A few weeks ago, I saw a LinkedIn post from Dr. Robert Hartwig that discussed his testimony to one of the U.S. Senate’s subcommittees about the uninsurability of business income from the COVID-19 pandemic. Seeing that LinkedIn post, and reading his testimony, triggered my continuing belief that uninsurability of certain risks has been happening more frequently over the decades.
More specifically, I believe that as we, as a society, become increasingly more dependent on web-connected devices, uninsurability will become more of an issue for both the insurance market and for corporations (and individuals, as well).
I want to thank Dr. Hartwig for giving me permission to use some of his content from his July 21, 2021 testimony to the U.S. Senate subcommittee.
His testimony is titled: “Examining Frameworks to Address Future Pandemic Risk,” and he presented it to the U.S. Senate Committee on Banking, Housing and Urban Affairs, Subcommittee on Securities, Insurance and Investment.
My three key messages
My three key messages for the readers of this blog post:
- There has been, and continues to be, an inexorable shift to (potentially uninsurable) severity from a small but expanding number of risks.
- Not all of the risks that fall into the uninsurable severity category are technology-related or technology-driven. Terrorism and global pandemics fall into the uninsurable severity category (in my opinion), as do, or will, certain ramifications of climate change. None of those three is technology-related or -driven. However, technology, specifically in the form of web-enabled devices, will push more risks – cyber risks – into the uninsurable category.
- Regardless of the insurability or uninsurability of a risk, the risk itself doesn’t disappear from a corporation’s (or individual’s) need to manage the impact of the risk in some manner. (Neither denial nor hope is a risk management strategy.)
Frequency and severity
Almost all, if not all, P&C insurance professionals would tell any person who asked that the two connected concepts of frequency and severity are critical to analyzing and pricing each risk that happens in their target markets or throughout society more generally. (Frequency and severity are also needed to perform claims analysis – before, during and after a claim event – as well as needed for target marketing, product development, setting reserves and surplus and a host of other operational and financial functions.)
These two concepts were at the forefront of my mind when I decided to write this blog post.
The "frequency of severity" is increasing
However, the continual expansion of technology applications is leading society and the insurance industry into more instances of uninsurable severity. Specifically, I believe that what I call the "frequency of severity" of risks is increasing as our society becomes more digitally dependent on the web throughout its operations, home life, transportation, entertainment, shopping, communication and collaboration, and within other personal and corporate activities.
Simultaneously, as web-connected digital capabilities become the lifeblood of society, insurance firms will find fewer opportunities to generate profitable premium because the risk costs will become too large to profitably underwrite.
From a societal and insurance industry viewpoint, we have lived in a situation of "uninsurable severity" before, following the terrorist acts of war of 9/11. Now, society and the insurance industry are living with another situation of "uninsurable severity" risk: the impact of COVID-19 on business income/interruption.
I identify both of these risk situations (terrorism and global pandemics) as sign posts on the path to a "shift to (uninsurable) severity": a shift that effectively shrinks the market segments that are insurable.
Before discussing why I believe that cyber is yet another instance of a shift to uninsurable severity risk, I want to take a few steps back to consider the P&C insurance industry. The people who have read my blog posts or have read my analyst reports through the years know that I like to discuss context before delving into the heart of an issue. So, …
A macro insurance industry overview of risk
The societal value-added of the insurance industry is to profitably manage or mitigate risk for people, corporations, non-profit organizations and, actually, businesses of every flavor. One of the critically important words in this first sentence is: "profitably." Insurance firms strive to operate profitably through their ever-changing risk appetite.
Risks emerge on their own (e.g., lightning strikes) through interaction with nature, through interaction with the actions and behaviors of members of society (alone or among members of society), through the applications of technology or through some hybrid combination of any of these elements. (See visual below.)
Insurance professionals, including risk managers, think of a risk landscape. I’ve written reports about the risk landscape (or landscape of risk) through my decades as an insurance industry analyst. But the term "land" has outlived its usefulness for many years.
True, we can, and do, think of risks beyond those occurring on a terrestrial terrain to include risks happening in (or under) the oceans or in air or space. However, with the advent of the web and web-enabled applications and their concomitant risks, "land" is too mentally limiting. The web is a bridge from our historical world of analogue risks to a hybrid world encompassing an ever-changing mixture of analogue and digital risks. The bridge is a host of cyber risks that will affect both the digital applications as well as the analogue applications infused with or connected to the web-connected digital applications.
I propose using “risk radar” instead of “risk landscape” to encompass all past, current and emerging risks regardless of where they exist or appear, including in the application of web technologies. I’ll try to use it in this and forthcoming blog posts. However, I know that I used "risk landscape" in my book, which is going through an initial edit by Wells Media. We’re targeting 2Q22 or 3Q22 for the book to be published as an ebook, audio book and paperback. (I had to put in a plug for my own book, didn’t I?)
Shift of impact of risk to an uninsurable level of severity
I am not stating that every risk that society has experienced, is experiencing or will experience will have an uninsurable level of severity. I am stating that a growing number of risks, particularly those associated with web-connected digital artifacts (or analogue artifacts infused with or connected to web-connected digital artifacts), will have uninsurable levels of severity.
The table below shows a 2 X 2, but we all know there is actually a gradient from low to high frequency as well as a gradient from low to high severity. Pandemics, terrorism and, in my opinion, cyber attacks sit in the "high severity" row (or end of the severity gradient).
