Katie Kuehner-Hebert

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at riskletters@lrp.com.

Cyber Insurance

A Solution to Cyber Risk Assessment

A new schema will create a standard way for insurers to gather data on cyber exposure.
By: | January 25, 2016 • 5 min read
Digital sketch of the different financial charts

The insurance industry is about to have a clearer idea of just how much exposure it has to cyber attacks on its customers.


Ahead of the February launch of its new suite of cyber risk management tools, RMS has released its recently developed Cyber Exposure Data Schema. The ‘open standard’ data schema will provide the insurance industry with a systematic and uniform way to capture cyber exposure data and manage cyber accumulation risk.

Many insurance companies have created cyber insurance products that are providing useful coverage, but their true exposure in the relatively new product line is still unclear, London-based RMS senior vice president Andrew Coburn said.

“Carriers appear to be getting decent profitability on writing cyber insurance, but the problem is that they don’t know how much they could lose in a bad year – what their ‘cyber catastrophe’ exposure is,” Coburn said.

“Clearly there is a lot of demand but not enough capacity in the market because carriers are nervous about accumulation – what happens if thousands get hit by a cyber attack at one time?”

In conjunction with the new schema, Verisk Analytics in Jersey City, N.J., announced the industry’s first global cyber exposure data standard “to help create a uniform method for data transfer across the insurance value chain.”

Verisk’s catastrophe modeling business AIR Worldwide has also developed a preparer’s guide to assist companies in collecting and storing the necessary cyber exposure data in an open format suitable for modeling.


Scott Stransky, manager and principal scientist, AIR Worldwid

“It’s important to lay the foundation – you can’t build a model until there is a standardized way to put it in a framework for capturing cyber risk,” said Scott Stransky, manager and principal scientist at AIR Worldwide in Boston.

Currently, some insurers just collect information on the potential insured’s industry and revenues, Stransky said.

Other insurers spend a lot of time talking to the company’s information technology staff about their recovery plans, whether they have network intrusion testing, and which devices they actually use for intrusion testing.

RMS created an accumulation management system to help carriers organize and structure their data enabling them to determine how much exposure they have, he said. RMS has also developed detailed scenarios to illustrate the five key cyber events that could occur and cause carriers to lose a lot of money.

“The schema is data architecture – how to organize exposure information in the insurance company to make sure they’ve got their data in the right structure,” Coburn said. “This enables them to report to senior management the exact picture of exposure, and how it’s segmented across the market in different architectures.”

The new data schema for cyber insurance provides firms with a standardized approach to identifying, quantifying and reporting cyber insurance exposure.

The Cyber Exposure Data Schema, developed in collaboration with the Centre for Risk Studies at Cambridge University and with support from eight leading insurance and reinsurance companies, provides firms with a standardized approach to identifying, quantifying and reporting cyber insurance exposure. The schema is both model agnostic and compatible with any exposure management system and will enable firms to:

    • Share and transfer information about exposures in a consistent and standardized format for risk transfer transactions, benchmarking exercises, and regulatory reporting;

  • Report exposure aggregates by different types of coverage and potential loss characteristics to a level of granularity that can inform risk appetite decisions;
  • Assess and monitor an insurer’s risk appetite, by estimating losses from accumulation scenarios or other types of risk models to the exposure recorded;
  • Clarify silent or affirmative covers by identifying insurance policies that may have ambiguity in whether they would pay out in the event of a cyber incident.

The Cyber Exposure Data Schema was developed by the Centre of Risk Studies at Cambridge University and supported by RMS, Amlin Plc, Aon Benfield, AXIS Capital, Barbican Insurance Group, Canopius Managing Agents Ltd., RenaissanceRe Holdings, Talbot Underwriting, and XL Catlin.

To develop the Cyber Exposure Data Schema, the Cambridge Centre of Risk Studies consulted with a broad range of organizations seeking to harmonize cyber exposure reporting, including cyber risk experts, cyber insurance writers, and industry organizations such as the Lloyd’s Market Association, U.S. rating agencies, the Reinsurance Association of America, and the Chief Risk Officers Forum.

In the London market, Lloyd’s has mandated that all companies within its syndicates or under its management need to report their cyber exposure by the end of the first quarter in March.

In addition to making its Cyber Exposure Data Schema available to all industry participants, RMS has also collaborated with Lloyd’s of London and AIR Worldwide to help the growing cyber insurance market quickly establish the core data requirements for managing cyber risk common to both modeling firms.

By using similar terminology and precise definitions, in addition to highlighting the common elements across their data schemas, the initiative will make it easier for companies to code existing account data to identify their potential cyber accumulations.

