First impressions of Hong Kong people are that they are wonderfully entrepreneurial and willing to take risk. Look again, however, and there’s an innate caution – a conservatism – that sees many people look to avoid risk in work, investment and business outlook.
And then there’s the paradox: their aversion to risk is seemingly matched only by their willingness to accept risk.
It’s one of the glories of Hong Kong, a reason the city is such a great place to do business and home to 340,000 small and medium enterprises (SMEs) – 98% of the city’s businesses. On the flipside, however, it’s a seemingly cavalier attitude to risk that presents a critical challenge to this vibrant commercial hub. The sheer lack of protection against risk in all its manifestations, notably in cybersecurity, creates a soft underbelly that could undermine business resilience.
Remarkably, 14% of SMEs – that’s about 47,600 companies – have no insurance at all (excluding employees’ compensation which is a statutory requirement), according to a QBE research study (1). And while four-in-five SMEs have insurance plans, these may not provide adequate protection to their specific needs and makes them vulnerable to risks that could potentially disrupt their business. This is despite 73% of SMEs having experienced at least one business issue in the past year, such as equipment breakdown, damage or loss of inventory and property damage.
But it’s with cybersecurity that Hong Kong SMEs’ risk-taking goes to a much higher level.
Astronomical cost of cyber attacks
The business impact and money at stake are not insignificant. A Microsoft survey estimates that cyber attacks could cost Hong Kong a staggering US$32 billion, roughly 10% of the city’s annual gross domestic product (2). The survey also shows that almost a quarter of companies in Hong Kong have experienced security incidents, resulting in job losses in three quarters of the firms that experienced them.
The good news is that the vast majority (86%) of SMEs are aware of the cybersecurity risks, owing in part to the growing number of incidents, the European Union’s General Data Protection Regulation, China’s cybersecurity law, among other factors. Yet, there’s a clear lack of appetite for cybersecurity protection, particularly among the smaller SMEs. In all, 32% of SMEs wouldn’t even consider cybersecurity insurance, and for smaller SMEs, that percentage rises to 45%(3).
The findings echo those of the Hong Kong Computer Emergency Response Team Coordination Centre, which says that SMEs may be aware of the need for cybersecurity, but often do not take proactive measures, such as regular security risk assessments along with security technology and management upgrades.
Lack of understanding
So, why the inertia and risk-taking? In some cases, the risks are not understood, and this often manifests itself with the response that it’s “not my problem, it won’t affect a company like mine.” This is partly explained by the difficulty some SME owners have in understanding the technology and finding the right talent with the right skills – at the right price.
To be fair, digitalisation and the accompanying cybersecurity measures have their challenges. We found that the main barriers facing SMEs were high costs (39%), a shortage of digital and IT skills (30%), data security (26%) and a lack of funds (26%); for smaller businesses, these present not-so-small problems.
History shows that in addition to the financial losses linked to cybersecurity incidents, such as fines, the cost of addressing the problem, possible loss of productivity etc. – there can also be considerable reputational damage and loss of customers – those who move elsewhere and don’t return.
We’ve seen from elsewhere that the reputational impact tends to be greater when it’s evident that the preventive measures were non-existent or inadequate; it can ultimately lead to the demise of the business.
Protecting SMEs before it’s too late
For some SMEs, the investment in cybersecurity or protection may be significant, but the cost of going without or doing it on the cheap can be far higher. Typical considerations for cover include terms for the underlying cause of a security breach, the cost of remedial actions, loss of business, cost of production downtime and, very likely, legal costs. Also important on the list is the claims process, as you don’t want to be battling for years to get a payout.
Customers and intermediaries increasingly like to view digital offerings – be it digital claims or an intermediary service platform enabling end-to-end online transactions. It’s easier to navigate and offers better, faster, 24/7 services. Ultimately, it’s about enhancing the experience and making the insurance sector fit for the digital future.
SMEs in Hong Kong are legally obliged to take out insurance for employees’ compensation. On the face of it, everything else is optional; but all things considered, it’s not – the risks now are too high.
Whether it is a typhoon or a cyber attack, the outages can easily go from being an interruption to being permanent. A step-up from the statutory minimum may prove a farsighted decision to ensure longevity.
This author of the article is Lei Yu, chief executive for North Asia and regional head of distribution for Asia, QBE Asia.
References
1 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019
2 “Cybersecurity threats to cost organisations in Hong Kong US$32 billion in economic losses”, Microsoft, June 2018
3 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019
-
Insurtech: Six tech predictions for the insurance sector in 2024
- January 11
2023 was undoubtedly the year artificial intelligence (AI) went mainstream in the insurance industry. Many leaders are now entering 2024 with high, and potentially inflated, expectations on the potential of AI to ignite an era of accelerated technology led change. Fintechs are seizing the moment, finding ways to bring value to traditional insurers. Insurers are […]
-
Cyber: Companies need proactive approach to cyber security in a deteriorating risk landscape
- October 27
As we move toward the end of 2023, the risk landscape has deteriorated with cybersecurity attacks trending upwards.
-
P&I: “With port infrastructure under strain, there can also be disconnects between international operators and local authorities, especially when incidents or accidents occur.”
- October 3
Claims from collisions, sinkings and groundings grow more frequent amid complex conditions, with more ships set to travel on the river due to the Russia/Ukraine conflict.
-
D&I: “Diversity allows (re)insurers to understand risks better and evaluate them from multiple angles, with different employees able to identify potential risks that others may overlook.”
- September 28
One of the main advantages of having a workforce made up of individuals from diverse backgrounds is the wealth of perspectives it brings to the table.
-
WTW | Building resilience against emerging risks in Asian realty sector
WTW’s Ben MacCarthy, head of real estate, hospitality & leisure, Asia, and Jennifer Tiang, cyber leader, Asia, discuss the real estate industry’s sectoral risk landscape and the emerging role of proptech.
-
FM Global | Resilience: No longer a choice
As climate disclosure becomes mandatory and new risks emerge from natural hazards, understanding the tools that are available to build resilience is more important than ever.
Lei Yu, QBE Asia
Hong Kong’s SMEs need to get serious about risk
Lei Yu, QBE Asia