Some of us are old enough to remember when our stand-alone computers first became networked with other computers. Who over 40 years old doesn’t recall sending and receiving that first email?
That profound technological development – networked computing – brought enormous advantages but also set the stage for security concerns, like viruses and malware, which can be an Achilles heel of computer technology.
With the rise of the Internet of Things (IoT), we find that it is more than just our computers that are connected. Our homes, possessions and even our physical bodies are becoming connected.
Arrays of smart, sensor-equipped, connected devices that collect and digitize a wide variety of data are already being used, with exponentially more in development.
Literally tens of billions of “things” containing sensors – cars, homes, medical devices – will be connected in the next several years. An estimated 20 to 50 billion of these “things” are expected to be installed by 2020, with vastly more to follow.
An example is car manufacturers’ strategies to sell “tires as a service.” The car manufacturers use embedded technology to detect tire wear and under-inflation, which improves service and increases safety.
The IoT phenomenon is unfolding faster than developers can address the accompanying security vulnerabilities and risk management concerns. We are living in a new world in which our “things” can tattle on us, compromise our privacy or even harm us.
While telematics in vehicles or home appliances may seem helpful when we need roadside assistance or to diagnose maintenance issues, they can also report our speed or our diet, which to some may seem invasive.
Drones, hidden cameras and driverless cars once seemed like fantasy objects in a futuristic world, but suddenly that future is here, and it is unclear how liability would be assigned when one of these “things” misbehaves or is used to harm another.
That said, not all IoT innovations are harmful. Many IoT products can actually reduce exposures. Home automation startups being incubated by Microsoft Ventures carry a number of safety benefits, such as turning off your stove or protecting your home from water damage.
IBM just announced a $3 billion investment in IoT and is launching a multitude of services that will help make us safer, such as alerting car insurance policyholders of storms to help prevent damage. So it’s important to remember that IoT exposures are not necessarily negative, just different.
With the increased use of internet-connected devices, however, new types of exposures have arisen to increase the possibility of certain damages. This creates an enterprise risk management challenge as businesses seek to harness the exciting potential of this evolving technology while managing the related cyber threats.
The data gathered by IoT is often quite vulnerable. According to a study by HP, it’s estimated that 70 percent of the most commonly used devices contain serious vulnerabilities. Potential concerns include a dangerous hacker disabling a life-sustaining medical device, the brakes in an automobile, or aviation systems from Wi-Fi or power grids.
As it has repeatedly done throughout history, our ability to create new technology is opening up worlds of opportunity. It’s also creating new types of risk.
Plaintiffs’ attorneys will look to those involved in the design, production, delivery and servicing of the IoT device that allegedly causes economic loss, bodily injury or tangible property damage.
While it is impossible to predict the exact impact of the IoT on the insurance industry, this much is clear: future IoT evolution will force the insurance industry to better clarify where coverage starts and stops under each type of policy.
Cyber Insurance Uptake Still Lagging
“It is chronic that organizations are not analyzing the total cost of risk on a relative, comparative basis between tangible and intangible assets,” said Kevin Kalinich, global practice leader of network risk and cyber insurance at Aon Risk Solutions, summarizing the main takeaway from the 2015 Global Cyber Impact report, conducted by the Ponemon Institute and sponsored by Aon Risk Services.
Ponemon surveyed over 2,000 professionals involved with their companies’ cyber risk management and enterprise risk management, working in finance, risk management, compliance or general management roles.
The results revealed a stark contrast between what these professionals say and do about their organizations’ cyber insurance programs.
More than half of survey respondents said they expected their companies’ cyber exposure to increase over the next two years, but fewer than one in five were carrying coverage with an average limit of $13 million.
For example, 52 percent of respondents said they expected their companies’ cyber exposure to increase over the next two years, and 72 percent feel their current cyber coverage is sufficient.
Despite this confidence, only 19 percent of respondents were carrying coverage with an average limit of $13 million; meanwhile, the Ponemon Institute estimated that the probable maximum loss (PML) from stolen or destroyed information assets could reach as high as $617 million.
“Organizations seem to have a different operating philosophy on assets they insure,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Both [tangible and information assets] are viewed as very valuable, but insurance for tangible assets was at 51 percent of replacement value, versus just 12 percent for information assets.”
Kalinich said the discrepancy comes from senior management’s lack of understanding of their information assets’ impact on financial statements.
Companies are investing more and more in technology to streamline their processes and improve the way they do business, which helps to reduce their PML for tangible assets.
But they fail to take into account the total value that the new technology offers and how that changes their cyber exposure.
“They aren’t comparing the relative value of the assets, the relative exposures, and relative insurance spend of tangible and intangible assets,” Kalinich said. “If they do that, I think they’ll come to the conclusion that they are under-insuring on a relative basis.”
Many respondents also do not disclose material losses to uninsured information assets in financial statements (32 percent) or do so only as a footnote disclosure (36 percent). Not viewing technology as a “balance sheet asset” could contribute to management’s tendency to overlook its value, Ponemon said.
According to the report, only 26 percent of respondents said their company had conducted a formal, third-party assessment of cyber risk. Most had either no assessment (20 percent), or a very informal one (39 percent).
