What Every Director Needs to Know

The best time to fix D&O issues is when the sailing is smooth, not when the corporate yacht is about to sink.

We often get called into corporate calamities where “heavy water” is starting to overwhelm the bilge pump of the corporate yacht, especially in situations like today, where the markets are stuck in bear market territory, where the oil markets have collapsed, where the coronavirus rampages through the U.S. and where gross uncertainty exists regarding our transportation system and supply chain. We have lived through the financial crisis, regulatory messes and, most importantly, situations where organizations have simply lost the faith of their customers and investors.

Often, directors and officers who have to figure out what to do to “save the ship” must at the very same time try to figure out if they have enough directors and officers (“D&O”) liability insurance to weather the storm and protect them from plaintiffs’ lawyers circling the sinking ship.

Nautical allusions aside, figuring out if your D&O insurance is good enough when you are about to enter stormy seas is not ideal. First, there may be no time to tinker with the D&O coverage. Second, and more importantly, if there is a problem with your coverage, or there is not enough of it, many carriers are reluctant to modify policy wording (to potentially “enhance” coverage) or to add limits of liability when a company is having financial difficulty, because the carrier is worried about its potential exposure to directors and officers claims (whether they might be lawsuits or regulatory investigations). To many less forward-thinking carriers, doubling down (in some respect, even if it serves to protect their insureds) sometimes makes no sense.

Finally, despite years of heavy claim activity and many large frauds, bankruptcies and regulatory investigations, we often still see the same problems with policies and towers of insurance. Why? We honestly cannot say. Sometimes corporations and their boards do not focus enough on D&O insurance issues because they are frankly too busy with other issues. Sometimes D&O insurance decisions are based not on “substance” issues but on cost issues, which is generally not the right answer for many reasons. Much of the literature dealing with D&O insurance tends not to be broadly disseminated to the folks who need the information most, like corporate directors and officers. Instead, decisions are often left to risk managers and brokers who do not have much experience dealing with D&O issues at troubled companies.

Our goal in this piece is to place front and center the most important issues relating to D&O insurance. This will allow directors and officers to understand what they need to know and what to ask when questioning management on D&O coverage. These are not the only issues that should be addressed when considering the scope and breadth of D&O coverage, but they certainly are ones that should be at the top of any director’s and officer’s list. Truth be told, this advice should hold true for all companies and boards, not just troubled ones. The best time to fix D&O issues is when the sailing is smooth, not when the corporate yacht is about to sink.

Will Your Carrier Hang Tough With You When Things Go Bad?

D&O insurance is frequently purchased in a “stack” or a “tower” of insurance, led by a primary carrier and multiple excess carriers. The excess policies are usually written on a “follow form” basis. This means, in most cases, they follow the terms and conditions of the primary carrier. For larger companies, there is both a traditional Side A, B and C tower (covering the entity and individuals) and a Side A tower, covering the directors and officers for non-indemnifiable loss.

Because neither insurance policy forms nor D&O carriers are fungible commodities, it is very important to understand who is the company’s primary D&O carrier, what coverage the carrier offers and whether the carrier “pays claims.” In many ways, the primary D&O carrier is like a critical vendor or business partner that the company cannot do without. The primary D&O carrier can sometimes be the most important business partner (and friend) a company and a director or officer can have. The hope is that, when the seas are rough, like in an insolvency or restructuring scenario, the primary carrier will be there to respond to claims and ultimately protect the personal assets of the directors and officers involved – even in times where indemnification or advancement is unavailable or refused by the corporation.

A few points to consider:

1. What is the carrier’s claims handling and claims paying reputation? Is it business-friendly and coverage-friendly, or is the carrier known to try to find “outs” to coverage? Does the carrier have a free-standing claims department, or does it farm out claims to hyper-aggressive coverage counsel? And, if the company has multiple offices overseas, how does the D&O carrier handle cross-border claims or investigations? Through a bit of investigation, one can often learn from others (such as defense counsel or experienced D&O brokers) information that might indicate which way a carrier leans on these important questions. Obviously, the best carrier is one that will hang with the directors and officers even in the worst of times, and will not “run and hide” behind coverage defenses so it does not have to pay.

2. What is the carrier’s underwriting response to questions and potential modifications? What is the carrier’s responsiveness to requests to enhance coverage for the insureds? These questions relate to the prior question. Directors, officers, and companies want a business partner in their primary carrier, not a “silent partner.” Many of the better carriers often will consider (and implement) policy changes even days or weeks before a bankruptcy filing to clarify policy language for the potential benefit of the insureds. Those are the types of carriers that a director or officer wants on his or her side.

3. Do you have enough coverage? This can be the most worrisome aspect to any director or officer caught up in a corporate storm. Unfortunately, this is also an area that is confusing because there are often no clear or “right” answers as to what limits should be purchased.

The most important thing a director or officer can do in this regard is ask many questions of management. For a public company with $2 billion of annual revenue, $30 million of D&O insurance likely does not make sense. Similarly, for companies with substantial debt and perhaps not a lot of cash on hand, a low D&O limit also would not make sense. Very often, an experienced D&O broker can provide benchmarking, showing what D&O insurance is purchased by similarly situated companies. Thus, a company can look to a competitor in its space, or at its size, to determine what type and level of D&O insurance comparable companies have purchased. Finally, many larger companies with public debt or equity exposure can perform “mock” damages analyses to understand what a potential securities claim against them might look like from the perspective of damages and defense costs. The variable here is that the cost of a simultaneous regulatory or criminal investigation, as discussed below, can vastly skew those amounts.

Can a company increase the limits of its D&O coverage midterm, or even after bad news surfaces? This is a common question. The answer is that it depends on the facts and the circumstances of the particular situation. Sometimes the circumstances a company faces are not so dire, and carriers will cooperate with the company’s desire to protect its directors and officers by agreeing to increase the limits of its tower (for a price, of course). Other times, the situation may be so severe that a request to increase limits will be politely declined. The latter polite declination proves our point. Directors and officers should ask questions up front regarding coverage amounts. They should not wait until the corporate ship starts to heel over to request higher amounts. By then it might be too late.

Coverage for Regulatory and Criminal Investigations

Troubled companies often encounter a regulatory or criminal investigation (SEC/DOJ) at the same time they are facing civil litigation. This is the potential “double whammy” of defense costs, which often can run into the millions of dollars. Thus, directors and officers need to know what sort of coverage their D&O insurance provides for such investigations because, to the extent such investigation constitutes covered loss under the D&O policy, every dollar spent on investigations will generally reduce the overall limits available to ultimately settle the underlying litigation.

The rules of the road are well established in this area. Directors and officers are generally covered under the company’s directors and officers insurance for formal regulatory and criminal investigations and inquiries as well as “a formal criminal, administrative, or regulatory investigation against an Insured Person when such Insured Person receives a Wells Notice or target letter in connection with such investigations.” 

Corporations are generally not covered for their involvement in such situations, unless individual directors or officers are also simultaneously named in the investigation (these rules of the road are often different in the private equity space, which is beyond the scope of this article). Specialized policies in the D&O marketplace exist to cover regulatory and criminal investigations in those situations where only the company is named, though those policies are reported to be expensive. All other things being equal, a director or officer should ensure that he or she is covered for regulatory and criminal investigations and inquiries. These can be very expensive to litigate and defend, and the last thing the company and its board need at the time is a loose cannon on deck.

