Tag Archives: tripra

Actuaries Beware: Pricing Cyber Risk Is a Different Ballgame

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020.

This impressive premium growth is because of several factors — perhaps most notably, reporting of the various types of cyber attacks in the news on a regular basis, driving both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, recent growth of the Internet of Things has given rise to the seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims.

The apparent need for new apps and devices that link to one another without focus toward security of those apps or devices gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently.

State of Data

Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries.

Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible.

Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously.

Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by.

Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries.

Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there exists tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data is encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, PCI, etc.).

See also: How Actuaries Can Be Faster, More Efficient  

External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

  • Notify affected customers;
  • Offer credit monitoring or identity-theft protection to those affected;
  • Work with credit card companies to issue new credit cards;
  • Foot bills associated with legal liability and regulatory fines; and
  • Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets.

Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect.

Actuarial Challenges

Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future.

The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges:

1. No Geographical Limitation

On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry.

We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company.

2. Network Risk From an External Perspective

In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s data breach was conducted through an HVAC system. By examining Target’s internal systems alone, no one would have noticed the vulnerability that was exploited.

As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as we mentioned above with apps and devices that are linked, the network we are worried about is only as strong as the weakest link. Another example of this is the recent attacks on a Bangladeshi bank. Attackers were able to navigate through the SWIFT system by breaching a weaker-than-average security perimeter and carrying out attacks spanning multiple banks sharing the same financial network.

3. Significance of the Human Element

Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA.

However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable.

See also: Cyber Insurance: Coming of Age in ’17?  

A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity.

4. Correlation of Attacks

In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications on future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper.

5. Actuarial Paradox

We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma.

Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.

6. Definition of a Cyber Catastrophe

Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario.

We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed.

7. Dynamic Technology Evolution

If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years.

8. Silent Coverage

Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business.

It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer.

Conclusion

The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer we can pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch.

As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers’ compensation or other lines.

Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk with new adversaries, technologies and attack vectors emerging on a regular basis will require monitored approaches.

See also: Another Reason to Consider Cyber Insurance  

In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market.

Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.

How to Find Coverage for Terrorism Risks

As companies that depend on the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) for terrorism coverage work to understand what its Dec. 31, 2014, expiration means to them, some are likely turning to the standalone terrorism insurance market for solutions. With capacity available but potentially limited for this market, risk differentiation can be important. Terrorism risk models and effective business continuity plans can play a key role in improving business resiliency and allowing access to alternative terrorism insurance markets.

TERRORISM RISK INSURANCE

Standalone terrorism contracts — either to cover all or part of an organization’s terrorism risk — may provide immediate coverage in the absence of the federal insurance backstop. Maximum achievable limits in the standalone market for terrorism risks are approximately $3.5 billion; available capacity is significantly lower for exposures in the central business districts of major cities such as New York, Chicago, Washington and San Francisco. Organizations may need to access alternative sources of terrorism insurance such as stopgap coverage on a standalone basis or to approach their existing insurers to ask for non-implementation of sunset provisions.

DIFFERENTIATING RISKS

Organizations that have terrorism exposures in major metropolitan cities will be competing for a diminishing supply of terrorism capacity and may need to better differentiate their terrorism risks for underwriters. Organizations should carefully set their limits amid scarce capacity and increased pricing. However, this can be complicated where contractual agreements define needed limits. For example, real estate companies and construction firms may find that their lenders require proof of terrorism insurance in loan convenants for commercial real estate borrowers.

QUANTIFYING TERRORISM RISKS

Terrorism risk modeling and other analytical tools can help organizations determine how much coverage to purchase in a marketplace where capacity is in short supply. Such models can help organizations understand the relationship between vulnerable sites and the potential likelihood of impact from terrorist acts — or other risks — on their operations and profitability. These models seek to quantify the potential economic losses from a terrorist attack, which can inform risk quantification, insurance program design and risk financing. In a potentially scarce terrorism insurance market, the financial quantification of terrorism-related risks through risk models can help companies to:

  • Better understand their financial exposure.
  • Determine appropriate insurance deductibles and limits.
  • Optimize risk finance strategies.
  • Rate the terrorism risk to negotiate insurance premiums.
  • Understand the risk’s potential impact on capital.
  • Prioritize risk-mitigation strategies.
  • Build efficient business continuity plans.
  • Understand the correlation and potential benefits of diversification among sites, locations and regions — a key component in addressing terrorism risk aggregation issues.

SHARPEN BUSINESS CONTINUITY PLANS

To improve their risk profile for underwriters and their own business resiliency, organizations should review and update their business continuity plans to ensure they are well-prepared in the event of a terrorist attack. Insurers often look for current and well-formulated business continuity plans as a foundation of good risk management.

