Cyber Challenges Still Evolving
Some chief information security officers fail to see the value of standalone cyber-risk coverage, while some brokers give the impression that traditional policies cover many of the same risks.
These factors have contributed to surprisingly low recent take-up on standalone cyber coverage, according to Charles Cowan, counsel to law firm Drinker Biddle & Reath’s insurance transactional and regulatory team.
Cowan and Andrea Best, a partner with Drinker Biddle, addressed four emerging areas of cyber-related risk on May 19 in the Old Lloyd’s Library, built in 1928 and now in the basement at Lime Street. That very day, Lloyd’s announced its move into cyber coverage in Poland.
In the heavily wood-paneled atmosphere of the past, the speakers addressed four potential horsemen of the digital apocalypse.
Cyber-risk itself, drones, autonomous vehicles, and ride/car share all fall under the cyber umbrella and share a primary reliance on data that is largely not yet available, given the newness of the risks. The lack of data means that none of these risks is yet properly understood.
“First and foremost in cyber risk,” said Cowan, “is the need for data. Not a lot of reliable data exists about incidents and where future potential attacks might be, or of what size.”
Cowan added that little litigation has yet taken place to clarify the validity of exclusions. The wording of the standard war exclusion “requires a hostile act by a foreign Government,” he said, “without naming names.” The Sony hack, reportedly by the Government of North Korea, came to mind.
Following another hack that exposed some 80 million customer and employee records at Anthem Health Insurance, the company notified and conducted its correspondence with its customers on paper, Cowan said. (Target experienced further opportunist email hacking after advising its customers by email that the personal data of up to 70 million customers, including credit card numbers, had been stolen in late 2013.)
“For larger breaches, costs can be astronomical,” Cowan said, citing a three-year-old U.S. report that valued the average stolen record at about $180. Cowan, who had left Lloyd’s three weeks earlier, is now working with the Department of Homeland Security on garnering more timely information.
About 80 percent of commercial unmanned aerial systems, or drones, are used in agriculture. The U.S. economy might expect to earn $82 billion from the use and knock-on effects of drones by 2025, and the FAA is due to issue a set of standards in this as-yet largely unregulated area.
Liability issues abound: criminal activity, matters of privacy and trespass, nuisance and general danger, air traffic problems, misdirected payloads, and of course hacking. “Any system is hackable,” Cowan said.
The Institute of Electrical and Electronics Engineers forecasts that as many as 75 percent of all vehicles, some with removable steering wheels, are expected to be autonomous by 2030, Best said. Legislation in the U.S. is being enacted at the state level (five states plus Washington, D.C.), or has failed (12 states), or is not being considered at all.
Autonomous vehicles will require sensors for vehicle-to-vehicle communication, “but we’ll also have to have sensors on buildings, bridges, traffic lights and other objects we’ll have to navigate around,” Best said.
“The ultimate question, if this technology really takes off, and is so safe, is how much of an automobile insurance coverage market will there be left?” — Andrea Best, partner, Drinker Biddle & Reath
It is not yet clear who will need coverage. Manufacturers of the vehicles? Of component parts? Of the sensors? One known unknown is whether driver premiums for autonomous vehicles will fall, due to the lowered risk, or increase for traditional hands-on drivers.
“The ultimate question, if this technology really takes off, and is so safe, is how much of an automobile insurance coverage market will there be left?” Best asked.
Coverage challenges include the reliability and vulnerability of the technology, the adaptability of the driving public, and the hackability of the autonomous systems.
“These are probably just interim challenges,” Best said. “Given the level of investment, and how much of a push there is for (autonomous vehicles), these issues will fall away.”
The former will be familiar from transportation network companies such as Uber, which arrange one-time shared rides on short notice, and others that arrange transportation for a fee using online technology platforms.
The latter includes peer-to-peer car rentals organized by program administrators (such as RelayRides and Getaround) for short periods of time.
“Both services present new insurance coverage challenges,” Best said.
