Tag Archives: reputation risk

New Risks Coming From Innovation

The triggers that have induced the insurance industry to innovate have dramatically changed in this millennium. Up until the 21st century, little innovation occurred, because insurers were looking to create products for emerging risks or underinsured risks. Innovation occurred most often as a reaction to claims made by policyholders and their lawyers for losses that underwriters never intended to cover. For example, the early cyber policies, which insured against system failure/downtime or loss of data within automated systems, were created when claims were being made against business owners policies (BOPs) and property policies that had never contemplated these perils. Similarly, some exclusions and endorsements were appended to existing policies to delete or add coverage as a result of claims experience. Occasionally, customer demand led to something new. Rarely was innovation sought as a competency.

Fast forward to today, when insurers are aggressively trying to develop innovative products to increase revenue and market share and to stay relevant to customers of all types. Some examples include: supply chain, expanded cyber, transaction and even reputation coverages.

With sluggish economies, new entrants creating heightened competition, emerging socio-economic trends and technological advances, insurers must innovate more rapidly and profoundly than ever. The good news is that there is movement toward that end. Here is a sampling of the likely spheres in which creativity will show itself.

Space

Insurers have already started to respond to the drone phenomenon with endorsements and policies to cover the property and liability issues that arise with their use. But this is only the tip of iceberg in comparison with the response that will be needed as space travel becomes more commonplace. Elon Musk, entrepreneur and founder of SpaceX, has announced his idea for colonization of Mars via his interplanetary transport system (ITS). “If all goes according to plan, the reusable ITS will help humanity establish a permanent, self-sustaining colony on the Red Planet within the next 50 to 100 years” according to an article this September by Mike Wall at Space.com.

See also: Innovation — or Just Innovative Thinking?  

Consider the new types of coverages that may be needed to make interplanetary space travel viable. All sorts of novel property perils and liability issues will need to be addressed.

Weather

Weather-related covers already exist, but with the likelihood of more extreme climate change there will be demand for many more weather-related products. Customers may need to protect against unprecedented levels of heat, drought, rain/flood and cold that affect the basic course of doing business.

The insurance industry has just taken new steps in involving itself in the flood arena, where until now it has only done so in terms of commercial accounts. Several reinsurers — Swiss Re, Transatlantic Re and Munich Re — have provided reinsurance for the National Flood Insurance Program (NFIP), for example. Insurance trade associations are studying and discussing why primary insurers should do more in terms flood insurance as a result of seeing that such small percentages of homeowners have taken advantage of NFIP’s insurance protection.

Sharing Economy

As a single definition for the sharing economy begins to take shape, suffice it to say that it exists when individual people offer each other products and services without the use of a middleman, save the internet. Whether the product being offered is a used handbag, a piece of art or a room in a private house or whether the service is website design, resume writing or a ride to and from someplace, there are a host of risk issues for both the buyer and seller that are not typically contemplated by the individual and not covered in most personal insurance policies. This is fertile ground for inventive insurers. How can they invent a coverage that is part personal and part commercial? Smart ones will figure out how to package certain protections based on the likely losses that individuals in the sharing economy are facing.

Driverless Cars

So much has already been written about the future of driverless cars, but so many of the answers are still outstanding. How will insurance function during the transition; who will be liable when a driverless car has an accident; who will the customer be; what should the industry be doing to set standards and regulations about these cars and driving of them; how will subrogation be handled; how expensive will repairs be; how will rates be set? A full list of unanswered questions would be pages long. The point for this article is – how innovative will insurers be in finding answers that not only respond to these basic questions but also provide value-added service that customers will be willing to pay for?

See also: Insurance Innovation: No Longer Oxymoron  

The value added is where real innovation comes into play. Something along the lines of Metromile’s offerings for today’s cars is needed, such as helping drivers to find parking or locate their parked cars. Such added value is what might stem the tide of the dramatic premium outflows that are being predicted for insurers once driverless cars are fully phased in.

Corporate Culture and Reputation

Recent events indicate that corporations need some risk transfer when it comes to the effects of major corporate scandals that become public knowledge. The impact from the size and scope of situations such as the Wells Fargo, Chrysler, Volkswagen and other such scandals is huge. Some of the cost involves internal process changes, public relations activities, lost management time, loss of revenue, fines and settlements. Reputation insurance is in its infancy and warrants further development. And though insurance typically does not cover loss from deliberate acts, especially those that are illegal, there is enough gray area in many scandals that some type of insurance product may be practical despite the moral hazard and without condoning illegal behavior.

And the Risk

All innovation poses risk. Risk is uncertainty, and innovation leads to uncertain outcomes. Just as insurers must create solutions, they must be willing to acknowledge risk, assess risk, mitigate risk and prepare for some level of risk to materialize. So, as insurers are now actively trying to innovate, they must make sure that their enterprise risk management practices are up to addressing the risks they are taking.

For each new product, some of these risk areas must be explored:

  • Is there a risk that projections for profitability will be wrong?
  • If wrong, by how much, and how will this shortfall affect strategic goals?
  • What is the risk appetite for this product initiative?
  • What is the risk the new product will not attract customers, making all development costs wasted expense?
  • What is the risk that price per exposure will be incorrectly estimated, hurting profitability?
  • What is the risk for catastrophic or shock losses relative to the product?
  • How will aggregation risk be handled?
  • What is the risk that litigation concerning the policy coverages will result in unintended exposures being covered?

Conclusion

Regardless of whether or not they have been dragged into innovation by disruptive forces, insurers are finally ready to do more than tweak products around the edges. The risk of not innovating appears to be greater than the risk associated with innovating.

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months, talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.