Category Archives: Emerging Risks

Will Workers Comp Claims for COVID-19 Be Paid?


While health workers and first responders might be more likely to be exposed, whether COVID-19 is compensable under workers comp is uncertain.

Whether workers compensation claims related to COVID-19 will be paid is a question to be answered case by case and state by state.

The world has seen numerous epidemics whose impact on public health is well documented, so you might expect to find guidance on compensability from these experiences. But according to the National Council on Compensation Insurance (NCCI), “You would be hard pressed to find meaningful information on how or even if the workers compensation system was affected” by the SARS, H1N1, Ebola, and Zika outbreaks.

Workers comp insurance typically covers employers for employee claims regarding “bodily injury by accident or bodily injury by disease.” Many state statutes, however, exclude “ordinary disease of life.”

While some occupations – for example, health care workers and first responders – might be said to have a higher probability than others for exposure to COVID-19, whether the disease is compensable under workers comp is uncertain.

“Would time away from work during recovery be considered ‘temporary disability,’” NCCI asks, “or is it just normal ‘sick time’?”

Guaranteed benefits for some

Workers’ comp insurers in at least two states have said they will guarantee benefits for health workers and first responders.

Kentucky Employers Mutual Insurance Co. said it will pay wage-replacement benefits for any first responder or employee in the medical field who is quarantined because of direct exposure to a person diagnosed with COVID-19. The announcement follows a decision by the Washington State Department of Labor and Industries to pay wage-loss and medical treatment expenses for any health care worker or first responder who is quarantined because of coronavirus exposure. Washington operates a monopoly workers comp system, so that policy affects every employee covered by the state system.

It remains to be seen if other states will take the same measures relative to workers comp. For general health insurance, however, NCCI says at least 10 states have issued mandates to cover COVID-19. The mandates vary, but they include coverage for testing and visits to emergency rooms or urgent care facilities either in-network or out-of-network without deductibles or copays.

If expanded to more states, NCCI says, these mandates could limit workers comp claims in cases where only testing or quarantine is necessary.

COVID-19 Meets Cyberrisk

As COVID-19 spreads, we’ve been hearing more about the importance of hygiene and maintaining “social distance.”

Last night I found out the cyberrisk conference I was scheduled to attend this morning had been changed to a “virtual” meeting. With so many events being canceled or postponed out of an abundance of caution over the spreading COVID-19 virus, it was nice to know the show would go on safely.

I’d already been working from home (thank you, Triple-I!) to avoid exposure during my train commute and potentially becoming a “vector” to family, friends, and co-workers. As I waited for the event to begin, I scrolled through my news feed and spotted several stories about risks related to increased remote work.

Cyberrisk featured prominently in these articles. Unprotected devices, they warned, can lead to data losses, privacy breaches, and ransomware attacks.

One article alluded to campaigns designed specifically to tap into concerns around COVID-19.

“We are already seeing targeted phishing campaigns globally,” said New Zealand Health IT chief executive Scott Arrol. “The cyber virus taking advantage of the biological virus.”

Arrol said hackers seeking to exploit fears of COVID-19 are sending fake ads or links with online viruses.

The message “might look like it has come from the World Health Organization, inviting you to register for more information,” he said. “You click on that link, you’ll be taken to fill out a form and then suddenly…you’re giving away personal information you shouldn’t.”


Insurance broker Aon has issued an advisory cautioning employers to take steps to ensure that work-from-home employees can connect to secure remote networks, a Claims Journal article says.

“Any time you’re talking about employees who are not used to working from home, who may not have the correct cybersecurity posture, a virtual private network (VPN) is critically important and having two-factor authentication is critically important,” Aon Senior Vice President Stephanie Snyder said.

A VPN connects remote users or regional offices to a company’s private internal network. Two-factor authentication adds a layer of security beyond a password to make sure a user is authorized to access the system.

Snyder added that telecommuters may be tempted to work from their laptops at a coffee shop – potentially exposing their computers to intrusion. She said employers need to have strict security protocols in place to avoid such exposures.

So, I wasn’t surprised when one of the first speakers at the event I was “attending” mentioned viral epidemics like COVID-19 as something underwriters just a few years ago would not have considered a factor in assessing cyber risk but now should.

