Risk Management

There are many factors that can affect a company’s credit ratings and it appears that cyber risk is moving up a notch in importance in corporate credit analysis.

In a new report, ratings agency Moody’s Investors Service said it views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.

Moody’s reports:

While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

According to the report, “Cyber Risk of Growing Importance to Credit Analysis,” assessing how prepared an issuer or organization is for a cyber threat presents challenges, owing to the complexity of the problem.

Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including: nature and scope of the targeted assets or businesses; the duration of potential service disruptions; and the expected time to restore operations.

On a positive note, more cyber security expertise is being added to boards and trustee governance in response to the growing cyber threat.

A press release cites Jim Hempstead, Moody’s associate managing director and lead author of the report:

We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

Moody’s said industries housing significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies are at greatest risk of a large-scale data breaches resulting in serious reputational and financial damage.

Critical infrastructure sectors such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could result in large-scale service disruption, causing substantial economic—and possibly environmental—damages to sovereign, state and local governments or utilities.

However, Moody’s believes this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

Hat tip to Reuters for its article here.

Check out the I.I.I.’s latest paper Cyber Risk: Threats and Opportunities.

Whether it’s the VW emissions scandal or rebuilding a company’s reputation after a cyber attack, we’re reading a lot about the challenges of managing reputation risk in the business world.

How important—and valuable—a positive reputation and ethical C-suite leadership is for an organization to attract talent is highlighted by recent findings of a survey of 1,012 U.S. adults by Corporate Responsibility Magazine and Cielo Healthcare.

(Hat tip to the WSJ’s Risk & Compliance Journal for flagging this survey.)

The research identified bad behaviors most harmful to a company’s culture and reputation as:

  • Public exposure of criminal acts (33 percent);
  • Failure to recall defective products (30 percent);
  • Public disclosure of workplace discrimination (21 percent);
  • Public disclosure of environmental scandal (15 percent).

What’s the true cost of a bad corporate reputation? According to the survey, companies perceived as unethical face a potential talent shortage and increased recruiting costs as they struggle to successfully recruit women and millennials.

Only 67 percent of employed Americans surveyed would take a job with a company that had a bad reputation if they were offered more money, compared to 70 percent in 2014.

In contrast, 92 percent would consider leaving their current jobs if offered another role with a company with an excellent corporate reputation.

It would also take a substantial pay increase for many to take a job with a company with a bad reputation, with 46 percent of survey respondents needing a pay increase of 50 percent or more to consider moving to an unethical company.

Women are more motivated to work for an ethical company, the survey found. Some 86 percent of women who responded said they would not join a company with a bad reputation compared to only 67 percent of men.

In contrast, 92 percent of men and women would consider leaving their current jobs if offered another role with a company with a stellar corporate reputation.

Check out the I.I.I. online resource for business insurance here.

A poll of board directors and executives from Forbes Global 2000 companies finds that cybersecurity is being taken much more seriously in the boardroom these days, as is cyber insurance.

Nearly two-thirds (63 percent) of respondents to the study developed by the Georgia Tech Information Security Center (GTISC) say they are actively addressing computer and information security, up from 33 percent in 2012.

There has also been a significant shift in the number of boards reviewing cyber insurance. Nearly half (48 percent) of respondent boards were reviewing their company’s insurance for cyber-related risks, compared with just 28 percent in 2012.

However, the 2015 survey suggests there may be confusion over what type of insurance to purchase or appropriate coverage limits. Only about half of the respondents (47-54 percent) indicated that they had quantified their business interruption and loss exposure from cyber events.

Almost all boards (90 percent) are reviewing risk assessments, and an increasing number of them (53 percent) are hiring outside experts to assist on risk issues. Interestingly, the highest degree of attention was being paid to cyber risks associated with supplier relationships.

The survey, which was supported by Forbes, the Financial Services Roundtable (FSR), and Palo Alto Networks, found that some of the biggest improvements over time have been organizational.

For example, the majority of boards (53 percent) have established a risk committee, separate from the audit committee, with responsibility for oversight of cyber risk. In 2008, just 8 percent of boards had this in place.

The financial sector far exceeds other industry sectors with 86 percent having a board risk committee separate from the audit committee, followed by the IT/Telecom sector at 43 percent.

Another positive sign? Boards are now placing much more importance on risk and security experience when recruiting board directors, with 59 percent saying their board had a director with risk expertise, and nearly one quarter (23 percent) one with cybersecurity expertise.

