Category Archives: Risk Management

Private Market Looks Closely At Flood Insurance

Almost all private insurers have shunned covering flood since the 1950s, but that could be changing fast, writes Insurance Information Institute (I.I.I.) chief actuary James Lynch:

At the Cat Risk Management 2017 conference I attended earlier this month, flood was the hottest topic. Here’s why:

  • Insurers have become increasingly comfortable with using sophisticated models to underwrite insurance risk, and modeling firms are getting better at predicting flood risk.
  • The federal government, which insures the vast majority of flood risk, is looking for ways to share the risk with private industry. Key reasons:
    • The National Flood Insurance Program (NFIP) owes the Treasury more than $20 billion (thanks to flooding from Hurricane Katrina and superstorm Sandy). It has no practical way to pay that back, and the government has made it clear that it doesn’t want to fund more losses. So the NFIP is purchasing private reinsurance. More on that below.
    • The number of people who lack flood insurance is distressingly high. I.I.I. surveys show that only about 12 percent of Americans have flood insurance. The government wants people to be protected, and encouraging a private flood insurance market could do that.

Here are some of my notes from #catrisk17 on flood insurance:

  • The NFIP reinsurance deal (effective January 1, 2017) means that reinsurance would reimburse NFIP for 26 percent of the losses from an event where losses exceed $4 billion. The maximum recovery is $1.046 billion, and the cost, according to my notes, is $150 million. (If you work in reinsurance it may be easier to think of the pricing this way: NFIP cedes 26 percent of the $4 billion excess $4 billion occurrence layer at a 14.3 percent rate on line.) There have only been a couple of floods that big in NFIP history (Hurricane Katrina and superstorm Sandy), so the cover is in place primarily to protect against storm surge. However, it would cover other major types of flood as well.
  • A significant obstacle to modeling flood risk is the fact that much of the most important data (underwriting and claims information) is in the federal government’s hands. The government wants to share the data responsibly, but its hands are tied by federal rules on sharing data about individuals. The rules are driven both by privacy concerns and cyber security laws. The government will likely be developing a certification process so that professionals could qualify to have access to the data on a limited basis.
  • A live poll found that flood modeling was the most important topic at the conference, cited by 56 percent of respondents – outpacing severe convective (thunder) storm models, cyber insurance models or terrorism models.

From Many Models, One Decision

Insurance Information Institute chief actuary James Lynch previews one of the most important conferences in the catastrophe modeling world.

I will be attending Cat Risk Management 2017 in Orlando next week, and the reason is as close as the weather forecast I’m looking at early Wednesday.

By now, the weather models have more or less converged: my own sliver of New Jersey is forecast to get about 6 inches of snow. The key word in that last sentence is models.

The many organizations that forecast the weather – the Weather Channel, Accuweather, Weather Underground, the National Weather Service – even the hearty jokester on your local station – use multiple models to predict sun, rain or snow.

The similarity to actuarial work is striking. Like an actuary, the weatherman hasn’t built the models but has to understand the strengths and weaknesses of each. And she has to make a single, certain prediction, yet couch that certainty within a pocket of doubt. The National Weather Service predicts 6.7 inches for my hometown: as much as 7 but as little as 3 (Editor’s Note: total snowfall 6.3 inches by Thursday evening).

Actuaries do that with your insurance policy – many uncertainties but one price. Of the many risks with which they must contend is how their portfolio of policies will perform under a catastrophe. Years ago this risk was estimated crudely – the old Casualty Actuarial Society exams included a section on the ISO Excess Wind calculation. Now catastrophe models do the job. And insurers need a lot of catastrophe models, which is what will be taking me to Orlando.

Next week’s conference is a cornucopia of cat models – hurricane models and wildfire models, earthquake and flood models. There is even discussion of how to coordinate the many models insurers must juggle. The conference, presented by the Reinsurance Association of America, is sold out; about 500 will attend.

I will be live-tweeting and will post a report. I.I.I. wants to draw attention to the importance of resilience – helping people understand that the best way to rebound from cataclysm is to prepare for it. Explaining how insurers do their part – in this case using models so that a policy’s price reflects its risk – helps everyone understand how much risk they must prepare for.

And I suppose, yes, will be good to visit balmy Florida after digging out from a half-foot of snow.

I.I.I.’s Facts and Statistics on global catastrophes gives a good idea of the scope of disasters that insurers protect against.

Cyberattacks Top Risk To Doing Business in North America

Cyberattacks are now the greatest risk to doing business in North America, according to the just-released World Economic Forum’s (WEF) Global Risks Report 2016.

In North America, which includes the United States and Canada, cyberattacks and asset bubbles were considered among the top risks of doing business in the region.

