All posts by Jeff Dunsavage

Technology

Algorithms, A.I.and Insurance: Promise and Peril

Leave a comment

By Max Dorfman, Research Writer

A couple of articles crossed our desk recently that discussed the benefits and pitfalls of algorithms and artificial intelligence (AI). Neither discussed insurance, but they offered important lessons for the industry.

Algorithms and AI can work quickly, but they aren’t perfect.

An algorithm is a simple set of instructions for a computer.  Artificial intelligence is a group of algorithms that can modify and create new algorithms as it processes data. Broadly, these smart technologies can drive untold change for the industry.

As the Financial Times wrote earlier this year, “Insurance claims are, by their nature, painful processes. They happen only when something has gone wrong and they can take months to resolve.”

Chinese insurer Ping An uses AI to accelerate decision making, and New York-based insurance start-up Lemonade employs algorithms and AI to help pay clients more quickly. Other insurers use smart technologies for fraud detection, risk management, marketing, and other functions.

What could go wrong?

Algorithms and AI can work quickly, but they aren’t perfect. A recent article by Osonde A. Osoba, an information scientist and professor with the RAND Corporation, details what data scientists call an “algorithm audit.” An algorithm audit detects biases or blind spots that skew results, making it necessary to review and test the underlying data.

In the case Osoba discusses, Apple Pay was assailed on Twitter by tech executive David Heinemeier Hansson for giving him a credit limit 20 times larger than his wife’s, despite their sharing all assets, among other factors. Hansson concluded that the algorithm was sexist – causing a furor on the social media platform among both those who vehemently agreed and disagreed with him.

Apple Pay said it doesn’t have information about applicants’ gender or marital status. Yet no one from Apple could answer why Hansson received a significantly higher credit limit. They responded: “Credit limits are determined by an algorithm.”

Still, these algorithms and AI are informed by something – perhaps the implicit biases of the programmers. For example, systems using facial recognition software have yielded decisions that appear biased against darker-skinned women.

Are algorithms easier to fix than people?

An article in The New York Times by Sendhil Mullainathan, a professor of behavioral and computational science at the University of Chicago, discusses human and algorithmic biases. He cites a study in which he and his co-authors examined an algorithm that is commonly used to determine who requires extra levels of health care services. This algorithm has affected approximately 100 million people in the U.S. In this case, black patients were routinely rated to be at lower risk. However, the algorithm was inherently flawed: it used data on who receives the highest amount of health care expenditures.

Black patients already spend less money on health care than white patients with the same chronic conditions, so the algorithm only served to reinforce this bias. Indeed, without the algorithmic bias, the study estimated that the number of black patients receiving extra care would more than double. Yet Mullainathan believes that the algorithm can be fixed fairly easily.

Contrast this to a 2004 study Mullainathan conducted. He and his co-author responded to job listings with fabricated resumes: half the time they sent resumes with distinctively black names; the other half with distinctively white names. Resumes with black names received far fewer responses than those with white names.

This bias was verifiably human and, therefore, much harder to define.

“Humans are inscrutable in a way that algorithms are not,” Mullainathan says. “Our explanations for our behavior are shifting and constructed after the fact.”

Don’t write algorithms off

As RAND’s Osoba writes, algorithms and AI “help speed up complex decisions, enable wider access to services, and in many cases make better decisions than humans.” It’s the last point that one must be particularly mindful of; while algorithms can reproduce and intensify biases of their programmers, they don’t possess inherent prejudices, as people do.

As Mullainathan puts it, “Changing algorithms is easier than changing people: software on computers can be updated; the ‘wetware’ in our brains has so far proven much less pliable.”

Technology

What’s Insurtech, Anyway?

Leave a comment

Perhaps it’s a symptom of buzzword fatigue that everyone in the insurance industry seems to use the word “insurtech” without agreeing on – or maybe even really thinking about – what it means.

Some use it as a noun, suggesting a type of company – typically a startup – that applies cutting-edge technology to insurance-related challenges. Others use it as an adjective to describe the technologies and applications themselves. Still others seem to take the position of U.S. Supreme Court Justice Potter Stewart, writing on a very different topic: “I know it when I see it.”

Whatever it is, insurtech is a rapidly growing feature of the insurance landscape, and many traditional insurers and venture capitalists are investing in it.

