Risk Management in the Industry 4.0

Interview: Dr. Georg Bräuchle
Executive and Chief Market Officer Marsh Deutschland

 
» Like us now the whole world is currently talking about the topic of Industry 4.0: what does it mean for you? For example in the future will an app replace the insurance broker?

 
This thought suggests itself easily, since the insurance industry is also subject to digitalization and is facing great changes. At Marsh modern technologies have been supporting us for many years already in the most diverse processes. But as it concerns the topic of an app, we see its application primarily in the area of private clients or smaller businesses. Wherever processes can be more or less standardized and there is a large number of processes of the same type.

 
In the industrial insurance business, which as always typically involves custom-made individual solutions, an app cannot replace the human and his or her technical understanding, personal experiences and ability to innovate. At best it could only be an aid for the exchange of information. So people tend to talk more about platforms in which information is stored, for example that all involved could access in case of a claim. But to completely or almost completely automate the conclusion of the insurance policy and the regulation of damages with an app would not be conducive for our business, because it is too individual.

 

» How has digitalization changed the day-to-day work for you as a renowned insurance broker and risk consultant? What new challenges do your clients bring you?

 
The need for analytic services is growing and we have to elevate the dialogue with our clients to a new level. We see ourselves facing a generation of young managers with a new approach to the ssue. Decisions must be much more strongly founded upon objective data and facts than in the past. Not all companies can do this, besides experience they need the relevant data and analytical tools. For us that is an opportunity.

 
The field we call Analytics, the analysis and assessment of large amounts of data, is the most interesting – also known as Big Data. This concerns risk information across entire fields and industries that is assessed with analytic methods. In this way we can generate precisely targeted numerical models for clients – about their risk situation, the probabilities of risks occurring and their dimensions.

 

 
At Marsh we call this Marsh Analytical Platform or iMap. As a result we arrive at new models for how to optimize protection and calculate the repercussions of various alternatives – and how this effects the company’s own cost situation in turn.

 
» Cyber attacks are increasing and becoming more sophisticated. It is true that traditional security concepts seem to be increasingly ineffective?

 
No, but the race between code-makers and code-breakers was always a game of cat-and-mouse. There are more and more attackers, and they are more and more sophisticated and professional. There will be no end to the work. The defenders must always try to close or to keep closed a thousand different holes and the attacker only needs to find one. Hence it is always difficult to be in the defensive or protective position and to try to seal everything off. Of course this also changes the technology and the strategy of the defensive measures.

 
For us it is important in this regard that we advise our clients not just for example in how to protect their IT but also how to raise the awareness of their employees.
In addition, together with other service providers we offer an IT forensics service – Darknet Research, Penetration Testing, etc. That is, services that are necessary and possible to optimally protect oneself and to be able to say, from the viewpoint of an executive: “I’ve done my job right, technically and organizationally and in view of security I’ve done whatever can be done. If something happens anyway, hopefully it won’t be so bad and in the end I’ll have nothing to reproach myself with.”

 
Ultimately there is no absolute protection. But it is possible to secure yourself against the financial consequences of an incident and receive compensation.

 
» What strategies do your clients pursue to secure themselves? Can you give us examples?

 
Since we’re not IT consultants, we do not give our clients any recommendations about how to build up their IT security systems. But we can test whether they are good and function well. We’ve observed among our clients that encryption technologies, which form small units of information that are each encrypted, play an increasingly large role in their security concepts. When an encryption gets cracked, the attacker can only mess around in that one area and cannot, like with a breached firewall, wreck mischief everywhere. This technology is a development that is now very prevalent in the industry – above all in Germany.

 
» In all seriousness: is the glass half-full or half-empty when it comes to securing supply networks? So are all future challenges involving the vulnerability of digital supply chains an opportunity for the industry – or an absolutely unnecessary and incalculable extra expenditure?

 
This is more of a psychological statement, whether one is a pessimist or an optimist. I believe that it is above all an opportunity for every innovative company to move their security technology forward for their area – usually together with other partners.

 
This is a little comparable with the topic of environmental protection: in the first instant it is also seen as an additional burden by individual companies. But it very quickly becomes clear that you can open up additional market opportunities for yourself by being the first to develop or deploy a flue-gas desulfurization facility.

 
The situation is similar for cyber security topics. Whoever is the pioneer there and develops and deploys intelligent strategies or tools will attain a good position for themselves among the competition. This can ultimately be the feature that differentiates them in competition. For it is crystal clear that the cyber-threat situation is not going to go away, but will stay with us in the future as well.

