Tag Archives: ty sagalow

Is It Possible to Insure Bitcoin Technology?

In the mid- to late 1990s, the insurance industry was struggling with “the Y2K crisis,” not only in connection with its own systems but, more importantly, with the systems of all its policyholders. As the chief underwriting officer of one of the largest subsidiaries of one of the largest insurance companies in the world, AIG, I had to determine our potential exposure if the computer systems of our policyholders failed. My conclusion: hundreds of millions of dollars of potential liability payouts.

Y2K — a problem that threatened to confuse computers about chronology beginning on Jan. 1, 2000, because years had historically been represented in software with just two digits, meaning that the year 2000 (represented as “00”) was indistinguishable from 1900 (also “00”) — was the insurance industry’s introduction to the hazards of insuring technology. To reduce that exposure, we had to figure out a way to motivate our corporate policyholders to take reasonable steps to manage their Y2K problem. Because one of the central purposes of an insurance policy is to motivate specific risk-reducing behavior, such as wearing a seat belt, the question became how to motivate risk reduction in connection with the impending problem.

So we created “Y2K insurance” and made it available only to those companies that took the right steps.

Well, the Y2K crisis came and went, and the insurance industry was relatively unscathed. Whether the introduction of a new insurance product helped, we will never know. What we do know is that the Y2K experience inspired the insurance industry to contemplate other technology risks we might insure. In the year 2000, the answer was immediately clear: the Internet. Many of us realized that the Internet presented a permanent change in the sociological and economic system; that life would never be the same. But how does one insure a new technology and a completely new way of conducting business? It was a scary thing to contemplate.

Fundamental to the insurance business is an analysis of historical actuarial information about frequency and severity of loss. We have decades of data on automobile accidents, broken down in every way imaginable. But how do you determine the right premium for a risk that has never existed?

For most carriers, the answer was, “You don’t.” But for a few, a different response emerged. A response that arose from a different culture—a risk-taking culture. A culture of innovation. “Cyber insurance” was born.

It took a while, but eventually we became comfortable with underwriting the frequency and severity of potential cyber attacks against our policyholders’ computer systems. Today, 15 years later, cyber insurance is a robust $1.3 billion industry, with more than 45 carriers providing some type of cyber insurance. And, despite the almost daily reports of cyber attacks, the industry is somehow making enough money to stick around.

Bitcoins 

Once again, the insurance industry is faced with a new risk in the technology space. Once again, the global economy is being transformed with a new way of conducting transactions. Once again, the insurance industry is faced with a dilemma: Do we ignore this new risk or face it head on?

There are more than 8 million Bitcoin “wallets” in existence today, and this is expected to increase to 12 million by the end of the year. The total value of Bitcoins worldwide is around $4 billion. There are more than 100,000 Bitcoin transactions happening every day. More than 80,000 companies, from Microsoft to Dell to Expedia.com, accept Bitcoins as payment.

But how do you insure Bitcoins? More specifically, how do you insure the theft of the electronic private keys that are used to access Bitcoins? A smart insurer realizes that such a task is an exercise in both the familiar and the foreign. A private key is, after all, an electronic file. In many ways, the policies and procedures used in the network security space to protect any computer system holding any file are the same as those used to protect an electronic private key file. Equally true is that a good portion of private keys are stored in “cold storage,” meaning that they are not held in a computer that has access to the Internet. Some are actually stored in a bank vault. Storing valuables in a bank vault is also a well-understood risk and insurable. Finally, many companies that would be interested in purchasing Bitcoin theft insurance are themselves technology providers. Insurance for technology companies has existed for some time.

However, that’s where the analogy ends, and things begin to become difficult. First, the “cyber” insurance policies provided today actually do not insure the intrinsic value of the electronic file stolen. The policies do not cover the “value” of a Social Security number, for example. Furthermore, best practices in the securing of private keys in “hot storage” (computers connected to the Internet) rely upon the multisig, or multiple signature, technology, something with which insurance underwriters are generally unfamiliar. At best, underwriting the theft of Bitcoins requires coordination of multiple underwriting departments within an insurance company. More likely, it means creating new underwriting techniques and protocols.

Will the insurance industry be able to respond to the call? The insurance industry historically has not been known for innovation. So, how will we respond when we are faced with a new and potentially important risk, for which there is no historical actuarial data? Do we run away, or do we embrace a new need and a new opportunity as we did 15 years ago?