Many companies have already developed business continuity, emergency response and crisis management plans that consider the effects of a terrorist attack. Such plans may suffer from outdated facility floor plans, contact information and technology. Staff awareness of roles, responsibilities and actions to be taken during an event also may be an issue. To ensure that business continuity plans help preserve and protect operations and people, organizations should assess their plans and validate them through training and exercises, with scenarios ranging from walk-throughs to tabletops to full-scale simulations. Such measures can help organizations think through their terrorism-related risks and get a better understanding of their exposures ahead of insurance negotiations or an actual event.

For more information, visit Marsh’s TRIPRA Update Center.

TRIA Non-Renewal: Your Next Steps

Two days after Congress adjourned for the year without reauthorizing the Terrorism Risk Insurance Program Reauthorization Act of 2014 (TRIPRA), many organizations are working to understand the impact on their insurance programs when the federal insurance backstop expires on Dec. 31, 2014.

Most experts had expected Congress to reauthorize the law in some form. The failure to do so has implications for insureds with TRIPRA terrorism coverage in most any line, with particular concerns for property, primary and excess liability, workers’ compensation and captive programs.

Organizations that purchased terrorism coverage as part of their insurance programs (and not as a standalone program) may be affected. Potential solutions will depend on individual programs and needs but may include:

  1. Re-approaching insurers to see if they will not invoke sunset clauses or conditional terrorism exclusions, and provide stop-gap coverage until either Congress renews TRIPRA or the policy expires.
  2. Looking to the global standalone terrorism insurance markets for stop-gap coverage. The standalone market has large but limited capacity — it will not be able to fill all requests.
  3. Canceling and rewriting insurance programs with new markets that are able to offer terrorism limits (without sunsets).
  4. Seeking agreement from markets without sunsets to assume terrorism risk from sun-setting markets on the same risks.

It must be noted that these options may come with additional premium charges. Also, organizations should explore any loan, lease or other contracts or covenants that may require them to purchase terrorism coverage.

Congress is set to reconvene on Jan. 6, 2015. It is unclear how congressional leadership will deal with the issue, although some have already been quoted in the media as saying TRIPRA will be a top priority for the new Congress. Among the possible scenarios are:

  1. Immediately after reconvening, Congress could pass a short-term reauthorization to allow the new Congress to formulate a long-term reauthorization bill, which could be materially different than the 2014 version.
  2. Alternatively, both the House and Senate could immediately reintroduce new legislation mirroring the 2014 bill and pass it on an expedited basis.

For more information from the Marsh TRIPRA Update Center, click here. 

Terrorism Risk: A Constant Reminder

With just months to go until the year-end 2014 expiration of the government-backed Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), the debate between industry and government over terrorism risk is intensifying.

The discussion comes in a year that marks the one-year anniversary of the Boston Marathon bombing—the first successful terrorist attack on U.S. soil in more than a decade. The April 15, 2013, attack left three dead and 264 injured.

Industry data shows that the proportion of businesses buying property terrorism insurance (the take-up rate for terrorism coverage) has increased since the enactment of the Terrorism Risk Insurance Act (TRIA) in 2002, and for the last five years has held steady at around 60% as businesses across the U.S. have had the opportunity to purchase terrorism coverage, usually at a reasonable cost.

However, should TRIPRA not be extended, brokers have warned that the availability of terrorism insurance would be greatly reduced in areas of the U.S. that have the most need for coverage, such as central business districts. Uncertainty around TRIPRA’s future is already creating capacity and pricing issues for insurance buyers in early 2014, reports suggest.

New Aon data show that retail and transportation sectors face the highest risk of terrorist attack in 2014. Both sectors were significantly affected in 2013, as highlighted by the Sept. 21, 2013, attack by gunmen on the upscale Westgate shopping mall in Nairobi, Kenya, as well as the Boston bombing.

The vulnerability of the energy sector to a potential terrorist attack has also been highlighted following an April 2013 assault on a California power station when snipers took down 17 transformers at the Silicon Valley plant.

The Boston Marathon attack—twin explosions of pressure cooker bombs occurring within 12 seconds of each other in the Back Bay downtown area—adds to a growing list of international terrorism incidents that have occurred since the terrorist attack of Sept. 11, 2001, and highlights the continuing terrorism threat in the U.S. and abroad.

Following 9/11, the 2002 Bali bombings, the 2004 Russian aircraft and Madrid train bombings, the London transportation bombings of 2005 and the Mumbai attacks of 2008 all had a profound influence on the 2001 to 2010 decade. Then came 2011, a landmark year, which simultaneously saw the death of al-Qaida founder Osama bin Laden and the 10-year anniversary of the Sept. 11 attacks.

While the loss of bin Laden and other key al-Qaida figures put the network on a path of decline that is difficult to reverse, the State Department warned that al-Qaida, its affiliates and adherents remained adaptable and resilient and constitute “an enduring and serious threat to our national security.”

