
Where to Start on Cyber Security?

Because of the recent and hugely public spate of cyber “events,” the world of cyber security and subsequently cyber insurance is firmly in overdrive. According to the UK Department for Innovation & Skills, 81% of large businesses and 60% of small businesses suffered a cyber-security breach in the last year, and the average cost of breaches to business has nearly doubled since 2013.

We have all seen the headlines, from Sony last year to British Airways earlier this month to the French TV channel TV5Monde. Each of these has a material impact not only on the organization's ability to do business but also on its brand and reputation with customers, employees and partners.

Sony was clearly hugely public, by far one of the biggest and most public I have seen hit the news for a long time. It was all over most news channels, causing outcry from customers and employees, some of whom threatened to sue their employer or former employer for failing to protect their data. Sony, of course, has had many attacks, including one taking down its PlayStation online platform for days on end. As for BA, the first I heard of this was an email saying, “Someone has accessed your account.” Please come change your password! This is the brand that I trust with my personal details, my location and much more.

Finally, TV5Monde seems to be particularly worrying to me. In a scene that reminded me of the wonderfully played Elliot Carver from 007’s “Tomorrow Never Dies,” the media giant was quite simply disabled, their TV taken off air, their public online presence taken over and more. An attack of this scale and power to me simply highlights what Hollywood has been portraying for years (remember “Die Hard,” where the bad guys take over the airport by hot wiring a few cables nearby?). Interestingly, subsequent reports again point to human error here – for instance, a TV interview showed passwords stuck to Post-It notes.

If we are in any doubt about the frequency, scale and impact of attacks, I found a great website (www.informationisbeautiful.net) recently that visualizes some of the data breaches by year, industry, size, reason and more; see here for the full interactive chart.


Cyber threats have been defined by many; however, as with many other critical business issues, lots of other things are being added to the overall “cyber” definition. The recent report from the UK Government on UK cyber security: the role of insurance talks through both the threat and, importantly, the opportunity for insurers.

The World Economic Forum in its 10th Annual Global Risks Report has cyber risks up with water crisis and natural catastrophe and ahead of WMD, infectious disease and fiscal crisis (in terms of likelihood of occurrence). Given what we have all experienced in the last recession, I don’t think we could have a stronger wake up call.

Figure: Top Global Risks According to the World Economic Forum

For now, and certainly as I write today, there is a small correlation between cyber-attacks and loss of human life. However, as we become ever more connected with IoT (Internet of Things) or IoE (Internet of Everything), future devices will all be connected. In the latest report, the government said that 14 billion objects are already connected to the Internet, 40 million of them in the UK. By 2020, it could be as many as 100 billion worldwide.

The upside of being able to monitor your heart pacemaker or your insulin levels from an app is already upon us; “wearables” is the buzzword for 2015. When these devices move from monitoring to controlling, the threat just increases. A cyber-attack at a local level, shutting down a hospital, airport, city traffic system, taking over a driverless car or airplane – it’s far too easy to paint a picture here.

What’s the role of the insurer in all of this?

The insurance provider has a huge role in this, not only to pick up the pieces when an event occurs, but also across the entire lifecycle. At the outset, we have an opportunity to better educate the market on cyber risks in general, in creating insurance capacity for the event and ultimately better prepare ourselves for the continuing advancement and frequency of attacks.

This goes far beyond the cyber essentials to better prepare small and medium-sized businesses (SMEs) and large enterprises alike. This is not collecting a badge; this is time to get ready for a battle. Not just a battle against cyber threats, but a battle for your reputation and brand. A brand that says to your employees, customers and partners, you can trust me with your information – I have a plan in place that’s tried and tested! The government scheme has covered the bare minimum essentials, which is like passing your driving theory test. We need expert drivers here to navigate roads no one has previously seen.

The UK, and the London market specifically, is already well-placed given its deep experience in insuring against specialty risks, but capacity in the market will continue to increase as the threats and frequency of events increase, giving rise to new, more tailored products and opportunities for the entire market. How long will it be before we all have our own personal cyber insurance policy?

Move to prevention rather than cure

We need to better help organizations truly understand the cost of putting this right after the event. As an example, some estimate that the Target breach in the U.S. has cost the company north of $100 million to correct. In the early earnings call post the event, Target executives said, “The breach resulted in $17 million of net expenses in the fourth quarter…, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable.”