Ride-sharing is typically excluded from personal auto policies, creating coverage gaps. NAIC has issued a white paper to help state insurance regulators, and legislation is pending in more than 35 states. Similar coverage gaps exist in the car-sharing realm.
As if these four risks were not enough to digest, on the subject of emerging risks, in Best’s words, “we could have covered any number of topics and be here for hours.”
CROs Gaining Authority, Survey Finds
The forces of change are continuing to reshape the insurance industry and its chief risk officers (CROs) are at the forefront of that change, reports Ernst & Young Global, aka EY.
The professional services multinational just published its fifth annual survey of CROs in the insurance sector. Conducted between December 2014 and February 2015, the survey canvasses views from various senior risk executives at 20 North American insurance companies, with life, P&C and multi-line insurers all represented.
The findings show that “the most profound forces of change” are reflected in an evolution of the CRO role. They have greater authority, are assuming greater responsibilities and gaining an enhanced profile across the organization, with effective risk management increasingly regarded as contributing to market success.
Ways in which this enhanced profile is evidenced include direct participation on key strategic business matters, larger staffs than before and a wider use of stress testing. Nearly three in four CROs told EY that their department had expanded in the past year.
Along with more stress tests, additional staff are needed for operational risk, the own risk and solvency assessment (ORSA) and model risk management. Risk management today is closely “integrated with the business, rather than being an afterthought,” according to one survey respondent.
The report identifies three current key themes cited by CROs:
Capital Standards Still Confuse
The lack of common accounting standards and capital measures makes it difficult to compare performance and solvency across companies. Insurers employ various capital measures, many specific to the company, to analyze their risk exposures over a range of time periods and under different normal and adverse scenarios. The quantitative impact survey (QIS) launched last September by the Federal Reserve Board and field testing by the International Association of Insurance Supervisors (IAIS) persuaded several companies to consider new approaches to regulatory capital treatment.
Expanding risk management capabilities and the hiring of more risk staff confirms that it has become a team activity, played across and at every level of the enterprise.
More Regulations and Intrusive Regulatory Oversight
CROs from insurers not already regulated by the Federal Reserve Board accept, grudgingly, that they will also come under its spotlight. Until recently these CROs were confident that current state-based requirements would remain unchanged, but now accept that the two regulatory regimes, with different risk management standards, will probably converge around more stringent guidelines.
Risk Management Is a Team Sport
The 2015 survey shows CROs spending more time and effort on integrating risk management practices into the business. For some, the risk management function’s value is chiefly measured through its integration with the business. Expanding risk management capabilities and the hiring of more risk staff confirms that it has become a team activity, played across and at every level of the enterprise.
Past and Future Challenges
Asked to identify the main risk challenges currently occupying the insurance industry, 40 percent of CROs surveyed cite the slew of regulation and pending common capital standards. Although a distant second, 14 percent picked cyber risk, showing the CRO’s agenda now extends beyond financial risk. Easing concerns over interest rates and the economy as well as renewal of the Terrorism Risk Insurance Act (TRIA) saw both dip from a year ago to 13 percent and 10 percent respectively. Lingering worries that TRIA might not be extended was subsequently resolved at the end of January. Competition and pricing levels also scored 10 percent.
Looking ahead to the main risk challenges of the next 12 months, 28 percent of CROs surveyed cited capital modeling and stress testing. Three tasks: establishing an enterprise risk management (ERM) framework and governance; integration and transparency; and assessing risk appetite each attracted 15 percent, while both emerging risks and operational risks were cited by 9 percent. Still a high priority a year ago, ORSA has since fallen off the list as many institutions have since participated in one of the three pilots or produced an ORSA draft.
Longer-term, insurance industry CROs expect greater authority and accountability, increased influence and broader interaction over the next few years, with their role becoming more visible and more accountable as it becomes better defined. In the meantime, they are focused on performance and creating value for the business. As one respondent commented, “we are spending less time on defining and debating the role and approach and more time on executing our risk plan.”
Making the Marine Industry SAFE
When it comes to marine based businesses there is no one-size-fits-all safety approach. The challenges faced by operators are much more complex than land based businesses.
