Three emerging risks that will keep insurers and actuaries busy in the years to come.
Technology has always tempted us with visions of a brave new world. We can imagine ourselves commuting to work in a car that’s essentially its own chauffeur, one that automatically whisks us through the traffic that we used to dread — while we read or text or even catch up on a few minutes’ sleep — and delivers us safely to the door.
Or we can imagine that Super Bowl Sunday when the old TV bites the dust and we finally get to order that big-screen behemoth we’ve always coveted — and have it delivered safely to our door two hours later by a hovering delivery drone, just in time for kick-off.
And we don’t even have to imagine how we pay for it. We pay for it like we do now, with a piece of plastic or a smart phone or some other magic device yet to be devised that makes money change places in a nanosecond.
All these gizmos may make our lives better, but, as with any new or emerging technology, there are risks and costs. Some of them we know about already, and some we don’t. Nevertheless, it’s the job of actuaries and the insurance companies they work for to identify those risks and quantify the costs.
Battle in Cyberspace
One such risk we know is going to be costly because it’s already hit the headlines. Hard.
During the end-of-2013 holiday shopping season, cyber thieves stole payment data on about 40 million credit and debit card accounts of customers of the retail giant Target. The criminals used malware they installed on Target’s store checkout systems. They also stole personal information on up to 70 million individuals. Latest reports show $248 million in losses incurred as of November 1, 2014, and directly attributed to the data breach, partially offset by expected insurance recoveries of $90 million, for a net loss of $158 million.1 And this doesn’t include the reputational damage to Target or that its CEO lost his job after the breach.
And, of course, Target wasn’t alone; PF Chang, Neiman Marcus, Home Depot, and JP Morgan Chase also experienced high-profile breaches that have cost untold millions (or billions) of dollars. And who knows how many more have happened since this was written? [Editor’s note: The hacking of Sony Corporation came to light in late 2014.]
“When it comes to emerging technologies, cyber is the one risk that affects them all,” says Alex Krutov, president of Navigation Advisors, NYC. “We can see it everywhere from medical devices and autonomous vehicles to the so-called Internet of Things. However, cyber risk is certainly not just about new technologies. It is something that’s here and now, not just in the future. And it’s rapidly growing”
The problem seems almost insurmountable: As soon as security experts erect impregnable defenses around their sensitive data, hackers devise ways to get through them. And hackers don’t just hit and run. As in the case with the JP Morgan breach, they not only broke in multiple times, they hung out for a while to look around. Is any of our information safe? Will it ever be?
“It has always been an ongoing battle between hackers and the defenders against them,” says Hank Haldeman, executive vice president and director, The Sullivan Group, Los Angeles. “An Internet security insurance consultant made an analogy to medieval times — the constant development of weapons technology resulted in new defenses and then even newer weapons. Unfortunately, that means the cyber attackers are always one step ahead of the defenders, so it’s always a matter of responding.”
Alan Paller is director of research for the SANS Institute, a firm that specializes in providing computer security education and training for companies. During a panel discussion on NPR’s Diane Rehm Show, he was asked if teaching good guys how to protect against data breaches doesn’t give ideas to the bad guys. His response: “They already know.”
Most of the high-profile retail cases (Target, Neiman Marcus, Home Depot) have involved compromised credit cards. Improvements in credit card technology, such as the “chip and PIN” system widely adopted in Europe, have helped reduce the risk of fraud somewhat. But chip and PIN works only if the card itself is present; it has no effect on Internet transactions. For that, companies like VISA are experimenting with a system called “tokenization” that replaces sensitive information with coded “tokens.” But even that, experts say, isn’t foolproof.
At the risk of being fanciful, it’s not difficult to imagine this as an epic conflict in a DC comic book, where valiant cyber risk managers in a blasted landscape endlessly battle shadowy villains who are always one step ahead. But trying to manage this all-but-unmanageable risk isn’t the same as insuring against it. Is this wild and chaotic territory really any place for the insurance industry? Cyber insurance may be the fastest growing line of insurance right now, but how do you quantify a risk when everything is constantly changing?
“That is exactly the difficulty,” says Krutov. “In dealing with cyber risk, one of the greatest challenges is its quantification. Insurance companies need to assess cyber risk in quantitative financial terms rather than only the qualitative terms that are so often used in cyber security and cyber risk management. Those are important — by themselves and in assuring compliance with specific standards — but they don’t always lend themselves to translation into quantitative measures that describe probability and magnitude of potential losses. That’s what’s needed for proper pricing of cyber insurance and it’s a very significant challenge. But, right now, very often purely qualitative as opposed to quantitative methods are used for cyber risk assessment. It’s not surprising because so many aspects of cyber risk are poorly understood.”
