This is the third blog in a series of four blogs examining three potential “protection gaps” and the importance of “protection gap analytics”. To read the first blog post in this series, click here.
In 1975, 83 percent of the value of the S&P 500 companies was invested in physical assets: factories, refineries, ships and offices. By 2015 that percentage had fallen to 16 percent, leaving 84 percent of the assets as intangible. Intangibles included intellectual property, data on clients, brand value and innovation potential. This massive shift has had huge significance for insurance.
The insurance product was designed to cover tangible risks: first ships and their cargoes, then houses, factories, cars and airplanes. Each item could be independently valued. A claims assessor could be sent out to inspect the damage and measure the costs of repair and replacement.
Now, much of business value is intangible. The “Intangibles Protection Gap” includes all those situations where insurance fails to cover losses suffered by non-physical business assets. How does one assess the value of intangibles — how does one measure loss? Some intellectual property (IP) has been stolen — how much is it worth? You are a cloud service provider hit by a deadly cyberattack which has released some confidential data. What is the value of your lost business, the damage to your reputation and of the penalties levied by the regulator and your customers.
Some elements of physical insurance provide a bridgehead to the world of intangibles. Take business interruption (BI) insurance.
Between 2005 and 2012 business interruption costs soared two times faster than the rise in commercial property damage. Supply lines were becoming increasingly attenuated and increasingly fragile. Between 2002 and 2004, 23 percent of commercial claims were BI. By 2016 to 2017, for larger commercial, BI made up 58 percent of claims.
Traditionally, BI covered business income or revenues lost as a result of physical damage. But in a world of intangibles there may be nothing to be damaged, so business interruption is being hurriedly rewritten to become intangible business interruption — also known as non-damage BI.
Yet without a physical damage trigger, how do we define what part of reduced business is insurable? There are a host of reasons why a company might lose business, through gaining a new competitor, from an economic downturn, from a failure in a new line of business or a change in fashion. None of these would be deemed insurable. Only unforeseen interruptions in supply and distribution would be covered. Yet if the supply is intangible: data, adverts, ideas, designs, information, models, we may need to find new ways of measuring the interruption. It will take forensic accounting to distinguish the different causes of revenue loss, those which are potentially insurable and those that would be considered business risks.
Another area where the protection gap has expanded is around liability. A 2011 Towers Watson survey showed that in 1973 all but six percent of tort costs were picked up by insurers. By 2010, as insurers wrote more and more exclusions in their policies, the gap had expanded sevenfold to 44 percent. Insurers were making themselves less relevant to supporting their clients.
In 2016, Mike McGavick head of XL Catlin said the (re)insurance industry’s solutions “…have almost nothing to do with the risks that are being created by the unique dependence society now has on technology.”
Some insurers names set out to evoke a functional paradigm from a former century: the “Hartford Steam Boiler Company” in a world where the machine at the heart of a company is massively parallel cloud computing, driving real time facial recognition. Or “Factory Mutual” in a Silicon Valley world without factories. When will we have Intangible Re?
Cyber is the model for the future. Going forward most insurance classes will have cyber risks embedded within them. Some 70 percent of business is now said to be linked with technology. Think cyber in the risk for auto, aviation, fire and theft insurance lines. See what happens when cyber disrupts the world’s largest shipping company and a major drugs manufacturer in the same (Not-Petya) incident, originally launched at Ukraine.
The five principal cyberattack styles highlight the range of intangible risks:
- While robbery of cash and bullion has a rich history, whether from banks, stagecoaches, trains or airplanes, today there are much higher stakes in financial theft, as the money is no longer in a material form.
- Data exfiltration, whether of customer data or company blueprint data, has no real equivalent in the material industrial world. Today data can be the unique raw material of the company, the seed corn on which the business is built. Exposing client data and revealing that data is insecure, can badly damage the business.
- The potential to sabotage or threaten multiple companies at the same time, with contagious malware, without any physical presence of the attackers, extends far beyond anything previously possible, blurring what constitutes an act of war.
- A Cloud outage can be like shutting down all paths to work, all the streets, and the shops, not just in a single town but everywhere.
- A denial-of-service attack is like dealing with a worldwide virtual mafia.
Much in the new world of cyber risk cannot simply be mapped onto the world of tangible risks. In this rapidly evolving environment, insurers are wary of the magnitude of potential losses as well as the degree to which many individual companies could be impacted by the same attack. In 2013 to 2014, individual cyber lines were typically for a maximum cover of US$100 million, but now lines are available up to US$500 million, while the total coverage is expanding at an estimate 30 percent per year. This still leaves a large protection gap. And the insurance offering on its own does not provide full redress to an attack, which beyond restituting the damage may require fortifying defenses.
In 2017 the losses spilled into other “silent” non-damage BI covers with insurance payouts for the nine principal cyber loss events exceeding US$3 billion. This still left a protection gap of non-covered losses estimated as 70 percent. Meanwhile the amount spent on raising defenses in response to cyber attacks was more than twenty-times higher (between US$57 billion and US$109 billion for the U.S. alone in 2016).
To have any chance of closing the “Intangibles Risk Protection Gap” will require adapting the insurance product. In the cyber sector, insurers need to offer larger lines of coverage while modeling a wide range of ways in which losses can be correlated across different organizations, so that reinsurers can play an effective role in worldwide portfolio management. Meanwhile cloud service providers and the largest online retailers are all trying to diversify the risk of interruptions to their operations in ways that might formerly have been handled by a reinsurer. In the same way chief risk officers are designing in redundancy to their supply chains so they do not have to rely on contingent business interruption insurance.
Increasingly the economic losses that follow a terrorist incident are not the direct damages but the costs of disruption to businesses in the exclusion zone cordoned off after the attack and, longer term, to businesses such as hotels and restaurants dependent on tourism to that city. While insurance coverages are available to provide for these situations, these are rarely adopted, leaving a significant protection gap around terrorist incidents. An Allianz study in 2017 found that supplier failure caused a third of the non-damage BI claims, cyber incidents 29 percent and ten percent from terrorism.
Perhaps the new hazard in the world of intangibles is the contagion of fear, which spreads like wildfire through social media. Fear led commercial insurers to cancel all coverage after 9/11, and drove passengers to refuse to fly. Fear has led to a big increase in anti-vaccination campaigns and come the next “higher-lethality-than-average” pandemic will lead to workers refusing to take public transport, or to send their children to school, or even come to the workplace, potentially paralyzing food distribution, co-commuting, even the functioning of hospitals. Consider what that will mean for business interruption. Look at the big “event-cancellation” insurance costs from Florida, triggered days before actual landfall, merely by the fear of the approaching Hurricane Irma.
Click here to read the final blog in this four-part series, entitled “Protection Gap Analytics: The Role of Risk Modeling“.