Insurtech doesn’t just mean offering products more quickly online. It means transforming the offerings and the customer experience.
Modernizing the value chain

Insurtech emerged around 2010 as an offshoot of a similar movement in banking, known as “fintech.” With providers of just about every other product and service embracing “Amazonation,” consumers have come to expect absolutely seamless service – wherever and whenever. Like those industries, insurers need to satisfy their customers while growing profitably and managing operational costs.

But insurtech doesn’t just mean offering products more quickly online. It means transforming the offerings and the customer experience.

Insurtech most consistently refers to the use of apps, wearables, big data, machine learning, and other technologies to automate and improve processes across the insurance value chain – from marketing and policy origination through underwriting, services, and claims.

Some applications focus on reducing friction in transactions; the time required to fill out an application and receive a quote is a classic example. Others seek to streamline and enhance back-end functions, such as risk assessment, pricing, loss control, and settling claims.

Claims: Ripe for insurtech

The claims process is particularly well suited for transformation. Insurers typically hire adjusters to determine the extent of their liability for a loss, damage, or injury and come up with a settlement. This can be time consuming, expensive, error prone, and, in some cases, dangerous.

Drivers can submit photos to their insurers via app immediately after an accident. Some insurers use machine learning and publicly available data to detect fraud.

Today, new approaches aid the claims process.

For example, drivers can submit photos to their insurers via app immediately after an accident. Some insurers also use machine learning and publicly available datasets to detect and flag potentially fraudulent claims.

As technology helps improve underwriting, policy administration and claims, new products are being developed and traditional ones can be handled differently.

One emerging approach – enabled by the intersection of telecommunications and big data known as “telematics” – is usage-based insurance (UBI), priced according to drivers’ own voluntarily provided behavioral data. A more recent stage in UBI’s evolution is pay-as-you-drive insurance, with monthly billing that varies based on mileage driven.

A similar trend involves using data from smart-home technology, such as water-monitoring systems that can anticipate and prevent leaks that might otherwise lead to claims. Advances in telematics and the Internet of Things are increasing the quantity and range of the data insurers will have at their disposal.

Obstacles remain

 Insurtech offers tremendous opportunities for innovation, but – as one of the most heavily regulated and publicly scrutinized industries – it faces obstacles. Many technologists driving the movement come from outside insurance. Few have navigated the legal, regulatory, and cultural minefields surrounding personal privacy and security.

Unlike many other industries, in which maximizing speed and satisfaction has become the prime directive, insurers are required by law to protect customers from privacy breaches and bias. Perusing social media for insights to help optimize user experience or using machine learning to anticipate and address changes in users’ buying behavior may be acceptable if you’re selling cars or cosmetics – but for insurers, their clients, and regulators it raises a host of red flags that have to be addressed.

Business Insurance

When Must Insurers Defend Motelsin Trafficking Cases?

Leave a comment
Hotels and motels are routinely used for sex trafficking. Two recent lawsuits highlight the complexity of determining who bears legal costs associated with trafficking.

Human trafficking is a crime with enormous individual and societal impacts, and it relies on legitimate businesses to sustain it. Motels, for example – and, arguably, insurers.

“Hotels and motels are routinely used for sex trafficking,” reports the Polaris Project, a nonprofit that aims to “eradicate modern slavery.” Two recent lawsuits involving insurers of motels used by traffickers highlight the complexity of determining who bears legal costs associated with such activities.

Duty to defend

Both cases revolve around “duty to defend” — an insurer’s obligation to provide a legal defense for claims made under a liability policy. Before proceeding, let me say: I’m not a lawyer.  Everything that follows is based on published reporting, and no one should act on anything I write without first consulting an attorney.

In the first case, a woman sued motel operators for letting her be trafficked at their motels when she was a minor. The Insurance and Reinsurance Disputes Blog says, “The allegations of physical harm, threats, being held at gun point, and failure to intervene were wrapped up into claims ranging from negligence per se to intentional infliction of emotional harm.”

One of the motels sought defense from its insurer, Nautilus Insurance Co. Nautilus argued it was not obligated to defend based on a policy exclusion for claims arising out of assault or battery. The court agreed, and an appellate court affirmed.

In other words, the motel owners were on the hook for their own legal costs.

In the second case, a court found the insurer – Peerless Indemnity Insurance Co. – must defend its client in a suit brought by a woman claiming she was imprisoned by a man grooming her for prostitution while the owners turned a blind eye. A lower court had dismissed the case, finding insufficient evidence the motel was engaged in trafficking. An appeals court overturned that decision.

