Technology


Everyone wants to talk about autonomous vehicles, and for proof I.I.I. chief actuary Jim Lynch offers the AIPSO Residual Market Forum, at which he spoke in mid-April.

AIPSO manages most of the automobile residual market, where highest risk drivers get insurance. Each state has a separate plan for handling risky drivers and AIPSO services most of them in one way or another, acting as the linchpin in the $1.4 billion market, about 0.7% of all U.S. auto insurance written in 2013, according to Auto Insurance Report.

Though small, the residual market is important, but it’s not an area that would naturally lend itself to discussing the self-driving car. If cars could drive themselves, of course, there wouldn’t be much of a residual market.

Even so, I was one of three speakers at the forum’s panel exploring industry trends, and at AIPSO’s request, all three of us touched on autonomous cars.

Though he spoke last, Peter Drogan, chief actuary at AMICA Mutual Insurance, probably did the best job of laying out the future technology and some of its challenges. Particularly spooky was a 60 Minutes clip in which a hacker took over a car Lesley Stahl drove over a parking lot test course. She wasn’t driving fast, but she couldn’t stop after the hacker took over the brakes of her car.

Karen Furtado, a partner at Strategy Meets Action, a consultancy that helps insurers plan for the future, laid out the case for disruption. Autonomous vehicles will not only make vehicles safer, they will change driving habits. Fewer cars will be on the road, and more people will share them, summoning self-driving vehicles through ride-sharing apps, all of which could potentially shrink the $180 billion auto insurance market.

I’ve made my thoughts clear before, both in this blog and elsewhere: the technology will change driving forever, but it takes about three decades for auto technology to become common on roadways, giving insurers a lot of time to adjust. And some coverages, like comprehensive, will not be affected, as they protect cars when they aren’t in accidents.

A PowerPoint of my presentation is posted here.

A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believe that they have cover, whereas in fact less than 10 percent does.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

I.I.I. chief actuary Jim Lynch looks into the future of self-driving cars:

I wrote about autonomous vehicles and insurance for the March/April edition of Contingencies magazine.

I argue that while the safety improvements will reduce the number of automobile accidents, any predictions of the end of automobile insurance look overblown today.

The first cars to drive themselves will only do so for a few minutes at a time – far from the curbside-to-curbside Dream Vehicle that gets most of the media attention. Any new auto technology takes two or three decades to cascade from a pricey option on luxury vehicles to standard equipment found on every used Chevy.

The slow rollout means claim frequency – the number of claims per hundred vehicles – is likely to decline over the next few decades at about the same rate as it has over the past five decades, giving insurers plenty of time to adapt, just as they have since the first policy was issued in Dayton, Ohio, in the 1890s.

Here is an excerpt:

The property/casualty industry will react as it has for decades, as regulation and innovation have made auto, products and the workplace safer. The impact will be carefully measured by actuaries, who will adjust rates as the innovations prove out. Insurers will find new coverages that customers will want.

The Dream Vehicle will change auto insurance, sure, but it won’t destroy it.”

The I.I.I. has an Issues Update on Self-Driving Cars and Insurance.

Cyber attacks against businesses may dominate the news headlines, but recent events point to the growing number and range of cyber threats facing public entities and government agencies.

City officials yesterday confirmed that city and county computer systems in Madison, Wisconsin were being targeted by cyber attackers in retaliation for the shooting death of Tony Robinson, an unarmed biracial man, by a Madison police officer last Friday. A Reuters report says the cyber attack is thought to have been initiated by hacker group Anonymous.

Then on Sunday the website of Colonial Williamsburg was hit in a cyber attack attributed to ISIS. The attack targeted the history.org website and comes just a week after the living history museum offered to house artifacts at risk of destruction in Iraq.

Meanwhile, Florida’s top law enforcement agency is reported to be investigating testing delays in public school districts caused by cyber attacks on the Florida Standards Assessment (FSA) testing system.

And a recent cyber attack at multiple New York City agencies including the office of the NYC mayor recently took down computer systems for most of a day.

There are many more examples.

Given the large amounts of confidential data held by public entities and government agencies, it’s not surprising that they are a target for cyber attacks.

Last year data breaches in the government/military sector accounted for 11.7 percent of U.S. breach incidents, according to the Identity Theft Resource Center (ITRC).

A GAO report here points to the cyber security risk to Federal agencies and critical infrastructure.

In a viewpoint at American City & County blog, Robin Leal, underwriting director at Travelers Public Sector Services recently warned of the growing cyber risks facing public sector organizations.

Leal cited data from a survey at the 2014 Public Risk Management Conference and 2014 National Association of Counties (NACo) conference showing that public officials’ confidence in their cyber protections is alarmingly low.

Only 13 percent of respondents to the survey were “very confident” that their public entity has adequate protection against cyber threats.

As well as written policies and procedures to handle cyber threats, Leal said public entities should consider cyber insurance.

Only 10 percent of current public sector clients add cyber protections to existing insurance policies, and for the majority of new business submissions cyber insurance is not part of their current coverage, Leal noted.

Check out the I.I.I. white paper Cyber Risks: The Growing Threat.