The WEF noted that in the United States, the top risk is cyberattack, followed by data fraud or theft (the latter ranks 7th in Canada, which is why it scores 50 percent in the table below).

The risks related to the internet and cyber dependency are considered to be of highest concern for doing business in the wake of recent important attacks on companies, the WEF observed.

WEF2016NorthAmericaTopRisks

On a global scale, cyberattack is perceived as the risk of highest concern in eight economies: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Public sector bodies in at least two of these countries have recently been disrupted by cyberattacks: the US Office of Personnel Management and the Japanese Pension service, the WEF noted.

Attempts to detect and address attacks are made harder by their constantly evolving nature, as perpetrators quickly find new ways of executing them. Businesses trying to match this speed in their development of prevention and response methods are sometimes constrained by a poor understanding of the risk, a lack of technical talent, and inadequate security capabilities.”

Defining clear roles and responsibilities for cyber risk within corporations is crucial, the WEF noted.

Who in the corporation is the actual owner of the risk? While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management.”

Outdated laws and regulations also inhibit the ability of governments to capture criminals, but also to expedite the often lengthy procedure of implementing legal and regulatory frameworks to reflect evolving realities.

Check out the Insurance Information Institute’s latest report on cyber risks here.

Cyber Risk: Impact on Corporate Credit Ratings?

There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies are at greatest risk of a large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic–and possibly environmental–damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

Companies Behaving Badly

Whether it’s the VW emissions scandal or rebuilding a company’s reputation after a cyber attack, we’re reading a lot about the challenges of managing reputation risk in the business world.

How important–and valuable–a positive reputation and ethical C-suite leadership is for an organization to attract talent is highlighted by recent findings of a survey of 1,012 U.S. adults by Corporate Responsibility Magazine and Cielo Healthcare.

(Hat tip to the WSJ’s Risk & Compliance Journal for flagging this survey.)

The research identified bad behaviors most harmful to a company’s culture and reputation as:

  • Public exposure of criminal acts (33 percent);
  • Failure to recall defective products (30 percent);
  • Public disclosure of workplace discrimination (21 percent);
  • Public disclosure of environmental scandal (15 percent).

What’s the true cost of a bad corporate reputation? According to the survey, companies perceived as unethical face a potential talent shortage and increased recruiting costs as they struggle to successfully recruit women and millennials.

Only 67 percent of employed Americans surveyed would take a job with a company that had a bad reputation if they were offered more money, compared to 70 percent in 2014.

In contrast, 92 percent would consider leaving their current jobs if offered another role with a company with an excellent corporate reputation.

It would also take a substantial pay increase for many to take a job with a company with a bad reputation, with 46 percent of survey respondents needing a pay increase of 50 percent or more to consider moving to an unethical company.

Women are more motivated to work for an ethical company, the survey found. Some 86 percent of women who responded said they would not join a company with a bad reputation compared to only 67 percent of men.

In contrast, 92 percent of men and women would consider leaving their current jobs if offered another role with a company with a stellar corporate reputation.

Check out the I.I.I. online resource for business insurance here.

Cybersecurity Governance Moves Up Boardroom Agenda

A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.

Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.

There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.

However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.

Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.

The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.

For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.

The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.

Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.

Something to bear in mind: the response rate to the 2015 survey was low — with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.

Marine, Transport Risks of Refugee Crisis

As European governments approved a controversial plan to share 120,000 refugees between most of the European Union countries, there’s an important insurance story playing out amid the ongoing flow of thousands of refugees into Europe.

The risk management challenges and costs for freight transporters, haulers and shipowners arising from the refugee crisis are outlined in a recent Business Insurance article.

It reports that with thousands of refugees attempting to board trains and trucks heading for the United Kingdom at the French port of Calais this has caused problems for companies transporting goods.

Some of the risks they face include potential loss of earnings due to delays at ports, risk of damage to goods, fines for illegally transporting refugees if they board trucks undetected as well as driver safety.

Shipowners must also have emergency procedures in place to help their crews deal with situations given their legal and moral obligation to help ships in distress, Business Insurance notes.

A Reuters report suggests that more and more commercial ships are being drawn in to rescue refugees from unsafe and overloaded vessels in the Mediterranean:

Since January 2014, more than 1,000 merchant ships have helped rescue more than 65,000 people, according to estimates from the International Chamber of Shipping. That’s more than one in 10 of the estimated 585,000 migrants and refugees who crossed the Mediterranean over the period.”

Some of the merchant ships’ risks are covered by insurance, Reuters says.

Mutual marine insurers, also known as P&I clubs, provide cover for a wide range of liabilities including crew injury, pollution and cargo loss and damage.

