The reinsurance industry has recently seen a rise in mergers and acquisitions among some of its biggest players, such as Axis Capital Holdings Ltd. and PartnerRe Ltd. Faced with challenges like soft market conditions and impending regulation around the globe, many companies have turned to consolidation. Case in point: In 2014, acquirers spent $17 billion on property and casualty, multi-line insurance and reinsurance deals – the most since 2011, according to data compiled by Bloomberg.

Claude Lefebvre, chief underwriting officer at Hamilton RE, described M&A as part of a cycle that tends to take place during the soft market. Last year, about 390 insurance transactions were announced for a combined value of almost $50 billion, making it the busiest year for deals since 2008. This begs the question: Is bigger actually better?

At a recent roundtable in Bermuda, a group of executives talked about the pros and cons surrounding the current spate of mergers and acquisitions in the reinsurance and insurance markets. The discussion noted that M&A may not be as beneficial to the reinsurance market as previously conceived, and looked specifically at the long-term benefits (or lack thereof), the potential for culture clashes among merged organizations and the impact of investors.

Here is what some of the conversation entailed:

Long-term benefits of M&A

With a rise in the number of consolidations, many smaller reinsurance companies are under pressure to make a deal sooner rather than later. But does this ultimately increase shareholder value, especially in cases of like-for-like companies?

Brenton Slade, chief operating officer at Horseshoe Group, believes there would be far less M&A activity if management teams took the time to look at the rationale behind the proposed deal and how it would benefit shareholder value over the long term. With this strategy, he believes we would see more money being returned to investors or being deployed into new product lines as opposed to just expanding equity bases.

As stated by Robert Johnson, president at Aon Benfield Bermuda, being a company with $10 billion of capital does not necessarily provide access to much more business than being a $5 billion company. Potential challenges, such as ensuring companies have the right synergies and the loss of good employees, may outweigh the benefits of a merger.

Culture Clashes

A major issue seen with the rise of mergers is combining two company cultures and their legacy systems into one cohesive unit. A recent study from Xuber showed that cultural integration and incorporation of multiple systems was the biggest challenge faced by companies following M&A.

Issues such as determining which team members stay on, what the company will be called and where the company will be based are huge decisions and can cause a great deal of tension. The integration of existing data systems, legacy systems, contracts and processes is just as challenging.

Companies need to take culture into consideration when acquiring another organization and determining how they will mitigate issues that arise. This can also be used as an opportunity to refresh old legacy systems and integrate new data storage systems to replace outdated technologies.

Additionally, it gives smaller companies an advantage in the M&A process, as they have fewer systems in place and can adjust more easily. Smaller companies are also at an advantage when larger companies merge, as they can capitalize on dislocated teams and bring in new lines of business.

Investor Impact

Some believe that investors, and their desire to increase their capital base, are driving much of the current M&A activity. Previously, investors wanted to manage performance; this has changed dramatically as investors have become less focused on performance or meeting certain return or risk policies. Now investors are less involved and often do not understand the reinsurance industry. They are simply looking to increase the size of companies and in turn their capital base, without looking at the long-term impact of consolidation or the benefits of having two smaller companies.

Will Things Keep Getting Bigger?

Bloomberg predicts that we will continue to see a rise in M&A activity as the demand for bigger and more diversified portfolios increases and companies see it as the only option to remain competitive. Smaller companies will likely feel the pressure to become involved and see it as the only way of securing any kind of substantial future.

On the other hand, this may present an opportunity for smaller companies to shine. As their larger competitors struggle with the challenges brought on by the M&A process and are not able to focus on day-to-day activities, smaller companies can produce higher quality work and scoop up some of the larger companies’ lost talent.

The debate will likely continue as to whether the pros outweigh the cons, or vice versa, in the recent spate of M&A activity in reinsurance and insurance. It is yet to be seen that we can truly prove bigger is better. What do you think?


Background check

Is your company guarding against the threat of insider attack? If you responded with, “well, we do background checks when they are hired,” that’s a good start, but what about risk assessment during the course of an individual’s employment?

The 2015 Insider Threat Spotlight Report from Infosec Buddy found that fewer than half of companies have the proper tools to fight insider threats. And, according to 62% of security professionals, that threat has increased in the past year. The average company faces four insider attacks every year, with an estimated price tag of $500,000 each, in addition to the astronomical impact a breach can have on an organization’s reputation.