Hindsight is wonderful, but perhaps a fraction of this upfront would have saved this money and, importantly, provided time to focus on the business strategy, not remedial work.

Reputation, Reputation, Reputation

It’s already been widely discussed, but insuring an organization’s reputation is challenging for a number of reasons. Of course, almost anything can be insured, but defining what the impact is and then working out what you need to be covered for will no doubt bring additional challenge for something that most would describe as intangible. The Insurance Times has a good piece here on this.

More importantly, what’s the short-, medium- or long-term impact and value on the reputational damage? Take your favorite or most-used retailer, give it all your personal financial data and shopping habits. It then suffers a breach – how likely are you to use or recommend the retailer again? Maybe you would forgive it for one breach; what if it happened again? It’s too easy to move. I read that in the UK you are more “likely to suffer a theft from your bank than a physical burglary” these days.

Does this affect your future choice? How long does it take you to re-establish trust with your customers, employees and partners?

Typically, reputation risk is around 5% to 20% of cyber cost. However, in reality, it’s the gift that can keep on giving, that no one really wants.

What if you are an online-only business? What if you were the ones who disrupted your market through technology, and now that has been taken away from you? You don’t have the luxury of physical outlets as a backup or alternative part of your business plan. Dealing with other breaches such as shoplifting has been an occurrence since retail began, but these were isolated to the individual locations.

SMEs, especially, are not as well-equipped. On one hand, digital makes access open to anyone to create a new business, but on the other hand we must now factor in the cost of doing business online, of which cyber is now a business-critical part.

What do you think?

Are we prepared and doing enough across the sector?
Is this at the forefront of your business continuity strategy?
Have you a plan in place to protect your employees, customers and partners?
Do you have adequate cover that is well-enough defined?
Are you investing ahead of the curve to prevent it?

The FIO Report on Insurance Regulation

The December 2013 issuance of the Federal Insurance Office (FIO) report, How to Modernize and Improve the System of Insurance Regulation in the United States, may in hindsight be regarded as more momentous an occasion for the industry and its regulation than the muted initial reaction might suggest. History’s verdict most likely will depend on the effectiveness of the follow-up to the report by both the executive and legislative branches, but current trends in financial services regulation may serve to increase the importance and influence over time of the FIO even in the face of inaction in Washington.

Insurance regulation has traditionally been the near-exclusive province of the states, a right jealously guarded by the states and secured by Congress in 1945 after the Supreme Court ruled insurance could be regulated by the federal government under the Commerce Clause of the Constitution.

Any fear that the FIO report would call for an end to state regulation proved unfounded, but industry members might be well-advised to prepare for the eventualities that may result as the FIO uses both the soft power of the bully pulpit and the harder power of the federal government to achieve its aims. As the designated U.S. insurance representative in international forums that more and more mold financial services regulation, and as an arbiter of standards that could be imposed on the states, the FIO and this report should not be ignored.

Having met with the FIO’s leadership team, we believe there are concerns that uniformity at the state level cannot be achieved without federal involvement. We further believe the FIO plans to work to translate its potential into an actual impact in the near future, making a clear-eyed understanding of the report and what it may herald for insurers a prudent and necessary step in regulatory risk management.

The concerns

The biggest surprise about the FIO report may well have been that there were no surprises. There were no strident calls for a wholesale revamp of the regulatory system, and praise for the state regulatory system was liberally mingled among the criticisms.

The lack of any real blockbusters in the details of the FIO report may seem to lend implicit support to those who foresee a continuation of the status quo in insurance regulation. But, taken as a whole, this report and the regulatory atmosphere in which it has been released should be considered a subtle warning of changes that may yet come.

The report may quietly help to usher in an acceleration of the current evolution of insurance regulation. The result could be a regulatory climate that offers more consistency and clarity for insurers and reduces the cost of regulation. The result could also be a regulatory climate that offers more stringent regulatory requirements and increases both the cost of compliance and capital requirements. Most likely, the result could be a hybrid of both.

Either way, preparing to influence and cope with any possible changes portended in the report would be preferable to ignoring the portents.

Part of the disconnect between the short-term reception and the long-term impact of this report may be because of the implicit FIO recognition in the report of the lack of political will needed to enforce any real changes in current U.S. insurance regulation, most especially any that would require increased expenditures or personnel at the federal level. In our current economic and political environment, plugging gaps in state regulation by using measures that would require federal dollars may quite reasonably be construed to be off the table.

