cyber risk actually represents a risk, or for that matter a line of business in itself, generated a typically diverse set of opinions that suggest this topic will take some time to be worked out.
Eric Bloem, Manager Global Insurance, Global Tax & Financial Markets, Insurance at global brewery group Heineken, and a former head of Narim, said that cyber is clearly a big risk but it is just one of the many risks faced by companies today. “It is a new risk, 10 years ago we didn’t have it,” he said.
hide
Tjerk van Dijk, the man who recently replaced Peter den Dekker as Director Insurance at Stork/Fokker after he left for Vimpelcom shortly after standing down as president of Ferma, said cyber risk is just a different format of known risks.
“I think the scary part is that people do not exactly know what it is. People say it is new and it is scary but it is not defined yet. Who is taking responsibility when an employee comments on Facebook about your company and it damages your reputation?”
Annemarie Schouw, recently elected president of Narim, said, however, that in her opinion, cyber risk is not rooted in the kind of social activity that Mr van Dijk referred to. “Cyber risk is more an intervention of your critical IT systems,” she said.
Jacqueline Plessius, Senior Insurance Manager Group Treasury & Insurance at TNT Express, said: “That could be one of the risks. But I think the big discussion is over how much of it is already known and dealt with as a risk, either mitigated by insurance or not, and then how much is covered by the insurances you already have and how much is then left over.”
Sandrine Hogendoorn, a former risk manager who is now Client & Distribution Leader for Benelux for XL Insurance, said she had recently seen research that showed that cyber crime costs Dutch society €10bn per year. She pointed out that this is equivalent to 2% of the Dutch gross domestic product and equal to the economic growth of the Netherlands in 2010.
Tjerk van Dijk asked whether the cost is so high because of claims and losses or whether it is because of prevention?
Hans Gorree, Directeur Corporate Risk & Insurance VolkerWessels, and also a former president of Narim, said that in his opinion, the cost is primarily based upon risk management by ICT departments.
Mr Bloem agreed. “If you add up all of the costs we spend on fire prevention for example that will also be an enormous amount of money, so the amount connected to cyber risk tells us nothing.”
Adri van der Waart, Insurance Manager at ARCADIS, asked for some examples of cyber crime in Holland to help flesh out the discussion.
Rob Wagenvoord, Director Special Projects, Large Accounts at Willis, said the big claims tend to be filed by financial institutions such as banks and credit card companies and that is not public information. “So I think it is very difficult to have a real figure on the losses,” he pointed out.
Annemarie Schouw added that, in her view, cyber is a risk that a risk manager should be aware of, but whether they should insure it depends on the business. And Ms Plessius pointed out that credit card risk is not a new risk but just a form of theft.
Mr Bloem therefore concluded that this represents the whole problem with cyber risk. “We agree that we disagree about its definition,” he said.
“It is just another form of theft. Insurers like to exclude all kinds of things related to data. Then they come up with something that is called cyber risk insurance. And that is called innovation,” he said.
Reputational risk has also been a topic of debate in the risk and insurance markets in recent times but has been around for longer than cyber.
The Dutch risk managers agreed with their colleagues in other countries that reputational risk is on the board agenda currently, adding that the actions that can be taken to mitigate and transfer the risk remain something of a conundrum.
Hans Gorree said that both reputation and safety are big issues for his company. “As contractors every day we face many risks on a lot of projects around Europe and we have a substantial spread of activities. This type of risk is partly insurable but more important is the management of the company and the consequences. Internal communication is very important and our board every month sends a memorandum about safety, integrity and other issues,” he said.
Rob Wagenvoord of Willis pointed out that the problem is bigger for stock-listed companies. “If you are a stock-listed company it is a real problem. No matter what insurance can do, the impact reputational damage has on the stock price and other stakeholders can be huge,” he said.
Adri van der Waart of ARCADIS said his company is aware of reputational risk so it creates rules internally about what to do if a ‘case is on the table’ and it simply has to deal with it. “It is about how to react and how not to react in those cases,” he said.
As noted elsewhere in Europe during this survey it appears therefore that the biggest risks faced by risk managers in the Netherlands are more macro business risks that are inherently more difficult to insure and thus difficult to place in traditional boxes.
Whether the Dutch risk management community and its partners in the insurance industry are willing and able to rise to this challenge was the focus of the ensuing debate and, as elsewhere in Europe, raised some big questions about the ability of the profession and the insurance sector to rise to the challenge.