So where is the disconnect? It starts with how we assess individual risk.

The limitations of the current employee screening model

The majority of companies conduct a one-time background check on new employees before they are hired. This is a necessary part of the risk assessment process, and the majority of background screening companies are great at what they do, but this model is built on a flawed assumption: that employee risk remains constant over time.

While an employee may not have posed a risk when hired, that can change quickly. Stressful life events such as a bankruptcy, a DUI, a divorce or a negative performance review can change an individual’s risk profile in an instant. It is also important to note that traditional background checks typically focus exclusively on criminal records, failing to analyze other important information sources like human resource documents, financial records, and social media activities.

And it’s not just employees. Insider threats can come in the form of third-party contractors, vendors, suppliers, and partners – in other words, any parties with the ability to access sensitive corporate information. A recent Accenture survey found that 76% of companies believe supply chain risk management is “very important.” The reality is that people are dynamic, and so are their motivations, which is why companies need comprehensive tools for managing personnel risk as it evolves over time.

The future of background checks: continuous identity screening

Getting proactive about managing the risks of insider threats starts with finding ways to continuously monitor personnel risk after they are brought into the organization. Advances in software offer one way to approach this challenge. Programs now exist that allow companies to actively monitor changes in personnel risk as it evolves, throughout an individual’s tenure with the company.

Continuous identity screening software automatically gathers and analyzes risk data from all relevant information sources, such as public records and HR documents, and proactively alerts risk and security managers to the most pressing threats. This keeps risk managers updated in real time, unlike traditional pre-hire or periodic screening, which can uncover risk only after it’s too late.

Take the example of a city bus driver who has received a recent DUI charge. Many employers would not be notified of that until a regularly scheduled periodic background screening, if at all. Most employers rely on their employees to self-report incidents, but that does not always happen for obvious reasons. By implementing continuous screening, companies can immediately learn about that bus driver’s DUI charge, which prompts an investigation that could lead to further action.

Today’s continuous screening tools can also be customized by industry. For instance, the financial services industry may attribute more risk to an employee filing for bankruptcy than a transportation company would, whereas the healthcare industry may view odd activity on the network as a greater indicator of potential IP theft. Every industry has its own unique challenges and obstacles in meeting the mandates and regulations necessary. Tailoring the screening process accordingly can help proactively address those issues.

What does this mean for you?

By bringing together identity data from external sources like criminal and financial records with internal sources like network activity and personnel reviews, organizations can reduce the risk of insider threats. It also allows organizations to maintain compliance through a legally defensible audit trail designed to meet critical regulations such as FCRA, FTC, and EEOC.


A cyberattack targeting the U.S. power grid would have widespread economic implications, resulting in insurance claims of between $21.4 billion and $71.1 billion in a worst case scenario, according to a report by Lloyd’s.

Lloyd’s and the University of Cambridge’s Centre for Risk Studies recently released “Business Blackout,” which examines the insurance implications of a major cyberattack using the U.S. power grid as an example. In the scenario outlined, malware is used to infect control rooms for generating electricity in areas of the Northeastern U.S. The malware goes undetected and locates 50 generators that it can control, forcing them to overload and burn out. The scenario, described as “improbable but technologically possible,” leaves 15 states in darkness, meaning that 93 million people are without power.

Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue for businesses and disruption to the supply chain. The total impact to the U.S. economy is estimated at $243 billion, rising to more than $1 trillion in the most extreme version of the scenario.

Claimant types fell into six categories:

Power generation companies

• Property damage to their generators.

• Business interruption from being unable to sell electricity as a result of property damage.

• Incident response costs and fines from regulators for failing to provide power.

Defendant companies

• Companies sued by power generation businesses to recover a proportion of losses incurred under defendants’ liability insurance.

Companies that lose power – companies that suffer losses as a result of the blackout.

• Property losses (principally to perishable cold store contents).

• Business interruption from power loss (with suppliers extension).

• Failure to protect workforces or causing pollution as a result of the loss of power.

Companies indirectly affected – a separate category of companies that are outside the power outage but are impacted by supply chain disruption emanating from the blackout region.

• Contingent business interruption and critical vendor coverage.

• Share price devaluation as a result of having inadequate contingency plans may generate claims under their directors’ and officers’ liability insurance.

Homeowners

• Property damage, principally resulting from fridge and freezer contents defrosting, covered by contents insurance.