A recently published RAND study finds that terrorism remains a real—albeit uncertain—national security threat, with the most likely scenarios involving arson or explosives being used to damage property or conventional explosives or firearms used to kill and injure civilians.

The Boston bombing serves as an important reminder that countries also face homegrown terrorist threats from radical individuals who may be inspired by al-Qaida and others, but have little or no actual connection to known militant groups.

In a recent briefing, catastrophe modeler RMS assesses that the U.S. terrorist threat will increasingly come predominantly from such homegrown extremists, who because of the highly decentralized structure of such “groups,” are difficult to identify and apprehend.

Until the Boston bombing, many of these potential attacks had been thwarted, such as the 2010 attempted car bomb attack in New York City’s Times Square and the attempt by Najibullah Zazi to bomb the New York subway system.

Other thwarted attacks against passenger and cargo aircraft indicate the continuing risk to aviation infrastructure. The investigation into the March 7, 2014, disappearance of Malaysia Airlines flight 370 over the South China Sea aircraft with 239 passengers has raised many concerns over the vulnerability of aircraft to terrorism.

RECENTLY THWARTED TERRORIST ATTACK ATTEMPTS IN THE U.S.
Source: Federal Bureau of Investigation (FBI); various news reports; Insurance Information Institute

Counterterrorism success in 2011 came as a number of countries across the Middle East and North Africa saw political demonstrations and social unrest. The movement known as the Arab Spring was triggered initially by an uprising in Tunisia that began back in December 2010. Unrest and instability in this region continues in 2014 and has spread to other parts of the world with violent protests seen most recently in Ukraine, Venezuela and Thailand.

Another evolving threat is cyber terrorism. The threat both to national security and the economy posed by cyber terrorism is a growing concern for governments and businesses around the world, with critical infrastructure, such as nuclear power plants, transportation and utilities, at risk.

All these factors suggest that terrorism risk will be a constant, evolving and potentially expanding threat for the foreseeable future.

For the full report on which this article is based, click here.

Workers’ Compensation Issues to Watch in 2014

Rates Continue to Climb

In most of the U.S., rates for workers’ compensation insurance are continuing to climb, driven by rising medical costs, the low-interest-rate environment and the general unprofitability of the line of business.  This is in spite of the fact that many states have undertaken regulatory reform aimed at controlling medical costs and driving costs out of the system.  Despite significant investment in medical management efforts, workers’ compensation costs are consistently higher than group health costs for the same diagnosis. Why is this? Numerous studies have shown that a small percentage of medical providers are driving a large percentage of the workers’ compensation costs. Implementing treatment guidelines, drug formularies and utilization review protocols is a step in the right direction. However, until regulators find a way to remove abusive medical providers from the workers’ compensation system, high costs will always be a problem. Rather than treating the symptoms, we need to address the causes of rising costs.

The Potential Expiration of TRIPRA

Unless Congress takes action, the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) will expire on Dec. 31, 2014. Carriers are now writing coverage without the backstop of TRIPRA. What does this mean to the workers’ compensation industry? Companies with high employee concentrations in certain cities are already seeing fewer options, with some carriers scaling back their writings to reduce their exposure to a potential terrorism event.  Some carriers are setting policy expiration dates to coincide with the expiration of TRIPRA or are advocating for unilateral mid-term premium increases if TRIPRA is not renewed or is materially modified.  Many workers’ compensation underwriters are pushing for higher rates because of this issue.  If TRIPRA is allowed to expire, companies in certain industries and geographic areas may have no option but to obtain future coverage from their state funds as the commercial marketplace pulls back to avoid the increased risk.  The longer it takes Congress to act, the more pronounced this issue will become.

Impact of the Affordable Health Care Act (AHCA)

There has been much speculation about the potential impact that the ACHA will have on workers’ compensation.  Some feel it will increase leakage from group health to workers’ compensation, while others feel it will have the opposite effect. One thing for certain is that with increased coverage being provided on the group health side, the overall utilization of services will go up. With a finite number of medical providers available, this means it is imperative that workers’ compensation payers identify the providers who deliver the best clinical outcomes for injured workers. The focus on workers’ compensation medical networks in the future will need to shift from fee-for-service discounts to quality of care and best outcomes. This may cost more on a fee-for-service basis, but getting appropriate and timely care will generally lead to faster return-to-work, ensure the proper treatment and ultimately lower costs.

Integrated Disability Management

More employers are realizing that the impact of federal employment laws like the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA) must be considered on workers’ compensation claims. Companies are also realizing the value of managing non-occupational disability so that valued employees can get back to the workplace and be productive. As a result, companies are requesting that their TPAs develop integrated disability management programs designed to handle both occupational and non-occupational disability in a consistent and effective manner. These integrated disability management programs are the next generation of claims handing and will expand in the future.

