COVID: Agents’ Chance to Rethink Insurance

When dealt a hand of cards, the goal is to play them as best you can. In other words, be constructive. The COVID-19 virus has given agents a wonderful opportunity to rethink insurance in general and their operations specifically. I’m going to start with a brief synopsis of what insurance is designed to protect.

Many writers have written that the pandemic is a Black Swan event (a few creative writers have stretched for more exotic animals, but a Black Swan is more applicable to insurance). Black Swan events were brought to the financial world’s attention through Nassim Nicholas Taleb’s book, “The Black Swan,” which gained considerable popularity for its seemingly prescient prediction of the credit crisis. Taleb considers how luck, uncertainty, randomness and risk all coincide and how, as the subtitle suggests, The Impact of the Highly Improbable can be managed.

The pandemic was absolutely expected by the scientific community, if not by regular citizens and politicians. I think one might conclude that insurance carriers expected it, too, because of the exclusions they built into their policies. Insurance is designed for Black Swan events, but in many ways carriers, agents and the public have lost this perspective. Insurance is designed to restore the policyholder to the financial status (a balance sheet position) enjoyed immediately prior to the unexpected loss. Insurance would not be affordable if the losses were expected. Those are maintenance policies.

Moreover, insurance would not be affordable if the events were unexpected but occurred frequently. A really good example of how insurance companies have lost track of this point is in my home state of Colorado. For some reason, insurance company after insurance company has opened up in this state for property without realizing that hail happens all the time in all of the major population centers. Hail should be expected to affect a large number of properties on a fairly regular basis, if on an irregular schedule.

A good play to make with poor cards is to simply rethink and go back to the basics of what insurance is designed to do. Then, build your agency and value proposition to clients from there. Insurance is a fantastic tool for reinstating a person’s wealth to its position immediately prior to a highly unexpected and relatively rare event. While auto crashes occur all the time, auto crashes per capita are relatively rare, and outside of fraud, always unexpected.

E&O claims often occur because agents fail to address unexpected and rare events. Business income coverage is a great example in this environment. Business income claims are virtually always unexpected and are among the rarer insurance claims. Insureds are, therefore, less likely to recognize this exposure as an important insurance coverage. Agents are less likely to recognize it, too (ignoring for the moment most agents’ lack of adequate understanding of this coverage). If both parties fail to recognize its importance, the odds of an insured having adequate coverage if an unexpected business income claim occurs are low.

I read a quote from a business owner who had a pandemic-related business income claim denied. He said something to the effect of, “But that is what I thought insurance was for! That is what I thought I’d bought.” I don’t know anything about that particular claim, but my guess is that he never read his policy and maybe even if he did read it he did not understand the need for pandemic business income coverage. There is no reason to expect he should have.

Humans have an incredibly difficult time understanding the unknown. Humans do not have a great ability to appreciate the importance of Black Swan events. (I encourage you to read Taleb’s book “The Black Swan” and his book on fragility, “Antifragile: Things That Gain From Disorder.”) Yet insurance is designed for Black Swan events. Arguably, insurance is designed for larger-probability events than Black Swan events but still at the tail end of the normal curve. This is why actuaries are employed. This is also why claim stories are so much fun and fascinating and often earn the sobriquet of, “You can’t make this stuff up!” You can’t make up the claims stories, because they are rare and unexpected.

This re-established insurance foundation provides the cornerstone for helping manage the agency, remotely or otherwise, helping clients and navigating insurance distribution going forward. There are two classes of insurance agents — “order-takers” and “professionals.” Agents who are order-takers work from the assumption or presumption that insureds know what rare and unexpected claims they want insurance to protect. The insured orders these coverages, and the agents obtain those coverages to the best of their ability. It’s pretty simple, except that most insureds have a limited knowledge of what the unexpected events are for which they are likely to need coverage, and, in my experience, most order-taking agents are even less knowledgeable. The blind leading the blind is a great combination for eventual disputes, unhappy clients and E&O claims.