Specialty

• Claims possible under various specialty covers, most importantly event cancellation.

Other key findings of the report include:

• Responding to these challenges will require innovation by insurers. The pace of innovation will likely be linked to the rate at which some of the uncertainties revealed in this report can be reduced.

• Cyberattack represents a peril that could trigger losses across multiple sectors of the economy.

• A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.

• The sharing of cyberattack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.


As cyber threats emerge and evolve each day, they pose challenges for organizations of all sizes, in all industries. Even though most industries are investing heavily in cybersecurity, many companies are still playing catch-up, discovering breaches days, months, and even years after they occur. The 2015 Verizon DBIR shows that this “detection deficit” is still increasing: The time taken for attackers to compromise networks is significantly less than the time it takes for organizations to discover breaches.

The risk posed by third parties complicates the issue further. How can an organization allocate time and resources to trust their partners’ security when they are struggling to keep up with their own? Over the years, audits, questionnaires, and penetration tests have helped to assess third party risk. However, in today’s ever-changing cyber landscape, these tools alone do not offer an up-to-date, objective view. While continuous monitoring solutions can improve detection and remediation times for all organizations, the retail, healthcare, and utilities industries can especially benefit from greater adoption.

Retail

Some of the most notable data breaches have occurred in the retail sector. Recently, eBay asked its 145 million customers to change passwords after names, e-mail addresses, physical addresses, phone numbers and dates of birth were stolen. Retailers frequently work with new vendors and suppliers over time. Moreover, companies rely on point-of-sale systems (PoS) that are often susceptible to new types of malware. Compounded with the challenge of dealing with a large number of vendors and keeping up with new vulnerabilities, retail often ranks low in detection times. A recent study by Arbor Networks and the Ponemon Institute found that retailers take an average of 197 days to detect advanced threats on their networks.

Retail companies with tight budgets may not be able to commit the same amount of resources towards security as the Finance sector. Yet, implementing a continuous monitoring solution will enable companies to better monitor their own networks and stay on top of threats in their vendor ecosystem in a more cost-effective manner. Furthermore, it will also help retailers reduce detection and remediation times.

Healthcare

Healthcare providers have recently dominated headlines with large data breaches. In January, Premera disclosed that it lost information for roughly 11 million of its customers. A month earlier, Anthem Inc. said information of close to 70 million current and former employees and customers was stolen. Both of these breaches exposed personally identifiable information (PII) including SSNs and birthdays, and possibly medical information as well.

In general, healthcare providers have an immense number of devices connected to their networks. Following widely known breaches in this sector, many criticized organizations for failing to encrypt files containing sensitive customer information. While stronger encryption would certainly help, these companies must also ensure their networks are secure in the first place. Weeks before the Premera breach, federal auditors told the organization that some of its network security practices were inadequate and vulnerable to attack. If Premera had been monitoring its networks with greater frequency, it may have learned of these vulnerabilities earlier, on its own. Subsequently, it may have had significantly more time to patch and prevent a breach.

Utilities

Companies in the Utilities sector are challenged with protecting critical infrastructure. These companies also hold a large amount of customer data, making them big targets for hackers looking to destroy or exfiltrate data. In 2014, nearly 70% of companies in the utility sector said they had been breached. Many companies also have reported attempts to have their data completely deleted or destroyed.

Breaches of Utility companies are often not disclosed, so the full scope of vulnerable companies in this industry is not fully understood. However, a recent study found that 52% of companies in the Utilities industry had significant botnet infections. Greater monitoring will be necessary for companies in this sector to decrease the breadth of infection. Without it, our critical infrastructure and personal information remain vulnerable.

Narrowing the gap

For this “detection deficit” to narrow, companies need to monitor their own networks with greater frequency. As businesses have increasingly outsourced their operations over the years, they will also need to monitor third parties – and even fourth parties – to manage risk.

A recent survey found that 46% of companies that experienced a data breach took more than four months to detect a problem on their networks. Perhaps even more concerning is that 70% of these breaches were detected by a third party. Continuous monitoring solutions will enable organizations to detect intrusions as they occur. As a result, IT teams can spend more time and resources on fixing and remediating threats rather than detecting them in the first place.

Nobody wants to live the embarrassment of being told over the phone that they’ve been breached, or worse, read about it in the news. But as more organizations adopt continuous monitoring solutions, this experience should become far less frequent.