 
» On the topic of building up security structures, experts say “Anti-virus is dead”. This principle underlines the importance of a paradigm shift in cyber-security. This includes the insight that companies have to deal with these topics that are to some extent outside their industry. Does the industry already have this understanding of how to look beyond their own nose? Why might they find this so difficult?

 
There are still companies that believe they’re too small and unimportant to be the target of a cyber-attack. Here the awareness has to grow more. It is very important that everyone soon understands how vulnerable they are, what measures they can respond with, and that they have to position the topic of cyber-security at the right place in their company – namely in executive management.

 
This is a very important strategic topic. For many this is already the case, for others not yet. Thus as always in economic life, over the course of time with every new technological development the wheat is separated from the chaff. The quicker and smarter ones notice this earlier and will be able to assert themselves better than those who hesitate too long.

 

» That means that the companies that are not leading in this right now will disappear from the market?

 
Or they’ll catch up on this later. It doesn’t have to spell the end for them right away. But I can easily imagine that the topic of cyber-security will be a very important one in the field of machine construction, for example, since there are very complex electronic guidance systems there. Whoever can demonstrate a state-of-the-art protection there will have better marketing potential for their products than someone who neglects this topic. And that is the question, if the distance can still be made up or if they have already been left behind.

 
» Do financial considerations also play a role in whether a company invests in cyber-security?

 
Of course. The fascinating development however is that for many companies the focus of activity has evolved from pure production companies to software and service companies. And if I am less and less a classical producer and increasingly a planner, system developer or provider, then my business model will also change.

 
For example if a producer of paint finishing systems is no longer just selling them but operating them in the factory of an automobile producer, then along with the business model the risks and liability scenarios also change, such as with interruptions of operations. Accordingly the businesses have to review their prior strategies to secure themselves and adjust them if needed.

 
» Industry 4.0 brings new challenges to workplace safety as well, if humans and machines will work together more closely in the future. This generates a new kind of risk that companies might not have considered before. What solutions are imaginable?

 
I think that the risk is exaggerated. In general processes become safer when they are guided by machines. When machines and humans work together, the human is probably the greatest risk factor. With autonomous driving we also assume that the probability of accidents will fall by about 60 percent, since the technical systems are a number of times better than the human.

 
In reality what we perceive is often the reverse: if the machine makes a mistake, it strikes us as much more threatening, than when the human makes a mistake.

 
In terms of security, in terms of risk management and insurance concepts I don’t see any great problem. The liability rules have to be sharpened somewhat in one place or another. When the guidance of a machine is insufficient or wrong, then this is a case of product liability, just like in the case of pure mechanics.

 
» Consulting liability can hang over a client relationship like a Sword of Damocles – especially for new topics like Industry 4.0 and digitalization. How could we develop internal solutions to minimize these dangers?

 
Insofar as we provide IT programs to our clients, this is regulated as for software service providers generally. This means that liability is either excluded or strongly limited. Otherwise our liability situation is unchanged. I don’t see any great difference there.

 
» Assuming the emergency does happen and a company is hacked. The worst case scenario for everyone involved. What communication is necessary on the part of the company to win back their clients and to maintain themselves long-term in the future?

 
An anticipatory risk strategy can help to protect the company from damages and to preserve the trust of the clients. From the viewpoint of communication, three areas need to be kept in mind in order to protect the reputation of a company in case of cyber-crime: preparation, coping and repair.

 
Above all a company should think about this beforehand – not just in the emergency, since then usually hectic breaks out and everything is happening at once. So a crisis communication plan is enormously important. And you should understand clearly that it’s usually not a pure IT topic but a matrix topic, the interplay of various areas of the company – from purchasing, sales and client support to the press office.

 
Depending on the company’s exposure it often makes sense to engage a crisis communications consultant, who also should have been selected beforehand. All information should be coordinated between those responsible for the crisis communication and the IT forensics, so that unified communication is guaranteed. So that one person doesn’t communicate something that becomes untenable later or turns out to be a mistake. A good coordination of communication with the IT forensics, the responsible data protection authorities, the investigating authorities as well as the company’s own lawyers and the insurance is essential.

 
It is not a good idea to keep as much as possible secret for as long as possible or to suppress it, since this naturally destroys trust. On the other hand overly hasty statements should also be avoided that later turn out to be exaggerated or unnecessary. This is a fine line to walk. Thus it is important to consider a communications strategy beforehand.

 
Fundamentally with all cyber-incidents it is advisable to react as quickly as possible, since things get more complex, difficult and wide-spread the longer they ferment by hemselves.