So, if a refugee attacks and injures a crew member or breaks into a container and damages cargo, insurance would cover the shipowner.

But because rescue operations can take ships off course into uncharted waters, Reuters reports that other risks including fines for late arrival or the cost of chartering another vessel at short notice may not be covered.

Uncertainties also surround liability in the case of death or injury of a refugee while being rescued by a ship’s crew.

In June the Maritime Safety Committee (part of the International Maritime Organization) agreed that there was an urgent need for the international community to make greater efforts to address the problem through safer and more regular migration pathways, and to take action against criminal smugglers.

Check out I.I.I. facts and statistics on marine accidents here.

Actuarial Tool Adjusts for Climate Change

Insurance Information Institute (I.I.I.) chief actuary James Lynch  on an innovative actuarial approach.

It was a record-breaking rainy day in Colorado Springs when I attended a panel last month describing a new climate index the actuarial community is introducing.

The 1.58 inches of rain that fell May 19 almost doubled the previous record for that day. The Actuaries Climate Index (ACI)—a joint effort between the  Casualty Actuarial Society (CAS), the American Academy of Actuaries, the Canadian Institute of Actuaries, and the Society of Actuaries—is intended to monitor how often extreme events — blistering heat, shivering cold, record winds and rain — strike 12 regions in North America.

It addresses an interesting conundrum about insurance and climate change. Given that the climate is changing — though quite a few in the industry dispute that – how can insurance incorporate the change into pricing?

The ACI, which will be introduced later this year, tries to address that. It will measure how many severe events occur every quarter. Since catastrophes are an important component of claim costs, changes in the long-term trend can affect insurance prices.

As I wrote for the CAS:

The index is an educational tool that could help pricing actuaries incorporate long-term trends into their mathematical models; it could also help actuaries and others working in enterprise risk management by quantifying the risk in a subtle, long-term trend.”

Insurance prices are famously based on historical data, trended forward. The index would help show whether extreme events are becoming more or less common, and actuaries could trend this information forward to set rates.

Actuaries have been working on the index for a couple of years. Historical data has shown that over the past few years, the frequency of extremely hot days has increased, while the frequency of extremely cold days has decreased. The overall ACI climbed from the 1990s on, though it appears to have leveled off in recent years.

In its Facts and Statistics section, the I.I.I. gives comprehensive snapshots about catastrophes, both in the United States and worldwide.

Cyber Security: A Credit Ratings Risk Factor?

A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.

In its analysis, S&P says:

Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”

And:

It’s not difficult to envisions scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”

S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.

Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.

S&P notes that threat alone does not determine rating responses and threat risk varies by sector:

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.

While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.

S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.

While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.

Hat tip to Insurance Journal which reports on this story here.

 

Time to Consider Product Recall Insurance?

The decision by Texas-based Blue Bell Creameries to recall all of its products after two samples of its ice cream tested positive for listeria is a timely reminder of the importance of product recall insurance.

Product recalls can be costly and logistically complex. In Blue Bell Creameries’ case the expanded voluntary recall announced Monday night includes ice cream, frozen yogurt, sherbet and frozen snacks distributed in 23 states and international locations.

Blue Bell said it was pulling its products “because they have the potential to be contaminated with listeria.”

The company had issued an earlier more limited recall last month after the U.S. Centers for Disease Control and Prevention (CDC) linked ice cream contaminated with listeria to three deaths in Kansas.

As of April 21, 2015, the CDC says a total of 10 people with listeriosis related to this outbreak have been confirmed from four states.

A 2014 report by Aon notes that the number of product recalls in the United States  and Canada for both food products and nonfood products continues to grow year over year.

Each year, hundreds of products are recalled in the U.S. Some historically significant recall events have included such well-known brands as Tylenol, Perrier, Firestone Tires, Pepsi and Coca-Cola.

The Insurance Information Institute (I.I.I.) reminds us that product recalls can be financially devastating and potentially put a company out of business. No organization is immune to the risk of a product recall–even those with the best safety records, operational controls and manufacturing oversight.

In a  post in  the Wall Street Journal’s Morning Risk Report, crisis management experts note that how well a company succeeds at regaining customer trust following a product recall will likely determine whether it recovers from the negative hit to its reputation and bottom line.

True. Insurance can also help defray the financial hit on a company.

Product recall insurance  helps cover a wide range of costs including advertising and promotional expenses to launch a recall, as well as  the costs related to product destruction and disposal, business interruption and repairing a damaged reputation, the I.I.I. says.

Another coverage worth considering is product contamination insurance, which protects a company’s bottom line in the event its product is accidentally or maliciously contaminated.