However, part of the problem lies on the insurance provider side as well. Many respondents said they chose not to purchase cyber insurance because coverage was insufficient, came with too many exclusions or restrictions, or executive management did not see the value, among other reasons.
They have a point.
According to Kalinich, broad and comprehensive coverage with large limits does exist for PII exposure, but not for non-PII cyber exposures such as supply chain or manufacturing disruption, or “tangible damage resulting from an intangible peril.” Those solutions will continue to evolve as the industry gathers more actuarial benchmarking data, he said.
A Global Perspective
As any traveler knows, the world is full of uncertainty and dangerous places, where the challenges of simply trying to run a profitable business far from home are complicated by even greater risks, such as political violence, civil unrest, credit risk, corruption, expropriation of private assets by the government, and more.
Anyone doubting this need only take a look at current events. Some 70 percent of the world’s nations currently have serious corruption problems throughout their governmental and civil service framework. Nearly 40 percent of all nations are experiencing some form of significant civil unrest. Signs of economic distress are everywhere, from falling oil prices to Eurozone debt crises to economic slowdown in China.
Despite such geopolitical risks, the world still needs its businesses to continue running amid dangers that range from warfare and terrorism to punishing economic conditions caused by international sanctions, to simple graft and hostility toward foreigners.
For global and multinational companies, keeping an eye on their political risk profile is as important as handling worker safety, environmental impact, products liability, or any other insurable risk. Thankfully, political risk exposures are insurable as well, and Starr Companies is there to provide its clients with robust political risk insurance coverage, a suite of unique support services that truly is second to none, and the ability to educate clients on how to manage their political risk.
Political risk hazards generally fall into one of the following categories:
Breach of Contract and Non-Honoring of Financial Obligations
These related hazards involve the failure of a local actor to uphold their contractual or financial obligations to a foreign investor, and the inability or unwillingness of local authorities to intercede on the foreign investor’s behalf. This is perhaps the most common form of political risk hazard, as it is a major problem in any environment where there is substantial economic instability and/or corruption.
Confiscation of Property
Also known as “expropriation,” “ownership risk” and “nationalization,” this is when a government seizes property or assets without compensating the owners for them. An overt example of expropriation would be a revolutionary government seizing an office building or a factory belonging to a foreign-owned corporation. An example of creeping expropriation would be a series of successive events by a government to gradually deprive an investor of their property rights.
This is when the local laws change in such a way as to constrict foreign investors’ economic activity in some way. It could range from creeping expropriation to changing taxation or labor laws that might simply make it far less profitable or far less efficient for a foreign entity to operate in a local jurisdiction.
Inconvertibility of Currency
Also known as “transfer risk,” this is when a government takes action to prevent the conversion of local currency to another form of currency, making it difficult or impossible for foreign investors to transfer their profits elsewhere. This tends to happen in countries undergoing some kind of political crisis, like when Zaire—now the Democratic Republic of Congo—declared a new national currency in 1980.
Property or income losses stemming from violence committed for political purposes, including, but not limited to, declared and undeclared warfare, hostile actions taken by foreign or international forces, civil war, revolution, insurrection and civil strife (politically motivated terrorism or sabotage).
Kidnap and Ransom
Political violence might also manifest itself as a kidnap, ransom and extortion hazard, but that is typically covered by a separate, specialized policy.
To protect against these risks, insurers can provide comprehensive and custom-tailored political risk solutions, which at a client’s request can be broadened to cover investment contract repudiation, currency inconvertibility and political violence. Such policies typically last for periods of 5 to 10 years. Protected assets for this coverage include fixed assets (e.g., a factory, farm, warehouse or office), mobile assets (e.g., harvested natural resources, raw or manufactured inventory or mobile equipment), leased assets (e.g., aircraft, watercraft or construction vehicles) and investment interests in assets abroad (e.g., money dedicated to funding a foreign project, held in a host country bank and subject to expropriation).
Kidnap & ransom coverage protects company personnel and family by providing financial reimbursement for such an event. Depending on the insurer, some K&R programs also provide independent expert consultancy before and after a potential act of kidnapping, ransom or extortion.
Great insurance coverage isn’t enough to adequately protect against political risk, however. Businesses need extra support to stay on top of their exposures, and to know what the latest geopolitical developments are.
Starr Companies, for example, does this through Global Risk Intelligence, a specialized team of political risk experts with long-standing backgrounds in national intelligence and international affairs. GRI delivers to Starr clients a unique risk advisory service that spans the gamut of commercial property & casualty exposures. GRI also produces two assets that are extremely helpful. The first is the Executive Intelligence Brief, a world-class monthly analysis of ongoing geopolitical developments (especially in emerging markets) available exclusively to a carefully selected readership of top executives. The second is the Global Risk Matrix, a quarterly ranking of the overall political security risk of every country on the planet.
The world’s geopolitical landscape is changing at a remarkable pace, with new risks and uncertainties arising in even the unlikeliest of places. And yet, as business becomes ever more globalized, insurers can provide their clients with tailored coverage to absorb the losses that stem from political turmoil. By finding the right insurer, with the financial strength to cover their risks as well as the analytical acumen to help turn risk into opportunity, businesses can create partners in prosperity anywhere in the world.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.