Going forward then, managing the agency should perhaps start with deciding whether your agency will be an order-taker or a professional agency. Once you make this decision, you can then best determine how to manage your agency and help your clients. Because, as an order-taker, you will not be making thorough coverage recommendations, if any recommendations at all, the key is going to be speed and low cost.

These are the benefits you will thrive upon because these are the benefits best appreciated by this class of customers. You will want to hire people focused on speed and efficiency. You will want to invest in technology that emphasizes speed and low cost. The entire agency must be focused on speed and low cost.

This may mean online quoting systems. It may also mean hiring employees who can process emails, calls, paper, etc. at a fast pace but are not skilled in insurance coverages. The technology used is different from the technology of professional agencies because coverage analysis, intimate meetings with clients — “close” work, in other words — is unnecessary in the order-taker environment. Employees who fit the order-taker environment will have a different personality than those who focus on coverages. Hiring specific to your model is vital.

From an E&O perspective, the historic middle ground is being eliminated due to the pandemic. The lines are being drawn more clearly than ever. Agents need to choose to operate as one type of agency or the other because the middle ground has become a dangerous trap. The best way to play this hand of cards is to fold on the strategy of following the middle ground.

The professional agent will focus on hiring people who have excellent communication skills, great insurance technical knowledge and critical thinking skills. These three skills are mandatory for “close” client work at the professional level. These people will educate clients on their exposures. Exposures are common and identified. The question is whether, once a client understands the exposures, the client wants to buy insurance for the unlikely event that an accident (unexpected) occurs relative to that exposure. The education required for this kind of service is challenging, and not everyone has the skills or patience to achieve it.

The technology required for a professional agency is different from order-taking agencies because quality Zoom-like meetings will be far more important. The agencies will probably want to train their people on Zoom backgrounds, voice delays and other improvement protocols and will likely find ways to meet in person with clients when possible. These agencies will, more than ever, focus heavily on insurance technical training.

No universal answer exists to this paradigm change other than deciding which kind of agency you will be. Just like a hand of cards — other than the fact that every hand needs to be played — no universal answer exists. Be constructive and decide who you will be going forward. Decisions become much, much easier when you know your point of origination.

You can find this article originally published here.

Growing Risks of Social Inflation

“Social inflation,” an on-again, off-again issue for the insurance industry for more than four decades, is on again as a major factor in insurance claims and, thus, rates. The issue, related to beliefs and trends that lead people to expect ever-higher compensation and for juries to grant it, has been growing for several years and seems to have accelerated since last summer.

The pandemic and the economic crisis that resulted may exacerbate the problem for insurers — or may mute it. There are arguments on both sides. Some see social inflation being dampened as financially strapped people and businesses become more willing to settle a claim and as the logistical complications that come with less face-to-face interaction drag out negotiations and judicial proceedings. Some see social inflation increasing as people feel wronged and try to take out their anger on those that they distrust and that have enough assets to make them tempting targets — read, insurers (among others).

Me? I see the pandemic boosting social inflation.

The term goes back at least to 1977, when Warren Buffett used it in his annual letter to shareholders of Berkshire Hathaway. The issue is often described in extreme terms — like the guy who sued for $67 million over a $10 dry cleaning bill — but shows up in all sorts of more pedestrian ways. People increasingly are inclined to bring the lawyers in, rather than take the settlement offer from an insurer, and claimants insist on higher amounts. The problem builds on itself — this is the “social” part of the inflation — because who wants to take what feels like a lowball offer when others have been receiving more in similar situations? (The dry cleaning plaintiff lost his suit and had to pay court costs, but no one seems to remember that part of the story.)

The issue surfaced from time to time in the decades since Buffett used the term, then steadily increased starting five or six years ago, according to this white paper from The Institutes. The paper notes that, from 2013 through 2018, commercial auto claim losses increased at an annualized rate of 10.9%, compared with a 1.0% annualized rate in the prior six years. The trends were similar in personal auto and medical malpractice. In product liability, incurred losses grew at an annualized rate of 17% from 2014 through 2018, after decreasing at an annualized rate of 7.1% in the prior five years. 