“Cyber insurance is an important new area of coverage, and it is essential that we have good-quality standardized data to track exposures,” Tom Bolt, director, performance management, Lloyd’s of London, said in announcing the new schema.

“I am delighted that RMS has collaborated with us to help standardize some common data requirements and that their new data schema incorporates this.”

Bolt noted that Lloyd’s also collaborated with AIR to “help standardize some common data requirements and … their new data schema incorporates this.”

In the London market, Lloyd’s has mandated that all companies within its syndicates or under its management need to report their cyber exposure by the end of the first quarter in March.

“That was one of the drivers for getting the RMS schema published now,” Coburn said. In early February, RMS will release its cyber accumulation management system which includes the five scenarios.

“While the problems are the same in every region, the U.S. is further ahead of other markets in writing cyber risk; the large majority of cyber insurance premiums are written in the U.S.,” he said.

“There are still many more companies in the U.S. market that are very keen to expand their capacity, so it’s a universal problem.


“Our purpose is not to stop insurers from collecting this information or force insurers to collect more – the guide is really a framework for how companies can think about which fields are more relevant than others,” he said.

In addition, AIR Worldwide has developed an SQL implementation to allow organizations to begin to use the standard in their enterprises. In the coming months, the firm aims to provide SQL scripts that can be used for deterministic scenario analysis and accumulation analysis.

One example would be finding out what types of encryption that insureds are using, Stransky said. The firm could use a query to find flaws that could impact the carrier’s book of business.

“We want to make this practical so carriers can use this right away, but also flexible to allow growth within the framework – something that adds value,” he said.

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at riskletters@lrp.com.
Share this article:

Higher Education

Hazing Risks

University relationships with student organizations can help mitigate the risk of hazing.
By: | January 25, 2016 • 4 min read

Hazing is strictly prohibited on virtually all college campuses, yet it still happens. And it can still tragically lead to death.


More than half of college students involved in clubs, teams and organizations experience hazing, according to Stop Hazing, a nonprofit that serves as a resource for hazing research and prevention.

Its survey of 11,000 college students, in conjunction with The North American Interfraternal Foundation, found that alcohol consumption, humiliation, isolation, sleep-deprivation and sex acts are common hazing practices across all student groups.

John McLaughlin, managing director, higher education practice, Arthur J. Gallagher Risk Management

John McLaughlin, managing director, higher education practice, Arthur J. Gallagher Risk Management

“Any college or university that has a large Greek population or athletic teams is concerned about hazing practices, which can also occur throughout the campus, including in marching bands,” said John McLaughlin, managing director, higher education practice at Arthur J. Gallagher Risk Management in Itasca, Ill.

“Universities have been very strident and specific about prohibiting hazing in any form on campus,” he said, as do the organizations themselves.

While fraternities seem to be most targeted in discussions about hazing, the practice is by no means limited to Greek life.

In 2011, Florida A&M Marching Band member Robert Champion was beaten to death in a hazing incident.

According to a 2014 research study published in the “Journal of Research in Music Education,” nearly 30 percent of marching band members responding to an online questionnaire indicated they observed some form of hazing in their marching band.

The most common acts involved public verbal humiliation or degradation. Most went unreported.

Universities have strict policies prohibiting hazing, and virtually all provide training for students during orientation, McLaughlin said. Many organizations provide additional training to students who are members of Greek organizations.

“There are many creative steps to be more engaged with the Greek organizations, including requiring live-in adults to supervise students in Greek housing,” he said.

The most common acts involved public verbal humiliation or degradation. Most went unreported.

By and large, universities are covered under their insurance policies if they are named in suits alleging failure to supervise university organizations, or failing to take appropriate action to prevent hazing, McLaughlin said.

In addition, if hazing is done by a university employee, such as athletic coaches, the institution would be protected under their policy, but there may be limited coverage for the employee.

In addition to communicating to freshman at orientation, many institutions reinforce the perils of hazing to upper classmen, as well as to the advisers of Greek organizations who are expected to look out for hazing, said Richard Vohden, national education practice leader at Marsh Risk Consulting in Morristown, N.J.

“There is zero tolerance for any kind of hazing,” Vohden said. “Even keeping pledges up past 2 a.m. in the morning or scavenger hunts where someone else’s personal property can be taken are prohibited activities.”


Many institutions also make sure to communicate to organizations that hazing is considered a criminal office in 44 states.

“For example, a pledge died due to hazing at a New York City university, and members of that fraternity were indicted for murder,” Vohden said.

In that case, five members of Baruch College chapter of the Pi Delta Psi fraternity in September 2015 were charged of third-degree murder, nearly two years after the death of Chun Hsien Deng, who was seeking to join the fraternity and was fatally injured during a hazing event.