Why Does the Insured Versus Insured Clause (and Its Carve-outs) Really Matter?

The insured versus insured clause has been included in D&O policies for a long time. It finds its genesis in a carrier’s need to guard against collusive lawsuits brought by one insured (say, for instance, the company) against another insured (like a director or officer), solely designed to get to the proceeds of the company’s D&O policy.

Indeed, carriers may have valid reasons for not wanting to cover these types of lawsuits. But there are other types of potential “insured versus insured” lawsuits that should be covered (and thus “carved out” of the insured versus insured exclusion) because they generally would not be collusive (and normally are just as hotly contested as suits brought by traditional third parties). Here is a list of certain types of lawsuits that we believe should be explicitly covered under the D&O policy (i.e., carved out) to protect the interests of the directors and officers.

1. Shareholder derivative actions

2. Suits that generally arise in bankruptcy when bankruptcy-formed constituencies, such as creditors’ committees, bondholder committees or equity committees, bring an action derivatively on behalf of a bankrupt company for alleged breaches of fiduciary duty by the company’s directors and officers.

3. Similarly, suits by trustees, liquidators and receivers against directors and officers. As we have seen from high-profile suits involving companies like Tribune, Extended Stay and BearingPoint, bankruptcy-formed constituencies and trustees have become much more aggressive and litigious over the years, and the threat of such suits simply cannot be ignored.

4. Whistleblower suits brought under the provisions of either Sarbanes-Oxley or Dodd-Frank.

What is Non-Rescindable Side A Coverage?

There are two general coverage sides to a D&O policy (leaving for another day the concept of outside director coverage). Coverage “Side A” is for non-indemnifiable loss, meaning loss for which a company cannot indemnify or is financially unable to indemnify. Under this side, the directors and officers are the insureds. Coverage “Side B,” on the other hand, is for indemnifiable loss. Under Coverage C, the company is insured for securities claims.

Side A covers a range of different scenarios. For example, under Delaware law (where many corporations are incorporated), a company cannot indemnify its directors and officers for the settlement of a shareholder derivative action. And in bankruptcy, a company often will be unable to advance defense costs and to indemnify its directors and officers for claims. Indemnification claims by directors and officers against the company may be treated as unsecured claims that get pennies on the dollar, or may even be subordinated in certain circumstances.

As several of the noteworthy “financial fraud”-related bankruptcies have taught us, having “non-rescindable” Side A coverage is very important. “Non-rescindable” Side A coverage means what it says. Even in cases where a carrier may challenge as false statements made by a potentially complicit CEO or CFO in the company’s insurance application for D&O coverage (attaching to such application, for example, financial statements that later need to be restated), non-rescindable Side A coverage generally cannot be rescinded for any reason, which should allow the directors and officers to sleep better at night. Directors and officers should know that non-rescindable Side A coverage is generally standard in today’s D&O marketplace, and thus primary policies that do not have such coverage should be immediately updated.

What is Side A Excess Difference in Conditions Coverage (and Why Is It So Important)?

As noted above, having non-rescindable Side A D&O coverage is critically important. Having “Side A Excess Difference in Conditions” D&O coverage can be even more important. Why? This coverage reacts in two different, wonderful ways to protect directors and senior management.

First, it acts as “excess” Side A D&O insurance, meaning, in English, that it sits above the company’s traditional tower of insurance and will pay Side A non-indemnifiable claims when the traditional tower is exhausted by either traditional indemnifiable claims or non-indemnifiable claims. For example, a company may have $50 million in traditional D&O coverage and $25 million of Side A excess difference in conditions coverage, where $45 million of that insurance has already been exhausted by the settlement of a simultaneously commenced securities class action and SEC investigation. In such a case, the directors and officers would still have $30 million of Side A insurance to deal with, for example, the settlement of a shareholder derivative action.

Second, most Side A excess difference in conditions D&O insurance has something called a “drop down” feature, meaning that if, for example, an underlying excess carrier refused to pay its limit of insurance for some coverage-related reason, the Side A excess difference in conditions carrier might have the contractual obligation to “drop down” and fill that layer. Thus, it is a critically important feature that potentially will help fill potential gaps in coverage. Also, note that most Side A excess difference in conditions policies have very few exclusions (e.g., most do not have an insured versus insured exclusion), so they can be particularly helpful to directors and officers.

Does My Corporation Have Enough Side A Coverage?

In the olden days of D&O (meaning 10 years ago), it was pretty rare to have a large Side A tower of insurance. Companies may have had a large primary tower of insurance, but Side A towers over $100 million were a rarity.

Since the settlement of several large financial crisis cases, we have seen a steady rise in the settlement values of shareholder derivative actions. In the last three years alone, however, the value of these cases has skyrocketed into nine-figure territory on a regular basis. Why? Reasons vary from severity, to regulatory fines and penalties, to the opioid crisis to enormous cybersecurity breaches. One of the major factors in all tends to be a really bad event that caused both a stock-price plunge and a large fine or penalty. The resulting litigation is called event-driven.

Event-driven litigation puts pressure on the primary tower of insurance, which quickly gets exhausted, and puts an equal amount of pressure on the Side A tower, which will need to respond to the shareholder derivative action. We would strongly recommend that companies entering troubled water re-evaluate their Side A coverage before the bad event happens. Afterward, it may be way too late.

What is the Priority of Payments Clause, and Why Is It Important?

A priority of payments clause specifies how a carrier should handle competing claims on a policy’s proceeds. For example, most such clauses (some carriers call them “order of payments” clauses) specify that Side A claims get paid first, and then traditional Side B company reimbursement and indemnity claims get paid. Obviously, this approach is tremendously important to directors and officers who may need to defend themselves in securities class actions or bankruptcy-related or inspired litigation.

Some priority of payments clauses give the right to the company or a company officer (like a CEO or CFO) to “withhold” or “delay” payments made under Side B of a D&O policy until those payments are properly designated by the appropriate party. This type of discretion is potentially not a good thing. Why? Giving such potential discretion to the company or a company officer to withhold or direct payments under Side B of a D&O policy might be creatively viewed by some as giving the debtor in bankruptcy “a say” or “control” over the proceeds of the D&O policy. That situation could be used by a creditor or other bankruptcy constituency to control or delay payments to the directors and officers under Side A of the policy, again potentially leaving them without resources to pay their counsel. Carriers are very able to make policy reimbursement calls in bankruptcy settings, and the order of payments under a D&O policy should be left to them, not others.

Making a Better D&O “Mousetrap”

Admittedly, some of the above items are a bit difficult to understand conceptually for the non-insurance professional, and, admittedly, directors and officers often have more pressing issues to deal with when trying to help their companies navigate through troubled waters. But, as we have seen time and time again in our practice, very often D&O insurance becomes the lifeline for directors and officers when companies face trouble.