In February 2015, one company successfully designed the first true Bitcoin theft insurance policy along with a global “A”-rated insurance carrier for the benefit of BitGo, a leader of multi-sig technology. Will this policy be the only one of its kind? Or, as with cyber insurance 15 years ago, will that be only the first of hundreds of thousands of “Bitcoin theft” policies?

Only time will tell.

Insurance Product Development (Excerpt, Part 3)

CHAPTER 4: Roadmap to Creativity

Culture of Creativity

Creating a culture of creativity is an essential building block for a successful product development company. To succeed, every profit center leader should ingrain a culture of creativity into every aspect of its daily routine. The start of this creative journey begins with the support, process, rewards and goals. Each of these steps is discussed in this chapter.

New Product Directors

It is advantageous for each profit center or business unit to appoint a new-product director as a resource charged with overseeing product idea generation and development. This can be a full-time or part-time position. Responsibilities could cover a wide range of activities, including:

  • Idea generation – Interact with staff, brokers and clients about product needs.
  • Idea validation – Review ideas with the product innovation council.
  • Project oversight – Assign a product champion to each new idea.
  • Post-launch performance review – Track new product sales.

Having a new-product director who is responsible for this journey — “the navigator” — can be extremely helpful to a profit center’s success. Experience has shown that it is most effective if the new-product director is a full-time, dedicated employee who is an experienced executive who can command respect and attention. If the organization has a centralized new-product department, this department partners with each new-product director and assigns a staff member who will provide support and assistance.

Product Innovation Council

The formation of a product innovation council in each profit center can provide the company and its new-product director with an organized approach to finding and vetting ideas. The new-product director will lead and organize the product innovation council within that division, and the council should consist of managers from each of the profit center’s major product lines. Regional, legal and marketing participation should also be included. The purpose of the product innovation council is to find new product ideas, review ideas submitted and recommend developed ideas to senior management for evaluation. For smaller organizations, a single product innovation council, sometimes called a product innovation steering committee, can be very satisfactory.

New-Product Champion

Finally, for each individual new product, the profit center should choose a champion who steers a particular product through development. The new-product champion will be a crucial part of the product development team.

Usually, the new-product champion is a manager or underwriter who will have the ultimate responsibility for the product once launched.

Product Development Process

The key to the success of a creative culture is the establishment of a methodology to develop, design, test, launch and confirm the validity of a new product.

New-Product Award Program

To maintain momentum on this creative journey, it is important to recognize profit center participants who contribute to the development process. Therefore, it is advantageous to have some standing reward program. A program might look like this:

  • Idea Accepted for Development, $100
  • Launched Product Idea, $500
  • Financially Successful Product, a percent (usually very small) of the first-year revenue, up to a fixed amount, such as $10,000

Non-monetary rewards, however, should not be underestimated. Psychologists tell us that a nice letter of recognition from the CEO or an acknowledgment in the company newsletter can often be more valued by the employee than a $100 gift card. Some companies use sophisticated surveying techniques to find the optimal combination of rewards, often finding that the monetary rewards do not have the level of impact they were thought to have. The following are a few examples of items that could be offered:

  • A letter of appreciation from the profit center executive
  • Recognition in the profit center newsletter
  • Lunch with the profit center executive
  • A photo with the CEO
  • An additional personal day off

Specific New Product Goals

That which is measured is that which is done. It thereby goes without saying that a product in development must have specific, measurable goals before launch. Also, however, the entire organization should have specific, measurable goals for product development.

How much are new products contributing to the top line? To the bottom line? What are the other measurements such as speed (“cycle of development”), account retention, cross-selling impact, etc.?

Once the firm has its overall goals, these must be incorporated within the budget and goal setting of every profit center so that the goals and strategies of the profit center align with those of the firm as a whole.

Insurance Product Development (Excerpt, Part 2)

CHAPTER 3: Creating and Working With a Centralized Product Development Department

There is no single corporate structure for developing a successful product development process. However, there are numerous advantages to creating some type of centralized function. The size and scope of the function depends not only on the size and scope of the corporation itself but also on its product development goals. In general, the more robust the product development goals, the greater the need for some centralized unit. For companies that are not large enough to support a centralized division of any size, there is wisdom in creating a senior position that could help the CEO direct innovation within the company. This position has been called the chief innovation officer, the chief strategy officer or even the chief scientist.

Mission Statement

The mission of a centralized product development department is to assist in the creation of innovative and profitable products and services, contributing substantially to the bottom line. Usually working in partnership with the company’s profit centers and the brokerage and risk management communities, a centralized team of creative, experienced professionals can provide a full range of customer and results-driven solutions, including idea generation and validation, product design and implementation, and post-launch evaluation.

