A Worldwide Need for a Better Cyber Insurance Market

A new report from the European Network and Information Security Agency (ENISA) claims that Europe’s citizens and businesses could benefit from better protection for their computer systems and data if the cyber insurance market can be kick-started.

Though cyber security is an important concern for European and national policy makers, businesses and citizens, there is concern that traditional coverage offered by Europe’s insurance providers may not comprehensively address digital risk, according to the report, “Incentives and Barriers to the Cyber Insurance Market in Europe.”

ENISA has made four recommendations to address this issue:

  • Collect empirical data on cyber insurance in Europe, looking at types of risk insured, premiums paid and levels of payouts to determine future trends. The action could be taken by insurance underwriters, firms or regulatory authorities.
  • Examine incentives for firms to improve their data security as a way for them to reduce their risk and financial liability if they breach data protection regulations. Fact finding with the European Commission would be a first step to understanding this area.
  • Establish agreed frameworks to help firms put a measurable value on their information. The work could be assisted by privacy and information security advisors, underwriters and the European Commission. ENISA could also provide further support.
  • Explore the role of governments as an insurer of last resort, following other models where policy intervention is in evidence when catastrophic risk is involved. This could be investigated by EU Member State governments and the European Commission.

Meanwhile, in the U.S., the topic of cyber liability exposures and coverage was of top concern at the Casualty Actuarial Society’s Seminar on Reinsurance, held earlier this month in Boston. There, it was noted that 72% of large U.S. companies do not have cyber liability insurance, while 33% believe they don’t have significant data exposure, since they believe their internal controls are adequate (according to a study by Towers Watson).

The business of cyber insurance is growing, however. Michael L. McCarthy, a vice president of professional liability treaty reinsurance at Axis Capital, estimated the market at about $500 million in premium per year, most of it in the United States, and growing at 10 to 25% per year.

According to a release from the Casualty Actuarial Society, John Merchant, of Freedom Specialty Insurance Company, divided coverage into five broad categories:

  1. Liability coverage, which covers damages from loss or compromise of sensitive third party data, like patient medical records. It also covers liability arising from damage to a third party’s network because the insured’s network caused a data breach, such as if a virus traceable to the insured’s network infects another network. And it covers e-media issues, like libel or slander or misuse of a company’s trademark.
  2. Expense coverage, which covers the cost to notify every person whose privacy has been breached. Often that includes providing the victim services like credit monitoring, identification theft monitoring or restoration of a stolen identity.
  3. Regulatory coverage, which covers the company’s costs if the breach triggers investigation by state or federal authorities.
  4. Industry group coverage, which handles fines assessed by industry associations for data breaches. For example, Visa, MasterCard and Discover have established a Payment Card Industry-Data Security Standard. If a credit card issuer fails to adhere to the standard, it can be fined. The coverage handles the fine.
  5. First party coverage, which handles loss of revenue from network interruptions caused by a security breach, or the cost of restoring lost data.

However you divide it or analyze it, the fact remains that there is still an inadequate market for cyber insurance, both in the States and abroad. Though recent statistics have shown growth, we must remember that it is an emerging market and with that come risks, mistakes and lessons.

Supreme Court Upholds Health Care Law

In one of the most closely-watched decisions in recent years, the Supreme Court upheld the Affordable Care Act, including the controversial individual mandate requiring most Americans to purchase health insurance or face a financial penalty. SCOTUS Blog posted a succinct one-paragraph summary of the decision:

The Affordable Care Act, including its individual mandate that virtually all Americans buy health insurance, is constitutional. There were not five votes to uphold it on the ground that Congress could use its power to regulate commerce between the states to require everyone to buy health insurance. However, five Justices agreed that the penalty that someone must pay if he refuses to buy insurance is a kind of tax that Congress can impose using its taxing power. That is all that matters. Because the mandate survives, the Court did not need to decide what other parts of the statute were constitutional, except for a provision that required states to comply with new eligibility requirements for Medicaid or risk losing their funding. On that question, the Court held that the provision is constitutional as long as states would only lose new funds if they didn’t comply with the new requirements, rather than all of their funding.

The 5-4 decision was seen as a victory for the Obama Administration and will certainly become a key issue in the upcoming November election as Mitt Romney has already vowed to repeal the law should he win the presidency. In fact, this division was likely anticipated by Chief Justice John Roberts in his majority opinion:

We do not consider whether the Act embodies sound policies. That judgment is entrusted to the Nation’s elected leaders. We ask only whether Congress has the power under the Constitution to enact the challenged provisions.

Roberts did conclude, however, with regard to the constitutionality of the individual mandate:

The Affordable Care Act is constitutional in part and unconstitutional in part. The individual mandate cannot be upheld as an exercise of Congress’s power under the Commerce Clause. That Clause authorizes Congress to regulate interstate commerce, not to order individuals to engage in it. In this case, however, it is reasonable to construe what Congress has done as increasing taxes on those who have a certain amount of income, but choose to go without health insurance. Such legislation is within Congress’s power to tax.