As I’ve written before, increasingly interconnected risks require a holistic approach to risk management – one that takes into account preparation, mitigation, and built-in resilience. As COVID-19 has spread beyond its origins in Asia, we’ve been hearing more about the importance of hygiene and of maintaining “social distance.”

Technology can help us maintain social distance, but the devices we rely on need to be managed and protected, lest they make us even more vulnerable.

COVID-19: A Teachable Moment For Thinking About Risk

As we take our precautions and wait for the World Health Organization (WHO) and the U.S. Centers for Disease Control and Prevention (CDC) to declare COVID-19 a pandemic, now might be a good time to breathe and think about what this outbreak and other perils in the news can teach us about how we think about risk.

COVID-19 has spread far beyond its origins in China. People worldwide have been infected. Many in China and some beyond have died.

In addition to the human toll, concerns exist about disruptions to global supply chains, economic systems, and markets.

Nothing I’m about to say should be read as minimizing these dangers.

Not our first outbreak

But this isn’t the first infectious outbreak we’ve faced, and it won’t be the last. With people and products traveling the world and economies increasingly interconnected, disease transmission and commercial disruption related to it are inevitable.

How we handle them will be predicated upon how we think about risk.

At this writing, there are 60 cases of COVID-19 in the United States – none considered “Serious” or “Critical.” There have been no deaths and six recoveries. Compare these numbers with the 280,000 to 500,000  flu hospitalizations and 16,000 to 41,000 flu deaths this year to date, as reported by the CDC.[i]

Americans aren’t panicking about influenza, and the media aren’t giving the flu nearly as much attention as COVID-19. These facts appear to be related. As we previously reported, research suggests public anxiety about potential causes of death correlates with the amount of media play they receive; and the media often underreport threats that are statistically more substantial than dangers they emphasize.

We’re not panicking because we’re familiar with the flu and know the drill: wash your hands frequently; cough into your sleeve; avoid crowds as much as is reasonable.

Good news! Following this advice also helps slow the spread of COVID-19.

If we’re panicking over COVID-19, it’s due largely to the coverage it’s receiving and the fact that markets are reacting dramatically. Our reactions have little to do with the likelihood of our being infected.

Pedestrian dangers

Until WHO and CDC tell us otherwise, do you know what’s more likely to kill you than the coronavirus?

That’s right: An automobile.

According to a report published this week by the Governors Highway Association (GHA), pedestrian auto fatalities in 2019 were at their highest since 1988.

“During the 10-year period of 2009 to 2018,” the report says, “the number of pedestrian fatalities in the U.S. increased by 53 percent, from 4,109 in 2009 to 6,283 in 2018.”

It estimates 6,590 pedestrian fatalities occurred in 2019, the most in more than 30 years.

Possible reasons include smart phone use by pedestrians and drivers; increasing purchases of light trucks and SUVs relative to passenger cars; even more people walking due to warming temperature trends.

As word of this report spreads, don’t expect people to change their phone, car-buying, or walking habits. We accept these risks because we enjoy the freedom and control that go with making our own decisions. We roll with them because they feel familiar and manageable.

As a colleague expressed it: “That’s why Jaws didn’t scare me. All I had to do to avoid sharks was to stay out of the ocean. Now, Freddy Krueger was another story….”

If you’d like to be better informed about relative mortality risks, the chart below is a good place to start. The list – which represents only accidental deaths – is by no means exhaustive.  In fact, a different study, based on data from the same year (2017), found accidental deaths were the third-largest mortality category, after heart disease and cancer.

Close behind accidents were respiratory disease and stroke.


Public anxiety over COVID-19 is due more to media coverage and market reactions than likelihood of infection.

[i] Because influenza surveillance does not capture all cases of flu that occur in the U.S., CDC provides these estimated ranges to better reflect the larger burden of influenza. These estimates are calculated based on CDC’s weekly influenza surveillance data and are preliminary.

2020 Insurance Fact Book Includes New Section On Emerging Risks

The Insurance Information Institute (Triple-I) 2020 Insurance Fact Book is now available.

The 234-page digital publication features facts, figures, statistical tables, and charts on U.S. and global insurance markets. It also includes detailed data on direct premiums written and factors affecting U.S. auto, homeowners, and business insurance costs.