How can a director or officer stay on top of these issues in the most efficient manner possible? Here are a few suggestions:

  1. Ask the right questions to the right people, like the company’s risk manager, CFO or general counsel, as to what is covered and what is not, and ask about the above limits of liability issues to make sure you are comfortable that at least these points are properly covered. Again, common sense often prevails here, and, if a director or officer does not like the answers he or she is getting, then corrective action should be demanded before it is too late to act.
  2. Make D&O insurance issues a board topic at least twice a year so that board members can stay abreast of coverage developments, options and modifications.
  3. Make sure management sends out the company’s D&O program and tower of insurance at least once a year for a “tune-up.” In this area, coverage options often change, and better coverage can often be obtained so long as the right diagnosis is made by qualified persons such as an experienced D&O broker or, sometimes, experienced outside counsel.

Paul Ferrillo

Paul Ferrillo is a partner at McDermott Will & Emery and focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters and corporate investigations.

COVID-19: Stark Choices Amid Structural Change

With COVID-19 forcing permanent, structural change, insurers have to get outside their own heads and see how customers' businesses and lives will evolve.

My dad often said he'd rather be lucky than good. Now that it's becoming clear that the coronavirus shutdown will cause a longer and deeper economic slump than many initially thought and will likely lead to permanent, structural change in the economy, it seems to me that those are the two options for insurance companies: You can be lucky, or you can be good. (Or, like my dear old dad was, you can be both.)

To me, lucky looks like Michael Dell at the dawn of the internet age. I know that the official origin story is that he was simply too good: He supposedly saw, in the 1980s, the opportunity for a hyperefficient personal computer business that was based on direct sales and manufacturing only after receiving payment from buyers. This, even though every major manufacturer was producing millions of machines on spec and selling through stores. But the real story is rather different.

I know because I interviewed him in 1986, when as a 21-year-old he had already built an impressive mail order business around his PC's Limited computers and desperately wanted to break into mass-market retail outlets alongside the three major brands (IBM, Compaq and HP). If he had succeeded, you might never have heard of him. He would have been entangled in the same inefficiencies that crushed the IBM brand and bedeviled the other two. Instead, when the internet came along in the mid-1990s, he had the best brand not tied to the retail channel, and he quickly turned his mail-order model into a business that dominated online.

So, kudos to Dell. He built a strong company from the get-go and capitalized on his opportunity in a huge way. But the positioning for the internet occurred because of no particular strategic insight. He was lucky.

Lucky is lovely. No need to apologize for luck. You just need to exploit the luck the way Dell did.

In the insurance world, the lucky ones include those companies that were already well on their way to digitizing when the coronavirus shut the world down. Because the economy may open only in fits and starts until a vaccine arrives in 2021 (let's hope), highly digital companies have some time to exploit their advantages in selling, in providing customer service, in processing claims, etc. Those that have updated core systems should be more agile than those that haven't. (It pains me to see states having to advertise for programmers who can use Cobol or even Fortran and can update systems, such as for unemployment insurance, that have been largely untouched since the 1960s and 1970s; some states need people who can program in machine language, to update systems written in the 1950s.)

Companies that sell usage-based insurance (UBI) also have a leg up because premiums are ratcheting down precisely and automatically; while many other insurers are (I'm happy to see) rebating premiums to customers, they have to make those determinations at a macro level and can't serve customers as well as the UBI companies are.

Health insurers will be lucky at least in the short run. While costs for treating coronavirus will obviously soar, governments will cover many of those expenses. In the meantime, people who would otherwise seek treatment, schedule elective surgeries, etc. are staying away from hospitals, sharply reducing claims for insurers.

And so on. If you're lucky, you surely know that by now and can be trying to figure out ways to entrench your advantage, as Dell did.

But what if you have to be good?

I've already written about some ways you can be rethinking your business to prepare for the world that comes after COVID-19: reimagining risk management services; exploring "reverse innovation"; and using the economic shutdown as a "natural experiment." An earlier piece on how to rethink an industry once it becomes digital also seems relevant, given how the virus is accelerating the transition for insurance.

But "good" insurers will go well beyond internal issues and start exploring scenarios for clients, whose worlds are being turned upside-down, too, and whose insurance needs will change as a result.

Health insurance, for instance, could change drastically. About half of Americans get their health insurance through jobs, and 22 million have lost those jobs just in the past few weeks. Might there be new pressure to separate health insurance from employment — a connection that prevails only in the U.S.? Some suggest that healthcare providers will want to switch away from a fee-for-service model, given that the coronavirus has scared so many people away from seeking any service that would get them near those who are possibly infected and that they don't absolutely need.

I'm not convinced that health insurers will change much — the immediate problems will be that they will generate such huge profits, in the absence of claims, that they'll have to dampen public outcry and will have to return premiums because of Obamacare's limits on their profit margins. But the health insurers need to be at least considering how the medical system may change, and lots of other types of insurers will surely find their customers in new environments.

If many of us continue to work from home, what does that do to commercial office space? Will people be healthier if they stay home, or will we all add what a friend calls "the COVID-19 19" pounds? If workdays are staggered to limit the times employees interact with each other, how does that change the risks in workers' comp? If supply chains are realigned to reduce reliance on other countries, and certain types of manufacturing resume in the U.S., what does that do? But what if most of the "workers" are robots? What happens to the living situation for retirees, as long as retirement/nursing homes have turned out to be Petri dishes for infections?

Those questions are just the start, of course. You can ask similar questions about transportation, our food supply, education and a host of other areas. The point is that lots of what we've taken for granted is now up for grabs.

While it may be many months, or even years, before we start to settle into a new normal, it's not too soon to start exploring with clients how their worlds are changing, so you can serve their new needs as well as you've served their old ones to date. Even if you haven't been lucky, there's still time to be good.

Stay safe.

Paul Carroll

Editor-in-Chief

P.S. How was my dad both lucky and good? Glad you asked. Among many other things, he got a job taking sports scores over the phone for the Des Moines Register as a 16-year-old in 1943 because all the older boys were already in the military. That credential with a metropolitan daily, slim as it was, tipped the balance in his favor when he later ran for election as editor of the paper at the University of Iowa. That, in turn, helped him launch a career in journalism, where talent kicked in and he worked his way up to a reporting job at the New York Herald Tribune and then had a 30-year career as the chief spokesman for Westinghouse.

Oh, and he met my mom on a blind date, arranged by a friend of my dad's who happened to meet her on a plane.


Paul Carroll

Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Will COVID-19 Give Telematics New Life?

Given that vehicle usage is a fundamental rating factor, telematics might be heading toward a new and shining position within the industry.

Over the past several weeks, there have been numerous aerial photos of some of the nation’s largest highway systems – devoid of vehicles. The sight of tens of miles of ramps, junctions and straightaways with no visible cars is startling, almost a made-for-Hollywood view. But COVID-19 has taken a huge percentage of people out of their vehicles, leaving their cars idle in driveways and garages. Given that vehicle usage is a fundamental and historical rating factor – a predictor of accident frequency – one could conjecture that telematics might be heading toward a new and shining position within the industry.

There are several points for insurers to consider.