Expertise and Services

Expertise

Product development as a process includes underwriting, actuarial, legal, compliance, marketing and, perhaps most importantly, project management. The larger the centralized department, the more of these services can be housed in the department. However, as mentioned above, there is no single solution. In many cases, some of these services are provided by a department outside of product development, such as the office of general counsel. In my 30-year career, I have led large departments which centrally housed all the necessary product development functions as well as smaller departments which housed some of the functions and then partnered with other departments for those services not found within the centralized department. At its most robust, a centralized product development team is made up of seasoned professionals with experience across all general insurance lines, including Specialty Lines, Personal Lines, General Liability, Property, Casualty, Small Business, Accident & Health, and Financial Lines. Together with these insurance SMEs is a team of dedicated “support staff” including legal, actuarial, marketing, etc. An example of a robust centralized new product development team is included in the appendix. This team of professionals works closely with the profit centers, brokers, agents, and risk managers to provide total “end-to-end” services for all areas of product development.

Services:

The following is a comprehensive list of potential services that could be offered by a centralized product development department:

  • Innovation Education and Culture Creation
  • Idea Generation
  • Total Project Management
  • Comprehensive Research
  • Product Demand Analysis
  • Underwriting Assessment Analysis
  • Distribution Assessment Analysis
  • Legal Drafting
  • Actuarial and Rating Plan Creation
  • Reinsurance
  • Financial Analysis and Proforma P&L Creation
  • Marketing Strategies and Communications Implementation
  • Claims Analysis
  • Sales and Business Development
  • Technology, Operations, and Systems
  • Liaison with Risk Managers/Brokers

Each corporate profit center should be encouraged to use as many of the services as its new product development requires. This may mean total end-to-end project management or an a la carte selection of services. This team leads the process of new product development as described in the further chapters of this Guide, which include:

Innovation: The process of creating a “culture of creativity” (Chapter 4).

Trend Identification (Generating the idea): Early awareness of societal changes, creating new or increased risk that could be the subject of an insurance product (Chapter 5).

Preliminary Analysis (Evaluating the idea): The new product idea is reviewed to determine viability through an analysis of product Demand, Underwriting, and Distribution (Chapter 6).

Scope and Definition (Developing the idea): Partnering with a profit center, the new product idea is sufficiently assessed to determine a final go/no-go decision on the product idea (Chapter 7).

Design: Partnering with a profit center, all the components of an insurance policy are created – policy form, rater, application, marketing plan, etc. (Chapter 8).

Implementation (Launching the product): Underwriting and broker training sessions are completed and a “launch event” for the product is scheduled (Chapters 10-13).

Product Performance Review (Monitoring the product): Three-, six-, and twelve-month reviews of the product’s performance are done with the profit center to determine if the product needs to be adjusted (Chapter 14).

All of the detailed tasks, research, and analysis that are performed at each stage of the product development process are outlined in this Guide.

Tracking and Managing Innovation

It is a good idea to have a database which tracks the submission and progress of innovative ideas that come to the company. This can be done as simply as a spreadsheet, with an internal protocol that all ideas are eventually submitted to the holder of the spreadsheet, or could be done by way of a more sophisticated web-based database specially designed for this purpose. Regardless of method, it is advantageous to have all new product ideas entered into the database. In addition, at the time of final product resolution, either through product launch or termination of development, it is recommended that the database be updated as to the new product status. If terminated, a reason should be given (e.g., insufficient demand). As discussed in chapter 3.5 below, it is a best practice to have a dedicated new product web page and intranet site which would allow easy submission (via a simple-to-use form) to the centralized department for tracking, and assistance if desired. This will also prevent duplication of effort and enable the sharing of information across the enterprise.

New Product Web site

It is advantageous to have a dedicated intranet new product web site which is linked to the company’s intranet home page. This site can offer a comprehensive overview of the activities of the centralized department, encouraging executives and employees as well as (if there is an internet site version) brokers and risk managers to participate more fully in the product development process, while providing business unit partners with a convenient, centralized means of promoting their new product activities.

The site offers descriptions of recently developed products as well as some of those currently in development; provides news items of relevant interest; offers easy access to idea submission; and familiarizes the reader with the product development process. Anyone seeking information about new product initiatives will find a centralized source of information on the site.