Something to bear in mind: the response rate to the 2015 survey was low – with results received from just 6 percent, or 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies.

As European governments approved a controversial plan to share 120,000 refugees between most of the European Union countries, there’s an important insurance story playing out amid the ongoing flow of thousands of refugees into Europe.

The risk management challenges and costs for freight transporters, haulers and shipowners arising from the refugee crisis are outlined in a recent Business Insurance article.

It reports that with thousands of refugees attempting to board trains and trucks heading for the United Kingdom at the French port of Calais this has caused problems for companies transporting goods.

Some of the risks they face include potential loss of earnings due to delays at ports, risk of damage to goods, fines for illegally transporting refugees if they board trucks undetected as well as driver safety.

Shipowners must also have emergency procedures in place to help their crews deal with situations given their legal and moral obligation to help ships in distress, Business Insurance notes.

A Reuters report suggests that more and more commercial ships are being drawn in to rescue refugees from unsafe and overloaded vessels in the Mediterranean:

Since January 2014, more than 1,000 merchant ships have helped rescue more than 65,000 people, according to estimates from the International Chamber of Shipping. That’s more than one in 10 of the estimated 585,000 migrants and refugees who crossed the Mediterranean over the period.”

Some of the merchant ships’ risks are covered by insurance, Reuters says.

Mutual marine insurers, also known as P&I clubs, provide cover for a wide range of liabilities including crew injury, pollution and cargo loss and damage.

So, if a refugee attacks and injures a crew member or breaks into a container and damages cargo, insurance would cover the shipowner.

But because rescue operations can take ships off course into uncharted waters, Reuters reports that other risks including fines for late arrival or the cost of chartering another vessel at short notice may not be covered.

Uncertainties also surround liability in the case of death or injury of a refugee while being rescued by a ship’s crew.

In June the Maritime Safety Committee (part of the International Maritime Organization) agreed that there was an urgent need for the international community to make greater efforts to address the problem through safer and more regular migration pathways, and to take action against criminal smugglers.

Check out I.I.I. facts and statistics on marine accidents here.

Insurance Information Institute (I.I.I.) chief actuary James Lynch on an innovative actuarial approach.

It was a record-breaking rainy day in Colorado Springs when I attended a panel last month describing a new climate index the actuarial community is introducing.

The 1.58 inches of rain that fell May 19 almost doubled the previous record for that day. The Actuaries Climate Index (ACI)–a joint effort between the Casualty Actuarial Society (CAS), the American Academy of Actuaries, the Canadian Institute of Actuaries, and the Society of Actuaries–is intended to monitor how often extreme events – blistering heat, shivering cold, record winds and rain – strike 12 regions in North America.

It addresses an interesting conundrum about insurance and climate change. Given that the climate is changing – though quite a few in the industry dispute that – how can insurance incorporate the change into pricing?

The ACI, which will be introduced later this year, tries to address that. It will measure how many severe events occur every quarter. Since catastrophes are an important component of claim costs, changes in the long-term trend can affect insurance prices.

As I wrote for the CAS:

The index is an educational tool that could help pricing actuaries incorporate long-term trends into their mathematical models; it could also help actuaries and others working in enterprise risk management by quantifying the risk in a subtle, long-term trend.”

Insurance prices are famously based on historical data, trended forward. The index would help show whether extreme events are becoming more or less common, and actuaries could trend this information forward to set rates.

Actuaries have been working on the index for a couple of years. Historical data has shown that over the past few years, the frequency of extremely hot days has increased, while the frequency of extremely cold days has decreased. The overall ACI climbed from the 1990s on, though it appears to have leveled off in recent years.

In its Facts and Statistics section, the I.I.I. gives comprehensive snapshots about catastrophes, both in the United States and worldwide.

A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.

In its analysis, S&P says:

Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”


It’s not difficult to envisions scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”

S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.

Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.

S&P notes that threat alone does not determine rating responses and threat risk varies by sector:

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.

While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.

S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.

While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.

Hat tip to Insurance Journal which reports on this story here.


The decision by Texas-based Blue Bell Creameries to recall all of its products after two samples of its ice cream tested positive for listeria is a timely reminder of the importance of product recall insurance.

