Supply Chain Risk Was a Surprise Menace in 2021. Here Are Some Risks that May Come to the Fore in 2022

Predicting some specific risks such as ransomware or climate change disruptions may be easier than others and regulators are expecting companies to show they are prepared for them.
By: | January 3, 2022

When it comes to which risks will dominate headlines in 2022, forecasters shouldn’t feel too smug about their predictions.

In something of a surprise, 2021 was the year that the “supply chain” entered common discourse, with empty store shelves illuminating the vast complexity of how global commerce works—or in this case, saw its challenges. But for risk managers, supply chain issues encompass more than a lack of inventory or an immobilized shipping container in the Pacific. They can represent a much deeper and broader set of concerns.

“When you really stop and think about it, the supply chain includes the public infrastructure, all the utilities at a given location, all the organizations that a company contracts with, and in turn, the companies that those organizations are dependent upon. So in other words, there’s many layers to it,” said Gary Pearce, chief risk architect at Aclaimant.

As we’ve all seen, supply chain issues such as bottlenecks in the distribution system, scarcity of goods or materials, and unanticipated shifts in demand can quickly have a domino effect. Add in the less predictable factors such as talent or hiring shortages, political instability, and a global pandemic that creates the perfect storm for all of the above and our interconnectedness quickly becomes a tangle of chaos.

That’s not even mentioning cyber risks in the supply chain, which in the past two years have become endemic.

“A cyberattack can cripple the supply chain system as much as any other disruption,” said Mark Greisiger, founder and president of NetDiligence.

“Both physical and network-based supply chains are under attack ransomware. Our recent claims study shows that ransomware is still the leading cause of loss, to the tune of hundreds of thousands of dollars, and for SMEs that can be an existential threat. With everything interconnected, there are many ways a system can fail— upstream, downstream, sideways.”

Predicting some specific risks such as ransomware or climate change disruptions may be easier than others and regulators are expecting companies to show they are prepared for them. Pearce said, “There is a lot of pressure on public companies these days to be very descriptive in their risk disclosures regarding climate change and I’m sure supply chain risk will be right up there as well—the risk manager should be anticipating how those things will interact.”

That being said, risk managers should not get caught in the weeds with how any one particular threat will manifest in the organization, Pearce said. The point is to be ready for any and all through a holistic process that can appropriately respond to a broad range of potential events.

“Supply chain risk is really an operations issue with a risk management component to it,” Pearce said.

He stresses that a risk manager will likely not be successful trying to rewrite operations. Their time would be better spent developing visibility into the entire supply chain to better identify and mitigate emerging threats. Technology or specialized services that perform web crawls to identify issues with a supplier base—think labor disputes, human rights violations, or criminal activity—can be helpful in this regard.

Contracts with key suppliers should be updated to reflect prioritization, non-performance penalties and any other concerns. Pearce says second tier visibility—understanding who supplies your suppliers—is also important. Using automated tools and technologies to manage all of these processes will be more efficient.

A thorough incident response plan that includes identifying all possible scenarios, assigning roles and responsibilities, and tabletop scenario modeling is excellent preparation for risks.

“My advice for a risk manager would be to anticipate the possibility of a cyberattack disrupting your supply chain,” said Greisiger.

“Discuss it with your broker. What cyber coverage do you need for that eventuality, and what technical/loss control resources could your insurance carrier provide? Include a playbook for that scenario in your Incident Response Plan (IRP). Consider hosting your IRP with a third-party (off your network) so you can access it even if the cyberattack spreads from the supplier to your organization.”

To make the supply chain more resilient, companies can take preemptive action to reduce over dependencies, identify alternative sources and redeploy talent to minimize bottlenecks, Pearce says.

“You don’t want to plan for last year’s problem. You want to generically prepare. Sooner or later, all these ships off the shoreline will be emptied out. But the issue of supply chain risk, which has multiple determinants, will persist.”

More Risks and Trends Ahead in 2022

Taking all of the above into account, we asked industry insiders for their predictions about what trends risk managers should be on the lookout for in the New Year. Not surprisingly, supply chain and cyber were mentioned. But as we see below, there are a few others risk managers might want to think about.

Increased Policyholder Engagement

“There has been a shift in cyber insurance to proactively alert prospective and current policyholders to vulnerabilities by tapping into digital tools, including AI-driven cybersecurity scans,” said Lauren Winchester, vice president of risk and response for Corvus Insurance.

“In 2022, I expect it will become increasingly necessary for policyholders and their insurance providers to work even more closely to identify new areas of vulnerability and cyber threats as they arise and work to quickly eliminate the risk. Insurance providers that wish to truly combat risk and mitigate the destructive impact of cyber attacks will lean into tech-enabled policyholder engagement.”

Supply Chain Vigilance

“When you’re dealing with small suppliers in the supply chain, you need to make sure that you aren’t at risk of them being characterized as your employees,” Pearce said.

“You want to make sure that your efforts are harmonized with anything that’s done in the worlds of corporate social responsibility, diversity, equity and inclusion, environmental and social and governance areas. Some of the other things to look out for would include mobility bans on talent, whether because of COVID or because of political risk,” Pearce continued.

“International data transfers happen a lot more than people think and personally identifiable information is crossing country borders. That can be a risk because the United States is deemed by much of the rest of the world to be deficient in its data privacy protections, so that needs to be part of the supply chain consideration. Scarce commodities are probably going to continue to be a prominent issue for years to come.”