“The relevant question,” the judge said, is whether the victim’s injuries constitute personal injury. This is because the definition of personal injury under the policy included injuries arising from false imprisonment.

Because her injuries, at least in part, arose from false imprisonment, the judge said, “the answer to that question is ‘Yes’.”

So, the court said, Peerless must pay to defend the motel.

Trafficking is a $32 billion-a-year industry. Insurers might want to review their policy language to avoid funding defenses of criminals and businesses that enable them.
Language matters

The differences between these rulings seem to have more to do with nuances in policy language than trafficking facts.

In the Nautilus case, the appeals court found the exclusion – stating Nautilus “will have no duty to defend or indemnify any insured in any action or proceeding alleging damages arising out of any assault or battery” – unambiguous. It declared: “Nautilus had no duty to defend and indemnify” because the claims “arose from facts alleging negligent failure to prevent an assault or battery.”

The Peerless case involved two policies – a general liability and an umbrella – both of which contained exclusions for “‘personal and advertising injury’ arising out of a criminal act committed by or at the direction of the insured.”

The “personal” in “personal and advertising injury” includes false imprisonment.

To a non-lawyer like me, this seems as unambiguous as the Nautilus case: the Peerless policies excluded personal injury “arising out of one or more” of a variety of offenses, including false imprisonment.

The U.S. District Court for the District of Massachusetts disagrees. Its analysis goes into semantic tall grass, parsing phrases like “arising out of” and “but for” and is peppered with case law citations like:

  • “Ambiguities are to be construed against the insurer and in favor of the insured” and
  • “The insurer bears the burden of demonstrating that an exclusion exists that precludes coverage.”

It would exceed the bounds of my non-existent legal training – and the length of a blog post – to critique the court’s analysis. I recommend reading the decision.

But it doesn’t take a lawyer to see insurers have a stake in reviewing and possibly tightening their policy language to avoid having to fund defenses of criminals and businesses that enable them.

Trafficking is a $32 billion-a-year (and growing) industry, according to the Polaris Project.  With that kind of money involved, cases like these won’t just go away.

Cyber Risk, Health & Safety

Life & Death: Cyberattacks Interrupt More Than Business

1 Comment

Cyberattacks on hospitals can lead to increased death rates among heart patients, recent research suggests. This research emerges as attacks on health facilities are reported to have increased 60 percent in 2019.

Researchers at Vanderbilt University‘s Owen Graduate School of Management drilled down into Department of Health and Human Services records on data breaches from more than 3,000 Medicare-certified hospitals. They found that, for facilities that experienced a breach, the time for suspected heart attack patients to receive an electrocardiogram (ECG) increased by more than two minutes.

Health care is the seventh-most targeted industry, but attacks on this sector are on the rise.
When seconds count

The study focused on the impact of remediation efforts on health care outcomes following a data breach.  It found that common remediation approaches, such as additional verification layers during system sign-on, can “delay the access to patient data and may lead to inefficiencies or delays in care.”

Common remediation approaches, such as additional verification during system sign-on, can delay access to patient data and lead to delays in care.

“Especially in the case of a patient with chest pain,” the report says, “any delay in registering the patient and accessing the patient’s record will lead to delay in ordering and executing an ECG.”

The researchers found that “a data breach was associated with a 2.7-minute increase in time to ECG three years after the breach.”

A bit over two minutes may not seem like much – but during a coronary or a stroke it can be the difference between life and death.

Increasingly targeted

Vanderbilt’s research was based on data collected before ransomware attacks against health care facilities became common. The authors caution that such attacks – in which systems or data are held hostage until a ransom can be paid – “are considered more disruptive to hospital operations than the breaches considered in this study.”

The medical sector is the seventh-most targeted industry, according to a report by internet security firm Malwarebytes, based on data gathered between October 2018 and September 2019. But Malwarebytes warns that attacks on this sector are on the rise.

“Threat detections have increased for this vertical,” the report says, “from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.”

Comparing all of 2018 against the first three quarters of 2019, Malwarebytes said it has observed a 60 percent increase in such attempted intrusions.

“If the trend continues,” Malwarebytes reports, “we expect to see even higher gains in a full year-over-year analysis.”

 

Insurance Industry

Advisen Event Panelists Proclaim Hard Market in Property Insurance

Leave a comment

 

In a hard market, demand for coverage is strong, supply weak. Insurers impose strict underwriting standards, and buyers pay higher premiums.

