Business Risk


The cyber insurance market for small- to mid-sized companies is much friendlier than the market for larger insureds, according to the findings of an annual survey just released by Betterley Risk Consultants.

The Cyber/Privacy Insurance Market Survey 2015 notes that there are many insurance products competing for the business of small and mid-sized (SME) organizations.

Brokers are actively selling cyber policies to their SME insureds, and more are buying than ever before, as they realize the potential for liability, breach and response costs, arising out of the possession of private data.

The report says:

Rates for the SME segment are still competitive and renewals are generally flat, even a bit soft, undoubtedly affected by the numerous insurers getting a foothold in the cyber insurance market. Smaller insureds tend to have lower limits and often have relatively modest claims.”

In contrast, cyber coverage for larger organizations, especially those in retail and healthcare, are finding it more difficult to buy adequate limits at a reasonable price, the report suggests, as insurers are increasingly strict about adherence to cyber security and payment card industry standards.

For the larger/retail/healthcare insured, rates are rising, with increases in the 10-25 percent range most common. But the report points out:

This is for untroubled organizations; it’s worse (up to 200 percent) if they have claims experience that has yet to result in significantly improved cybersecurity measures.”

While annual premium volume information about the U.S. cyber insurance market is hard to come by, the report concludes that annual gross written premium is growing and may be as much $2.75 billion in 2015, up from $2 billion in last year’s report.

We think the market has nowhere to go but up—as long as insurers can still write at a profit.”

This year’s report includes products offered by 31 insurers, up from 28 in 2014.

Check out the Insurance Information Institute’s (I.I.I.) online resource for business insurance here.

 

Technology is not enough in the fight against cybercrime, effective cybersecurity measures require policy and process changes as well.

That’s the takeaway from an analysis of cyber-risk spending included in the 2015 U.S. State of Cybercrime Survey recently released by PwC.

While cybersecurity budgets are on the rise, companies are mostly reliant on technology solutions to fend off digital adversaries and manage risks.

Among the 500 U.S. executives, security experts and others from public and private sectors responding to the survey, almost half (47 percent) said adding new technologies is a spending priority, higher than all other options.

Notably, only 15 percent cited redesigning processes as a priority and 33 percent prioritized adding new skills and capabilities.

When asked whether they have the expertise to address cyber risks associated with implementation of new technologies, only 26 percent said they have capable personnel on staff. Most rely on a combination of internal and external expertise to address cyber risks of new solutions.

PWCCyberSpending2015

As PwC advises:

Companies that implement new technologies without updating processes and providing employee training will very likely not realize the full value of their spending. To be truly effective, a cybersecurity program must carefully balance technology capabilities with redesigned processes and staff training skills.”

Employee training and awareness continues to be a critical, but often neglected component of cybersecurity, PwC said. Only half (50 percent) of survey respondents said they conduct periodic security awareness and training programs, and the same number offer security training for new employees.

Some 76 percent of respondents to the survey said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent the year before.

As PwC noted, in today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be.

Check out Insurance Information Institute (I.I.I.) facts and statistics on cybercrime here.

The percentage of businesses purchasing commercial insurance increased in the second quarter of 2015, according to the latest Commercial P/C Market Index survey from the Council of Insurance Agents & Brokers (CIAB).

An overwhelming 90 percent of brokers responding to the survey said that take-up rates had increased, in part as premium savings drove interest in new lines of coverage and/or higher limits.

Cyber liability continues to gain traction, brokers noted, and this trend is expected to continue as the cyber insurance market matures, new insurers, products and capacity come to market and as companies realize the true extent of their cyber exposure.

Broker comments came as The Council’s analysis shows that rates declined across all commercial lines in the second quarter, continuing the downward trend from the first three months of 2015.

Premium rates across all size accounts fell by an average of 3.3 percent compared with a 2.3 percent decrease in the first quarter of 2015.

Large accounts once again saw the steepest drop in prices of 5.2 percent, while medium sized accounts fell 3.5 percent and small accounts fell 1.3 percent.

Commercial property, general liability and workers’ compensation premiums were most frequently reported down across all regions, with a slight uptick in commercial auto.