Regardless of its ultimate fate, the Affordable Care Act stands, much to the benefit of some 30 million Americans without health insurance. To illustrate where these uninsured are concentrated, the Atlantic offered the following map.


Do Quiet Leaders Make Better Leaders?

Last week at the annual Wharton Leader Conference, I was presented with an interesting theory: Quiet leaders, oftentimes, make for better leaders. This goes against what we all know as the stereotypical leader — loud, strong-willed and an all-around extravert. But Adam Grant, associate professor of management at the Wharton School of Business, claims quiet leaders are more effective motivators.

He told of his experience working with a call center whose employee turnover rate exceeded 400% annually. The call center’s mission was to contact university alumni to solicit donations. Employees sat for eight hours a day, reading from a dry script and accepting continuous hang-ups as a part of the job (for about every 100 calls, one person would donate). As part of Grant’s consulting job with the call center, he was faced with a monumental task: Figure out how to motivate employees.

He decided to bring in scholarship recipients so call center employees could see that their hard work has afforded individuals the opportunity for a higher education. First, he brought in an outspoken, enthusiastic student who was class president in high school and involved in various activities within his university. He had a prepared speech and, according to Grant, was a natural born public speaker.

Grant tracked the success rate of calls for the next four weeks and found that employees were making more calls and more donations were coming in. His plan had worked. But could it work better?

After one month, he brought in another scholarship recipient. But this one was quiet, shy and uneasy speaking to groups. What sounds like an awkward presentation that would have little to no effect on employee motivation turned out to be exactly the opposite. The impact was powerful and surprising. The number of calls made almost doubled and donations spiked to a level never before seen.

The conclusion: The introvert provided the most motivation. Grant stressed that extraverted leaders are so obsessed with being the center of attention that they very rarely inspire or motivate others, besides themselves, that is.

According to Grant, the following can help one lead more quietly:

  1. Lead by doing
  2. Outsource inspiration (Grant points to programs that John Deere, Volvo and other companies use)
  3. Embrace the other 80/20 rule (introduced by Jim Quigley, who will never speak more than 20% of the time in meetings he leads, claiming he learns not by speaking, but by listening)



Governments Need Enterprise Risk Management

Tomorrow is World Risk Day. It will be the first ever World Risk Day. But in reality, it’s a moment more than a decade in the making.

Starting with 9/11 in 2001, the world has seemingly become exponentially more risky by the day. From Enron to Katrina to pandemic scares to cyberattacks to the 2008 financial collapse to the BP oil spill to Japan’s earthquake to the ongoing eurozone crisis to JPMorgan’s trading loss, transformative moments and trends have continued to shape and re-shape the way businesses, organizations and governments think about risks they face. (Here is a look back at the last decade of risk.)

In 2012, risks are more interconnected and potentially more devastating than ever before.

For this, breaking down organizational blindspots and miscommunication is more important than ever. Risk management must become a priority across the entire culture. And for this, organizations need enterprise risk management.

While many businesses have recognized this and adopted ERM (or at least ERM principles), government uptake lags. That is unfortunate. Because as the folks who put together World Risk Day note, here are five very good reasons why government agencies need enterprise risk management.

  • Proactive management of risk. Whether it’s economic meltdowns or global health scares like H1N1, the government faces more widespread, complex risks than any other type of organization. Today’s citizens want a government that not only manages the consequences of risk, but also anticipates and handles issues before they turn catastrophic. Effective risk management policies help to force all decision makers to think and work proactively.
  • Organization-wide visibility. ERM practices provide government agency leaders with visibility into their organization’s entire portfolio of programs. This practice not only improves transparency across departments, but also helps break down silos between each program – greatly improving proactive communication about risks and the sharing of best practices.
  • Budget management. Given large federal budget deficits and an unsustainable long-term fiscal path, program managers for government programs are challenged to anticipate and manage the impacts of budget re-allocations and continuing resolutions. A strategic risk management approach will aid in this challenge and enable organizations to stay on budget under notoriously fluctuating circumstances.
  • Reputation development and protection. Reputation is an intangible indicator of past performance and future success. For government agencies, a solid reputation is a critical asset. ERM can not only help an organization to identify reputational risks in advance, it can also improve the agency’s reputation by improving program delivery timelines, ensuring more accurate bids and stronger customer relationships.
  • Improved reporting for improved decision making. Lack of information, control and time are the major drivers of the risks facing government organizations. An ERM plan, and ideally an ERM technology that goes beyond just spreadsheets, helps to ensure that real-time, data-driven, interactive reports are delivered to all necessary parties.