Product recalls can be costly and logistically complex. In Blue Bell Creameries’ case the expanded voluntary recall announced Monday night includes ice cream, frozen yogurt, sherbet and frozen snacks distributed in 23 states and international locations.

Blue Bell said it was pulling its products “because they have the potential to be contaminated with listeria.”

The company had issued an earlier more limited recall last month after the U.S. Centers for Disease Control and Prevention (CDC) linked ice cream contaminated with listeria to three deaths in Kansas.

As of April 21, 2015, the CDC says a total of 10 people with listeriosis related to this outbreak have been confirmed from four states.

A 2014 report by Aon notes that the number of product recalls in the United States and Canada for both food products and nonfood products continues to grow year over year.

Each year, hundreds of products are recalled in the U.S. Some historically significant recall events have included such well-known brands as Tylenol, Perrier, Firestone Tires, Pepsi and Coca-Cola.

The Insurance Information Institute (I.I.I.) reminds us that product recalls can be financially devastating and potentially put a company out of business. No organization is immune to the risk of a product recall—even those with the best safety records, operational controls and manufacturing oversight.

In a post in the Wall Street Journal’s Morning Risk Report, crisis management experts note that how well a company succeeds at regaining customer trust following a product recall will likely determine whether it recovers from the negative hit to its reputation and bottom line.

True. Insurance can also help defray the financial hit on a company.

Product recall insurance helps cover a wide range of costs including advertising and promotional expenses to launch a recall, as well as the costs related to product destruction and disposal, business interruption and repairing a damaged reputation, the I.I.I. says.

Another coverage worth considering is product contamination insurance, which protects a company’s bottom line in the event its product is accidentally or maliciously contaminated.

Towers Watson just released its annual survey on predictive modeling with some notable results.

The percentage of U.S. property/casualty executives reporting a positive impact on profitability has dramatically increased over the past six years, while the breadth and depth of predictive modeling applications has grown.

Some 87 percent of property/casualty executives report that predictive modeling had a favorable impact on profitability in 2014, an increase of eight percentage points over 2013. The increase continues a pattern of growth over several years, and is up significantly from 57 percent six years ago.

A positive impact on rate accuracy helps explain the boost in profits, Towers Watson said.

In fact, the percentage of carriers citing a positive impact on rate accuracy has increased every year since 2010, when 70 percent cited a positive impact. By 2014, 98 percent of insurers reported that predictive modeling has improved their rate accuracy.

More accurate rates also positively impact loss ratios, which have improved in parallel, according to p/c insurance executives. In 2014, 91 percent cited the favorable impact of predictive modeling on loss ratios, an increase of 14 percentage points over 2013.

The survey shows the use of predictive modeling in risk selection and rating/pricing has increased significantly for all lines of business over the last year, continuing a long-term trend.

For personal lines, auto saw the largest increase with 97 percent of participants saying they used predictive modeling in underwriting/risk selection or rating/pricing in 2014, up from 80 percent in 2013 – a 17 percentage-point increase.

Even more noteworthy is the increased use of predictive modeling in commercial lines.

For commercial property/commercial multiperil (CMP)/business-owner peril (BOP) as well as commercial auto the use of modeling increased 19 percentage points – to 51 percent and 41 percent respectively, year-to-year.

But it was specialty commercial lines that saw the largest increase, where 44 percent of p/c executives said they use predictive modeling in risk selection and rating/pricing in 2014, up from 13 percent in 2013 – a 31 percentage point increase.


While the survey suggests that insurers are increasingly comfortable with predictive modeling and using it in a growing number of capacities, more progress is still possible, according to Towers Watson.

Treating data as an asset and more effectively using predictive modeling applications to improve claim and other functional results could make a significant difference in the profitability of insurance companies, it suggests.

More on the survey results in this Insurance Journal article.

Towers Watson gauged the views of 52 U.S. insurance executives in personal lines and commercial lines carriers for the survey.



If you’re reading about the rising number of measles cases in California, you may also be thinking about pandemic risk.

First, let’s look at the status of measles cases and outbreaks in the United States.

The CDC notes that from January 1 to January 28, 2015, 84 people from 14 states were reported to have measles. Most of these cases are part of a large, ongoing outbreak linked to Disneyland in California.

On Friday (January 30, 2015), the California Department of Public Health released figures showing there are now 91 confirmed cases in the state. Of those, 58 infections have been linked to visits to Disneyland or contact with a sick person who went there.