According to Karl Olson, vice president of Sullivan Brokers Wholesale Insurance Solutions, San Francisco, there are basically two types of cyber exposure: network security and privacy. Network security has to do with the storage or processing of data, which would include any company’s internal software systems, databases, or cloud servers. Privacy liability involves first- and third-party exposures, which include personally identifiable information (PII) and protected health information (PHI).
The 50 or so companies that cover these exposures price their products competitively and aggressively but each product is different. They all contain more than one insuring clause — a clause for network security, one for privacy, one for notification and credit monitoring, a clause for media — specifying what the insurer will pay in that area.
“There are now 47 states that have laws that require some action in the event of a data breach,” says Olson, “and I’d say that the regulatory exposure is certainly one emerging risk. What that means is that there are 47 different platforms or thresholds or definitions of PII and PHI. Not only do you have 47 different state platforms but you have all these different carrier products that call the same exposure different things, providing similar coverages under different names. You have limit structures that in some cases make sense and in some cases are deficient from the insured’s perspective. There’s no real commonality to the viewpoint of risk. It’s taken about 12 years to get to where we are now — the first was California in 2003 — and it’s still evolving.”
Cyber risk insurance has been underwritten by insurance companies for some time now, according to Alex Krutov, but the industry still has to develop expertise in the analysis of this risk. He believes that actuaries need to work with other disciplines — risk managers, IT experts, attorneys, data analysts — to improve the way cyber risk is analyzed and underwritten.
“I believe that significant improvements can be made in cyber risk modeling. This will allow us to make cyber insurance pricing more risk sensitive, with higher premiums charged where the risk is higher. The risk is rapidly evolving, which may require changing insurance rates more frequently than in other lines and possibly making adjustments to the risk margins in insurance premiums,” Krutov says. He acknowledges that if interpreted very broadly, in some cases this could be seen as a controversial position and may run into regulatory resistance.
“It’s surprising how few of the smaller organizations that are involved in capturing credit card information aren’t protected,” says Haldeman. “They’re liable if they’re negligent with the information that crosses their thresholds. New exposures arise out of the use of the cloud for storing information and data, and many insurance policies don’t deal effectively with data that you’re not actually storing onsite. What is your responsibility versus that of the purveyor of the data storage? Insufficient attention has been paid to that question. Technology is often changing beyond the scope of the policies, so a company that bought a policy five years ago and thinks it’s covered may not be as covered as it thinks it is.”
Who’s Driving Miss Daisy?
The response to cyber risk may still be emerging, but the risk itself is here and has been for quite some time. The same cannot be said for the driverless car. Though many believe they’re inevitable and won’t be long in coming, they’re not here yet. At least not on our roads and highways. But they’re definitely being driven, tested and developed.
Go to http://www.google.com/about/careers/lifeatgoogle/self-driving-car-test-steve-mahan.html and you can see Steve Mahan, who is legally blind, sit behind the steering wheel while his autonomous Toyota takes him down local streets, to the dry cleaner and even the Taco Bell drive-through.
Not long ago, for about 45 minutes on Google corporate campus and the highway in California, Alex Krutov was also a passenger in one of Google’s test models.
“It was a unique, unusual experience, being in a car that didn’t really have a driver,” he says. “There was a Google test engineer with me who could take control at any moment, but the car was driving itself. Five years ago we would have seen it as science fiction. I wasn’t anxious at all. Despite my natural focus on risk and the analysis of uncertain events, this experience felt absolutely safe. To the best of my knowledge, none of Google’s self-driving cars has been in an accident where it was the car’s fault. Somebody did rear-end one when it stopped at a traffic light but that couldn’t be blamed on the car’s software or hardware.”
Who’s going to be liable? Will driverless cars really eliminate “driver error”? … Who does the human sue when he gets hit by an autonomous car? The owner? The manufacturer? The computer programmer?
Which raises one of the most important questions insurers will have to face when these vehicles finally start to hit the road: Who’s going to be liable? Will driverless cars really eliminate “driver error”? Obviously, it’s easier for driverless cars to operate if there are only driverless cars on the road. But at least for a while they’ll have to share road with cars driven by humans. So who does the human sue when he gets hit by an autonomous car? The owner? The manufacturer? The computer programmer?
According to Google, one of the most difficult problems its developers have to deal with is programming the car to react to completely unexpected actions by human drivers. And humans are good at making unexpected actions that make no sense to a computer.
Many cars on the road today are already equipped with computers designed to reduce the risk of human error: blind spot monitoring devices, rearview cameras, and lane-departure warnings. Vehicle-to-vehicle (V2V) communication systems in some high-end models can help drivers avoid collisions.