Ken Crerar, president and CEO of The Council said:

As the soft market continues in 2015, carriers are competing for good risks and are willing to work with brokers on price and terms.”

Meanwhile, average flood insurance rates saw an uptick across all regions, most frequently in the Southeast and Southwest regions, the Council noted.

This increase is likely due to premium increases, assessments, and surcharges, mandated by both the Biggert Waters Act and the Homeowner Flood Insurance Affordability Act (HFIAA), which went into effect April 1.

Find out more about business insurance from the Insurance Information Institute (I.I.I.).

You may have read that the Justice Department is warning food manufacturers that they could face criminal and civil penalties if they poison their customers with contaminated food.

Recent high profile food recalls, such as the one at Texas-based Blue Bell Creameries and another at Ohio-based Jeni’s Splendid Ice Creams, have drawn attention to this issue once again.

Now a new report by Swiss Re finds that the number of food recalls per year in the United States has almost doubled since 2002, while the costs are also rising.

Half of all food recalls cost the affected companies more than $10 million each and losses of up to $100 million are possible, Swiss Re says. These figures exclude the reputational damage that may take years for a company to recover from.

Contaminated food also takes a financial toll on the public sector. According to the U.S. Department of Agriculture, costs for the U.S. public health system from hospitalized patients and lost wages in 2013 alone was $15.6 billion. In total, 8.9 million people fell ill from the 15 pathogens tracked, with over 50,000 hospitalized and 2,377 fatalities.

Demographic change is putting more sensitive consumer groups at risk. Ageing societies, an increase in allergies in the overall population and the fact that malnourishment is still prevalent in many countries are significant drivers of the increase in exposure, Swiss Re notes.

Which brings us to insurance.

A variety of insurance products are available to help companies protect their bottom line from this potentially catastrophic exposure.

Product recall/contaminated product insurance will cover the costs of recalling accidentally or maliciously contaminated food from the market, and impaired or mislabeled products that cause bodily injury, sickness, disease or death.

Product liability insurance also provides compensation of third party liability claims for bodily injury and property damage caused by an impaired product.

As Roland Friedli, risk engineer at Swiss Re and co-author of the report says:

Food recalls can be caused by something as simple as a labeling error on the packaging, or as complex as a microbial contamination somewhere along a vast globalized supply chain. Yet event a simple mistake can cost a food manufacturer millions in losses and even more in terms of reputation. Insurance and sound risk management are essential for keeping affected businesses afloat.”

Further information on product liability, recall and contamination insurance and is available from the Insurance Information Institute (I.I.I.) here.

The unfolding story on what is being described as the largest cyberattack into the systems of the United States government reads like an episode out of CSI Cyber.

Today the head of the Office of Personnel Management (OPM) Katherine Archuleta resigned as fallout continued in the wake of Thursday’s revelation that the second of two massive data breaches exposed the personal data of 21.5 million federal employees, contractors, applicants and family members.

This follows the previous breach OPM announced in June in which some 4.2 million federal personnel records were exposed.

The magnitude of the second breach is incredible. In a release, OPM states:

OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”

As the New York Times reports here, every person given a background check for the last 15 years was probably affected (that’s 19.7 million people), as well as 1.8 million others, including their spouses and friends.

It is thought that both OPM attacks emanated from China, though this is not confirmed.

In a week in which reported technical issues halted trading on the New York Stock Exchange, grounded United Airlines flights and took the Wall Street Journal’s website offline for several hours, the OPM announcement once again highlights the limitless nature of cyber exposures.

Meanwhile, a joint report from Lloyd’s and the University of Cambridge, points to the insurance implications of a cyber attack on the U.S. power grid and potential aggregation issues for insurers.

A hypothetical blackout that plunges 15 states into darkness, including New York City and Washington DC, leaving 93 million people without power would result in estimated insurance claims of $21.4 billion, rising to $71.1 billion in the worst case scenario, the report suggests.

Insurers would see losses across many lines of business, including property damage, business interruption, contingent business interruption, liability, homeowners and events cancellation.

Claims across other areas of insurance not included in the estimate are also possible, such as: injury-related claims; auto; property fire; industrial accidents; and environmental liability.