  • A huge percentage of businesses that have never had a home-based workforce have been compelled to have one due to stay-at-home advisories. Published interviews indicate that company executives across all industries believe the experience with COVID-19 will change the nature of work even faster than anticipated. More workers will be home-based either permanently or part-time. Will a greater percentage of consumers see the value of usage-based, telematics-driven insurance, given that their vehicles will be idle for greater periods? Insurers need to be prepared for this outcome.
  • Insurers that have yet to commit to telematics programs may well be feeling the strain of not doing so. Many of the largest auto insurers have announced they will refund portions of automobile premiums due to the precipitous decline in miles driven. In particular, Allstate knows, through its telematics programs, that driving has declined by 35% to 50% in terms of miles. This makes the company's refund program much more fact-based. Clearly, there is significant customer goodwill value in making refunds voluntarily. But what if regulators require insurers to do this across the board? Without telematics data, determining refunds is much more of a guess. And no insurer likes guessing. For the long term, telematics data can facilitate a smooth communication process between insurers and regulators on a number of levels, and this is a good thing.
  • From a claims perspective, adjusting losses in a time where staying home is the norm is a huge challenge. There are a number of technologies that insurers are using to compensate, most prominently DIY photo-estimating. In some cases, insurers are rolling out technologies that were in limited tests to cover the gap in face-to-face adjusting practices. However, sophisticated telematics devices can detect crash damage and relay crash information automatically, eliminating the DIY step and improving accuracy. While there is a fervent hope that we never again have to self-quarantine due to a pandemic, there is significant value in getting sensor-based, telematics crash information directly from point of impact.

To date, telematics adoption has settled in as a segment. Projections that telematics would be the dominant base for all auto programs have not materialized. There are many reasons, but maybe the COVID-19 pandemic will be the impetus that consumers and insurers need to up adoption rates. In the not-too-distant future, the highways will again fill up with more than medical professionals, first responders and retail workers. Why waste the opportunity to use actual data to improve insurance outcomes? Telematics can make the connections!


Karen Pauli

Karen Pauli is a former principal at SMA. She has comprehensive knowledge about how technology can drive improved results, innovation and transformation. She has worked with insurers and technology providers to reimagine processes and procedures to change business outcomes and support evolving business models.

3 Challenges for Pandemic Coverage

While many see a useful model in the Terrorism Risk Insurance Act, it is not an off-the-shelf solution for pandemic risks.

The nation’s immediate strategy to support businesses affected by the COVID-19 pandemic has now formed around a portfolio of emergency federal loan and grant programs authorized by the Coronavirus Aid, Relief, and Economic Security (CARES) Act. As these programs become operational, policymakers are turning their attention to the risk of future pandemics.

When confronting the “new” risk of terrorism nearly two decades ago, policymakers forged the Terrorism Risk Insurance Act (TRIA) as a public-private partnership with shared financial responsibility for terrorism losses but heavily relying on the commercial property and casualty insurance industry’s product design, operational and claims administration capabilities.

Naturally, TRIA has emerged as a leading model for a future pandemic program – generally referred to as the Pandemic Risk Insurance Act (PRIA). While a reasonable starting point, TRIA is far from an off-the-shelf catastrophe risk program.

Congress designed TRIA to progressively recede from the terrorism insurance marketplace until expiring three years later. This temporary program is now in its fourth extension, guaranteeing a total program life of at least 25 years. Not a single dollar has been paid out from the federal backstop -- owing more to the success of the U.S. law enforcement, defense and intelligence communities than to any beneficial feature of the program itself. While TRIA may offer the reassurance of longevity, this model remains (thankfully) wholly untested, such that any underlying design flaws only become visible on careful inspection.

We can test the efficacy of PRIA by answering three questions related to our current experience with the loan and grant programs authorized by the CARES Act:

  • Which businesses should be entitled to claim benefits under the program?
  • What benefits should be available?
  • Who has the infrastructural capabilities to deliver the necessary benefits?

Eligible Businesses

CARES Act loan or grant programs are available to nearly all businesses that meet the size requirements. An otherwise eligible business must certify merely a general need for financial relief as a result of the pandemic such as that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the applicant.”

PRIA would reach far fewer businesses. Under that program, insurers must first offer a policy of commercial property insurance without a virus or pandemic exclusion. No business is required by law to purchase it. In fact, under TRIA, only half of all businesses pay a premium for the removal of the terrorism exclusion. According to data released by the U.S. Treasury, 29% are informed that there is no additional charge for removal of the terrorism exclusion and the rest simply opt not to pay the average 2.5% additional premium.

We do not know how much insurers would charge to remove a virus or pandemic exclusion as required by PRIA. However, it is likely to be much more than the current charge to remove terrorism exclusions. As a rough benchmark, it takes the insurance industry about 10 years to charge enough terrorism premium to equal the amount of commercial property insurance losses from Sept. 11. It would take 125 years to collect enough premium just to equal the initial round of funding for the CARES Act’s Paycheck Protection Program.

Take-up rates for policies without virus or pandemic exclusions under PRIA will certainly be somewhere far less than 100%. Even if three-quarters of policyholders pay for the removal of the exclusion, many U.S. businesses would be left with no economic support in the event of another pandemic. If the cost of coverage is more than a couple of percent of total policy premium, take-up rates would be even lower, leaving vast amounts of the U.S. economy “willingly” exposed.   

Covered Losses

CARES Act programs are largely aimed at encouraging businesses to keep employees on the payroll. For example, Paycheck Protection Program loans can only be used to cover expenses for payroll, rent, mortgage interest and utilities. If at least 75% of the loan proceeds are spent on payroll (subject to caps on high earners) during the first eight weeks, the entire loan is forgiven.

Business income coverage under a standard commercial property insurance policy also covers the expense of continued payroll, rent and utilities. However, insurance also covers the profits a business would have made and the full amount of salaries, including those paid to high-earning executives. While those benefits are more generous while they last, Civil Authority Coverage typically only extends to the first four weeks of a government-ordered shutdown (half the time period of the Paycheck Protection Program).

Of course, not every policyholder purchases a typical policy. Under TRIA (and therefore our hypothetical PRIA), captive insurance companies are full-fledged participants in the program. A captive is an insurance company set up and owned by its policyholder, typically a large corporation. Hundreds of large corporations (including the New York Times, Credit Suisse and the New York Stock Exchange) have established captives, allowing access to TRIA on far more favorable terms than those available via the traditional insurance market. For example, while small businesses are effectively shut out of property insurance coverage for terrorist attacks using nuclear or radiological weapons, a large corporation can negotiate with its insurance subsidiary for hundreds of millions or even billions of dollars of such protection, with 80% of the losses picked up by the federal backstop.

Large corporations would surely deploy these same strategies to maximize the value of PRIA. While a small business may be lucky to afford the standard four weeks of Civil Authority Coverage, a big business could ask its captive to provide coverage for 40 weeks or even 400. Certainly, the captive would not impose on its corporate parent restrictions on share buybacks, dividends or executive bonuses such as those demanded by the CARES Act’s Main Street Lending Program. 

Claims Administration Capacity

TRIA contemplates that insurance companies possess the claims administration capacity to manage up to $100 billion of shared industry and federal losses. Hurricane Katrina was the largest property insurance event in the U.S. industry’s history, resulting in about half that amount in paid claims.

