The State of the Insurance Market

Yesterday, a meeting of minds discussed the state of the insurance market and the RIMS Benchmark Survey in a webinar that was broadcast live from the RIMS offices in Manhattan. The panel of experts included:

  • Jim Blinn, principal at Advisen (moderator)
  • Richard W. Sarnie, vice president of risk management for The Great Atlantic & Pacific Tea Company
  • Carol Fox, director of strategic and enterprise risk practice for RIMS
  • Pamela Ferrandino, executive vice president, national practice leader casualty, placement and senior director for Willis North America

Presented as insider views and opinions from behind-the-scenes, the webinar allowed the audience of buyers and brokers to gain a perspective that is intentionally broad and could influence how they adjust their risk appetite for the second half of 2012.

Jim Blinn: What is driving the increase in total cost of risk (TCOR)?

Rich Sarnie: I expand the TCOR beyond just the insurable cost. Look at things like the cost of capital. We also look at our safety expenditures. What I try to do is use the benchmark data as a starting point, but then add to it.

Blinn: In 2011, a record year for catastrophes, how have they had an impact on risk management and the types of questions you see underwriters asking?

RS: They’re really drilling down on our supply chain. Risk managers really need to be in tune with operations — where you’re getting your products and how you’re going to get it to marketplace, and if there’s a supply chain interruption, how are you going to deal with that?

What challenges do you see and how do you explain them to senior management and the board?

Carol Fox: I have an embarrassing example in regards to that. We had budgeted for a four-time increase and we missed it. My recommendation is to communicate with underwriters and brokers about cycles. If they aren’t communicating throughout the year, you really don’t get an opportunity to forecast things.

RS: This is what we get paid to do. Anyone can purchase cheap insurance. We have to say ‘listen, this is where pricing is going’ and if it comes to a certain point, you don’t buy it. This is were you really show your value to senior management. Again, it goes back to TCOR. Buying insurance is just one tool of many, it’s not the only one.

Pamela Ferrandino: I think it’s also a responsibility of the broker to communicate with you well in advance about a renewal.

As concerns risk, what are the biggest issues for senior management?

RS: Senior management is now much more focused on risk management. But their biggest concern is not insurance or insurable risks, it’s other risks, such as availability of affordable finance, supply chain, reputation, social media. you should have tools to address those risks. Those are the things senior management cares about the most.

Are there similar concerns at the board level?

CF: They’re most concerned about strategic risks. The other thing we’re hearing is that they’re getting a lot of data, but not a lot of information. To Rich’s point, the board is not necessarily focusing on insurance, but the question really is, what are the deviations? It all ties back to the risk appetite of an organization and its tolerances.

The workers comp industry has been under stress. How have comp carriers responded and how has this affected your clients?

PF: We have an aging workforce and that has presented a problem in the workers comp market.

What about reputation risk? cyber issues?

Carol: Organizations that actually rate reputation impact separately from any other impact they may have have a better handle on their risks. Reputation is always going to be important. From an emerging risk perspective, the biggest concern is not being prepared. Organizations may identify an emerging risk but they’re doing it in a very siloed way.

The 3 Most Curious Claims

As an editor of a publication, I get a lot of emails that don’t amount to much — mostly press releases. But every once in a while, there is a gem in a pile of useless information. Today, I found a gem. The following are the three most curious claims as reported by Mercury Insurance’s Special Investigations Unit:

  1. A Shot in the Dark — An LAPD gang detective reported his expensive BMW stolen from a Los Angeles-area strip mall. Police responded quickly, but became suspicious when the detective’s nephew arrived on scene seconds later to give him a ride home. Doubts deepened when the detective suffered a mysterious gunshot wound shortly after they theft. He alleged the shooting and theft were gang retaliation for his work fighting gang crime in the city, but the real story turned out to be quite different. LAPD and Mercury’s SIU were able to prove the detective orchestrated everything, including the shooting, in an attempt to defraud Mercury out of thousands of dollars. The investigation revealed the detective was more than $1 million in debt and he faked the carjacking to collect on his insurance policy. He then shot himself trying to bolster his disintegrating story, but later pled guilty to all charges and was sentenced to prison. His claim was denied.
  2. Oscar-Worthy…Not So Much — The insured’s car lightly collided with a stationary public bus. The much larger bus didn’t budge and no damage occurred to either vehicle, though one woman onboard claimed she suffered significant neck and back injuries. The SIU went to work investigating this injury claim and uncovered video footage of what transpired.  You be the judge:  (click here to watch the video). That flop puts soccer players to shame. No surprise, her suit was dismissed by the court.
  3. Let It Burn — The insured owned a $160,000 motor home and was having trouble selling it. Conveniently, it became the target of an arsonist – setting up the insured for a major payday. Think that sounds a bit too good to be true? So did investigators. The arsonist, who turned out to be the insured’s next door neighbor, was severely burned during the crime and quickly arrested. SIU investigators then obtained the name of a middleman, a 22-year-old friend of the insured, who hired the arsonist. Prior to any interrogation, though, he died in a suspicious motorcycle accident following a night of drinking with, you guessed it, the insured. As SIU’s investigation continued, the arsonist was handed a 16-year prison sentence. While serving time, his recorded prison phone calls implicated the insured as the architect of the crime and the ploy was exposed. The insured received a hefty prison sentence and his claim was…denied.

