Lloyd's - Can the 21st century corporation remain secure

The Houston Forum is known as a venue where important issues are raised and I have certainly brought some of my own for discussion this evening. And, while I don't have all the answers, I do have some suggestions and hope that between us we can generate some helpful solutions for Texas business.

I should perhaps start by saying that Texas is Lloyd's number one state: we conduct more business here than anywhere else in the US - over 850 million dollars of direct insurance in 2003 1 alone . On top of that, we also provide reinsurance coverage for insurers located here in Texas who in turn wish to lay off some of their insurance risk. Of the 17 Texan organisations which feature in the Fortune 500, 14 buy cover at Lloyd's 2 and from offshore oilfields to LNG tankers, Lloyd's plays a vital role in helping Texas manage its energy risk.

The most interesting Texan risk I have come across dates back to the 1960s. At that time, Lloyd's was insuring some geophysical vessels for a major Texan company when some pirates pillaged one of the boats off the coast of Africa. Lloyd's, I am delighted to say, not only ransomed the vessel but also returned the crew safely to Texas 3 .

Piracy still exists today, but the security environment in which corporations operate now is very different to the 1960s. This evening I have been asked to address the question "Can the 21st century corporation remain secure?"

I plan to answer that in three parts.

• First, I will discuss Texas at risk today - highlighting four key areas where I believe we need to turn our attention.

• Second, I want to look ahead into cyber-space and examine Texas at risk tomorrow . "Cyber-terrorism" is a popular new buzzword but what does it mean for your business?

• Third, and most important, you might be surprised to know that businesses are not always as prepared as you might think. So I will discuss some specific Texas-targeted risk solutions.

But to set things in context, let me ask a few quick questions.  

First: did you know that the cost of political risk to the global economy is forecast to top a staggering 1 trillion dollars this year? That's up from 200 billion dollars before 9/11, according to insurance broker, Aon 4 .

Second: did you know that of all the big issues, it is security which currently gives CEOs the most sleepless nights? Given a list of typical threats to business, terrorism is rated by business leaders of the world's largest companies as the most serious threat, followed closely by that of cyber risk 5 .

Of course, it's an area of particular concern to American corporations. Recent Lloyd's research showed that half of US companies think the chances of a terrorist attack on US soil has increased in the last two years 6 .

As for Texas, the risk is no less real. To set things in context, let's look back 50 years into history. The morning of April 16, 1947 dawned bright and clear but was a morning that many must have thought was the end of the world. A ship in the Texas City harbor bearing fertilizer destined for war torn Europe, caught fire. The standard emergency procedures weren't followed until it was too late, and a little after 9:00 a.m. there was an explosion and the Texas City Disaster, as it is known, started. Entire buildings collapsed, trapping people inside, and fires quickly spread to the refineries that made up the Texas City industrial complex. The result - some 600 deaths, over 2,000 injuries, and property losses of over 67 million dollars was a terrible toll for a town of 16,000 to bear 7 .

But the point I want to make is this: the explosion was so great that the Strategic Air Command briefly raised the US defense level in fear that it was a nuclear attack. Why emphasise that point? Simply to illustrate that because of its economic make-up and critical importance to the US nation, Texas faces some unique security challenges.

Texas at risk today
So let me touch on some specific challenges.

Ports at risk

First, Texan ports are at risk. Immediately after 9/11, the focus for transport security was, unsurprisingly, on airports. However, the sea provides a vital link between the US and the outside world. Maritime commerce currently contributes nearly 1 trillion dollars to the American economy and more than 95% of foreign trade passes through seaports 8 . And, as the largest US port for foreign tonnage, the Port of Houston is arguably the most important of all 9 .

Yet unlike airports which are physically confined spaces with entry controls, port security is much more difficult to achieve. Ports often extend along sprawling waterfronts. The regulation of what comes in and out is much more difficult. Because of the high numbers of contract and temporary workers, personnel provide an additional security challenge. And the risks extend inland: the Houston ship canal, with the world's second largest collection petrochemical plants, flows deep into the heart of the American economy.

Energy industry at risk

Second, the Texan energy industry is at risk. If you add up the economic implications, the public relations factor, and throw in the impact of environmental damage and clean-up, it's not difficult to see why it's regarded as a prime target.

The remote locations of oil facilities - whether onshore or offshore - and the difficulties of securing them from the outside world make them a particular challenge.

Gas carriers too, whether at sea or in ports, make obvious targets. Specialists reckon that a terrorist attack on a LNG tanker would have the force of a small nuclear explosion 10 . And it's not just the vessels, but the terminals and the whole infrastructure which are at risk from terrorism.

As early as November 2001, the Bush administration received information about a possible terrorist attack on the LNG industry. We can learn the lessons from elsewhere: pipelines are regularly sabotaged in the Caucuses, Africa and Latin America. In Indonesia, Exxon-Mobil's Arun gas processing terminal was forced to shut down for 5 months after an attack earlier this year by separatist rebels. That cost the Jakarta government 100 million dollars a month in lost revenue 11 .