The most successful marine operators understand that success is dependent on developing custom safety programs and then continually monitoring, training and adapting.
After all, it’s not just dollars at stake but the lives of dedicated crew and employees.
The LIU SAFE Program: Flexible, Pragmatic and Results Driven
Given these high stakes, LIU Marine is launching a new initiative to help clients proactively identify and address potential safety risks. The LIU SAFE Program is offered to clients as a value added service.
“The LIU SAFE program goes beyond traditional loss control. Using specialized risk assessment tools, our risk engineers function as consultants who gather and analyze information to identify potential opportunities for improvement. We then make recommendations customized for the client’s business but that also leverage our knowledge of industry best practices,” said Richard Falcinelli, vice president, LIU Marine Risk Engineering.
It’s the combination of deep expertise, extensive industry knowledge and a global perspective that enables LIU Marine to uniquely address their client’s safety challenges. Long experience has shown the LIU Risk Engineering team that a rigid process will not be successful. The wide variety of operations and safety challenges faced by marine companies simply cannot be addressed with a one-size-fits-all approach.
Therefore, the LIU SAFE program is defined by five core principles that form the basis of each project.
“Our underwriters, risk engineers and claims professionals leverage their years spent as master mariners, surveyors and attorneys to utilize the best project approach to address each client’s unique challenges,” said Falcinelli.
The LIU SAFE Program in Action
When your primary business is transporting dry and liquid bulk cargo throughout the nation’s complex inland river system, safety is always a top concern.
The risks to crew, vessels and cargo are myriad and constantly changing due to weather, water conditions and many other factors.
SCF Marine, a St. Louis-based inland river tug and barge transportation company and part of the Inland River Services business unit of SEACOR Holdings Inc., understands what it takes to operate successfully in these conditions. The company strives for a zero incident operating environment and invests significant time and money in pursuit of that goal.
But when it comes to marine safety, all experienced mariners know that no one person or company has all the answers. So in an effort to continually find ways to improve, SCF management approached McGriff, Seibels & Williams, its marine broker, to see if LIU Marine would be willing to provide their input through an operational review and risk assessment.
The goal of the engagement was clear: SCF wanted to confirm that it was getting the best return possible on its significant investment in safety management.
Using the LIU SAFE framework, LIU’s Risk Engineers began by sending SCF a detailed document request. The requested information covered many aspects of the SCF operation, including recruiting and hiring practices, navigation standards, watch standing procedures, vessel maintenance standards and more.
Following several weeks of document review the LIU team drafted its preliminary report. Next, LIU organized a collaborative meeting at SCF’s headquarters with all of the latter’s senior staff, along with McGriff brokers and LIU underwriters. Each SCF manager gave an overview of their area of responsibility and LIU’s preliminary findings were reviewed in depth. The day ended with a site visit and vessel tour.
“We sent our follow-up report after the meeting and McGriff let us know that it was well received by SCF,” Falcinelli said. “SCF is so focused on safety; we are confident that they will use the information gained from this exercise to further benefit their employees and stakeholders.”
“It was probably one of the most comprehensive efforts that I’ve ever seen undertaken by a carrier’s loss control team,” said Baxter Southern, executive vice president at McGriff, which also is based in St. Louis. “Through the collaborative efforts of all three parties, it was determined that SCF had the right approach and implementation. The process generated some excellent new concepts for implementation as the company grows.”
In addition to the benefits of these new concepts, LIU gained a much deeper understanding of SCF’s operations and is better positioned to provide ongoing loss control support.
“Effective safety management is about being focused and continuously improving, which requires complete commitment from top management,” Falcinelli added. “SCF obviously is on a quest for safety excellence with zero incidents as the goal, and has passed that philosophy down to its entire workforce.”
“SCF’s commitment to the process along with LIU’s expertise was certainly impressive and a key reason for the successful outcome,” Southern concluded.
There are many other ways that the SAFE program can help clients address safety risks. To learn more about how your company could benefit, contact your broker or LIU Marine.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.