Three unique insurance risks—cybersecurity, extreme weather, and social inflation—are highlighted in a new section called Emerging and Evolving Insurance Issues. Other new components include:

“As we welcome a new decade, the challenges before the insurance industry are vast,” said Triple-I CEO Sean Kevelighan. “The catastrophic shock and losses from the last few years, from California wildfires and the Atlantic hurricane season, are telling. What the last decade has foreshadowed could be, as some say, the new abnormal. Our new Insurance Fact Book reflects the new risks insurers face.”

The 2020 Insurance Fact Book is available for purchase from the Triple-I’s online store.  Copies may be obtained free of charge by Triple-I member companies and associate members via the Triple-I’s members-only website. Previous editions have been popular with policymakers, journalists, academics, business leaders, and others.

Interconnected Perils Demand Holistic Risk Management

Few risks exist in isolation.

The most primal ones – those associated with wind, fire, and water – often travel in pairs.  Modern, more complicated risks – supply chain, business interruption, cyber, political, and financial – are like tapestries so tightly woven that any effort to address this or that hazard can threaten to unravel much of what you’re trying to protect.   

A new report from Verisk looks at complex emerging risks and why they matter to insurers and risk managers.


When nature meets technology

Ever heard the word “natech”? I hadn’t until I read the 2019 Verisk Perspectives.

“Accidents in the industrial sector can be catastrophic, and up to five percent of all accidents in this sector are caused by natural events,” writes Alastair Clarke of Verisk’s AIR Worldwide in an article titled “Where Climate Change and Natech Risk Meet.”

Between 1990 and 2008, Clarke reports, natural hazards were the cause of 16,600 reported hazardous releases.

“In each case,” he writes, “a natural event triggered a technological malfunction that led to the release of hazardous material.”

That’s a natech, and the insurance implications are significant.

Many examples exist of catastrophic casualty claims from natechs. The report cites the 2010 collapse of a dam at the Ajka alumina plant in Hungary.  The dam broke after days of heavy rain, releasing toxic sludge and causing 10 deaths and 150 injuries, along with the contamination.

In 2005, Hurricane Katrina triggered 200 hazmat releases. When storm surge ruptured a storage tank at a Louisiana oil refinery, Clarke writes, “the release of 25,000 barrels of crude oil affected 1,800 homes and resulted in a $330 million settlement.”

“Natechs show how liability can arise from natural events that can be traced back to the suppliers of a faulty service,” Clarke writes. “With climate change, the threads are deeply tangled.”

IoT unites us, for better and worse

Globalization has connected the world through commerce and culture as never before, and the Internet of Things (IoT) aims to finish the job. But supply-chain risks – already subject to the vagaries of weather, politics, and global finance – only become more complex as machines whisper among themselves.


In “Cyber Risks Loom Large in an Interconnected World,” Tim Campbell of Verisk Maplecroft and Kamban Parasuraman of AIR report that a survey of more than 1,000 U.K. and U.S. risk professionals indicated the average company shares confidential information with about 583 third parties. Of those surveyed, 59 percent experienced a data breach linked to a vendor or other third party in 2018.

“Just as companies need to be aware of the cyber risks introduced by third parties in their supply chains,” Campbell and Parasuraman write, “insurers may need to consider how the insureds within its own book of business are interconnected. In fact, the lack of full visibility into each insured’s interdependencies may create risks that are unidentifiable from an underwriting standpoint.”

Utilities alone are expected to deploy more than 800 million connected IoT devices by the end of 2019, reports Ben Kellison of Verisk’s Wood Mackenzie in “Power Utilities Face Emerging Cyber Threats.”

Each one is a potential cyberattack portal.

“The power grid is also becoming more decentralized,” Kellison writes. “Tens of millions of small generators and loads are being integrated into more power markets and local power systems that may or may not be owned or operated by the utility.”

The risks go on

The Verisk report, produced by the data and analytics provider’s ISO Emerging Issues team, examines these and other risk areas. As I reflect on these articles in the context of many hours spent reading about, discussing, and listening to others discuss risk and insurance, it becomes clear – from a resilience perspective – that a more holistic, epidemiological approach  to risk management is needed.