Here in the States, some 255,000 miles of new distribution infrastructure are needed to meet projected demand for natural gas, at a cost of 100 billion dollars 12 . Likewise, the oil industry is drilling in ever more remote locations in order to keep up with demand. As these changes take place, the risks grow and multiply.

Texan buildings at risk

Third, Texan office blocks and residential buildings are at risk. Of course, ever since JR graced the television screen, Texas has been synonymous the world over with high rise buildings. But, as 9/11 showed, what we might see as testament to your economic success can be seen as terrorist targets.

At least we might feel we can control access and security better in these confined spaces. However, in addition to the risk of air attack, car bombs and underground car parks give further rise for concern.

But if these are some of today's security risks, what about tomorrow's? Let's now glance up into cyber-space and examine Texas at risk in the future.

Texas at risk tomorrow?
21st century companies have no choice but to use technology to connect to the outside world - to communicate with customers, suppliers, partners, and their own employees. Unfortunately with that interconnection comes a range of new security issues.

Briefing reporters in Japan at the end of last year, Donald Rumsfeld referred specifically to the growing threat of "cyber attacks" 13 . These - best defined as viruses and hacking-attacks - are now causing high levels of concern amongst business leaders, with 60 per cent worried that they are at risk 14 .

Experts agree that, at the moment, most cyber-crime results from the intellectual motives of "super-kid" hackers, and very little relates to commercial crime or terrorism 15 . But it is expected that could change.

Terrorist technological capability is widely assumed by intelligence experts and the scope for terrorist abuse is increasingly recognised.

Could it happen in Texas? The government, at least, seems to think so. Last year, the Texas Department of Information Resources successfully carried out one of the first state-wide cyber attack simulations, in preparation for the possibility that terrorists could sabotage critical government computer systems 16 .

It's a threat which businesses need to take increasingly seriously too. For example, most oil and gas companies use process control software which, as many of you know, controls safety valves and with which a hacker could wreak havoc.

From a business perspective, the indirect risks are perhaps of just as great importance: loss of customers, and damage to the corporate brand and reputation if such an attack becomes public news.

Texas-targeted risk solutions
But enough of the threats. What can Texas do to manage its risks better?

The good news is that awareness amongst companies both around the world and here in Texas has improved significantly since 9/11. But there is much that remains to be done.

Contingency planning
First, let me start with contingency planning. Any underwriter will tell you that preparedness is key. Yet you may be surprised to know that many businesses actually aren't ready to face disaster when it strikes.

In one recent survey, almost 40 per cent of Western companies admitted that they do not have adequate plans in place to protect against terrorist attacks 17 .

The same is true of cyber-risk. A third of organisations admit that they cannot tell whether their systems are under attack, and believe that their ability to respond to incidents is inadequate 18 .

Some think that contingency planning is too expensive, but in fact the most important steps for surviving a crisis often cost little. Being unprepared can be the most expensive strategy of all. Careful thought and enough time are the important factors. But it is clear that companies must invest more - as much in terms of time as money - in contingency planning, to better prepare themselves against the broadest spectrum of risks which we all fear.

Improved security
Improved security is another step which companies can take relatively easily, but which can make all the difference, according to the experts in our market.

One of the first acts of US Congress back in 1790 was to launch ten cutters to patrol the eastern seaboard and guard major ports from illegal trade and smuggling: this was the foundation of the United States Coast Guard 19 . Moving forward 200 years, that challenge has changed.

In December last year, the Department of Homeland security announced that almost 32 million dollars would go towards improving defences along the Texan coast - with the Port of Houston Authority receiving the largest grant 20 .It's all part of a co-ordinated strategy which, to insurers, seems like a very sound strategy.

But there is no room for complacency. Further investment, even closer co-operation between government departments here as well as internationally, and plugging any gaps in federal law, are all vital.

All business leaders have a role to play too. Many companies have improved their security measures since 9/11, but there is little consistency and standards vary greatly. So where are the weak links? Our underwriters talk about perimeter control, checking of ID, close circuit TV monitoring, and a greater presence of security personnel as the main examples.

In order to improve security, companies will need to allocate funding, educate employees, and work better together with their industry peers to share information and develop solutions across their own corporate boundaries.

Sometimes people fear that additional security just leads to more red tape. But only 16 per cent of global companies feel that security measures introduced since 9/11 have had a negative impact on their business. Even better, over half believe that they have actually helped them to deliver their business goals 21 . It's an investment, and a change of culture, that's clearly worth making.

Greater consideration of insurance
Third, Texas businesses should consider insurance very carefully. The insurance markets learnt the hard way, following the Twin Towers disaster, that terrorism is a risk which needs to be separately priced - and priced at a level commensurate with the risk.