These trends became very public last fall when Travelers added hundreds of millions of dollars to reserves and cited social inflation.

To understand where we go from here, it may help to look at what The Institutes’ white paper lists as the main drivers of social inflation. I’ll quote from the paper and address each issue, or group of issues, in turn.

“Changes in underlying beliefs about the appropriateness of filing lawsuits and expectations of higher compensation”

Although it’s hard to predict what will drive “underlying beliefs,” the white paper says that income inequality has driven many people to demand more and notes a general distrust of corporations. The result is anger.

The paper says: “In its 2019 annual report on emotional states around the world, Gallup reported that 22% of Americans reported feeling angry ‘during a lot of the day yesterday’ — the highest level of anger measured by Gallup in more than a decade.”

Although Gallup didn’t ask people to identify the source of their anger, I’m sure we can all imagine some reasons, and I’d guess that anger has risen, not dropped, in the crazy year that is 2020.

So, I suppose it’s possible that financially strapped people and businesses will be more inclined to settle, but I don’t, in general, expect that people will become less litigious or demanding of compensation.

“Rollbacks of previously enacted tort reforms intended to control costs

“Legislative actions to retroactively extend or repeal statutes of limitations”

If we project those factors forward to imagine the likely effect of the pandemic, it’s hard to see legislatures taking any actions on tort reforms or statutes of limitations that would reduce social inflation. State legislatures have been moving in the other direction, with many trying to find ways to make insurers liable for costs of the pandemic even when business interruption policies don’t cover such costs. And, if people remain angry, well, legislators who want to be reelected (as in, all of them) tend to react to anger among citizens.

“Increased attorney advertising and increased attorney involvement in liability claims

“The emergence and growth of third-party litigation financing

“Increasing numbers of very large jury verdicts, reflecting an increase in juries’ sympathy toward plaintiffs and in their willingness to punish those who cause injury to others

“Proliferation of class-action lawsuits”

If people do somehow change their underlying beliefs about filing lawsuits and about seeking big awards, then, yes, these drivers of social inflation will fade. But history suggests that it’s wrong to expect society to become less litigious. When Thomas More was chancellor of England under King Henry VIII in the 1530s, he often had no cases on his docket. When John Jay was the first chief justice of the U.S. Supreme Court, he heard only four cases and resigned after six years, in 1795; he was elected governor of New York and thought that position was more important. As for litigation today….

Lawyers have made loads of money through advertising and “litigation financing” — having third parties provide funds so plaintiffs can afford to continue a court fight much longer than they could have on their own — so lawyers won’t back off unless there’s a huge change in public attitudes.

Lawyers have also become more effective at winning “nuclear verdicts” — judgments that are at least $10 million and that can reach the billions of dollars — by tapping into what is referred to as the “reptile brain” of jurors. The strategy tries to trigger the “fight or flight” response in people, using techniques to make them so scared of the defendant that they react in a highly instinctive, emotional way that overwhelms rational arguments.

If the approach is working — and it certainly seems to be producing bigger jury verdicts — why would lawyers back off?

While the pandemic has made all of us humbler about our ability to predict, I just don’t see any reason to expect social inflation to abate because I don’t see any of the pressures going away. I think that the pandemic will encourage cash-strapped people and businesses to ask for bigger settlements and that sympathetic juries will be inclined to go along.

Stay safe.

Paul

P.S. Following my own advice from last week’s Six Things about the need to find a devil’s advocate to challenge your thinking, I found a very different take on social inflation. Here is a consumer group, affiliated with a law school, arguing that insurers manufacture social inflation claims to justify rate increases.

P.P.S. Here are the six articles I’ll highlight from the past week:

The Real Disruption of Insurance

The future of insurance isn’t incremental change: Technology is enabling direct threats to carriers, not just their partners and providers.

