Lei Yu, QBE Asia

Hong Kong’s SMEs need to get serious about risk

Lei Yu, QBE Asia

May 28 2019

First impressions of Hong Kong people are that they are wonderfully entrepreneurial and willing to take risk. Look again, however, and there’s an innate caution – a conservatism – that sees many people look to avoid risk in work, investment and business outlook.

And then there’s the paradox: their aversion to risk is seemingly matched only by their willingness to accept risk.

It’s one of the glories of Hong Kong, a reason the city is such a great place to do business and home to 340,000 small and medium enterprises (SMEs) – 98% of the city’s businesses. On the flipside, however, it’s a seemingly cavalier attitude to risk that presents a critical challenge to this vibrant commercial hub. The sheer lack of protection against risk in all its manifestations, notably in cybersecurity, creates a soft underbelly that could undermine business resilience.

Remarkably, 14% of SMEs – that’s about 47,600 companies – have no insurance at all (excluding employees’ compensation which is a statutory requirement), according to a QBE research study (1). And while four-in-five SMEs have insurance plans, these may not provide adequate protection to their specific needs and makes them vulnerable to risks that could potentially disrupt their business. This is despite 73% of SMEs having experienced at least one business issue in the past year, such as equipment breakdown, damage or loss of inventory and property damage.

But it’s with cybersecurity that Hong Kong SMEs’ risk-taking goes to a much higher level.

Astronomical cost of cyber attacks
The business impact and money at stake are not insignificant. A Microsoft survey estimates that cyber attacks could cost Hong Kong a staggering US$32 billion, roughly 10% of the city’s annual gross domestic product (2). The survey also shows that almost a quarter of companies in Hong Kong have experienced security incidents, resulting in job losses in three quarters of the firms that experienced them.

The good news is that the vast majority (86%) of SMEs are aware of the cybersecurity risks, owing in part to the growing number of incidents, the European Union’s General Data Protection Regulation, China’s cybersecurity law, among other factors. Yet, there’s a clear lack of appetite for cybersecurity protection, particularly among the smaller SMEs. In all, 32% of SMEs wouldn’t even consider cybersecurity insurance, and for smaller SMEs, that percentage rises to 45%(3).

The findings echo those of the Hong Kong Computer Emergency Response Team Coordination Centre, which says that SMEs may be aware of the need for cybersecurity, but often do not take proactive measures, such as regular security risk assessments along with security technology and management upgrades.

Lack of understanding
So, why the inertia and risk-taking? In some cases, the risks are not understood, and this often manifests itself with the response that it’s “not my problem, it won’t affect a company like mine.” This is partly explained by the difficulty some SME owners have in understanding the technology and finding the right talent with the right skills – at the right price.

To be fair, digitalisation and the accompanying cybersecurity measures have their challenges. We found that the main barriers facing SMEs were high costs (39%), a shortage of digital and IT skills (30%), data security (26%) and a lack of funds (26%); for smaller businesses, these present not-so-small problems.

History shows that in addition to the financial losses linked to cybersecurity incidents, such as fines, the cost of addressing the problem, possible loss of productivity etc. – there can also be considerable reputational damage and loss of customers – those who move elsewhere and don’t return.

We’ve seen from elsewhere that the reputational impact tends to be greater when it’s evident that the preventive measures were non-existent or inadequate; it can ultimately lead to the demise of the business.

Protecting SMEs before it’s too late
For some SMEs, the investment in cybersecurity or protection may be significant, but the cost of going without or doing it on the cheap can be far higher. Typical considerations for cover include terms for the underlying cause of a security breach, the cost of remedial actions, loss of business, cost of production downtime and, very likely, legal costs. Also important on the list is the claims process, as you don’t want to be battling for years to get a payout.

Customers and intermediaries increasingly like to view digital offerings – be it digital claims or an intermediary service platform enabling end-to-end online transactions. It’s easier to navigate and offers better, faster, 24/7 services. Ultimately, it’s about enhancing the experience and making the insurance sector fit for the digital future.

SMEs in Hong Kong are legally obliged to take out insurance for employees’ compensation. On the face of it, everything else is optional; but all things considered, it’s not – the risks now are too high.

Whether it is a typhoon or a cyber attack, the outages can easily go from being an interruption to being permanent. A step-up from the statutory minimum may prove a farsighted decision to ensure longevity.

This author of the article is Lei Yu, chief executive for North Asia and regional head of distribution for Asia, QBE Asia.






1 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019

2 “Cybersecurity threats to cost organisations in Hong Kong US$32 billion in economic losses”, Microsoft, June 2018

3 “SMEs: Navigating Opportunities and Risks”, a research study commissioned by QBE Hong Kong, March 2019

MORE FROM: Comment
Partner Content