Under the CARES Act, U.S. lenders have been called on to administer $349 billion in loans through the Paycheck Protection Program and a further $600 billion through the Main Street Loan Facilities. Just the initial funding of the Paycheck Protection Program is the equivalent of insurance companies facing down claims from Hurricanes Katrina, Maria, Irma, Andrew, Harvey, Ike and Wilma, Sept. 11 and the Northridge earthquake all at the same time, together with 10 years of National Flood Insurance Program and National Crop Insurance Program claims. The insurance industry is simply not designed to operate at that scale.

A Path Forward

While there are other “glitches” in the Terrorism Risk Insurance Act that should give us pause before expanding the model to include pandemics, the three points explored here should be enough to warrant a thoughtful debate about the objectives of any proposed pandemic risk management program and how best to implement it.  

For example, we may find insurance companies can make available policies without virus or pandemic exclusions, but small businesses are unwilling to bear the consequent cost. A program with low take-up rates is worse than no program at all. Today, we can extend loans and grants to businesses that did not have the choice whether to buy insurance coverage. Once we have PRIA, we cannot. 

Similarly, we may find the business income loss benefits made available to small businesses are modest and difficult to trigger compared with loan forgiveness under the Paycheck Protection Program. Meanwhile, large corporations can use their captive insurance companies to engineer bailouts that make the terms of the airlines’ $25 billion Payroll Support Program look stingy.

Finally, we may conclude business income coverages in standard commercial property insurance policies are too complex to quickly administer during a pandemic. We may also come to believe insurance companies should invest more heavily into maintaining robust catastrophe claims management capabilities.

If we do not get to the bottom of these challenges before committing to a new pandemic program, we will surely struggle with them when we most desperately need the program to work.


Jason Schupp

Jason Schupp is the founder and managing member of the Centers for Better Insurance. CBI is an independent organization making available unbiased analysis and insights about key regulatory issues facing the industry for use by insurance professionals, regulators and policymakers.

How to Lead During the Pandemic

The pandemic presents the insurance industry with a chance--and a demand--to personalize its mission and humanize its spirit.

The insurance industry is in the midst of a crisis as bad as the Great Recession and possibly worse than the Great Depression. 

The crisis worsens each day because of the COVID-19 pandemic. 

We do not know when the worst will end. 

We cannot predict when the pandemic itself will end.

But we can choose what we say and do; what we must say and do for the good of the insurance industry and the economy as a whole.

We must choose to lead.

The choice is just that: a choice to fight fear with facts, because the insurance industry must not let fear be the face of the pandemic. Not when the faces of the heroes among us cover their faces, but show us their eyes.

Their eyes say many things.

Their eyes speak to feelings of loss, depression, doubt and frustration. Their eyes also speak of the resolve to continue.

David Albanese of Ameraquest Financial Group shares the same resolve. He says:

“The insurance industry must be a voice of clarity and wisdom. People need to hear from experts and executives they trust. Communication is essential to success.”

Albanese is right about trust. Insurers need it, customers demand it and the public deserves it. Which means the insurance industry must work to preserve and protect it. 

The industry must convey what it believes and be true to its most fundamental belief, that trust is the basis for everything a business does.

Acts strengthen trust. Put another way, good works are more effective than good words. The works speak for themselves—up to a point.

The moment comes when insurers must speak about their works. The moment is right—now is the moment—for insurers to lead by speaking to the public, about the needs of the public, for the safety of the public.

Each day is a new moment for insurers to offer news, answer questions and address the public. Whether insurers use traditional media or social media to communicate is less important than what they deem to be of importance. 

The medium is not the message; the message is the message, regardless of whether it is a post, a comment, a column or a tweet. Substance comes before style, especially during a pandemic.

The substance of what insurers say should be direct, just as the information they provide—the directions they give—should be correct. 

Does this mean insurers must be perfect, that they cannot afford to make mistakes? 

On the contrary, mistakes are inevitable, and misstatements are unavoidable. Admitting one’s mistakes is, however, critical to maintaining what too many companies do not enjoy in the first place: trust.

The insurance industry has a chance to personalize its mission and humanize its spirit.

The industry has the chance to reach hundreds of millions of people worldwide, thanks to the power of communication and communications.

Thanks to clear speech, on the one hand, and technology, on the other, the industry can be a voice of leadership.

The insurance industry must speak to us, now more than ever.

Business Continuity During COVID-19

Four leading CEOs weigh in on how the pandemic is changing the insurance industry, for good.

Potential business disruptions are part of a company’s regular continuity plan. Still, few were prepared for the impact of a global pandemic that has shut down businesses around the world. Many companies have faced challenging decisions like laying off or furloughing employees for an extended period, while others have had to shift to a fully remote workforce quickly. 

Four leading CEOs in our industry joined us for our special edition Out Front Ideas COVID-19 Briefing Webinar Series to discuss the challenges their businesses are facing and how they are adapting: 

  • Keith Newton – CEO of Concentra
  • Dave North – CEO of Sedgwick
  • Tom Warsop – CEO of One Call
  • Mark Wilhelm – CEO of Safety National

The Carrier Perspective

Insurance companies are facing an onslaught of regulators seeking a myriad of information. Carriers are inundated with data requests, receiving hundreds of bulletins and directives covering most territories, states and Canada. Some states have issued moratoriums on cancellations for non-payment of premiums, while others have requested that carriers make it clear to the public how they will treat premium leniency. Carriers are being asked to provide a COVID-19 readiness plan, including the impact on the business, both operationally and on investment income. The National Association of Insurance Commissioners (NAIC) has stepped in, asking states to pause on data requests, so carriers can focus on servicing their insureds.

Regulators and legislators are seeking to expand the compensability of claims beyond what was planned during the underwriting and pricing phases. Many legislators are passing laws stating that COVID-19 claims are presumptions, especially for healthcare workers and first responders, meaning it is presumed they contracted the virus while on the job and it should be covered accordingly. Some states are even looking to expand this to all essential workers.

As far as the financial impact on carriers, there are a few items to consider. Carriers could see a decrease in premiums due to employer payrolls decreasing. There are also credit risks due to non-payment of premiums, and there may be portfolio devaluations in the future due to lowered interest rates. However, while specific industries, like healthcare, are seeing more claims, many sectors will see a decrease in claims because of shelter-in-place enforcement.

The Third-Party Administrator (TPA) Perspective

Initially, TPAs saw a surge in paid leaves in the U.S., but that has now shifted to unpaid leaves because of the programs that employers have in place. With federal programs, like paid leave extensions, being evaluated, we do not yet know the direct impact they will have on injured workers. It may mean shifting an injured worker off workers’ compensation and on to one of those programs in the future if it is more beneficial.

Many employers are reaching out for help planning for a future catastrophe. For example, if a natural disaster like a hurricane or tornado occurred during this time (a “cat” within a “cat”), employers want to know that their business would have a continuity plan in place. Everyone is considering the “what-if” scenarios right now, so many are overly preparing for the next big event.