“I’m continually amazed by some people’s brazen, foolish attempts to cheat the system,” said Dan Bales, Mercury’s national director of special investigations. Brazen and foolish seem like a bit of an understatement.

Will “Voluntary Standards” Make for an Effective Cybersecurity Bill?

The debate over revisions to the Cybersecurity Act of 2012 has been fierce and, of course, mostly partisan. Recently, sponsors dropped a measure that would require critical private sector companies to adopt security standards, rather than making such measures voluntary. On the one side, critics say the bill is a step in the right direction for preventing cyberattacks; others feel it is too lax and wrought with problems.

One thing is clear, however. President Barack Obama does not take this topic lightly. Last week he published an op-ed in the New York Times in which he called the cyber threat to our nation, “one of the most serious economic and national security challenges we face.” He writes:

It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.

Frightening. And true.

An earlier version of the bill required companies who run the power grid, gas pipelines, water supply systems and other critical infrastructure to meet a certain level of security. Republicans opposed, so the newer, revised bill says companies can recommend their own security regulations and volunteer to have their security practices inspected by the government, making it, essentially, a bill that merely suggests that these companies take certain measures. A recent article on the Huffington Post site states:

The new bill “basically depends on the industry to make a good faith effort to improve security, and up until now they haven’t done anything,” said Joe Weiss, a security expert on critical infrastructure. “The question is, ‘Why would you expect all of a sudden for that to change?'”

James Lewis, a senior fellow at the Center for Strategic and International Studies, said, “The problem is the bill doesn’t give the government any new capabilities. You don’t need this bill. Nothing really changes.”

Without comprehensive, mandatory cybersecurity legislation, how can we hope to prevent such nationwide, debilitating events?

Some Banks Held Liable for Cyberattacks Against Small Business Accounts

When a hacker infiltrates your personal checking account to pilfer money, your bank, in most cases, will assume liability and resolve the matter of missing money. When a business account is hacked, however, the business owner is held liable. The reasoning? Banks feel that owners should have proper security measures in place to protect their assets. Basically, as a business owner, it’s your responsibility, not the bank’s.

But that sentiment is slowly swaying in favor of the businesses. Two recent court rulings have found banks to be liable for funds stolen by hackers, many of whom have targeted small businesses for their unsophisticated, or complete lack of, cybersecurity measures.

The Boston-based First Circuit Court of Appeals ruled earlier this month that Ocean Bank in Maine lacked reasonable safeguards against hackers who siphoned nearly $600,000 from an account held by Patco Construction Company Inc., a Maine contractor and builder.

Separately, a federal district judge in Detroit last year ruled that a bank owned by Dallas-based Comerica Inc. was on the hook for $561,399 in funds stolen from accounts held by Experi-Metal Inc., a custom metals shop in Sterling Heights, Mich. Experi-Metal was the victim of a phishing scheme that lured an employee into providing account access information, according to court documents.

These rulings come at a time when small businesses need them most. The June 2012 Symantec Intelligence Report shows 36% of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. “There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones. It almost seems attackers are diverting their resources directly from the one group to the other,” said Paul Wood, cyber security intelligence manager, Symantec.

Will banks’ liability for cyber attacks spread from these few, small business cases mentioned here? It seems like a lofty and unrealistic expectation. But hey, I doubt anyone ever thought legal action would be taken against banks for not protecting the assets of their business clients. The tables may be turning.