Employees, brokers, and risk managers who are interested in submitting a new product idea may do so easily and quickly through the portal. Business units that are engaged in new product development or have recently launched a new product can reach interested audiences worldwide by posting information, knowing that readers who access this central repository of new product knowledge have already demonstrated interest in product development, creating a robust marketing opportunity.

Protecting Your Corporate Reputation

A company’s reputation, which is core to its profitability and long-term competitiveness, faces new challenges as information speeds blindly through online media and social networks. Lanny Davis, former assistant to President Clinton on crisis management and principal in Lanny J. Davis & Associates, recently noted that, in the age of the Internet, “you never get a second chance to change a first impression. Once your reputation is smeared and your character unfairly attacked, the eternal misinformation echo chamber of the search engine allows the harm to continue eternally, unless you fight back — early, with all the facts, often yourself — until the truth gets in the way of the search engine lies.”

When a corporate reputation is tarnished, a company can lose its trust factor; investor confidence is weakened; and a company’s share price can be reduced. In extreme cases, a damaged reputation can lead to a company’s downfall. “Hackgate,” “Rupertgate,” or “Murdochgate” – names given by the press to the News International phone-hacking scandal – led to the demise of the News of the World newspaper.

Let’s make a list of some leading triggers to reputation failure: 

  • unethical behavior such as Sears’ management team’s unrealistic performance quotas for its car repair business, which led to overbilling and created a scandal in the 1990s.
  • financial irregularities, such as those that led to Enron’s bankruptcy.
  • executive misconduct, such as the conviction tied to insider trading that led to Martha Stewart’s resignation.
  • environmental violations, such as Nike’s exploitation of workers in sweatshops, failure to provide work environments that are safe and contact with cotton factories using slave labor—issues that dogged Nike through the 1990s and beyond.
  • safety & health product recalls, such as followed allegations of “unintended acceleration” in Toyota cars.
  • security breaches, such as the recent one at Target in which tens of millions of people had credit-card data stolen.

In other words, much as Murphy’s Law says:  “Anything that can go wrong will go wrong.” 

What should a corporation do to protect its reputation? 

  • Use your CEO: Fred Smith, FedEx’s legendary founder, is a good example.  A good CEO embodies and reiterates a company’s values, code of ethics and vision.  Your CEO regularly communicates honesty and transparency and is trusted with your corporate reputation. 
  • Perform an S.W.O.T. analysis: Identify your company’s strengths, weaknesses, opportunities and threats. 
  • Develop a corporate reputation strategy:  Johnson & Johnson is still reaping reputation benefits more than 30 years after its swift and sweeping recall of Tylenol and institution of tamper-proof packaging after some maniac laced some pills with cyanide and put them in bottles on store shelves, killing seven people.
  • Monitor your reputation online.  Constantly check social media sites and your own website. No company can afford to be reputation-blind, and no suit of armor is impenetrable.
  • Be honest, factual and open with the media. 
  • Create a plan to manage an unexpected crisis.  Execution is the cornerstone. Train everyone on identifying the crisis, what to do and who gets contacted.   Preparation is essential to managing potential and actual crises in a timely fashion.  Communication is no longer one-way; it’s now two-way. 
  • Evaluate the purchase of corporate reputation insurance. For 20 years, the insurance industry has known that how a company manages a reputation crisis will have a dramatic impact on the cost of civil litigation arising out of that crisis.  For this reason, insurance purchased for the risk of shareholder lawsuits, directors and officers insurance, has from time to time included an option to purchase, or included automatically, “crisis management” insurance. This reimburses the company for the cost of crisis management expert fees up to a set amount, usually $50,000 to $200,000.

However, since 2010, there has been an outbreak of “new and improved” reputation insurance policies from name-brand insurance carriers like Zurich (Brand Assurance), AIG (ReputationGuard), Munich Re (Reputation Insurance) and a number of Lloyds syndicates, including a standalone reputation policy produced by Steel City Re.

Some carriers emphasize reimbursement of crisis-management expenses while others are more geared toward reimbursing a company for a loss. Finding the right one, or right combination, can be challenging, but they are worth a look.

Be sure to check out Thought Leader Ty Sagalow's recent appearance on New York News!


A Case For Cyber Insurance

The Need Is There

There were more than 26 million new strains of malware released into circulation in 2011, the last year with solid data on malware. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $194 in 2011, an increase of over 40% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent.  NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability” forum the results of their analysis of 153 data or privacy breach claims paid by insurance between 2006 and 2011.  On average, the study said, payouts on claims made in the first five years total $3.7 million per breach.