In the workers’ compensation industry, there has been a drastic decrease in the number of new claims due to some businesses shutting down completely. However, some industries are growing significantly in the current state of the economy, which is noticeable with a more-diversified customer base. Pending claims in workers’ compensation have not seen the same drastic decrease, meaning the injured workers who received our attention before COVID-19 still need assistance, but now are less likely to obtain the care they need. Some patients have no idea how the change will affect their recovery or return to work.  

Due to the pent-up demand for healthcare during the COVID-19 crisis, there will be a backlog of post-pandemic patient needs. This demand may put injured workers at a disadvantage because elective surgeries will not be prioritized above other significant needs like trauma surgeries. Actuaries will have to learn how to adjust to this uncontrollable shift. For example, will a lack of litigation be considered a trend, or will litigation rebound based on the high consumption of healthcare upon a return to normalcy?

There is a balance right now of taking care of the injured workers’ needs and also maintaining communication with them. As a workforce, all partners should be ready to embrace the injured workers when the industry returns to normal, readying resources and preparing to handle the increase of needs.

The Ancillary Program Provider Perspective

The most considerable impact has been an unwillingness among injured workers to get the treatment they need because of COVID-19 risks. Because patients do not want to come into contact with others, the frequency of demand is affected and their care is delayed. Provider access has also seen an impact. While most are still accessible, industries like dentistry have been advised not to continue treatment. The extension of telehealth has also made accessibility to care much better.

Referrals for ancillary services have decreased significantly. Specifically, transportation service requests are suffering, but well-established services like home health do not see the same drop in requests. Some ancillary program providers are seeing furloughs of their workforce due to a decline in demand. Some companies are providing advanced paid time off and healthcare coverage for furloughed employees. 

Expect new operating models to emerge from this crisis. There will most likely be a significant increase in remote work employees, now that work from home opportunities have proven to be an adaptable method. The issues surrounding telemedicine use will likely not disappear after this crisis, now that there is a sustained demand for it. Rescheduling technology will also change due to the current number of requests. Shifting to a text-based rescheduling program has seen a much higher response rate from injured employees due to its ease of use, potentially guaranteeing future care for those who cannot currently access it.

The Occupational Health Provider Perspective

Because the occupational health workforce is patient-facing, at occupational medicine centers, employer worksites and primary care facilities, the industry is facing many challenges. These challenges include regulatory directives, limited personal protective equipment (PPE) for front-line healthcare providers and a significant drop in patient volume. However, the industry has dealt with a substantial reduction in patient volume before. During the 2008 recession, there was a significant decrease, but demand rebounded over the months following.

Opportunities have developed from the crisis, including testing assistance and telehealth expansion. While limitations on PPE do not allow for occupational health employees to run testing for COVID-19, they are instead managing fit tests for the frontline providers, like those working the drive-through testing sites, to make sure their gear fits properly. Telehealth has provided an incredible opportunity for occupational health providers to expand their services for injured workers. Many providers that were not interested before have now been working quickly through an approval process, so their patients can receive the care they need. Most occupational health practices are still open for business, but, to reduce exposure, they have reduced hours and staff in facilities.

While most of the industries within workers’ compensation had the ability to move to a fully remote workforce, declines in patient volume and referrals have forced some to furlough employees until there is a rebound. This crisis has forced all our CEOs to use disaster task forces within their organizations and learn how to readily adapt to changes in their businesses, both financially and operationally. COVID-19 will certainly breed many advances in patient care and opportunities for growth in the workers’ compensation industry, as all of our CEOs are continuously learning from the experiences this has created. 


Kimberly George

Kimberly George is a senior vice president, senior healthcare adviser at Sedgwick. She will explore and work to improve Sedgwick’s understanding of how healthcare reform affects its business models and product and service offerings.

5 Safety Tips for Workers, Customers

There is no end in sight for increased disinfectant use, so it is important to communicate safety tips clearly to the entire workforce.

No longer exclusive to healthcare, regularly disinfecting surfaces has become a way of doing business during COVID-19. For essential services, it represents a commitment to both workforce and customers alike. It is important to note that, much like any chemical, disinfectants come with risks, and those risks compound with increased use. Here are some important safety tips to follow while using disinfectants.

1. Choose a disinfectant from the EPA’s List N: Disinfectants for use against SARS-CoV-2.

The EPA has tested List N disinfectants to meet two criteria. First, disinfectants must show efficacy against harder-to-kill pathogens and coronaviruses similar to SARS-CoV-2 (the cause of COVID-19). Second, they must qualify for the emerging viral pathogens claim. The EPA can certify select disinfectants for use against novel pathogens after having cleared a two-stage review. View the EPA’s full List N here.

2. Never mix disinfectants, especially bleach. 

Mixing disinfectants does not improve their performance or make them intrinsically safer. In fact, these mixtures can often result in conditions that are immediately dangerous to life and health for both workforce and customers. For instance, mixing bleach with other common disinfectants, such as quaternary ammonium (quat) or cleaning acids (citric or peroxyacetic), can generate toxic chlorine or chloramine gases. Hydrogen peroxide and bleach mixtures can result in explosion, if near an ignition source. Allow a bleach-cleaned surface time to completely dry before using another disinfectant or cleaning agent. 

3. Disinfect electronics using 70% isopropyl alcohol (IPA) wipes. 

Regularly disinfect high-touch electronics surfaces such as touch screens, phones, ATMs, keyboards and remotes. IPA safely disinfects these devices without compromising oleophobic coatings or damaging circuitry.

4. Barring allergies, use disposable nitrile gloves over latex or vinyl when disinfecting. 

Nitrile gloves tend to be more chemically resistant and tend to result in fewer allergic sensitivities. 

5. Discourage workers from “watering down” or “topping off” disinfectant bottles to stretch supply. 

These practices can drastically reduce the efficacy of disinfectants and introduce the risk of mixing incompatible chemicals.

There is no end in sight for this increased disinfectant use, so it is important to communicate these safety tips clearly to your entire workforce. Create an integrated approach with all unit managers to help incorporate these safety measures and enforce them throughout the organization. Risk management is, ultimately, everybody’s job.


Vikrum Ramaswamy

Vikrum Ramaswamy is a senior risk control manager at Safety National. He is responsible for managing risk control services for policyholders written out of the Pacific Northwest, Northern California and Southeast territories.

How to Mitigate Cloud Computing Risks

Here are the top five cloud software risks and the ways that enterprise decision-makers can contain and manage them.

Of late, cloud computing adoption has gained such traction among enterprises that it is rightly called the new normal. The 2019 State of the Cloud report by RightScale shows that 94% of organizations use cloud, shifting their corporate workload there. High costs are for now the greatest concern for cloud adopters, but organizations are working on tackling them, either on their own or with the help of Google, Microsoft or AWS consulting specialists.

Despite being welcomed by most, cloud computing is still associated with plenty of complications and threats that haunt adopters and skeptics alike. As a result of persisting misconceptions, some enterprises adopt ill-suited cloud policies and practices, while others abandon cloud migration at early stages or steer clear of it altogether.

This article will take a closer look at the top five cloud software risks and examine the ways enterprise decision-makers can contain and manage them.

Data security loopholes

Security concerns are the main reason why cloud computing becomes a no-go option for some companies. This consideration particularly inhibits industries handling sensitive customer data: Banks, medical facilities and such can’t afford a single data breach and therefore by default opt for on-premises software.