State Legislative Issues

Several states that passed significant reform legislation in the last two years are working to implement those reforms. Passing a law is only the first step, as the rules, regulations and implementation of those laws determines if they will achieve their intended purpose. The most significant issues to watch are in California, New York and Oklahoma.

When California passed SB 863 in 2012, the expectation from the state’s legislature was that it would increase benefits to injured workers while lowering costs for employers in the state. While the benefit levels for permanent disability have been increased, the savings components are still a work in progress. Litigation and unanticipated consequences of the bill have resulted in increased complexity and continually rising insurance rates.  For example, a significant component of the intended cost savings was to result from the new Independent Medical Review (IMR) process.  However, in recent months the volume of IMR requests has been many times what was anticipated, preventing the IMR provider from meeting the required turn-around guidelines and adding significant administrative costs to the system.  Based on their analysis of the higher costs, the California WCIRB recommended an 8.7% pure premium increase for 2014. There is currently talk of potential clean-up legislation to go along with the continued efforts at implementation. We will know by the end of the year whether SB 863 will be able to produce the promised cost savings.

New York streamlined its assessment process, resulting in a significant reduction of the assessment rate for most employers. These rates are adjusted annually and have varied significantly in the past few years.  It remains to be seen if these assessment savings will continue into the future.  In addition, New York has been struggling to implement the reforms that were passed in 2007 legislation, and it was 2013 before the last of the regulations were issued for this law. This 2007 bill was another piece of legislation that promised cost savings that have yet to fully materialize.

The big news in Oklahoma is the bill that allowed employers to opt-out of workers’ compensation starting in February 2014. The Oklahoma Supreme Court recently upheld the constitutionality of the legislation, clearing the way for its implementation. However, there have been delays in developing the rules and regulations supporting the opt-out plans, and this has in turned delayed carriers’ development of policies to cover new benefit plans. It appears unlikely that everything will be in place so that employers will be able to opt out beginning in February. In addition, the Oklahoma legislation included significant reforms to the underlying workers’ compensation system, so many employers considering opt-out will wait to see the impact these system changes will have on their workers’ compensation costs before proceeding.

Vendor Consolidation

In the last few years, there has been significant vendor consolidation in the worker’s compensation industry. First on the TPA side, and most recently on the medical management side. Much of this consolidation was driven by private equity investments where the tremendous medical spend in workers’ compensation is seen as an opportunity for a profitable return on investment.

All this consolidation is making buyers of these services uneasy. They question how this consolidation will affect the quality of the services they receive and wonder how their goals of reducing costs align with private equity’s goals of increasing revenues. These are legitimate concerns, and it is imperative that buyers remain vigilant concerning vendor partners.

Analytics

Despite the huge amount of premium, exposure and claims data produced by the workers’ compensation industry, many complain about the lack of actionable information. Dashboards and many other analytic tools do a nice job pulling data together in one place, but ultimately the data is only as good as what one does with it. As an industry, we will see a continued focus on the use of more meaningful analytics that can assist in identifying savings opportunities, formulating action plans and measuring the impact of change.

Assessing Return on Investment for Medical Cost Management Efforts

In the last few years, the money spent on medical management has been steadily increasing.  Programs including bill review, utilization review and nurse case management are all necessary components of any successful workers’ compensation program. However, it is important that these programs are constantly monitored to ensure they are being utilized appropriately. If left unchecked, these “cost-saving” issues can actually become cost drivers.

Impact of Presumption Laws on Municipal Budgets

In 2013, there were a handful of municipalities that filed for bankruptcy because of large underfunded workers’ compensation and pension obligations. This trend is not only likely to continue, but could get worse. The presumption laws in most states can turn common health conditions like heart disease and cancer into workers’ compensation claims. In California and Nevada, for example, a large number of retired police officers and firefighters are collecting both their pension and the benefits from a workers’ compensation presumption claim. The statute of limitations for linking these diseases to the workplace has been extended to more than 10 years in some jurisdictions. The resulting burden for paying the costs of these benefits in the case of public entities ends up falling on taxpayers.

Medicare Set-Asides

Many felt that the passage of the SMART Act in January 2013 was the end of the battle on Medicare Secondary Payer compliance issues. In fact, this was just the beginning of the fight. Implementation of the SMART Act has been slower than expected and the legislation did nothing to address the huge costs associated with Medical Set-Aside arrangements. The rules and case law associated with Medicare are constantly evolving, and now it appears that these reimbursement rights will be expanded to Medicaid coverage, which would create an entirely new monitoring and compliance area.  This is an issue payers need to remain diligent on.

Please join me on Jan. 15, 2014, for a Marsh-sponsored webinar to discuss these issues and other potential legislative developments to watch in 2014.  Click here to register.