Most of us trust the companies we conduct commerce with, but there will be more questions like these:
- “How did thieves break into my digitally locked car?”
- “What do you mean I can’t get into my house because the ‘key’ has been hacked and I have to pay a ransom to get into my own home?”
- “How could some person hack into our web-connected devices that we use in our homes to know we were gone and rob us?”
- “Why are all of our corporate systems shut down?”
- “What do you mean that my company’s servers have been used for a distributed denial-of-service attack and my company is liable for the damages done to other companies and their clients?”
- “Why is my EV car stopping in the middle of the highway?”
- “Why has our company stopped providing petroleum products throughout the U.S. East Coast?”
In reality, the trust – between each of us and the web-connected devices we use in our homes, vehicles or corporations – should have been completely vaporized as soon as the first device (home appliance, corporate appliance, personal vehicle, company fleet vehicle,…) was connected to the web.
The impact of, and level of losses from, web-connected devices is no longer local or regional: The impact of the risk is global. To repeat what is in the red outlined box in the visual above for better readability:
I hypothesize that as society – governments, businesses, people – uses increasingly more digital technologies (of which increasingly more will be connected to the web), the scope of cyber attacks will represent a financial scale and a level of severity for which the insurance industry is not financially able to provide sufficient coverage.
Pogo is definitely at play here: “We have met the enemy, and he is us.”
Revisiting the CP&C broker commerce conversation
My remarks in this section are based on the areas of focus in the visual of the last section: low frequency and high severity as well as high frequency and high severity of risks.
The first visual I show below illustrates what I call the "conversation and acceptance" of commercial P&C insurance commerce. I have a question mark next to "acceptance" to indicate the changing risk appetite of carriers.
(In case there is any doubt about my use of “changing risk appetite,” I am from the insurance carrier business side of the insurance industry. I absolutely believe that carriers have the right – and responsibility – to change their risk appetites whenever they think it is best to do so for their companies.)
I’m using the curved arrows to reflect that large/jumbo CPC clients will have a hybrid stack of self-insurance, use of primary insurance and use of reinsurance. There will not necessarily be a stacked column of the three elements one after the other. Moreover, I’m showing some of the elements of the CPC carrier that "greet" the broker and the client as they look for cover for the specific risk. Please don’t overlook the "small" potential role of the federal government (depending on the risk being considered for coverage).
I want to repeat what I wrote in the green box under the CPC client for emphasis: Regardless of the market solution the broker identifies to mitigate the client’s risk(s), the legal onus is on the client to manage the risk in some manner. This always holds (for every risk) and will hold in dramatic fashion for cyber risks. And for the cyber risks in the areas of focus, I believe the role of the federal government will have to explode in a similar dramatic fashion.
Actually, I could foresee when (and it should be when and not if) the federal government plays a major role "covering" cyber risks that are uninsurable. At that time, the federal government will take a very large stick (perhaps through laws, regulations and executive orders) to hammer corporations to better secure their cyber operations to protect their company, their clients and prospects, their subcontractors and others (people and companies) they conduct commerce with.
This will expand the market for technology firms that create and sell cyber security and privacy solutions. It will also expand the market of people with "white hat" cyber hacking skills to work for companies (or technology firms or consulting firms). The technology firms offering cyber security and privacy solutions should also find themselves under the harsh glare of the government cyber laws and regulations.
I want to make another point clear: Brokers involved in the cyber commerce conversations will have to have some minimal level of knowledge of the (changing) nature and implications of cyber security and privacy as well as the cyber solutions available to mitigate their damage to the broker’s clients (and their clients).
I believe there will be a role for CPC insurers to generate non-risk-based fees from the provision of cyber services (e.g., auditing, monitoring, remediation). The CPC insurers participating in the cyber services market would obviously have to determine the resources needed to offer the cyber services.
Not every risk is insurable
The crux of this post is the point that there are some risks (and I believe a growing number of risks) that are (and will be) uninsurable.
Criteria for insurability
This raises the question: How can an insurance/risk management professional identify risks that are insurable? Here I introduce some of Dr. Hartwig’s July 2021 testimony. I’ll let the table below speak for itself, but I will repeat his point that “The inability of a risk to meet one or more of these criteria reduces or eliminates its insurability.”
Consideration of a pandemic through the lens of the six criteria
Here – in the table below – is how Dr. Hartwig viewed the current pandemic through the six criteria: You can see there is a relentless parade of "no," with his logic given for why each criterion is not met.
Cyber risk will increasingly become uninsurable
Turning now to cyber risk (which encompasses various risk segments), I use the same six points of insurability (or uninsurability, depending on your point of view) to conclude that cyber risk is uninsurable.
Remember, the risk is not insurable if even one of the six criteria is not met.
By my analysis, I come up with: two criteria of insurability met, two criteria not met and two criteria assigned a "quasi" rating, meaning maybe yes or maybe no. I answer no to the criteria: 3) determinable and measurable loss and 5) calculable chance of loss.
I suggest you select a specific cyber risk and do your own analysis. I may be too skeptical. I may be looking at the cyber risks too harshly. However, whoever does the analysis should lose whatever levels of trust they have about any of their web-connected devices being safe, secure and private.
Remember, there are only two types of web-connected devices: those that have been hacked … and those that have been hacked but you don’t realize it.