Expanding Options for Communications

Messaging and platforms, business texting, chatbots, voice and even augmented reality can help customers–while cutting costs.

How to Thrive Using Emerging Tech

A survey finds that 75% believe AI can provide a competitive advantage through better decision-making, and early adopters report gains.

Optimizing Experience for Life Beneficiaries

Focusing on beneficiaries can not only help facilitate the claims process but also provide life insurers with opportunities for growth.

4 Keys to Agency Modernization

Agencies must modernize to survive, but where do you start? Here are four guideposts that can help.

COVID-19: Next Steps in Construction

As more projects resume, contractors can draw lessons from areas where work was never halted to reduce risks and rebuild momentum.

Mental Health Even More Critical Now

Mental health is in the forefront as an impact of the coronavirus pandemic. A new article in The Atlantic discusses widespread increases of anxiety, depression and substance abuse since the onset of COVID-19. A Kaiser Family Foundation survey found that this public health crisis has hurt the mental health of 56% of adults. The manifestations of post-traumatic stress – from spontaneous conflicts in retail stores to healthcare workers taking their own lives – have become common on the daily news.

Now, more than ever, the mental health of employees in the workplace is an immediate concern for employers. The impacts on productivity, quality control and business continuity are there alongside the health and safety of all workers. Financial insecurity and lost jobs raise concerns over workplace violence. For many workers, their home has become their new workplace, and adverse impacts of domestic and child abuse are emerging with disturbing frequency.

A variety of mental illness factors cost American employers more than half a trillion dollars annually. Investment in improving employee mental health and alleviating some of the stresses causing anxiety and depression yield valuable human and economic returns. Employers can take concrete actions to help their employees get the assistance they need.

Remove the Stigma of Mental Illness — Although it has been almost 25 years since passage of the Mental Health Parity Act, which considers mental illness on the same basis as any other illness, the stigma of mental health hangs on. Mental illness is too often viewed as a weakness, those who suffer from it characterized as “disturbed,” or worse, and the troubles it causes as “all being in your head.” The truth is that mental illness is real illness and requires treatment in the same way that cancer, diabetes or pneumonia does. By communicating supportively and offering real help for employees’ mental health, employers can break down the stigma and encourage early treatment before mental health issues become a crisis.

Communication That Educates — Employers that deal with workplace mental health realistically are doing more than just eliminating negative attitudes about mental illness. They are educating employees on how mental health affects their work, teaching them valuable skills for managing stress and resolving the kind of issues that lead to depression, anxiety or burnout. Resources for educating the workforce in stress reduction, conflict management and personal resiliency are among the training available through Keenan SafeSchools/Keenan SafeColleges/Keenan SafePersonnel platforms.

Supervisors Who Are On Board — Your supervisory and management team are the front line who work directly with the most employees. Just as important as general employee education on mental health, educating supervisors about mental health and supporting their employees helps mitigate the impact of mental illness in the workplace. An empathetic relationship between supervisors and their employees is a key success factor in addressing potential mental health issues early and encouraging the use of available mental health resources.

Professional Assistance Through Employee Benefits — Mental health benefits are vital to employees getting the treatment they need for mental health conditions. As one of the Essential Health Benefits provided under the Affordable Care Act (ACA), employer-sponsored health plans generally provide the range of treatments to address workplace mental health. In addition, an Employee Assistance Program (EAP) is effective for intervention for many immediate issues and response to major crises. These benefits make a real difference in people getting help without creating a financial burden or forgoing treatment altogether.

Employers bear a significant amount of the impacts of mental health. Confronting the challenges of workplace mental health compassionately and realistically, employers can also go a long way to reduce those impacts. While improving the vitality and safety of their facilities, they are also enriching the lives of their employees.

COVID and the Need for Devil’s Advocates

Over the weekend, two articles made a compelling case that we need to better vet academic studies before they become set in the public consciousness on controversial topics like possible systemic racism and the coronavirus. Both recommended a solution that has been a focus of my career — devil’s advocates — and that we all should use as we formulate personal and corporate strategies in these turbulent times.