Your building can be designed and built well above code; if your neighbors’ buildings aren’t, you’re at risk when a tornado turns their HVAC units into projectiles. This reality becomes more insidious when your billing system is threatened by malware introduced through a customer’s “smart” lightbulb.

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.


The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

 

I.I.I. Report: Marijuana legalization raises concerns about drugged driving

The “green gold rush” shows no sign of slowing.

Most recently, New Jersey legislators reportedly announced a bill that would permit recreational marijuana. If the bill is signed into law, New Jersey would join ten other states and D.C. that currently permit recreational marijuana. More than 30 states and D.C. also permit medical marijuana programs of some kind.


But as legalization spreads, concerns about driving under the influence of marijuana continue unabated.

Today, the I.I.I. has published a report that examines the current state of the issue.

“A rocky road so far: Recreational marijuana and impaired driving” dives into the hazy questions surrounding marijuana impairment: its effects on driving abilities, how traffic safety might be impacted, and how states are grappling with the issue of “stoned driving.” (Download the report here.)

Unfortunately, there are still many unknowns when it comes to stoned driving. Marijuana impairment degrades cognitive and motor skills, of course – but marijuana-impaired driving is an evolving issue with many questions and few concrete answers. Legalization is still relatively recent. Data are still being gathered. How to understand and measure marijuana impairment are still open questions.

Do the rates of marijuana-impaired driving increase following recreational legalization? Answer: probably. Does marijuana-impaired driving increase crash risks? Answer: probably, but we still don’t concretely know to what degree. What about traffic fatalities – do those increase after legalization? There’s evidence that traffic fatalities could increase following legalization, but there is still quite a bit of discussion about this issue.


Research, discussion, and debate are under way to answer these and other questions. As more states legalize recreational marijuana, the answers will become ever more critical in guiding public policy and traffic safety initiatives.

To learn more, download the report here.

Medical marijuana is not a prescription drug

marijuana is a drug, but not a “drug”

I’m going to get a little wonky here, bear with me.

The standard homeowners insurance policy only explicitly mentions the word “marijuana” once: to exclude it from liability coverage. Basically, the policy says that the insurer won’t pay for any bodily injuries or property damage to another person arising out of any controlled substance, including marijuana.

But there’s an interesting wrinkle to this. The exclusion also states the following: “However, this exclusion does not apply to the legitimate use of prescription drugs by a person following the orders of a licensed physician.”

“Wait,” you say. “Isn’t there a conflict here? Wouldn’t the policy cover damages from medical marijuana, since it’s a prescription drug?”

Sorry to rain on your parade, but the answer is no.

All together now: Medical marijuana is not a prescription drug

You can be forgiven for thinking that medical marijuana is a prescription drug. After all, that’s how it’s often described by news outlets the world over: Wall Street Journal, New York Times, Washington Post, etc.

But medical marijuana is not a prescription drug under any state’s current medical marijuana program.

Physicians don’t “prescribe” marijuana like they do painkillers and other drugs. Rather, physicians will “certify,” “recommend,” or “authorize” (the exact wording depends on the state) that a patient qualifies under a state program to purchase marijuana products. Often this qualification depends on whether a patient suffers from any of a list of “qualifying conditions” – which vary by state.

With a “recommendation” in hand, the patient can then purchase medical marijuana products from a dispensary, subject to various state-specific limitations (like how much marijuana they can buy in any given month).

“Prescription”, on the other hand, has a specific meaning. The Kansas City Medical Society notes that medical drugs are supported by years of study that can provide guidelines for dosages and plans of care. The U.S. Food and Drug Administration regulates these drugs. Patients with a prescription receive these drugs from a certified pharmacist.

Not so with marijuana. Though some states do require physician dosage recommendations, these are not well understood. The FDA has “not approved marijuana as a safe and effective drug for any indication.” Medical marijuana dispensaries are not pharmacies. They don’t employ pharmacists. The people selling the marijuana are basically like knowledgeable sommeliers at a fancy liquor store.

As we saw above, this distinction has insurance implications. As another example, consider workers’ compensation insurance: do these policies reimburse for an injured worker’s medical marijuana? The answer is far more complicated than you’d think.

One more time: medical marijuana is not a prescription drug.