The technological revolution

From the risks of technological advancement to the liabilities of organisational management, the industry was fraught with discussions and events. A Premium report.

Many quarters in the industry are of the opinion that insurance is behind other industries in terms of technological revolution. A seminar titled ‘Flash of Genius: Building cyber resilience in banking and financial services’ organised by cyber security firm Dark Matter brought many relevant topics to light.

Delivering the welcome address, Rabih Dabboussi, SVP – Sales, Marketing and Business Development, said: “We’ve seen the transportation and healthcare, education and defence and security go through the last few years, tremendous changes in how they conduct business. What we haven’t seen is a real transformation in the banking and finance industry.”

Speaking about the regulatory changes in this space, Brian Meenagh, partner, Latham & Watkins pointed out that the regulatory landscape differed among organisations, particularly when it comes to overseas compliance. “A good compliance team should know the rules that apply to their organisation or where to look,” Meenagh said.

“The regulations that apply to you require two types of obligation: They impose obligations in terms of protecting data, and in terms of how you deal with a cyber breach. In particular they impose obligations on who you notify, and when you notify them. Everything else is just detail,” he added.

Meenagh spoke about protection of data: “There are UAE rules that impose condition of confidence upon organisations that hold confidential information. If you look at the UAE Banks Federation Code of Conduct, it imposes an obligation on banks to take reasonable care to keep secure from unauthorised disclosure of confidential information,” he said.

Speaking about cyber risk, Simon Bell, VP-Cyber Lead, Marsh MENA, pointed out that there were a number cyber instances taking place in the Middle East with financial institutions. “From an insurance perspective there’s not many notified claims in this region at the moment. It’s a very new product for the region, although we’re seeing a huge increase for the product as a whole,” he reflected.

Quoting a Ponemon Institute study on data breach he said that there were at least 26 cyber breaches over two years in the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA). “The cost of data breach for these 26 attacks in the UAE and KSA was USD4.6 million of which USD1.96 million was just the loss of business. The direct cost (forensics, investigation, public relations) was 56 percent of that USD4.6 million. The direct cost is what you’re incurring to understand what happened in an event and how to manage an event can escalate rather quickly,” Bell said.

He said that the cyber insurance line of business has been around for only 25 years, having started in the US as a purely liability product. Breaking down the coverage into first party and third party liability covers, he went on to explain the difference. “So should you have an instance where your systems go down, your data has been compromised, you can no longer trade or operate, the policy will respond immediately with cost to mitigate the effect of this by bringing in specialist providers and to ensure the actual effect of the attack or the event is minimised as much as possible. If it’s not that simple to mitigate, then the policy will respond with a loss of profit that you incur for that period,” he said.

“In this part of the world we don’t have the liability culture that is present in the rest of the world. However that may change. Should the entity suffer a data breach and customer cannot use their banking facilities and they can’t make payments etc, they may in turn bring claims against the financial institution for the loss of that data and the potential impact they are going to have as individuals or corporates or for the failure to protect that data sufficiently. Defence costs are covered by the policy to ensure that the business is protected,” he explained.

“We’re also seeing increase in outsourced service providers and contingent business interruption in these sections. As most financial institutions these days you rely on a lot outsourced service providers for processing of data, hosting of data. If these entities were also impacted, their cyber instance affected your business, and you can operate or trade as before then the policy will have to respond so that you’re not negatively impacted and ensure you can operate, it will cover your incurred expense or your business interruption as a result of your outsourced service provider being taken down,” Bell added.

He outlined the different aspects of the coverage such as data asset protection, event management, breach notification costs, policy deductibles, among others.

Bell noted the use of archaic policy wording that was still being used in the region: “Most wordings that we see in this region from an electronic computer crime perspective are very old which potentially still rely on wordings are outdated and to do with telex, facsimile which most banks don’t normally use. From an awareness perspective it would be good to go back and check the computer crime wordings and how up to date they are.”

D&O

The Insurance Business Group (IBG) recently held a workshop on Directors & Officers (D&O) Liability Insurance. The objective of the workshop was to understand the increasing “blame culture” propogated by shareholders of organisations aimed at directors and officers. The event was also held to discuss increasing threats on compliance and liability such as cyber related exposures, bribery and corruption and money laundering.

Outlining the history of D&O, Dr. Abdul Zahra A. Ali, CEO, National General Insurance Company and chairman of IBG, said that the line of business began in the 1930s by Lloyd’s of London as a personal practice. “After that in 1940, corporate indemnification came through, which was not restricted to individuals. By 1970 there was an increasing uptake of D&O and increasing awareness of this line of business. From 2000 onwards people started to think about modern D&O coverage. In the US the market size for D&O is USD2.9 billion,” he said.

Dr. Ali also pointed out that the average annual growth for the last five years for D&O insurance premiums was 7.5 percent.

Delivering the first presentation, Nicola Stokes, assistant vice president – Professional Indemnity at Liberty Specialty Markets MENA Ltd., said that the D&O line of business had garnered attention since the last 40 years. “This has been a drive since corporate governance has become such a focal point in business specifically. Countries all over the world are updating companies’ acts and basically codifying directors’ duties… Very few people know what they are in for; understand what their risks are when taking up these positions. The cover is there to protect them,” Stokes said.

“Traditionally everybody thought D&O was only ready for the listed companies because they had shareholders, not everybody else. Things have changed since then and they can be held for private companies for decisions being made at a local level for employees, for creditors, customers, not just for shareholders,” she added.

Stokes explained the various responsibilities of directors and officers, which included policy-making and decisions regarding operations, capital, supervision, among others. With respect to duties, she said that directors and officers were bound by the duty of loyalty to the company, transparency, obedience and acting in good faith.

Speaking about risk factors, she said that companies operating in more than one country needed to take into consideration the regulations, compliance procedures and auditing practices in all those jurisdictions. “It has to be taken into consideration where is the risk and who the customers are and what laws are you placing,” she said. With respect to emerging risks such as cyber, Stokes recommended that dealing with these risks was a board decision and directors need to be fully involved. “D&O is almost a commoditised class which means it is easy to come across, everybody wants it. There’s no reason anybody should not have a D&O cover because it is so cheap. It’s a sleep-easy cover. There shouldn’t be any reason why anybody’s not buying it,” she added.

Speaking about liability, Walid H. Jishi, group chairman and managing director of Arab Loss Adjusters International LLC, said that the segmentation of the market translated to varying potentials of liability. He spoke about the current market and said that it was imperative to underwrite a business and satisfy the client by first understanding the business, going through the risk identification and carrying out a risk analysis. He also said it was important to increase penetration of insurance in the market.