For those still tiptoeing around whether the property insurance market is yet officially “hard,” two speakers at Advisen’s Property Insights Conference last week unabashedly used the “H-word,” and none of the 300-plus insurance and risk-management professionals attending seemed to disagree.

Gary Marchitello, head of property broking for Willis Towers Watson, was first to say it in an on-stage conversation with Michael Andler, executive vice president/U.S. property practice leader at Lockton Cos.

Andler concurred: “If it walks like a hard market and talks like a hard market, it’s a hard market.”

Some presenters during the daylong event quibbled over when pricing went from merely “hardening” to “hard”.  Some said the hard market is eight quarters old, while others said it began as recently as the second quarter of 2019 – but no one piped up to deny it’s here.

Hard, soft, and why it matters

In a hard market, demand for coverage is strong, supply weak. Insurers impose strict underwriting standards and issue fewer policies. Consequently, buyers pay higher premiums. During soft markets, customers can negotiate lower prices as insurers compete for business. When the market hardens again, prices rise as insurers adjust rates at renewal.

Marchitello, with four decades’ experience, said this hard market is different: “With prices rising, you’d expect new entrants to the market. That is absolutely not happening.”

“It’s going to get worse before it gets better,” he added. “Two years of combined ratios above 100 have forced underwriters to drive profitability” rather than pursue market share, as many did during the soft market.

 We brought it on ourselves

In a room packed with insurers, brokers, and buyers, one might expect some finger pointing for the dramatic price increases. I heard little to none.

“We as underwriters allowed it to happen,” said Erik Nikodem, senior vice president at Everest Insurance.

“We lost the script during the soft market,” said Michal Nardiello, senior vice president at CNA. “We pushed deals that weren’t sustainable in the long haul.”

And it wasn’t only underwriters accepting responsibility.

“I never turned down a lower rate” when the market was soft, said Lori Seidenberg, global director of real assets insurance for BlackRock. Not that she should have – but professional risk managers know a soft market isn’t going to last forever and need to plan accordingly.

Despite this admirable accountability, it’s important to remember larger forces have been at work. As CNA’s Nardiello put it: “There’s been a massive shift of wealth and people into areas prone to fire, tornados, hail, and flood” – perils that are themselves changing in frequency and intensity.

Also a factor is “social inflation” – rising litigation costs that drive up insurers’ claim payouts, loss ratios, and, ultimately, policyholder premiums. It’s been estimated that social inflation “could ultimately blow a $200 billion hole in global reserves.”

 What’s next?

 Carriers, customers, and brokers all acknowledged the need to do things differently. While much was said about using technology, data, and analytics to improve underwriting and reduce expenses, the dominant theme was communication. All parties recognized they must communicate early and often.

As Duncan Ellis, head of retail property, North America for AIG, put it: “Bad news doesn’t get better with time.”

“It’s important for brokers to get a handle on the data,” said Theresa Purcell, director of risk management for real estate giant Kushner. She also recommended that brokers “get creative. Suggest different structures. Educate us about other services” that might better suit individual customer needs.

Stephanie Hyde, executive director at P-E Risk, an insurance and risk management consultancy, echoed Purcell, adding that brokers need to “educate yourselves about all lines of coverage your clients need so you can understand what they’re going through.”

Maria Grace, vice president and chief underwriting officer for property and inland marine at Everest, urged brokers to “put us [underwriters] in front of your clients” to help them understand why prices are increasing and, where possible, offer more appropriate solutions.

 

Insurance Industry

2019 Hurricane Season: “Slightly Above Average”

Leave a comment

Colorado State University’s Department of Atmospheric Science released a summary of the 2019 Atlantic hurricane season today.

Seven of the named storms lasted 24 hours or less – the most on record with such short longevity.

The 2019 season yielded 18 named storms, six of which became hurricanes, including three major ones (Category 3 or higher, with maximum sustained winds of at least 111 mph). While 18 is quite a bit more than the seasonal average of 12 , seven of the named storms lasted 24 hours or less – the most on record with such short longevity.

“The season ended up slightly above average when looking at integrated metrics, such as accumulated cyclone energy, that account for frequency, intensity and duration of storms,” said Dr. Phil Klotzbach, research scientist in the Department of Atmospheric Science, non-resident scholar at the Insurance Information Institute (I.I.I.), and lead author of the report. “We generally forecast a near-average season, so we slightly under-predicted overall levels of Atlantic hurricane activity.”