As Lloyd’s says in the report, one of the biggest concerns for insurers is that cyber risk is not constrained by the conventional boundaries of geography, jurisdiction or physical laws:

The scalability of cyber attacks – the potential for systemic events that could simultaneously impact large numbers of companies – is a major concern for participants in the cyber insurance market who are amassing large numbers of accounts in their cyber insurance portfolio.”

A California Labor Commission ruling that an Uber driver is a company employee, not an independent contractor may dampen fears that the on-demand economy spells the end for workers compensation, liability and health insurance. At least for now.

As reported by numerous news outlets, here and here, the decision out of California – though it applies to a single driver – could significantly increase costs for the ride-sharing business if it is copied by other states and in other cases.

It could also have potential implications for other segments of the economy important to property/casualty insurers.

As the New York Times reports:

The classification of freelancers is in dispute across a number of industries, including at other transportation companies. And the debate is set to escalate as the number of online companies and apps like Uber and others rises.”

The ruling, which commentators say could hurt Uber’s $40 billion-plus valuation, orders Uber to pay Barbara Berwick, $4,152 in expenses for the time she worked as an Uber driver last year.

Here are a couple of key excerpts from the California Labor Commission decision:

Plaintiffs’ work was integral to Defendants’ business. Defendants are in business to provide transportation services to passengers. Plaintiff did the actual transporting of those passengers. Without drivers such as Plaintiff, Defendants’ business would not exist.”

And:

Defendants hold themselves as nothing more than a neutral technological platform, designed simply to enable drivers and passengers to transact the business of transportation. The reality, however, is that Defendants are involved in every aspect of the operation.”

In response to the ruling (which it has appealed) Uber stated:

The California Labor Commission’s ruling is non-binding and applies to a single driver. Indeed it is contrary to a previous ruling by the same commission, which concluded in 2012 that the driver ‘performed services as an independent contractor, and not as a bona fide employee.’ Five other states have also come to the same conclusion.”

Potential insurance issues arising out of the on-demand or sharing economy are a recurring topic of conversation these days.

In a recent presentation I.I.I. president Dr. Robert Hartwig noted that traditional insurance will often not cover a worker engaged in offering labor or resources through these on-demand platforms.

For example, private passenger auto insurance generally won’t cover you while driving for Uber and a homeowners insurance policy won’t cover a homeowner for anything other than occasional rents of their property.

Also, Dr. Hartwig said: “Unless self-procured, on-demand workers (independent contractors) will generally have no workers comp recourse if injured on the job.”

A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.

In its analysis, S&P says:

Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”

And:

It’s not difficult to envisions scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”

S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.

Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.

S&P notes that threat alone does not determine rating responses and threat risk varies by sector:

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.

While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.

S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.

While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.

Hat tip to Insurance Journal which reports on this story here.

 

Survey more than 800 corporate counsel representing companies across 26 countries on litigation trends and issues and you get some insightful findings.

Such is the case with the recently released Norton Rose Fulbright 2015 Litigation Trends Annual Survey.

For example, class action lawsuits were listed as the top issue by respondents in the United States, Canada and Australia.

U.S.-based respondents also reported a more litigious business environment than their peers, with 55 percent facing more than five lawsuits filed against their companies in the previous 12 months, compared with 23 percent in the United Kingdom and 22 percent in Australia.

There are also significant differences in the types of litigation that U.S. companies face compared with their peers worldwide.

For example, personal injury litigation is much more prevalent in the U.S. than elsewhere, with 21 percent of those polled selecting it as one of the most numerous types of cases faced in the previous 12 months, compared to just 15 percent in the survey overall.

In addition, intellectual property/patents (18 percent) and product liability (17 percent) cases were more common in the U.S. than worldwide (13 percent and 11 percent, respectively).

Going forward, more U.S. respondents say regulatory/investigations are a top concern (48 percent) compared with the broader sample (39 percent).

Intellectual property (IP)/patents disputes are also of greater concern in the U.S. (30 percent) compared with all respondents (21 percent).

In addition, more U.S. respondents list class actions (25 percent) and product liability (18 percent) as top concerns compared with the total sample (18 percent and 14 percent, respectively).