However, many companies are currently not buying coverage. Maybe they feel removed from the risk. Maybe they feel unable to bear the cost, or have still not got used to the idea of having to pay for it 22 .

A new survey by Marsh, a leading insurance broker who works closely with the Lloyd's market, shows that 46 per cent of US companies are buying terrorism cover 23 . The good news is that's nearly double the number buying it this time last year, but the bad news is that over half of corporations remain uninsured - and smaller companies in particular are much less likely to have insurance in place.

Amazingly, and this has particular resonance for Houston, energy companies are the least likely to buy terrorism insurance. Only 18 per cent of energy companies surveyed said they had coverage in place - compared to around 70 per cent of public entities and real estate companies.

The range of risks which terrorism brings is also expanding. Take 9/11, where some 25 per cent of the total 40 billion dollar loss related to business interruption 24 . In today's business environment, the impact of a business temporarily ceasing operation in one location can often be felt right across the world. And in a society where litigation is such a preoccupation, some companies are increasingly concerned about the liabilities they could face in the event of a terrorist attack, and we are seeing emergence of a new terrorism liability market to cover these risks. The hotel industry protecting its guests is one example, but pollution liability following terrorism is another - and so it is as relevant an issue for oil installations as for hotels. Of course, developing innovative solutions for new, complex and difficult risks has always been an area where the Lloyd's market excels, and Lloyd's is a leader in these fields.

Closer attention to risk management by the board
Finally, however, insurance is only part of the solution. In the end, closer attention to risk management is critical. Companies need to recognise that the risk environment has changed, and they cannot rely on 20th century management techniques to solve 21st century problems.

The whole area of cyber risk is one where the insurance market can and does offer solutions, but any insurer will look very closely at the risk management procedures in place before offering coverage. As one Lloyd's expert involved in this field puts it, if best practice is in place it mitigates the risk in 90 per cent of cases 25 .

Whether it's a question of more insurance; or using risk experts to help your business manage security, today's risks no longer fit into easy categories, and in the wake of Sarbanes-Oxley, responsibility for decision making on corporate risk lies in the boardroom.

We seem slow to learn the lesson. Although attitudes towards risk management are changing, it appears that much of the impetus for change is coming from regulatory pressures - rather than being a commercial motivation to manage risk better 26 . A culture of risk awareness has yet to emerge in the boardroom it seems - in only 31 per cent of corporations do all major decisions involve interaction with the risk management team.

Conclusion
In conclusion, success for the 21st century corporation is dependent upon a secure operating environment. All businesses must recognise that terrorism is a long-term problem which will not simply go away. There is no doubt that Texas is a state at risk. With its strong influence in the US economy, its ports, its energy industry, its high rise buildings and its people all contribute to a unique security environment which needs to be managed in a careful and planned way. As business leaders, you cannot become complacent and assume that terrorism is not a problem which will affect you.

Better contingency planning, improved security measures, and closer consideration of insurance are all part of the solution. But in the end the most important change we need to make as business leaders is a change in ourselves. Without a culture of risk awareness in the boardroom, we cannot truly put our hands on our hearts and say we are ready for the 21st century risk environment.

Thank you for listening, and I am happy to take any questions.

Sources

1. X-Changing and Market Reporting, Lloyd's. Report for year 2003.
2. X-Changing and Fortune, February 2004
3. Maxson, Mahoney, Turner. Letter to Lloyd's, October 2000
4. This para: reported by Tony Santiago, Electronic Engineering Times, 6 February 2004
5. Janusian/ Rand/ FT survey, 2004
6. Lloyd's RIMS survey, April 2004
7. All details this para: "The Texas City disaster" - http://www.ezl.com
8. Admiral Thomas H. Collins, US Center for Strategic and International Studies, July 30, 2002
9. Houston in the Twenty-first Century, Robert D. Thomas and Richard W. Murray August 28, 2002
10. Liquid Gas: the Next Terrorist Target? , Dr JCK Daly 2004
11. Alexander's Gas & Oil, 6 May 2004
12. American gas Association, 2004
13. US Defense Agency, November 2003
14. Janusian/ Rand/ FT survey 2004
15. Hiscox, August 2004
16. American management Systems, January 2003
17. CSO survey: Companies lack plans in event of attack: Wednesday, 9 June 2004 , by Paul Roberts, IDG News Service
18. Ernst & Young, July 2003
19. Admiral Thomas H Collins, Center for Strategic & international studies, July 30, 2002
20. Department of Homeland Security, December 2003
21. Janusian/ Rand/ FT survey, 2004
22. CIAB, 2003 survey
23. This and following para: Marsh, August 2004
24. Lloyd's, Altered States, US CFO survey 2002
25. ACE Global markets, reported in The Market, issue 2, 2004
26. This and following sentence: PwC 2004 survey of financial institutions