Deng was blindfolded and forced to wear a backpack filled with sand while taking blows from fraternity members as he tried to cross a frozen yard during a weekend retreat in the Poconos, according to press reports.

He was knocked unconscious and carried inside, but instead of immediately seeking help, the fraternity members used their cellphones for searches using phrases like “concussion can’t wake up,” and called a national fraternity leader, who is accused of telling them to hide any possessions identifying the fraternity.

An hour passed before fraternity members drove Deng to the hospital, where he died.

In all, 37 members of the fraternity were criminally charged, and the national fraternity itself also faces criminal charges, including murder.

Leta Finch, national leader higher, education practice, Aon Risk Solutions

Leta Finch, national leader higher, education practice, Aon Risk Solutions

“Schools have done a good job of trying to prevent hazing, but more recently school and Greek organizations have become much more scrutinized,” said Mark Turkalo, national education and public entity placement leader at Marsh in New York City.

“Because of the increased awareness and exposure to hazing, some are being told by their carrier that they would no longer be insured and to find coverage elsewhere.”

Insurance is becoming a lot more difficult for Greek organizations to obtain, Turkalo said. Hazing is an exclusion and retentions continue to rise.

A university’s influence in mitigating hazing depends on the relationship between the institution and the organization, said Leta Finch, national leader higher, education practice at Aon Risk Solutions in Burlington, Vt.


It is more difficult for institutions when they maintain an arm’s length relationship, she said. If there is a close relationship, the university can be involved in establishing policies and inspecting housing facilities.

“For those schools that have banned Greeks, in some cases there are underground Greek societies that have been established,” Finch said. “Schools can’t prevent students forming these organizations, though sometimes these underground Greeks have caused hazing injuries that have resulted in death.”

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at riskletters@lrp.com.
Share this article:

Political Risk

Managing Risk Amid Turmoil

Insurers and brokers are developing unique tools to help insureds stay ahead of global political risks. 
By: | December 14, 2015 • 7 min read

Multinationals and their supply chains are continuing to be challenged by political upheavals, from ISIS to Europe’s refugee crisis, to growing territorial rifts over shipping lanes in Asia.


To help risk managers better assess exposures, insurers, brokers and specialty firms are offering sophisticated tools to monitor the impact of political turmoil on various geographies and industries.

Such tools are becoming critical as an unexpected crisis can pop up virtually overnight, said Yoel Sano, head of political risk at BMI Research in London, part of Fitch Group. The research firm offers “Total Analysis,” an online platform containing the firm’s forecasts, analysis and data.

“It’s becoming increasingly clear that seemingly obscure things can emerge quite quickly as a big thing — in 2014 we saw the rise of ISIS in Iraq and Syria and also the conflict in eastern Ukraine,” Sano said. “Hardly anyone was paying attention to these events beforehand, and suddenly they were center stage. I think the overall speed of world history has increased over the past generation thanks to the internet, especially social media, and one aspect of that is a sudden increase in risk.”

Yoel Sano, head of political risk, BMI Research

Yoel Sano, head of political risk, BMI Research

Organizations seeking to build facilities or acquire companies in foreign markets are often there for the long haul and need to be fully cognizant of what they are getting into, he said.

“Investors don’t like uncertainty — they like to know what’s going to happen,” Sano said. “Sometimes uncertainty is worse than the event itself.”

BMI also analyzes how political decisions could likely affect economics and financial markets, such as the recent Trans-Pacific Partnership multinational trade agreement. Moreover, the firm also outlines alternative scenarios on risks that may not be apparent, “so that our clients are not ‘caught in the headlights.’ ”

Tools Emerging

The Hostile Environment Liability Protection (HELP) program — a consortium led by Beazley Syndicate at Lloyd’s that provides risk mitigation, crisis response and insurance for “hostile or complex environments” — recently added an “Intelligence Panel” consisting of three risk and strategic consultants firms, G4S Risk Analysis, Contest Global and Aegis Advisory.

London-based Contest Global helps clients “manage every aspect of their intelligence operations,” whether it is collecting new and hard-to-access information, analyzing data by applying the latest structured analytical techniques, or generating intelligence judgments designed to inform real-world decision-making, said Chris Mackmurdo, founding director.

For instance, this year the firm has been helping a number of banks in London come to grips with the risks presented by ISIS in Syria and Iraq, he said. A major factor is the issue of illicit oil connected with ISIS-controlled oil facilities in the region.

