Tag Archives: mayer

4 Keys on Cyber-Risk Accumulation

As the sale of cyber policies grows and other types of policies are extended to include cyber coverage, the industry is taking on a massive amount of new risk. Although it is true that auto, workers compensation, environmental policies and so many others were all new offerings at one time, there are some things about cyber that make it more unusual, more uncertain and more potentially dangerous for the insurance industry than new offerings of the past.

Simultaneity

It is entirely possible for hackers to plan and launch simultaneous attacks on a large number of targets. Those targets may be corporations, infrastructure such as power plants, government bodies, hospitals, or any other type of entity.

If a successful, very harmful simultaneous attack, whether ransomware, malware, or any other type of IT weaponry, was to be made on a sizeable number of entities, the losses occurring at one point in time could create serious liquidity pressures and even jeopardize solvency for an insurer.

See also: Urgent Need on ‘Silent’ Cyber Risks  

Individual insurers are modeling their aggregate exposures, but are they doing it comprehensively enough? Analysis must take into account not only the limits and reinsurance on their cyber policies (including such add-ons as contingent business interruption or other enhancements) but also what level of coverage is afforded in existing casualty and property policies as well as any other policies that may be triggered (such as D&O, E&O, reputation, etc.). In addition, correlated risks that have nothing to do with claims liabilities per se should also be considered. For example, what will they do if their contracted vendor networks, which are supposed to help insureds after a breach, are not resourced sufficiently to handle simultaneous attacks.

Ubiquity

Given the global nature of the internet, attacks may be not only simultaneous but ubiquitous. The entities affected may be all over the world. An insurer that relies on geographic diversity to protect its capital can lose the benefit of diversification when it comes to cyber.

A global event or series of events could have significant capital implications for insurers that have considered their cyber portfolio in part rather than in whole.

Unpredictability

There is scant history upon which to base underwriting and pricing decisions when it comes to cyber. The earliest policies were geared toward system failures, not cyber attacks. More recent policies were focused on data breaches and stolen data and the actual cover involved handling some of the expertise needs and certain expenses post breach. Now, cyber policies are dealing with ransomware attacks and cover business interruption and other loss. This is heady stuff when there are no historical patterns to use in predicting frequency and severity as there is with property or workers compensation. Ransomware attacks continue to escalate at a rapid pace. Who knows how much faster or greater this trend line will grow.

Some cyber attacks have been targeted while others are random. In either case, they test the ability of insurers to make predictions. This, in turn, makes it difficult for actuaries to price the product appropriately. How much business should an insurer write of a particular kind until it can be sure the business is priced correctly for the exposure?

A random attack might seem to better fit the principle of insuring against fortuitous events, however, it does mean that an insurer that relies on customer segment diversity to protect its capital can lose the benefit of such diversification. This is similar to the situation mentioned above in connection with geography.

A targeted attack will likely strike an entity (or entities) with the most money, records or other treasure worth capturing or destroying. Hence, the losses generated will be greater.

Initial attacks were focused mostly on retailers with hospitality and with banking and healthcare following. The great fear is that power and infrastructure will be next. The impact from attacks on power and infrastructure could be catastrophic in the extreme.

The flexibility to strike randomly or with fixed intent leaves underwriters in a quandary about which classes of business are riskier than others. How, then, can they manage their customer mix as do with other lines of business?

See also: What if You Had a Cyber Risk Score?  

Sponsorship

Hackers can work alone or in groups. They can also be actors for foreign governments. When Marissa Mayer spoke about the Yahoo attack, she commented on the unevenness between a company’s attempts at IT security versus an attack potentially perpetrated by a nation state. This phenomenon is something insurers must consider when parsing the words in their contracts. To what extent should there be exclusions, as there are in terrorism policies or other policies that exclude acts of war? To what extent is a future federal backstop needed?

Conclusion

This is not to say that cyber insurance should not be offered. Society has a protection need, and insurers have been answering that need since the first handshake at Lloyds. In addition, this line of business has been streaming new revenues into an industry that, in recent years, has had excess capacity. Rather, it is to say that insurers must put robust and innovative solutions in place to manage aggregation risk.

3 Ways AI Improves P&C Economics

It’s crunch time for P&C. Investment yields are declining while combined ratios are holding up in the 97% range.  This has P&C insurers wondering: “What can we change in our operations to improve our economics?

Conclusive answers are now coming from the field of cognitive technology, the variety of artificial intelligence that deals with knowledge and textual information.

In this post series, I want to share three areas where cognitive is delivering unprecedented productivity gains and insight, and leading to deep changes in how P&C insurers do business.

Why cognitive technology is a great match for P&C

P&C insurance is particularly people- and paperwork-intensive. Both underwriting and claims management revolve around the production or retrieval of information from documents – a policy or a claim package – that capture the specifics of the insured’s case. These are particularly time-consuming tasks that up to now have entirely fallen into the lap of human operators and typically represent 20% of the combined ratio.

What cognitive technology brings to this picture is its ability to read documents much in the same way humans do, in a fraction of the time. It automatically harvests a case’s characteristic pieces of information and reasons on them. This reduces the time operators need to spend on such tasks from hours to seconds. As a result, insurance professionals can focus on the highest-value areas of their jobs, such as decision-making, rather than the more time-consuming, menial tasks. And it takes significantly less time to service a case.

See also: P&C Insurers: Come Out of the Dark Ages  

As a first example, let’s look at how this plays out in claims.

Accelerate Claims

  • Automate claim routing
  • Summarize key claim characteristics
  • Suggest claim valuation
  • Focus claim handlers on high value activities

Because claims workflows critically depend on proper information flows, grooming even ancillary information may take up a disproportionate share of claims handlers’ time. Cognitive technology alleviates a large part of this issue.

When dealing with automotive claims, for example, it can review claim packages automatically to evaluate their complexity and route them accordingly, recover essential aspects of accident descriptions to support liability determination and suggest an appropriate settlement value based on the facts of the case, such as which injuries were incurred, what medical tests or treatments were applied, what the medical history is and how the prognosis looks. Overall, this accelerates the claims workflow and helps claims handlers focus on the highest value part of their work: decision making.

A second area where cognitive plays well is underwriting.

Accelerate Underwriting

  • Consistently grade risk and flag exposure
  • Accelerate quotes
  • Optimize risk engineers’ time

An essential part of underwriters’ jobs is to evaluate the risk profile of the customer they will be insuring. In commercial property insurance, for example, this involves analyzing third-party risk reports that describe the facilities to be insured, their particular risk factors (such as building combustibility, presence of flammable materials …) and mitigators (smoke detectors, sprinklers, fire extinguishers, site surveillance …).

Cognitive technology quickly and consistently extracts each of these indicators and reports an overall, evidence-based, risk grade to the facilities. This means risk engineers can allocate more of their time to direct verification of the most complex cases, and underwriters can turn around quotes on new policies faster.

When applied to the review of existing policies, cognitive can analyze clauses and compare them to reference policies to flag misalignments and excessive exposure. This means underwriters can more easily prioritize which clauses of a policy they may need to renegotiate in the future.

See also: P&C Core Systems: Beyond the First Wave  

That’s it for today, but in part 2 of this series we’ll look at a third area where cognitive can help, as well as some ideas on how you can start building a business case for applying cognitive to your own business. If the suspense is too hard to bear, you can also download the full white paper here.

Let’s discuss it! My co-author Pamela Negosanti and I are curious for your insights. If you’re involved in applying cognitive to insurance, we’d love to know how you see it from your vantage point — so please share your thoughts below and let’s connect.