First impressions of Hong Kong people are that they are wonderfully entrepreneurial and willing to take risk. Look again, however, and there’s an innate caution – a conservatism – that sees many people look to avoid risk in work, investment and business outlook.
And then there’s the paradox: their aversion to risk is seemingly matched only by their willingness to accept risk.
It’s one of the glories of Hong Kong, a reason the city is such a great place to do business and home to 340,000 small and medium enterprises (SMEs) – 98% of the city’s businesses. On the flipside, however, it’s a seemingly cavalier attitude to risk that presents a critical challenge to this vibrant commercial hub. The sheer lack of protection against risk in all its manifestations, notably in cybersecurity, creates a soft underbelly that could undermine business resilience.
Remarkably, 14% of SMEs – that’s about 47,600 companies – have no insurance at all (excluding employees’ compensation which is a statutory requirement), according to a QBE research study (1). And while four-in-five SMEs have insurance plans, these may not provide adequate protection to their specific needs and makes them vulnerable to risks that could potentially disrupt their business. This is despite 73% of SMEs having experienced at least one business issue in the past year, such as equipment breakdown, damage or loss of inventory and property damage.
But it’s with cybersecurity that Hong Kong SMEs’ risk-taking goes to a much higher level.
Astronomical cost of cyber attacks
The business impact and money at stake are not insignificant. A Microsoft survey estimates that cyber attacks could cost Hong Kong a staggering US$32 billion, roughly 10% of the city’s annual gross domestic product (2). The survey also shows that almost a quarter of companies in Hong Kong have experienced security incidents, resulting in job losses in three quarters of the firms that experienced them.
The good news is that the vast majority (86%) of SMEs are aware of the cybersecurity risks, owing in part to the growing number of incidents, the European Union’s General Data Protection Regulation, China’s cybersecurity law, among other factors. Yet, there’s a clear lack of appetite for cybersecurity protection, particularly among the smaller SMEs. In all, 32% of SMEs wouldn’t even consider cybersecurity insurance, and for smaller SMEs, that percentage rises to 45%(3).
The findings echo those of the Hong Kong Computer Emergency Response Team Coordination Centre, which says that SMEs may be aware of the need for cybersecurity, but often do not take proactive measures, such as regular security risk assessments along with security technology and management upgrades.
Lack of understanding
So, why the inertia and risk-taking? In some cases, the risks are not understood, and this often manifests itself with the response that it’s “not my problem, it won’t affect a company like mine.” This is partly explained by the difficulty some SME owners have in understanding the technology and finding the right talent with the right skills – at the right price.
To be fair, digitalisation and the accompanying cybersecurity measures have their challenges. We found that the main barriers facing SMEs were high costs (39%), a shortage of digital and IT skills (30%), data security (26%) and a lack of funds (26%); for smaller businesses, these present not-so-small problems.
History shows that in addition to the financial losses linked to cybersecurity incidents, such as fines, the cost of addressing the problem, possible loss of productivity etc. – there can also be considerable reputational damage and loss of customers – those who move elsewhere and don’t return.
We’ve seen from elsewhere that the reputational impact tends to be greater when it’s evident that the preventive measures were non-existent or inadequate; it can ultimately lead to the demise of the business.
Protecting SMEs before it’s too late
For some SMEs, the investment in cybersecurity or protection may be significant, but the cost of going without or doing it on the cheap can be far higher. Typical considerations for cover include terms for the underlying cause of a security breach, the cost of remedial actions, loss of business, cost of production downtime and, very likely, legal costs. Also important on the list is the claims process, as you don’t want to be battling for years to get a payout.
Customers and intermediaries increasingly like to view digital offerings – be it digital claims or an intermediary service platform enabling end-to-end online transactions. It’s easier to navigate and offers better, faster, 24/7 services. Ultimately, it’s about enhancing the experience and making the insurance sector fit for the digital future.
SMEs in Hong Kong are legally obliged to take out insurance for employees’ compensation. On the face of it, everything else is optional; but all things considered, it’s not – the risks now are too high.
Whether it is a typhoon or a cyber attack, the outages can easily go from being an interruption to being permanent. A step-up from the statutory minimum may prove a farsighted decision to ensure longevity.
This author of the article is Lei Yu, chief executive for North Asia and regional head of distribution for Asia, QBE Asia.
References
1 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019
2 “Cybersecurity threats to cost organisations in Hong Kong US$32 billion in economic losses”, Microsoft, June 2018
3 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019
-
IFRS 17: Making your financial controls automation truly work for you
- September 26
Shifting towards a more automated and streamlined workstream can free up time for insurers to critically analyse results that inform future financial planning.
-
Flood resilience: Water, water everywhere…
- September 11
Floods are one of the most complex natural perils with highly localised impacts, making them challenging to insure and data is key to the effective design of an affordable product to protect the vulnerable.
-
Maritime energy transition: Data dialogue key to achieving decarbonisation goals
- August 3
Collaboration and shared learning amongst stakeholders will be vital to getting full value from the data captured as well as in achieving regulatory goals. The International Maritime Organisation’s (IMO) greenhouse gas (GHG) strategy is to reach net-zero emissions from international shipping by or around 2050, and there are various checkpoints to meet along the way. […]
-
Contentious losses: Evidence-led forensic investigations stand the test of time
- May 17
Even minor cracks in evidence capture will become exposed when it comes to recovery and repudiation. Forensic investigations form part and parcel of many insurance claims in the Asia-Pac region. Whether a loss is complex, costly, or if there are expected to be questions down the line around causation and liability, insurers and their loss […]
-
AXA XL | Low and no-cost cybersecurity actions for companies
Considering the increasing frequency of attacks, the evolving threat landscape, including the use of AI to launch more sophisticated attacks, companies today can’t afford to ignore the possibility of being targeted by cybercriminals.
-
BHSI | Managing non-Asian exposure in long-tail lines
While US-exposed business can look attractive to Asian carriers, managing the volatility around the long-term results and the ability to model those losses are crucial, say BHSI’s Marc Breuil and Marcus Portbury.
-
Sedgwick | To Handle CAT Claims Well, Multi-Step Preparation is Key
When it comes to risk, it’s not a matter of “if” it’s a matter of “when” an event will occur.
-
HSBC Asset Management | Is it time to relook at Asian currency bonds?
With diversification and performance high on investors’ agendas, it seems a good time for global portfolios to revive allocations in Asian local currency bonds – including Hong Kong dollar (HKD) bonds.
Lei Yu, QBE Asia
Hong Kong’s SMEs need to get serious about risk
Lei Yu, QBE Asia