But these fears are exaggerated. The strength of security boils down to the measures introduced into a corporate environment. Cloud security provisions indeed differ from on-premises ones, but, when enforced correctly, they render the system impregnable.

At the same time, the cloud beats on-premises systems when it comes to compliance with data privacy and security regulations. Since cloud solutions must adhere to every legislative change, the vendors make the effort to update their software in a timely manner. On-premises security measures, on the other hand, are taken by each enterprise individually and may be insufficient or timed poorly. Therefore, cloud software can facilitate full compliance for businesses required to follow the GDPR, HIPAA and other regulations.

The prohibitive cost of ownership

Enterprises tend to adopt cloud computing to optimize costs but do not necessarily achieve the desired results. Cloud software is commonly known as a cheaper option because the adopter does not incur implementation, maintenance and security costs. In reality, hidden incremental costs do pile up. 

So, how to estimate whether a cloud solution will indeed be cost-effective?

First off, the responsible parties should factor in the enterprise expansion in the foreseeable future. Because SaaS, PaaS and IaaS licenses directly depend on the number of users, the workforce growth will force subscription prices upward. 

Availability of IT resources is another significant part of the equation. When the company employs a full-time development and support team, then the maintenance of on-premises software should not become a large cost component. If this is not the case, cloud software is a more reasonable option. An outsourced cloud-savvy team can easily cover the demands of initial customization and occasional support, while the updates and patches will be the cloud vendor’s responsibility entirely.  

The final consideration is the time gap between the project kickoff and the moment the software starts bringing value. For companies looking for quick ROI, cloud solutions offer a much shorter time to market compared with traditional on-premises setups.

Software discontinuation

Another of cloud adopters’ fears is that a vendor may all of a sudden go out of business, taking along the product. The possibility of software discontinuation indeed exists, but this is not as common an occurrence as one may think. Oftentimes, companies abandon the software, either cloud-based or on-premises, that grew outdated in the modern technological context and therefore ceased to be valuable to its users. In this case, the customers are alerted well in advance and given enough time to find a substitute. 

To mitigate the risks of possible cloud platform shutdown, companies need to take precautions against vendor lock-in and associated disruptions:

  • Map out an exit strategy before subscribing to a cloud-based product.
  • Study the contract carefully to clearly understand vendor obligations.
  • Maintain data in easily exportable formats.

Management complexity

Hybrid and multi-cloud environments are notorious for bringing confusion into the enterprise setting. As companies take more and more of their workload to the cloud, they sooner or later find themselves unable to fully govern the spiraling infrastructure and ensure its security. This can result in the failure to realize the full potential of the infrastructure, as well as in performance botches, security lags and above-budget spending. 

However, proper planning undertaken way ahead of multi-cloud adoption can greatly mitigate such downsides. Starting from the solution architecture and network topology to interoperability mechanics, the environment should be laid out by experts.

Apart from this, a cloud management platform can provide better visibility across multiple accounts, along with cost and security control. 

Weak connection and network failure

Ironically, the very thing that makes the cloud possible — internet connection — causes most problems in a cloud environment. Cloud outages strike enterprises large and small and cause data and money losses — in 15% of cases, over $5 million per hour of server downtime. These connectivity issues have a particularly damaging impact on hybrid cloud adopters, which rely on unhindered connectivity for unlimited data transmission between different cloud platforms and enterprise data centers.  

Despite being such a thorny aspect, internet connection still has the status of a no-man’s land. On decision-makers’ side, connection tends to be overshadowed by other seemingly more pressing matters such as security, compliance or interoperability. What is more, there is still no consensus about who should take full responsibility for cloud outages—the owner or the service provider. While 65% of businesses rely on cloud software providers for recovery and continuity, according to the Forbes Insights and IBM survey, less than half of them have confidence that vendors would meet their SLAs in case of emergency. 

In reality, both the business and the vendor should be accountable for network connection and data recovery. While the latter has its side of the bargain to deliver on, enterprises might well take a more aggressive stance on cloud uptime provision and immediate network recovery. Thus, employing a single network manager to provide for connectivity now can spare you from hiring a whole emergency support team later.

Challenges, not risks 

Cloud computing is a very young technology that is as attractive to potential adopters as it is intimidating. However, when examined closely, cloud-related risks are reduced to surmountable challenges.

For each of the “risky” aspects — security, cost of ownership, vendor lock-in, management difficulties and connectivity maintenance — the maturing industry is coming up with appropriate solutions. Cloud service providers also recognize the imperatives and fears of today’s enterprises and work to bridge the existing gaps, be it GDPR-compliant data processing or direct connectivity in hybrid clouds. Therefore, one may expect cloud software to become a more sustainable and safer option for enterprises in all verticals.


Andrey Koptelov

Andrey Koptelov is an innovation analyst at Itransition, a custom software development company. With profound experience in IT, he writes about new disruptive technologies and innovations in artificial intelligence and machine learning.

How CAT Models Are Extending to Cyber

The approach to models used for natural catastrophes is being applied to cyber, leading to a quick maturation in understanding the risks.

The insurance industry relies heavily on catastrophe modeling to set capital adequacy, adhere and respond to evolving regulatory requirements and stress test portfolios. The same is now increasingly true of the cyber catastrophe sphere, in which key areas of focus include how models can help with capital allocation, stress testing and informing development of underwriting guidelines and insurance products. Parallels can be drawn from the cyber catastrophe and natural catastrophe risk management sectors when modeling these risks.

The introduction of models provided critical insight into the potential for catastrophic claims for all risk policies or policies without clear exclusionary language. Historical events such as the April 1906 San Francisco earthquake (leading to unanticipated claims for fire policies), the 2005 Hurricane Katrina flooding (resulting in unanticipated claims for homeowners wind policies) and the 9/11 U.S. terrorist attacks (with unanticipated interpretation of war exclusions and of the definition of a single event), as well as the current unfolding of the coronavirus pandemic crisis, highlight the criticality of understanding the triggers and correlation of potential loss due to a single event.

In many cases, insurers paid losses to avert “reputational risk” and have since used models to provide insight into realistic structuring of policy, reinsurance and other risk transfer vehicles. Clear exclusionary language, endorsements and coverage-specific terms evolved over the decades in concert with evolving scientific knowledge of the risks and modeled loss potential. 

Today, we are seeing the same evolution with respect to insuring cyber risk, but over a highly compressed period, without the decades of experience of systemic insured loss events. Many cyber catastrophe risk managers attempt to apply the lens of current natural catastrophe models, with the same expectations for data resolution, data quality, catastrophic event knowledge and model validation. But by embracing the commonality of lessons learned from the evolution of the property catastrophe insurance market, we can prepare for an event considered to be a case of not “if” but “when.”

The role of data in models

A first common theme is to recognize that the understanding and availability of information for a rapidly evolving risk means that there is value in aggregate data in the absence of detailed data. This has been and is still the case for property catastrophes and is also the case for cyber catastrophe risk models. Confidentiality obligations in portfolio data as well as the lack of high-quality data are issues for all models. However, new sources of data as well as sophisticated data science and artificial intelligence analytics are being incorporated into models that provide an increased confidence in assessing the potential risk to an individual company or entity.