Dorian: most destructive

Of the three major hurricanes, Dorian was the most destructive. Forming in late August, it devastated the northwestern Bahamas at Category 5 intensity, causing over 60 fatalities and economic losses that could be as much as $7 billion, according to a recent Artemis report. It then made landfall near Cape Hatteras, North Carolina, as a Category 1 hurricane and later caused significant damage in the Atlantic Provinces of Canada. Insurance broker Aon estimates the economic value of the damage Dorian inflicted on the United States at approximately $1.2 billion.

Hurricane Humberto, forming in September, caused much less damage than Dorian, as it remained hundreds of miles offshore. Nevertheless, it caused large swells across the U.S. East Coast and resulted in one fatality when a man drowned due to a rip current in North Carolina. Another man was reported missing in St. Augustine, Florida after the storm. Bermuda officials reported that no fatalities occurred on the island during Humberto’s passage.

Hurricane Lorenzo became a Category 5 hurricane in the central subtropical Atlantic – the farthest east Cat 5 Atlantic formation on record. It generated 49-foot waves, with an occasional rogue wave nearing 100 feet, sending swells to both sides of the Atlantic. Lorenzo caused 10 fatalities.

She nearly didn’t get a name

The most destructive storm to hit the continental United States in the 2019 season almost didn’t have a name. Two hours before dumping 40 inches of rain in some parts of Texas, Tropical Storm Imelda was just “a tropical depression,” Dr. Klotzbach said. Imelda was upgraded to a named storm 90 minutes before landfall, but it proceeded to deluge southeast Texas, causing at least $2 billion in economic damage and at least five deaths, according to Aon.

“From a wind perspective, Imelda was practically a non-event,” Dr. Klotzbach continued. “But the rain it brought made it the most expensive tropical cyclone to hit the United States during the 2019 season.”

The 2019 Atlantic hurricane season began on June 1 and ends officially on November 30. Colorado State’s full summary and verification report is available here.

 

Business Insurance, Business Risk, Health & Safety

Despite Safer Skies, Aviation Claims Rise: What’s Up With That?

Leave a comment

 Flying has never been safer.

You’re more likely to die from being attacked by a dog than in an airline accident (see chart).

Today’s aircraft contain more sophisticated electronics and materials than those flying in the 1960s. When they bump into each other or come down too hard, they cost more to repair.

And yet, according to a recent Allianz Global Corporate & Specialty (AGCS) report, the aviation sector’s insurance claims continue to grow in number and size.

The report – Aviation Risk 2020 – says 2017 was the first in at least 60 years of aviation in which there were no fatalities on a commercial airline. The year 2018, in which 15 fatal accidents occurred, ranks as the third safest year ever.

Of more than 29,000 recorded deaths between 1959 and 2017, the report says, fatalities between 2008 and 2017 accounted for less than 8 percent – despite the vast increase in the number of people and planes in the air since 1959.

So, what gives?

Safety is expensive

Some of the reasons for the increased claims are good ones: Safer aircraft cost more to repair and replace when there are problems.

The report analyzed 50,000 aviation claims from 2013 to 2018, worth $16.3 billion, and found “collision/crash incidents” accounted for 57 percent, or $9.3 billion. Now, this may sound bad, but the category includes things like hard landings, bird strikes, and “runway incidents.”

The AGCS analysis showed 470 runway incidents during the five-year period accounted for $883 million of damages.

Engine costs more than the plane

Today’s aircraft contain far more sophisticated electronics and materials than those flying in the 1960s. When they bump into each other or come down too hard, they cost more to repair.

“We recently handled a claim where a rental engine was required while the aircraft’s engine was repaired,” said Dave Watkins, regional head of general aviation, North America, at AGCS. “The value of the rental engine was more than the entire aircraft.”

When entire fleets have to be grounded – the report cites the 2013 grounding of the Boeing Dreamliner for lithium-ion battery problems and the more recent fatal crashes involving the Boeing 737 Max – costs can really soar. Boeing reportedly has set aside about $5 billion to cover costs related to the global grounding of the 737 Max.

Even after a fix is found, the task of retrofitting a fleet takes considerable time – and, in the aviation industry, time truly is money.

Liability awards take off

Compounding the claims associated with the costs of safer flight, the report says, liability awards have risen dramatically.

“With fewer major airline losses,” Watkins said, “attorneys are fighting over a much smaller pool and are putting more resources into fewer claims, pushing more aggressively for higher awards.”