And attacks don’t simply target large companies. According to Symantec’s 2010 SMB Protection report (again the last report with good data on SME), small businesses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Seemingly, not a week goes by without a reference to cyber risk hitting the mainstream press. Recently, a cyber attack was successfully launched against ATMs in 27 countries withdrawing over $40 million in over 30,000 transactions in less than 10 hours.  The New York Times recently reported that universities are facing a rising barrage of cyberattacks, mostly from China.1   And last year saw a number of denial of service attacks against financial institutions brought by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against the U.S. infrastructure.

All This Has Prompted Insurers To Enter The Market (And Make A Nice Profit To Boot)

Cyber-insurance began in earnest in 2000 when American International Group’s AIG eBusiness Risk Solutions unit launched AIG netAdvantage. Starting from scratch, premium jumped to over $100 million by the time the unit was merged into larger subsidiaries of AIG, just four years after its creation. AIG eBusiness was extremely profitable with estimates of loss ratio in the extremely low double digits.

Fast forwarding to today, the cyber-insurance market, according to the 2012 Betterley Report, is “in the $1 billion range” in terms of premium (up from $800 million in the 2011 report) with close to 40 insurance carriers providing a standalone insurance policy. Premium continues to increase, with most carriers, according to Betterley, reporting increases from 25% to 100% year over year. Hard profit figures are difficult to come by; however, strong anecdotal evidence suggests that this line of insurance continues to be highly profitable. Third party litigation continues to be slow to develop outside the privacy arena, and first party claim losses, outside of breach funds, are non-existent.

From an underwriting point of view, some attention should be paid to theft of personal identifiable information (PII), especially with respect to first party costs associated with forensics and customer notification costs.  However, there are established methods to manage this risk successfully for the underwriter.  Indeed, in a widely followed report, Verizon reports that 90% of all breaches can be prevented with proper risk management guidelines.   Of course, like any other portfolio of business, care must be taken with respect to avoidance of catastrophic exposure, adverse selection and moral hazard.  There are underwriting guidelines and processes that can be developed to manage these exposures.

Yet The Market Still Has Plenty Of Room To Grow

Despite the increased attention to cyber incidents, most reports indicate only a minority of companies currently purchase cyber-insurance. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy. A risk area with a high level of concern but little purchase of insurance? That’s an insurance carrier’s dream.

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber is covered under their general corporate liability.

Regardless of the reason, with respect to foreign corporations whose securities are traded on U.S. exchanges, a recent “Guidance” report2 published by the U.S. Securities and Exchange Commission on October 13, 2011 is likely to increase sales.  The report begins simply enough:

For a number of years, registrants (companies who register their securities with the SEC) have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity has also increased … As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

The “guidance” report goes on to specify five “suggested” disclosures that may be “appropriate” to companies trading with securities registered with the SEC.  The fifth suggestion is the one that caught the eye of the insurance industry.  It reads simply:

Description of relevant insurance coverage.

This is the first time that I am aware that the SEC included insurance in one of their guidance reports.  The SEC tends to start investigations 18-24 months after issuing a guidance report. It is difficult to imagine how a general counsel would be able to meet this disclosure without an investigation, at least, of specific cyber insurance.  This is especially true given that over the course of the last few years, general liability underwriters have continued to tighten up any language in a general liability policy to a point where an insured would be foolish to even think the policy applies to cyber risks.3

Thus, it is then perhaps not surprising that the Betterley 2012 market report stated “we think this (cyber) market has nowhere to go but up.”  Although, they quickly qualified,  “as long as carriers can still write at a profit.”

And With A Private-Public Partnership There Is Even More Potential

Unlike many other countries, 80% or more of the critical infrastructure of the United States is in private hands.  As we have seen in the last year, cyber attacks are increasingly being brought by companies associated with hostile nation states.  Cyber-terrorism – even cyber-war – is close at hand and, in some minds, is already here.  The insurance industry can and should play a vital role in providing private sector incentives to foster increased network security in the critical infrastructure.  However, the insurance industry cannot do this alone.  The answer lies in a private-public partnership between the insurance industry and the federal government.  Productive discussions are already underway between the Department of Homeland Security and the insurance industry with specific proposals to safeguard and enhance our country’s security being reviewed.

For more details on the need for this public-private partnership, and what is going on to bring it about, stay tuned for our next article.

1 Universities Face a Rising Barrage of Cyberattacks

2 Cybersecurity

3 While from time to time, this is tested by insureds (see Sony vs. Zurich), almost all commentators have admitted that the “die is cast.”