Ransomware is Here to Stay

“Ransomware is the defining force in cyber risk in 2021 and will likely continue to be in 2022,” Jason Rebholz, CISO, Corvus Insurance said.

“The increased visibility brought a positive shift in the security posture of businesses looking to avoid being the next news headline. We’re starting to see these proactive efforts pay off, and my hope is that this trend will continue,” he added.

“In 2022 we can likely expect to see threat actors pivot their ransomware strategies. In a shift from a single group managing the full attack life cycle, specialized groups have formed to gain access into companies who then sell that access to ransomware operators. As threat actors specialize on access into environments, it opens the opportunity for other extortion-based attacks, such as data theft or account lockouts, all of which don’t require the encryption of data. These shifts call for heavier investments in new tactics to manage the volatility.”

And Here are Seven More Risks or Risk Management Trends

Mahesh Natarajan, the Cognizant’s head of strategy, insurance solutions, gave us seven more to think about.

The emergence of new business domains will accelerate blurring lines between traditional industries

“In the post-Covid-19 era, businesses are rethinking core and sustainability while divesting non-core businesses or splitting conglomerates into new entities to create shareholder value. With the ever-increasing need to adapt business models to how customers engage with products and services, we expect to see the emergence of new business domains that overlap and integrate services from several traditional industries. We should expect these new domain companies to build the business model around customers and get the attention of private equity money to forge unlikely partnerships. 2022 may be the year where this phenomenon will give rise to more embedded insurance products.”

Employee wellness will continue to spur innovation and development of new group products

“Wellness products are all the rage and for a good reason. Anything that promotes happiness and physical, emotional, and financial health is a win for all involved. Risk can be dialed down for many insurance products, employers’ benefit from having more productive staff who are less likely to leave, and individuals can lead more fulfilling lives. The shift in 2022 will be that more buyers will look to voluntary products—particularly those sold D2C in a digital-first model. So employers face an imperative as they try to use benefits as a retention tool. They create better employee experiences quickly and get more dialed into the products that employees desire, or they can choose other, more expensive methods to address the active war for talent.”

Mahesh Natarajan
Head of Strategy, Insurance Solutions

Every software provider becomes a no-code provider

“2021 was when no-code /low-code platforms gained notoriety, offering more power to people to automate processes, develop new applications and build new customer experiences without ever writing a single line of code. Although the jury is still out on the promise of the no-code platforms to change the world, core systems and enterprise software providers do not want to be left behind. In addition to some blockbuster IPOs and acquisitions of these platforms, we expect to see every software provider announce themselves as participants in the no-code revolution.”

Digital purchasing experience comes of age

“Consumers have been buying things online since before the Millennium. (Remember Travelocity selling airline tickets in 1996?) But a decades-long crawl toward increasingly complex online sales capabilities has now shifted to high gear. The expectation for online purchases in every domain is now convenience, speed, and something very close to full service. Insurers are tracking these trends and adapting their processes and unique data assets to meet the challenge. Most insurers are placing “digital-first” bets with the goals of creating seamless purchase experiences, driving behaviors in ways that improve risk profiles and increasing loyalty and engagement. The emergence of better tools (think AI and analytics, for example) will help. But a commercial FOMO (“fear of missing out”) brings real urgency to this shift.”

Changes in permissible data and role of regulating authorities

“Reliance on traditional credit and demographic data are increasingly under scrutiny by regulators, resulting in wholesale changes and limitations on how policies are priced, purchased, and serviced. New data sources, AI, and ML, and related technologies will increasingly come in to address the vacuum created across product development, distribution, underwriting, pricing, servicing, and claims. Such variables will draw more scrutiny from regulators. Insurers will find protracted regulatory reviews of new data sources, predictive models and analytics testing bias, potentially complicating new filings and rate changes until they become approved and repeatable. Leading companies will begin and accelerate investments in 2022 to establish the foundation for dealing with 3rd party data, new rating systems, analytical capabilities and establish streamlined filing processes to differentiate themselves.”

Industry M&A and PE activity will alter the insurance pecking order

“Armed with trillions of dollars, private equity firms are snapping up Insurance books, and VC and PE investments are lavishing Insurtechs. At the same time, insurance companies are actively incorporating digital capabilities from Insurtechs and startups. With more acquisitions being announced every quarter since the beginning of the pandemic, we continue to see a shift in the makeup of the insurer landscape. It is easy to imagine capital, underwriting expertise, and customer experience capabilities from non-traditional sources are applied to underwrite new risks. 2022 may be the inflection point in the industry, where the concept of insurance companies gets unbundled and new providers challenge mega-insurer dominance.”

Corporate board-level activism will become a significant factor that drives strategic planning and operating model changes

“Insurer C-suites have generally had broad latitude in setting their companies’ strategies. But factors that were previously an afterthought are now front and center for many insurers. Under pressure from their boards, most insurers now include Environmental, Social, and Governance (ESG) components in their strategic plans and portfolio strategies. This trend will strengthen in 2022, which will impact diverse issues such as investment returns, employee hiring and retention, ecosystems and partnerships, and the firm’s ability to expand into new geographies. Companies that respond thoughtfully to ESG concerns will have a significant advantage over those that do not.” &

Elisa Ludwig is a contract writer based outside Philadelphia. She has written extensively about cybersecurity issues for the Junto blog on the eRiskHub. She can be reached at [email protected].

More from Risk & Insurance