Today’s aircraft carry hundreds of passengers at a time. With liability awards per passenger in the millions, a major aviation loss could easily result in a liability loss of $1 billion or more.

Auto Insurance, Homeowners Insurance, Legal Environment

Florida’s AOB Crisis: A Social-Inflation Microcosm

Leave a comment

Never heard of “social inflation”? It’s a fancy term to describe rising litigation costs and their impact on insurers’ claim payouts, loss ratios, and, ultimately, how much policyholders pay for coverage.

The number of auto glass AOB lawsuits statewide in 2013 was over 3,800; by 2017, that number had grown to more than 20,000.

While there’s no universally agreed-upon definition, frequently mentioned aspects of social inflation are growing awards from sympathetic juries and a trend called “litigation funding”, in which investors pay plaintiffs to sue large companies – often insurers – in return for a share in the settlement.

Less discussed are state initiatives that inadvertently invite costly abuse. Florida’s assignment of benefits crisis is an excellent example.

Assignment of benefits (AOB) is a standard insurance practice and an efficient, customer-friendly way to settle claims. As a convenience, a policyholder lets a third party – say, an auto glass repair company – directly bill the insurer.

Easy.

In Florida, however, legislative wrinkles have spawned a crisis.

The state’s “David and Goliath” law was meant to level the playing field between policyholders and economically powerful insurers. It lets plaintiffs’ attorneys collect fees from the insurer if they win their case – but not vice versa. If the insurer wins, the plaintiff owes the insurer nothing.  This creates an incentive for attorneys to file thousands of AOB-related suits because there is no limit on the fees they can collect and no risk. Legal fees can dwarf actual damages paid to the policyholder – sometimes tens of thousands of dollars for a single low-damage claim.

AOBs are an efficient, customer-friendly way to settle claims…. In Florida, however, legislative wrinkles have spawned a crisis.

This type of arrangement is unique to Florida. And, despite efforts to contain it through reforms to the state’s personal injury protection (PIP) program, the abuse has spread beyond its origins in the southern part of the state and to other lines than personal auto and homeowner’s insurance. More than 153,000 AOB suits were filed in Florida in 2018 – a 94% increase from about 1,300 five years earlier.

Contributing to the crisis is the ease with which unscrupulous contractors can “find” damage unrelated to an insured incident or overbill for work done and file a claim. Florida statutes let policyholders assign benefits to a third party without insurer consent – which limits the insurer’s ability to monitor a claim to make sure costs aren’t inflated.

A measure signed into law by Gov. Ron DeSantis earlier this year aimed to curb AOB litigation by putting new requirements on contractors and letting insurers offer policies with limited AOB rights, or none at all.  However, it excludes auto glass repairs. The number of auto glass AOB lawsuits statewide in 2013 was over 3,800; by 2017, that number had grown to more than 20,000.

Florida’s experience provides an ongoing study into how hard it can be to stuff the social inflation genie back into its bottle.

For more details, see I.I.I.’s white paper, “Florida’s Assignment of Benefits Crisis: Runaway Litigation Is Spreading, and Consumers are Paying the Price”.

Cyber Risk

Are Cyberrisk Insurers This Decade’s Mortgage-Securities Investors?

Leave a comment

An awkward moment during  Advisen’s Cyber Risk Insights 2019 conference last week:

Are cyber insurers falling down on the job, as many say lenders, regulators, and rating agencies did before the 2008 financial crisis?

Panelists recalled how, in the early days of cyber, insurers often sought more information to write policies than clients could (or wanted to) provide. So, they started asking for less.

Most attendees remembered the “old days.” Many nodded. They understood.

The awkwardness came when one audience member observed that insurers “still chase market share” despite lacking complete policyholder risk information. “That sounds a lot like mortgage-backed securities before the financial crisis!”

Are cyber insurers falling down on the job, as many say lenders, regulators, rating agencies, and investors did before the 2008 financial crisis and subsequent recession?

The analogy may sound fair, but it falls apart on examination.

Mortgages and the financial crisis

In the early 2000s, it was easy to get a mortgage. Lenders would bundle loans to be sold as mortgage-backed securities. The theory: Few people would stop making payments and risk losing their homes. The rest would pay, and the security would deliver a fair return.

This made sense when lenders did their job. But too many abandoned their standards. Because they could sell them, lenders had no stake in whether the mortgages were paid.