A second related common theme is the ability of catastrophe risk models to compensate for the lack of risk-specific data capture at the time of underwriting. This is where all catastrophe risk models add significant value, by providing context for what should be captured as well as what can be captured. In the case of cyber, this can include access to both inside-out (behind the firewall) and outside-in (outside the firewall) data. Inside-out data refers to aggregate data for segments of the economy, measuring the anonymized trends of security behaviors (such as frequency of software patching). Outside-in data is made up of specific signals that can be identified from outside an organization and that give indications of overall cybersecurity maturity (such as the use of unsupported end-of-life products).

A third commonality is the value in extrapolating the impact of past events into the future given evolving available data on the changing causes of frequency and severity of cyber events. The property catastrophe arena is grappling with very similar issues relative to the rapid and uncertain evolution of climate models. For cyber risks, history is not a predictor of the future in terms of modeling threat actors, the methods they deploy and the vulnerabilities they exploit. However, it is possible to examine historic data and the types of cyber incidents that have occurred while addressing the challenges in the way that information is collected, curated and used. This historic data is used against the backdrop of near-term threat actor and technological trends to understand future potential systemic losses due to large-scale attacks on bigger and more interconnected entities.

The role of probabilistic models

At the enterprise level, the market is struggling with how to assess potential aggregations within and across business lines. Event clash, in which a single event causes multiple loss triggers to policies and reinsurance treaties, is a key concern across all lines of business. Use of common cyber and other catastrophe risk loss metrics that can be combined across perils and lines of business is being explored. In addition, regulatory groups are considering requirements similar to property catastrophe risk to address solvency requirements relative to cyber risk.

In this environment, consistent and structured definitions of risk measures are critical for assessing and communicating potential systemic catastrophic loss. Both deterministic cyber scenario event analyses and probabilistic stochastic cyber event analyses are required. Given this context, cyber catastrophe risk models that can withstand validation scrutiny similar to property catastrophe risk models require the same level of rigorous attention to transparency in communication of model methodology.

Similarities… but some differences

There are some key differences between the systemic risks of natural disasters and cyber events. One material contrast is that cyber perils manifest with active adversaries seeking to cause malicious damage to individuals and companies globally. The factors affecting modeling include the changing nature of geopolitical threats, the dramatic increase in the use of digital means for criminal enterprises, the hyperconnectivity of developed economies and an ever-increasing reliance on networked technologies. Cyber event scenarios are developed to represent a range of potential systemic events in which technological dependencies affect individual insured companies, due to a common vulnerability or a “single point of failure.” Examples include common cloud service providers, payment systems, mobile phone networks, operating systems and other connected technologies. 

There are limitations in any model relating to cyber risk, given the inherent uncertainties. Nevertheless, these models provide valuable insights to better decision-making relating to capital planning, reinsurance and addressing regulatory issues. By learning from previous insurance shocks, we can support a more stable and resilient cyber risk insurance market.


Laurel Di Silvestro

Laurel Di Silvestro is principal client services manager at CyberCube. She is responsible for managing successful client adoption of a suite of CyberCube probabilistic cyber catastrophe risk management models and data products.

How Work Will Change in 'New Normal'

In the post-COVID world, organizations will need to prepare for pandemics and be able to react almost instantly once an infection appears.

The last several months have shown the fragile and connected nature of our global economy. If four months ago you had told someone that we would be in a situation with record global unemployment, historic government economic stimulus and people sheltering in place, all occurring in less than six weeks, you would have been met with disbelief and disdain. Our bitter reality, however, is that the changes that we have experienced in the last 60 days will continue and will accelerate the impact and consequences for the future.

In many ways, we have been contemplating our current situation for years, as evidenced by the numerous models, books and films that have all described a “post-apocalyptic” world that fundamentally changes society.  The previous contemplations were like an amusement park roller coaster experience, fun to momentarily experience the fear and uncertainty, but then easy to return to solid ground when the ride was over. The primary issue is that the entire world is now on the roller coaster and desperately wants to get off but has to wait for the ride to end.  

Several authors who focused on historical crises and their long-term impact see common patterns. The crises create fundamental shifts in society, business and culture. The Covid-19 situation will inevitably lead to some of the greatest changes we have seen in the last 100 years.  

One of the primary factors underlying our future “new normal” is the steady march to more detailed and prevalent public information about people and their physical state. We have been moving down this path for many years through the ubiquitous sharing of data in both social and business settings. Facebook, Twitter, Instagram and a slew of other software are primarily designed to be data sharing platforms. The virtual sharing of data is done literally by everyone, regardless of age, gender, race or socioeconomic status. In our post-pandemic world, data that describes our health and physical state will become more valuable than currency.

Narrowing this data focus on the worker, the new normal will be greatly different than what we left behind just 90 days ago. First, and most importantly, worker health and safety will be monitored and evaluated more than ever from a strategic, operational and financial perspective. 

Strategically, companies will need to rethink worker roles, locations, supply chain and output models. The work from home shift for a majority of historically white collar industries occurred in a matter of hours. Our networking infrastructure, software and excess home working space were quickly converted into a new working model. Moving forward, this more fluid work model will continue with an inevitable reduction in physical office space and the ability to work within different environments. Company campuses will become virtual; physical location will be secondary; interaction will be through a digital camera and microphone. The consequences of this shift are still developing and will change the office working model.

For those blue collar workers where the worker’s body is the means of production, there will also be fundamental shifts. Tracking of worker-specific data and location will become commonplace. Prior to the “new normal,” we saw regulation and case law about the use of biometric data and limitations based on privacy concerns. The new normal, however, will require that people expose specific biometric data (temperature, antibodies) to ensure that workers are not creating or accepting undue risk. Access to locations will be based on a physical and biometric review of workers and will inevitably extend to clients, customers, vendors and any others within company locations. A driver's license and other forms of ID will now include your health card and current physical state.

On the foundation of this additional information, the speed of risk identification will become a primary metric, and the ability to respond will become a determination of operational and management efficacy. The experience with cyberattacks provides a good parallel. An organizational leader’s responsibility is to make reasonable and rapid efforts to protect the organization and its assets from cyberattacks. We have seen large D&O cases brought for the failure to meet these reasonable standards. A similar effect will occur with infectious diseases, related to how to mitigate and avoid the risk across an organization. The organization's need for identification and response will be measured in minutes.

In 12 months, the only accurate statement is that the world will be a much different place than today. The “new normal” will include the use of people’s personal health and biometric scanning. Temperature scanners will be implemented for access to locations including work, school and entertainment. Our personal data tracking and sharing will take on greater importance, to show employers, public entities, schools and others our current state of health and ability to safely interact with others.

Technology and data are, and will continue to be, the primary driver of this awareness for our health and safety. As more people are willing or required to share data for the collective safety in the connected world, our privacy standards will evolve.  

The direction is clear. Data creates insight, insight creates action and action avoids risk.


Doug Turk

Doug Turk is a recognized innovator and leader with extensive experience in starting, growing and managing organizations. His career spans over 20 years in both technology and insurance.