In the words of Richard Krumholz, head of dispute resolution and litigation, United States, Norton Rose Fulbright:

Our survey clearly demonstrates that the litigation and regulatory environment in the United States continues to pose some of the greatest risks which businesses from around the world face. This is reflected in rising litigation budgets and the size of disputes-focused staff compared to peer companies around the globe.”

Just to be clear, the average U.S. company has 20 in-house lawyers to handle disputes and the number of U.S. companies with an annual litigation spend of $1 million or more increased from 52 percent to 69 percent from 2012 to 2014.

Slightly more than half of the survey respondents are from companies with headquarters in the U.S.

The Insurance Information Institute (I.I.I.) has an excellent resource on business liability insurance here.

The financial impact of cyber exposures is close to exceeding those of traditional property, yet companies are reluctant to purchase cyber insurance coverage.

These are the striking findings of a new Ponemon Institute  survey sponsored by Aon.

Companies surveyed estimate that the value of the largest loss (probable maximum loss) that could result from theft or destruction of information assets is approximately $617 million, compared to an average loss of $648 million that could result from damage or total destruction of property, plant and equipment (PP&E).

Yet on average, only 12 percent of information assets are covered by insurance. By comparison, about 51 percent of PP&E assets are covered by insurance.

The survey found that self-insurance is higher for information assets at 58 percent, compared to 28 percent for PP&E.

In some ways, these results are not surprising.

Cyber insurance is a relatively new product, and while interest continues to increase, it will take time for the purchase rate to catch up with traditional insurances.

That said, the values at stake are enormous and as the report states, the likelihood of loss is higher for information assets than PP&E.

Another important takeaway from the survey is that business disruption has a much greater impact on information assets ($207 million) than on PP&E ($98 million).

This suggests the fundamental nature of probable maximum loss (PML) varies considerably for intangible assets vs. tangible assets, Ponemon says.

Business disruption represents 34 percent of the PML for information assets, compared to only 15 percent of the PML for PP&E.

A footnote states that while the survey results suggest PML in the neighborhood of $200 million, a growing number of companies are using risk analysis and modeling to suggest potential losses in excess of $500 million to over $1 billion and seek cyber insurance limit premium quotes and policy terms for such amounts.

More information on the growth in cyber insurance is available from the I.I.I. here.

Some 2,243 individuals involved in cyber and enterprise risk management at companies in 37 countries responded to the Ponemon survey.

The decision by Texas-based Blue Bell Creameries to recall all of its products after two samples of its ice cream tested positive for listeria is a timely reminder of the importance of product recall insurance.

Product recalls can be costly and logistically complex. In Blue Bell Creameries’ case the expanded voluntary recall announced Monday night includes ice cream, frozen yogurt, sherbet and frozen snacks distributed in 23 states and international locations.

Blue Bell said it was pulling its products “because they have the potential to be contaminated with listeria.”

The company had issued an earlier more limited recall last month after the U.S. Centers for Disease Control and Prevention (CDC) linked ice cream contaminated with listeria to three deaths in Kansas.

As of April 21, 2015, the CDC says a total of 10 people with listeriosis related to this outbreak have been confirmed from four states.

A 2014 report by Aon notes that the number of product recalls in the United States and Canada for both food products and nonfood products continues to grow year over year.

Each year, hundreds of products are recalled in the U.S. Some historically significant recall events have included such well-known brands as Tylenol, Perrier, Firestone Tires, Pepsi and Coca-Cola.

The Insurance Information Institute (I.I.I.) reminds us that product recalls can be financially devastating and potentially put a company out of business. No organization is immune to the risk of a product recall—even those with the best safety records, operational controls and manufacturing oversight.

In a post in the Wall Street Journal’s Morning Risk Report, crisis management experts note that how well a company succeeds at regaining customer trust following a product recall will likely determine whether it recovers from the negative hit to its reputation and bottom line.

True. Insurance can also help defray the financial hit on a company.

Product recall insurance helps cover a wide range of costs including advertising and promotional expenses to launch a recall, as well as the costs related to product destruction and disposal, business interruption and repairing a damaged reputation, the I.I.I. says.

Another coverage worth considering is product contamination insurance, which protects a company’s bottom line in the event its product is accidentally or maliciously contaminated.

Next Page »