At least six other U.S. states – Utah, Washington, Colorado, Oregon, Nebraska and Arizona—as well as Mexico have also recorded measles cases connected to Disneyland, according to this AP report.

What about last year?

The U.S. experienced a record number of measles cases during 2014, with 644 cases from 27 states reported. Many of the cases in the U.S. in 2014 were associated with cases brought in from the Philippines, which experienced a large measles outbreak, according to the CDC.


Measles, which can be prevented by vaccine, is one of the most contagious of all infectious diseases. The virus is transmitted by direct contact with infectious droplets or by airborne spread when an infected person breathes, coughs, or sneezes.

Approximately 9 out of 10 susceptible persons with close contact to a measles patient will develop measles, the CDC reports.

This is an important point. A study published by Risk Management Solutions (RMS) last year compared the low transmissibility of Ebola (Ebola can only be transmitted through direct contact with bodily fluids), with other infectious diseases such as measles.

RMS noted that each person infected with measles can generate on average more than 10 additional cases in an unvaccinated environment.

What about mortality risk?

Measles is one of the leading causes of death among young children, the World Health Organization (WHO) says. In 2013, there were 145,700 measles deaths globally—about 400 deaths every day or 16 deaths every hour.

One or two out of every 1,000 children who become infected with measles will die from respiratory and neurologic complications, according to the CDC.

One dose of the Measles, Mumps, Rubella (MMR) vaccine is approximately 93 percent effective at preventing measles, CDC notes, while two doses are 97 percent effective. Measles vaccination resulted in a 75 percent drop in measles deaths between 2000 and 2013 worldwide, WHO reports.

A CDC-issued health advisory here provides guidance to healthcare providers nationwide on the multi-state measles outbreak.

The potentially devastating impact of the rapid and massive spread of infectious diseases was a risk underscored by respondents to the recently released World Economic Forum (WEF) Global Risks 2015 report.

This reflects the need for a higher level of preparedness for major pandemics at both the country and international levels, the WEF noted.

The I.I.I. has facts and statistics on mortality risks here.

Most actuaries know about projections that go awry, so we have quite a bit of sympathy for the weather forecasters who missed the mark early this week, says I.I.I.’s Jim Lynch:

Weather forecasts have improved dramatically in the past generation, but this storm was odd. Usually a blizzard is huge. On a weather map, it looks like a big bear lurching toward a city.

This storm was relatively small but intense where it struck. On a map, it looked like a balloon, and the forecasters’ job was to figure out where the balloon would pop. They were 75 miles off. It turned out they over-relied on a model – the European model, which had served them well forecasting superstorm Sandy, according to this NorthJersey.com post mortem.

There are lessons for the insurance industry from the errant forecast and the (as it turns out) needless shutdown of New York City in the face of the blizzard that wasn’t:

  • • Models aren’t perfect. Actuaries, like weather forecasters, have multiple forecasting models. Like forecasters, actuaries have to know the pros and cons of each model and how much to rely on each one given the circumstances. Actuaries and forecasters both bake their own experience into their final predictions.
    Property catastrophe models are considerably cruder than the typical weather forecasting model. By crude I mean less accurate. Cat models project extreme events, where data are sparse and everything that happens has an oversize influence on everything else that is happening. Woe to the insurer that over-relies on cat models, something cat modelers themselves say regularly.
  • • It’s hard to pick up the flag once you have planted it. Forecasters suspected late Monday that New York City would be spared the brunt of the storm, but acknowledge now they were reluctant to make too big a change because it could hurt their credibility, particularly if the new forecast had proved too mild. This is a human failing both by the forecaster and its recipient, both of whom worry about crying wolf.
    The tendency also helps explain why it is hard to project market turns, whether they are from growth to recession or from rising insurance rates to falling.
  • • Policymakers have egg on their faces today, but they appear to have been following sound risk management principles. It’s not unusual to prepare for disasters that don’t happen, something to think about next time you unbuckle a seatbelt or unlock a door. The scale this week was much larger, but the principle was the same. Needlessly closing a subway is better than stranding hundreds on it, and the occasional forecaster’s error is certainly better than the crude prognostication that gave us the Galveston hurricane or the Schoolchildren’s Blizzard.

I.I.I. has Facts and Statistics about U.S. catastrophes in general and winter storms in particular.

Check out this timelapse video of the blizzard hitting Boston:

Next Page »