Let’s spend a minute on why they’re so important and how you can use them — rather easily, in fact.

The article related to the coronavirus argues that a serious attempt at research wasn’t vetted quickly enough and, when published in April, had obvious shortcomings that allowed many to believe that the virus wasn’t as dangerous as it has turned out to be. The one concerning a paper on possible systemic racism by police went through peer review, but the authors say the process isn’t designed to catch fraud and is vulnerable to rigging. In the case of the paper they discuss, a reader caught a major error shortly after publication, and the paper was withdrawn — but not before many used it to dismiss the notion of racism in policing.

Both articles obviously touch on hot buttons, and the specifics of the arguments about the research they discuss could distract from the point I want to make, so I won’t go into more detail. You can read the articles and reach your own conclusions. I’ll just note that both say problems would have been avoided if the virus and racism research had been put in front of devil’s advocates — people whose task is solely to identify potentially bad assumptions, in time to do something about them.

That need for devil’s advocates is a theme I’ve been sounding with corporate America for a dozen years and is especially important now. The New York Times and the Wall Street Journal ran articles recently saying that corporations are starting to believe both that the economic crisis caused by the pandemic will last longer than they had hoped and that the new normal will look quite different. So, a strategic rethink is happening all at once in a whole lot of C-suites, which creates opportunities both for progress and for mischief caused by bad assumptions — that devil’s advocates could head off.

My belief in the power of devil’s advocates dates back to a book, “Billion Dollar Lessons,” that Chunka Mui and I published in 2008, on the lessons to be learned from corporate failures. Out of the 750 major writeoffs that we spent two years investigating in detail, with the help of 20 researchers, we found that 46% stemmed from strategies that should have been identified ahead of time as brain-dead. Think Avon deciding that its main asset wasn’t its door-to-door sales force but was its “culture of caring,” which led the company to buy a medical equipment manufacturer and operator of retirement homes — then quickly selling them at a loss because the cosmetics company had no idea what to do with them. Or, think Blue Circle Cement, one of the world’s biggest cement companies, deciding that it was really a home products company and should make and sell lawn mowers, among many other things — then filing for bankruptcy protection and being acquired.

We posited in the book that loads of people internally must have seen the problems coming but couldn’t stop the strategies because of internal dynamics — for instance, the CEO is often the one championing a new strategy, so the tendency is to want to confirm the idea, not to challenge it. Our subsequent research and consulting, as devil’s advocates, has confirmed our thesis. (We’re not alone, either. Much has been written in recent years about the value of a devil’s advocate, sometimes referred to as a red team/blue team exercise.)

The key issue is: How do you identify problems in a way that’s acceptable within the complex culture of a C-suite? How do you help the company win without making some powerful individual lose — or see the devil’s advocate process quashed if it looks like the CEO will be the loser?

The main answer is to turn the devil’s advocate process into a bloodless exercise. You don’t give the devil’s advocate the power to rule on whether a strategy is right or even to hazard an opinion. The decision needs to stay with the CEO. You simply have the devil’s advocate interview senior executives to probe for vulnerabilities, then use the concerns to identify the assumptions that have to be true for a strategy to succeed. Because the CEO has authorized the process, he or she can face the evidence and kill the strategy without losing face. If the decision is to proceed, the CEO will have a better idea about the pitfalls that may lie ahead.

Choosing a devil’s advocate can be tricky. You can hire an outsider, who will bring objectivity but may take time to get up to speed. You can ask for a volunteer among senior insiders, but few want to be known as the naysayer, at least on more than a one-time basis. It seems to work best to designate an insider, so the whole team knows that the person is simply playing a role. (Irving Janis, in his pioneering 1982 book “Groupthink,” described how President Kennedy designated his brother Bobby to be the devil’s advocate after the administration had botched the Bay of Pigs invasion; Bobby then routinely challenged claims by military leaders during the Cuban missile crisis and may well have saved the world from nuclear war. Quite the endorsement for a designated devil’s advocate….)