Regulators and rating agencies, it has been argued, didn’t ask enough questions about the securities the loans supported. This gave investors more confidence than the investments warranted. When loans that should never have been made in the first place defaulted, the resulting dislocation of the homebuying and financial markets ushered in the Great Recession.

Where the analogy breaks down

Cyber insurers understand the risks they’re taking and price their policies accordingly. In fact, a recent I.I.I./J.D. Power survey found two of the top four reasons small companies choose not to buy cyber coverage are that it costs too much and contains too many exclusions.

Unlike the lenders and borrowers and investment banks in the early oughts, insurers have skin in the game. If they write bad business, they can’t simply pass it along to some naïve investor.

They also have a stake in customer relationships. They aren’t pushing policies, pricing them to sell, and hoping for the best. They’re working with clients to understand and address the clients’ vulnerabilities.

Cyber insurers understand the risks they’re taking and price their policies accordingly…. They also have a stake in customer relationships.

Seventy percent of small companies that bought cyber said their insurer helps with risk mitigation (up from 65 percent last year), according to the I.I.I./J.D. Power survey.  At the Advisen event, I heard insurers and policyholders discussing how they can address these perils. Policyholders clearly wanted insurers to do more than write policies and pay claims, and the insurers were listening.

Conversations like these, and the spirit of transparency and shared responsibility they reflect and promote, are essential to staving off and mitigating the impact of cyberattacks. Insurers and insureds, together, are visibly seeking solutions to a real and growing problem.

The people behind the financial crisis quietly created problems in pursuit of opportunities, studiously unmindful of the collateral damage they were generating.

Cyber Risk

Cyber Insurance: Why Do Small Firms Do Without?

Leave a comment
Small-business owners know cyber risk threatens them – but many still are dubious about cyber insurance. Why?

Smaller businesses seem to be getting the message that cyber risk isn’t just something for big companies to worry about; nevertheless, many still balk at buying cyber insurance, according to a new survey from the Insurance Information Institute (I.I.I.) and J.D. Power.

The 2019 Small-Business Cyber Insurance and Security Spotlight found that 12 percent of survey respondents experienced at least one cyber incident in the past year, up from 10 percent in 2018.  Nearly 71 percent said they are “very concerned” about cyber incidents, up from 59 percent, and 75% said they believe the risk of being attacked is growing at an alarming rate, up from 70 percent last year.

Two of the top four reasons cited for not buying cyber coverage are within insurers’ control.

Respondents with cyber insurance increased this year, to 35 percent from 31 percent; but of the 44 percent who said they don’t have cyber coverage and the 21 percent who didn’t know if they do, 64 percent said they don’t plan to buy it in the next 12 months.

Why the hesitation?

Why are many smaller firms so reluctant to insure against a threat they recognize to be real and growing?

The top two reasons given were: cost (42 percent) and the belief that the companies’ risk profiles don’t warrant coverage (35 percent). Twenty-seven percent said they believe they handle cyber risk sufficiently well internally, and 17 percent cited “too many exclusions” as a reason for not buying coverage. For the non-insurers in the audience, “exclusions” are provisions in an insurance agreement that limit the scope of coverage.

So, in other words, two of the top four reasons cited by insureds for not buying cyber coverage – cost and exclusions – are within insurers’ control.

As David Pieffer, head of J.D. Power’s property and casualty insurance practice, put it:

“Given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.”

Risk-mitigation support may help

Closely related to cost is the question of value. What do insureds get for their premium dollar?

Among the respondents with cyber coverage, 70 percent said their insurer helps with cyberrisk mitigation, up from 65 percent in 2018. Fifty-one percent said their insurer offers contingency planning for data breaches, up from 40 percent, and 53 percent said their insurer will assess their vulnerability to data breaches, up from 51 percent.

“We’re seeing more insurers work with commercial customers to mitigate risks – in particular, with small and mid-size businesses,” said Sean Kevelighan, I.I.I. president and CEO. “We know many of the large cyber incidents can be sourced back to a smaller business or vendor, and, thus, it’s increasingly critical to assist in loss prevention measures that can make the customer more resilient, while also reducing claims and damages.”

It’s hard to say based on the data, but perhaps such insurer involvement plays as significant a role in small companies’ increased adoption of cyber insurance as does their growing anxiety about cyber perils. As companies increasingly see cyber insurers as trusted risk-management partners – not just writers of policies and payers of claims – perhaps take up rates will accelerate.