“As crash avoidance technology gradually becomes standard equipment,” says an Insurance Information Institute paper,2 “insurers will be able to better determine the extent to which these various components reduce the frequency and cost of accidents. They will also be able to determine whether the accidents that do occur lead to a higher percentage of product liability claims, as claimants blame the manufacturer or suppliers for what went wrong rather than their own behavior.”
According to the 2008 National Motor Vehicle Crash Causation Survey (NMVCCS), 93 percent of accidents are caused by human error. But this statistic doesn’t account for driverless vehicles. Last year, the Casualty Actuarial Society created a Task Force on Automated Vehicles (CAS AVTF) to look into what impact this new technology will have on insurance and risk management. The task force found that the standards referenced in the NMVCCS survey really don’t apply to automated vehicles. “Automated vehicles can be expected to address up to 51 percent of accidents, not the 93 percent that is commonly referenced,” the task force said in its executive summary.3 “Things that cause accidents today may or may not cause accidents in an automated vehicle era.”
If reducing accidents can reduce the cost of liability insurance, what about comprehensive coverage of driverless cars? With all that computer hardware and software aboard, they’re going to be expensive to repair or replace. But, according to a 2014 RAND study on driverless vehicles, the lower risk of accidents may offset the higher cost of insuring the equipment, resulting in lower insurance costs overall.
Watch the Skies!
“Widespread commercial use of drones is probably 15 or 20 years away,” says Karl Olson. “When you’ve got a sky littered with drones, like flocks of birds…that’s too far on the horizon for me to speculate.”
Maybe. Maybe not.
Drones — also known as unmanned aircraft systems (UAS) or even flying robots — are already controversial when they’re used as weapons in Afghanistan, Iraq and other modern battlefields. They’re even more controversial when contemplated in civilian air space. Some are used today in a variety of peacetime uses — including law enforcement, firefighting, disaster relief, and search and rescue. Drones were used by insurance companies in the aftermath of Hurricane Sandy to assess damage in areas it was difficult or impossible to get to. Only recently, the Federal Aviation Administration (FAA) decided to allow filmmakers to use drones for aerial shots in the United States — cheaper and safer than a helicopter.
But their use is largely unregulated. Air space in many areas is already crowded and adding unmanned aircraft to the mix can be dangerous. And any discussion of civilian use of drones inevitably turns to violation of privacy issues, with dire predictions of airborne robotic cameras hovering and leering outside our bedroom windows.
In March 2013, Rep. Ed Markey (D-MA) introduced the Drone Aircraft Privacy and Transparency Act, which attempts to set up a regulatory framework for the use of drones that includes protection of privacy, data collection and enforcement. So far it seems to be grounded in committee. Even so, Congress has given the FAA until September 2015 to devise and implement a regulatory policy.
Meanwhile, as of February 2013, the FAA had already issued more than 1,000 drone licenses to government and private users. According to Vikki Stone, senior vice president of Poms and Associates, an insurance broker in Los Angeles, insurers are trying to figure out how they’re going to cover these things once they eventually do get off the ground.
“Coverage for drones is currently being negotiated with a number of different insurance companies,” Stone told A.M. Best. “There isn’t an actual policy out there right now that will pick up the kinds of exposures we’d be seeking when the FAA approves the commercial use of drones. There are certainly drones in use right now and those are, of course, being insured. But at this time we’re in the negotiation phase of our program.”
The kinds of exposures insurers will be looking at include the drone itself, property damage it might cause, liability (both general and aircraft product), cyber insurance against the hacking of drone data, workers’ compensation, employment practice liability, and directors and officers liability. And who knows what other exposures might reveal themselves in practice?
In July 2014, the TEAL Group, defense and aerospace industry consultants, predicted that worldwide annual spending on drones would almost double over the next decade, from a current $6.4 billion to $11.5 billion a year, totaling close to $91 billion in the next 10 years. This is going to translate into major bucks for insurance companies.
“Drones will affect the insurance industry in many ways,” says Stone, “but the major effect will be to provide a new income stream.”
“I think we’re in an exciting time for entirely new insurance products to be developed,” Karl Olson agrees. “From the carrier perspective, there are many talented individuals who are directly addressing these exposures.”
Steven Sullivan is a freelance writer and editor in Baltimore, MD.
1 U.S. Securities and Exchange Commission Form 10-Q, Quarterly Report [of Target Corporation] Pursuant to Section 13 or 15(d) of the SEC Act of 1934, for the quarterly period ended November 1, 2014.
2 “Self-Driving Cars and Insurance,” III, September 2014.
3 “Restating the National Highway Transportation Safety Administration’s National Motor Vehicle Crash Causation Survey for Automated Vehicles,” http://www.casact.org/pubs/forum/14fforum/CAS%20AVTF_Restated_NMVCCS.pdf