As insurers reformulate strategies to prepare for what could be an extended economic crisis and for a rather different world on the other side of it, they should build a devil’s advocate into the process. Companies are making a lot of assumptions, many of which they don’t even know they’re making or made long enough ago that the assumptions have been forgotten. Some of those assumptions are wrong — and many senior executives either know or suspect which ones should be challenged and rethought. (If I had to bet, the biggest mistake that companies in general will make in this go-’round is to underestimate what competitors are doing. The tendency is to see competitors as static, but they’re working just as hard and perhaps as creatively in their strategy rooms as you are in yours.)

By the way, a devil’s advocate approach can help you get better feedback on personal issues, just by having you rephrase questions. Don’t ask a friend or family member if some plan of yours is a good idea. They’ll know you want affirmation and give it to you. Instead, present a plan neutrally, say you’re looking for holes in the idea and ask your friend or relative to help you identify the potential problems. Then, on your own, you can weigh those concerns against the benefits that you’ve already seen.

Knowing about pitfalls won’t always matter. I consistently underestimate how long it will take me to write something, even though I allow for the fact that I always underestimate. But at least a devil’s advocate process will open your eyes to many of the problems that lie in wait out there.

So, challenge those assumptions.

And stay safe.

Paul

P.S. Here are the six articles I’d like to highlight from the past week:

Why Traditional Insurance Won’t Work

With the sudden shift to remote-only interactions, insurers can no longer dictate the speed of their transformations.

Tipping Point for Claims Automation

While virtual estimating for auto claims—using photos in place of a physical inspection—is not new, the pandemic has made it the preferred method.

Time to Focus on Cyber Resilience

Here are five ways that businesses should be shoring up potential weak spots in their cyber security program’s incident response plan.

Increased Threats for Manufacturers

Manufacturers must understand that the digital push to run more efficiently creates a security gap that must be addressed.

Blockchain: Golden Opportunity in LatAm

Blockchain provides a golden opportunity for real, tangible operating efficiencies in Latin America and for transforming the region’s image.

How to Recruit Claims Adjusters

One of the most promising solutions to recruiting and retaining workers lies with artificial intelligence—and not in the way that you might think.

Time to Focus on Cyber Resilience

From a cyber security standpoint, the move back to a work setting for employees should not be the challenge that moving to “work from home” may have been for many organizations. Network security in the workspace is already in place, and employees are quite familiar and at ease working in the work environment.

By now, businesses should have already addressed issues of remote access, the use of multifactor authentication and virtual private networks (VPNs). But in the wake of COVID-19, as businesses return to the workplace, organizations should take some lessons from the COVID-19 pandemic. We recommend they use this information to shore up potential weak spots in their cyber security program’s incident response plan.

The greatest lesson to take away from the pandemic has to do with preparedness. What has been witnessed over the last three months is crisis response, on a global level, taken to its extreme. Every business and local, county and state government, and even individuals were forced into some form of crisis management. Some were able to respond better than others.

“Something like this will never happen”

One of the reasons that many were not prepared for the pandemic and did not respond well was because they believed that “something like this will never happen.” It’s a phrase that is heard often by those in the cyber security industry. Organizations often rationalize they are able to live with less than optimal cyber security because they feel they are too small to attract hackers, or they don’t have anything that anyone would want to steal. We know now that “something like this” can happen, and the results can be catastrophic.

Additionally, an organization does not have to possess something that a hacker wants to steal to be a desirable target. All it has to possess is an opening: some vulnerability that gives a bad guy entry and the opportunity to interrupt business and maybe even demand a ransom.

Lessons from the COVID-19 pandemic

As businesses begin to return to workplace operations, now is a great time for them to reevaluate their approach to cyber security as a whole, and cyber resilience in particular, while drawing some comparisons to what the world has experienced in the pandemic.

