Risk Insider: Kevin Kalinich

Lights Out! Can Insurance Help?

By: | January 25, 2016 • 3 min read
Kevin Kalinich is the global cyber risk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at [email protected]

In “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” author Ted Koppel suggests that a catastrophic cyber attack on America’s power grid is likely and that we’re unprepared.

Advertisement




Let’s examine his assertions from a risk management perspective.

• Power Grid Attack Likely?

Clients tell us that they are hacked more frequently than is reported. A Dec. 21, 2015 article, “Biggest U.S. Electric Company Battles Off Steady Cyberattacks,” reported that Duke Energy’s computer systems that manage dams, nuclear power plants and other types of generating plants are under constant attack. A reported cyber attack last month caused one-half of Western Ukraine to lose power.

• U.S. Unprepared?

Opinions differ on whether we have seen improved prevention, mitigation, response and resiliency since the Northeast power outage of 2003. Mr. Koppel described a bureaucracy that is moving slowly and with poor focus against a dynamic threat.

For example, the National Protection and Programs Directorate at the Department of Homeland Security, responsible for coordinating risk reduction to critical American infrastructure, is divided in two separate and distinct parts –- one physical and one cyber-related.

We are, however, seeing certain governmental actions and changes. The Cybersecurity Information Sharing Act of 2015, signed into law December 2015, provides immunity from liability to participating organizations that share certain cyber-threat information with the federal government and vice versa.

Federal and state agencies such as the Federal Energy Regulatory Commission may consider increased fines for grid failures that have ranged from $50,000 to $350,000. By way of example, Florida Power and Light Company was fined $25 million in 2009 for a February 2008 blackout.

However, most reported cases of cyber damage and regulatory action to date relate to protection of personally identifiable information, such as the Federal Communications Commission’s $25 million fine against AT&T and $100 million fine against Lifelock.

• Catastrophic?

According to search engine Shodan, the U.S. has more than 57,000 industrial controls systems connected to the internet. But how do we quantify potential losses? Information on how companies and the government respond to hacks is often protected and sometimes classified, which can defeat transparency.

Untitled-1

A 2015 Lloyd’s of London/University of Cambridge report, “Business Blackout,” sets forth the insurance implications of a cyber attack on the U.S. power grid. The report estimated a hypothetical worst case scenario of $243 billion to $1,024 trillion in direct and indirect losses, with between $21.398 billion and $71.109 billion in estimated insurance industry losses.

Currently there are not enough stand-alone cyber limits to pay for such losses.

Many property and general liability insurers are inconsistent and/or hesitant to cover cyber exposures likely because there’s insufficient actuarial data. Since we don’t have sufficient actuarial data for cyber exposures, we should borrow from other complex modeling situations like typhoons, earthquakes and hurricanes — relatively rare events that could have catastrophic impacts.

Advertisement




We’ve come to the conclusion that we need to break down the silos between the insurance company property/GL groups and cyber groups, and develop a combined all-risk policy that combines the actuarial data of property losses with cyber experts to identify and quantify frequency and severity. To analogize, a similar approach is used to build terrorism insurance programs, with mixed success (see graphic).

By combining an objective risk management context based on data analytics, we can learn from natural weather incidents and terrorism threats to develop robust public-private partnerships to help improve our preparedness and reduce losses stemming from a cyber attack.

2018 Most Dangerous Emerging Risks

Emerging Multipliers

It’s not that these risks are new; it’s that they’re coming at you at a volume and rate you never imagined before.
By: | April 9, 2018 • 3 min read

Underwriters have plenty to worry about, but there is one word that perhaps rattles them more than any other word. That word is aggregation.

Advertisement




Aggregation, in the transferred or covered risk usage, represents the multiplying potential of a risk. For examples, we can look back to the asbestos claims that did so much damage to Lloyds’ of London names and syndicates in the mid-1990s.

More recently, underwriters expressed fears about the aggregation of risk from lawsuits by football players at various levels of the sport. Players, from Pee Wee on up to the NFL, claim to have suffered irreversible brain damage from hits to the head.

That risk scenario has yet to fully play out — it will be decades in doing so — but it is already producing claims in the billions.

This year’s edition of our national-award winning coverage of the Most Dangerous Emerging Risks focuses on risks that have always existed. The emergent — and more dangerous — piece to the puzzle is that these risks are now super-charged with risk multipliers.

Take reputational risk, for example. Businesses and individuals that were sharply managed have always protected their reputations fiercely. In days past, a lapse in ethics or morals could be extremely damaging to one’s reputation, but it might take days, weeks, even years of work by newspaper reporters, idle gossips or political enemies to dig it out and make it public.

Brand new technologies, brand new commercial covers. It all works well; until it doesn’t.

These days, the speed at which Internet connectedness and social media can spread information makes reputational risk an existential threat. Information that can stop a glittering career dead in its tracks can be shared by millions with a casual, thoughtless tap or swipe on their smartphones.

Aggregation of uninsured risk is another area of focus of our Most Dangerous Emerging Risks (MDER) coverage.

The beauty of the insurance model is that the business expands to cover personal and commercial risks as the world expands. The more cars on the planet, the more car insurance to sell.

The more people, the more life insurance. Brand new technologies, brand new commercial covers. It all works well; until it doesn’t.

As Risk & Insurance® associate editor Michelle Kerr and her sources point out, growing populations and rising property values, combined with an increase in high-severity catastrophes, threaten to push the insurance coverage gap to critical levels.

This aggregation of uninsured value got a recent proof in CAT-filled 2017. The global tally for natural disaster losses in 2017 was $330 billion; 60 percent of it was uninsured.

Advertisement




This uninsured gap threatens to place unsustainable pressure on public resources and hamstring society’s ability to respond to natural disasters, which show no sign of slowing down or tempering.

A related threat, the combination of a failing infrastructure and increasing storm severity, marks our third MDER. This MDER looks at the largely uninsurable risk of business interruption that results not from damage to your property or your suppliers’ property, but to publicly maintained infrastructure that provides ingress and egress to your property. It’s a danger coming into shape more and more frequently.

As always, our goal in writing about these threats is not to engage in fear mongering. It’s to initiate and expand a dialogue that can hopefully result in better planning and mitigation, saving the lives and limbs of businesses here and around the world.

2018 Most Dangerous Emerging Risks

Critical Coverage Gap

Growing populations and rising property values, combined with an increase in high-severity catastrophes, are pushing the insurance protection gap to a critical level.

Climate Change as a Business Interruption Multiplier

Crumbling roads and bridges isolate companies and trigger business interruption losses.

 

Reputation’s Existential Threat

Social media — the very tool used to connect people in an instant — can threaten a business’s reputation just as quickly.

 

AI as a Risk Multiplier

AI has potential, but it comes with risks. Mitigating these risks helps insurers and insureds alike, enabling advances in almost every field.

 

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]