Much hay is being made of an apparent decline in the number of identity theft victims and losses, amid an ongoing number of significant data breaches.

The headlines follow release of the 2015 Identity Fraud Study by Javelin Strategy & Research. The study found that there were 12.7 million identity fraud victims in 2014, down 3 percent from the near record high of 13.1 million victims in 2013.

At the same time, some $16 billion was stolen from fraud victims in 2014, an 11 percent decline from $18 billion in 2013. Javelin attributes the decrease to the combined efforts of industry, consumers and monitoring and protection systems that are catching fraud more quickly.

As we know, 2014 saw a number of major data breaches, notably from retailers Home Depot, Neiman Marcus, Staples and Michael’s as well as financial institutions such as JP Morgan Chase.

But lest you think that the swift response to data breaches has nullified the identity theft threat, think again.

Javelin found that two-thirds of identity fraud victims in 2014 had previously received a data breach notification in the same year. Also, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.

Meanwhile, identity theft just topped the Federal Trade Commission’s (FTC) national ranking of consumer complaints for the third consecutive year, accounting for 13 percent of all complaints.

Government documents/benefits fraud (39 percent) was the most common form of reported identity theft, followed by credit card fraud (17 percent), phone or utilities fraud (13 percent), and bank fraud (8 percent), the FTC said.

Whether or not identity theft is caused by a data breach (remember, stolen laptops, wallets, dumpster diving, phishing scams are some of the most common causes of identity theft), or whether an individual even knows how their information was compromised (many don’t), it’s important to stay vigilant to this threat.

A 3 percent decline in identity fraud victims in one year isn’t much. As Al Pascual, director of fraud & security at Javelin notes:

Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem.”

Wondering if your homeowners insurance policy includes coverage for identity theft? Check out these useful tips from the I.I.I.

In what is being described as potentially the largest breach of a health care company to-date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website – www.AnthemFacts.com — set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An FBI statement quoted in an LA Times article noted:

Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO, Joseph R Swedish, offered a personal apology to members. Anthem has also established a toll-free number – 1-877-263-7995 FREE – that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches – the largest among industry sectors – as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.

The framework, called “cyber value-at-risk” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.

The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.

Among the key questions addressed by the cyber value-at-risk model concept are: how vulnerable are organizations to cyberthreats? how valuable are the key assets at stake? and, who might be targeting them?

The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and the input of 50 leading organizations around the world.

As the report states:

The financial services industry has used sophisticated quantitative modeling for the past three decades and has a great deal of experience in achieving accurate and reliable risk quantification estimates. To quantify cyber resilience, stakeholders should learn from and adopt such approaches in order to increase awareness and reliability of cyber threat measurements.”

One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II, Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.

The report points out that the goal is not to provide a single model for quantifying risk. Indeed for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:

A shared approach to modeling would increase confidence regarding organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require ERM frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.”

 

We’re reading that self-driving cars are no longer a thing of the future, but it’s in the subhead of this Time article: how long will it be before your car no longer needs you? where the heart of the story lies.

Jason H. Harper writes of how he earned one of the first new driverless motor licenses – technically known as an “autonomous vehicle testing” permit – from the California DMV.

He then describes his chauffeured ride by a prototype Audi from Silicon Valley to Las Vegas for last week’s Consumer Electronics Show:

The car uses an array of sensors, radars and a front-facing camera to negotiate traffic. At this point, the system works only on the freeway and cannot handle construction zones or areas with poor lane markings. When the car reaches a construction zone or the end of a highway, a voice orders you to take the wheel back.”

Before taking the 550-mile road trip, Harper had to get special instruction on how not to drive, per California regulations:

The training included basics like turning the system on and off and learning the circumstances in which it could be used. The rest was about handling emergencies, such as making lane changes to avoid crashing.”

Harper says the training was far more difficult and involved than a regular driving test. However, average buyers will not need such training.

Why?

Because rollout of this technology is gradual. Audi’s program for example would allow the car to self-drive in stop-and-go highway traffic, but when traffic clears the driver takes the wheel again.

It’s at the very end of the article that a voice from academia reminds us that this approach may be no bad thing as both technology and driver acceptance need time to mature.

Dr. Jeffrey Miller, an associate professor at the University of Southern California, tells Time that in his opinion licenses and drivers will never be obsolete because “the driver will always have to take over in case of a failure.”

It’s an interesting point. From the insurance perspective, too, while self-driving cars are definitely on the way, the implications for insurers are evolving. In its issue update Self-Driving Cars and Insurance, the I.I.I. notes:

Except that the number of crashes will be greatly reduced, the insurance aspects of this gradual transformation are at present unclear. However, as crash avoidance technology gradually becomes standard equipment, insurers will be able to better determine the extent to which these various components reduce the frequency and cost of accidents.”

And:

They will also be able to determine whether the accidents that do occur lead to a higher percentage of product liability claims, as claimants blame the manufacturer or suppliers for what went wrong rather than their own behavior.”

More on auto insurance here.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than 2013, when the total number of data breaches and records exposed, soared.

More on the potential fallout and growing identity theft threat facing consumers here.

Next Page »