But the difference between identified problems and feasible solutions may offer an opportunity. States, industry and other stakeholders could act together to bring needed reform to the insurance regulatory system in a way that adds uniform national standards to regulation, reduces the possibility of regulatory arbitrage and maintains the national system of state-based regulation, all while recognizing the industry’s strengths and needs and not burdening the industry with unnecessary, onerous regulation.

There is much to praise in the current state regulatory system. A generally complimentary federal report on the insurance industry and the fiscal crisis of the past decade noted, “The effects of the financial crisis on insurers and policyholders were generally limited, with a few exceptions…The crisis had a generally minor effect on policyholders…Actions by state and federal regulators and the National Association of Insurance Commissioners (NAIC), among other factors, helped limit the effects of the crisis.”

While the financial crisis demonstrated the effectiveness of the current insurance regulation in the U.S., it is also evident that, as in any enterprise, there are areas for improvement. There are niches within the industry – financial guaranty, title and mortgage insurance come to mind – where regulatory standards and practices have proven less than optimal.

There are also national concerns that affect the industry. The lack of consistent disciplinary and enforcement standards across the states for agents, brokers, insurers and reinsurers is one obvious concern. Similarly, the inconsistent use of permitted practices and other solvency-related regulatory options could lead to regulatory arbitrage. At a time when insurance regulators in the U.S. call for a level playing field with rivals internationally, these regulatory differences represent an example of possible unlevel playing fields at home that deserve regulatory attention and correction.

A Bloomberg News story in January 2014, for example, quoted one insurer as planning to switch its legal domicile from one state to another because the change would allow, according to a spokeswoman for the company, a level playing field with rivals related to reserves, accounting and reinsurance rules.

For insurers operating within the national system of state-based regulation, one would hope that that level playing field would cross domiciles, and no insurer would be disadvantaged because of its domicile in any of the 56 jurisdictions.

But perhaps one of the greatest challenges to the state-based system of regulation is the added cost of that regulation, partly engendered by duplicative requests for information and regulatory structures that have not been harmonized among states. How to respond to that may represent the biggest gap in the FIO report. It may also be the biggest opportunity for both insurers and regulators to rationalize the current regulatory system and ensure the future of state-based regulation.

Cost

The FIO report notes that the cost per dollar of premium of the state-based insurance regulatory system “is approximately 6.8 times greater for an insurer operating in the United States than for an insurer operating in the United Kingdom.” It quotes research estimating that our state-based system increases costs for property-casualty insurers by $7.2 billion annually and for life insurers by $5.7 billion annually.

According to the report, “regulation at the federal level would improve uniformity, efficiency and consistency, and it would address concerns with uniform supervision of insurance firms with national and global activities.”

Yet the report recommends replacing state-based regulation not with federal regulation but with a hybrid system of regulation that may remain primarily state-based but does include some federal involvement.

At least one rationale for this is clearly admitted in the report. As it says, “establishing a new federal agency to regulate all or part of the $7.3 trillion insurance sector would be a significant undertaking … (that) would, of necessity, require an unequivocal commitment from the legislative and executive branches of the U.S. government.”

The result of that limitation is a significant difference between diagnosis and prescription in the FIO report. Having diagnosed the cost of the state-based regulatory system as an unnecessary $13 billion burden on policyholders, the FIO's policy recommendations may possibly be characterized as, for the most part, the policy equivalent of “take two aspirin and call me in the morning.”

Still, as the Dodd-Frank Act showed, even Congress can muster the will to impose regulatory solutions if a crisis becomes acute enough and broad enough. Unlikely as that may now seem, the threat of federal radical surgery should not be what is required for states to move toward addressing the recommendations of the FIO report.

Indeed, actions of the NAIC over the past few years have addressed much of what is in the FIO report. Now the NAIC, industry and other stakeholders can take the opportunity provided by the report to work to resolve some of the issues identified in it. The possible outcome of an even greater federal reluctance to become involved in insurance regulation would only be a side benefit. The real goal should be a regulatory system that is more streamlined, less duplicative, more responsive, more cost-efficient and more supportive of innovation.

Kevin Bingham has shared this article on behalf of the authors of the white paper on which it is based: Gary Shaw, George Hanley, Howard Mills, Richard Godfrey, Steve Foster, Tim Cercelle, Andrew N. Mais and David Sherwood. They can be reached through him. The white paper can be downloaded here.