1. Identify assets

Using the National Institute of Standards and Technology (NIST) Cyber Security Framework as a guide, consider the first risk category of IDENTIFY. The first objective of cyber security is for an organization to understand its assets. A business must ask itself, “What do we have that needs to be protected? What are our high-value/high-criticality assets? What are the risks and vulnerabilities associated with those assets? Where are those assets located? Are they on the cloud? On the premises? Do we have all of our assets accounted for in an inventory? Do we verify that inventory regularly?”

When the pandemic hit, many entities found themselves without a full understanding of the assets they possessed and what they still needed. Those assets included hospital beds, ventilators, usable test kits and procedures and personal protective equipment. In many cases, the result was a scramble over a long period to acquire the necessary assets.

2. Protect assets

Following the NIST framework, once assets have been identified and risks assessed and ranked for criticality, what controls are in place to protect those assets? In the towns, cities and states that we live in, there are healthcare systems, networks of healthcare providers, nursing homes, pharmacies and other components all geared to protecting our countries’ most valuable assets: people.

What about in the business community? Are businesses providing their most critical assets, such as data, hardware, software and even business processes, with the protections aligned with their importance? Do these businesses segment their critical assets or encrypt critical data? Do they educate their employees about cyber security and the roles they play in maintaining it? Do they provide their employees with the proper amount of access to IT assets?

3. Detect the problem

The third risk category in the NIST framework is DETECT. How can businesses know when something bad might be happening? How do businesses monitor for indicators of compromise within their networks? In the pandemic, the World Health Organization has been acting as a parallel to a managed security services provider (MSSP) or a security operations center (SOC) for the network of countries around the world. The job is to detect the initial outbreak and alert the rest of the world to the danger.

4. Respond to the crisis

Each business needs to assess its ability to detect potentially malicious activity in corporate networks. Is each organization engaging a third-party MSSP? Is it performing up to expectations? If a business is doing its own monitoring, is that monitoring complete and effective? Is the business monitoring the most valuable or risky assets closely enough? Is it processing all the right information? Does the business even know what malicious behavior looks like or how to find it?

5. Find a path to recovery

With these steps developed, businesses can finally consider what response and recovery will look like. NIST suggests considering how to handle response and recovery in our networks compared with how the various government agencies have handled theirs.


First, businesses should have a documented incident response plan for their networks and should make sure it has been reviewed recently for adequacy. The incident response plan needs to clearly define roles and responsibilities for all participants. It needs to include procedures for identification, containment, eradication, recovery and lessons learned. The plan should also state how the business will communicate information about the incident to internal and external audiences. In developing the incident response plan, it is key for businesses to line up and perhaps even contract with third parties for technical response services that they don’t have in-house.

Businesses also should make sure their incident response plan is designed to consider a “black swan” event, which is an unexpected, catastrophic event that forces a complete shutdown of a company’s network and its services. As rare as black swan events may be, they do occur. Many remember the first outbreak of ransomware just a few years ago and how it caused the complete shutdown of some global networks. Even some companies with what might be considered very good cyber security were severely hurt. Why? Because they did not contemplate such an event and therefore did not build their response plan for effectiveness against a black swan event. The development of an incident response plan is not complete until it contemplates and prepares for such a rare and devastating event.

Finally, with respect to response and recovery, testing plans is incredibly important. Plans that are in place but have not been tested for several years are likely to be missing some details that will limit their usefulness when it really counts – in a cyber event. Businesses that test their plans regularly – at least once per year – and update the plan based on lessons learned from both tests and actual events will probably find actual cyber events much less painful than if they had not planned and tested regularly.

The COVID-19 pandemic of 2020 is real – it’s not a test – and the lessons learned from the event are substantial and painful. The phrase “Never let a good crisis go to waste” has been repeated in a cynical manner many times, but it does have value in the context of current events. City, state and federal governments will certainly be revisiting their pandemic crisis management policies and procedures in the near term. It’s also a good time to revisit cyber risk management and incident response procedures.