Chris Mackmurdo, founding director, Contest Global

Chris Mackmurdo, founding director, Contest Global

“There are sanctions in place that will punish anyone involved in trading or otherwise moving oil products connected with ISIS, which presents a serious challenge to banks and any company within the oil supply chain,” he said.

“The onus is on them to devise strategies to mitigate their exposure to these risks and protect themselves against any operational and reputational damage.”

Mitigation takes certain steps. Organizations must be able to collect information from multiple sources to identify any immediate or potential problem. They must also have in place a process to analyze, assess and prioritize risks based on the information available, “which will never be complete.”

They must develop risk mitigation strategies and communicate them to all stakeholders involved in implementing them, from strategic through tactical and operational personnel. Finally, they must monitor the effectiveness of their processes and strategies, refine requirements and adapt to change quickly.


The key for risk managers is being able to communicate intelligence data to decision-makers effectively, Mackmurdo said.

“You can have all the tools in the world, but unless you can influence the people making decisions, you aren’t going to change people’s minds and behaviors — so how you present the information is crucial,” he said.

Hart Brown, head of organizational resilience at HUB International, said that things often come up that clients had not anticipated prior to market entry, whether they’ve inherited operations or chose to speedily go into a market to capture market opportunity and later evaluate the risk.

While some companies are eager to take on political risks, the challenge is managing them.

Hart Brown, head of organizational resilience, HUB International

Hart Brown, head of organizational resilience, HUB International

“For example, in Asia, there is a concern about China … about the expansion of territorial waters that it is claiming, wanting to control certain shipping lanes throughout that region,” Brown said. “This can impact the flow of goods within a company’s supply chain, especially if there is a military buildup, which could very easily result in an accidental collision and overreaction.”

There is no one way to evaluate those risks, and in many cases, there is enough uncertainty that the analyses can be very different, Brown said. “A lot of art goes into it, along with some science.”

HUB starts by creating a risk assessment, quantifying first what a company is already experiencing within a certain market. Risks assessed include governance within that country, the business environment within that area, issues related to conflict and security, labor and economic issues within that space, and also challenges related to cyber crime.

HUB creates scorecards and dashboards to help the client understand those risks. Then it establishes the key things that clients need to monitor and include in a protective intelligence program.

“We give them analysis in a timely enough fashion to avoid potential disruption within their supply chain,” Brown said. “If we see the political climate beginning to change, clients can proactively ship material faster than they normally would.”

Actionable Intelligence

Visualization and analytics play increasingly important roles in such analyses, he said. HUB takes the intelligence it gathers and puts it on a supply chain map, overlaying the risks in a way that’s easy to see and “more impactful.”

The firm is also using analytics of sources including social media and news reports.

“We’re able to map out, in many cases, what’s going on and do a trend analysis, pinpointing the date and time when a disruption is going to occur,” Brown said.

Aon Risk Solutions provides clients with a global interactive map, designed to allow clients “to get a pretty good snapshot of what the world is like at this point in time,” said Roger Schwartz, New York-based senior vice president and political risk practice leader at Aon.

“Clients who have used this map may not have realized a particular country’s risks, which induced them to do more research on whether they need to get more coverage for their subordinates operating in that country,” Schwartz said.

For example, a recent snapshot of Venezuela on the map stated that the country “continues to have elevated risks in all areas, with particularly high exchange transfer, legal and regulatory risk ratings.”

“Structural issues and government mismanagement leave Venezuela very vulnerable,” according to Aon’s snapshot. “Sovereign non-payment risks have increased as lower oil output and revenue have weakened Venezuela’s cash flow and reduced its ability to pay its sizeable debts. Venezuela’s exports of crude oil have fallen in volume due to government interference and underinvestment.

“Although default on international sovereign debt is still only a risk scenario, arrears to local and global companies are rising, consistent with Venezuela’s high sovereign non-payment risk. After years of high levels of government interference, political violence and protest is rising due to food shortages. The current exchange rate mechanism is not functioning, and capital controls are hitting production.”


The interactive map also contains a variety of tools, including an “Exposure Calculator” and “Country Analysis Tour,” to compare risks in different areas, as well as a rate tracker and pricing model, to help clients determine what the costs of risks are going to be.

Aon also provides “Portfolio Manager,” a web-based tool that monitors a client’s portfolio of exposures including amortization, providing historical, current and future in-depth analysis of country, obligor and counterparty exposures.

“We are one of the very few brokers that have this in-depth tool kit, and we also work with them to determine solutions that are appropriate,” Schwartz said.

Still, “multinational corporations operating in emerging markets have access to any number of tools, and the service we provide helps them identify and manage risk, but it’s not intended to be a stand-alone service.”

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at riskletters@lrp.com.
Share this article: