This article was originally published when the insurance industry was just beginning to wrestle with denials in business interruption claims from COVID-19 closures and 2020’s record-smashing natural disaster tally was coming into focus. These events forced a reevaluation of the residual risk associated with insurance claims being denied.
Since then, numerous cyber attacks, most notably the Colonial Pipeline (which triggered a class action lawsuit), presented another example of this concept in the form of cyber insurance. In the article What Execs Get Wrong About Cyber Coverage, Scott Godes, a partner at Barnes & Thornburg notes it’s “a really bad day when you think that you've got a full policy limit available for a multimillion-dollar loss and then the carrier says, ‘not so fast, you only have six figures of coverage’.”
The groundbreaking use of “cyber war” as a means of denial in the Mondelez case opens the door to a complete restructuring of what cyber insurance actually covers and the likelihood of increased exposure for any organization attempting to transfer cyber risk.
"The precedent Zurich has set with its denial of the Mondelez claim is rather chilling. In the wake of this decision, insureds – large and small – are left uncertain as to whether their cyber policies will protect them in the event of a cyber attack or data breach, or could insurers play the “cyber war” card to escape their contractual duties. This is particularly troubling because while actual wars are a rarity, cyber crime is an all too frequent occurrence." — Scott Lyon, Denial of a NotPetya-Related Claim Shakes the Cyber Insurance World
Given the scope of cyber insurance coverage, and the potential liabilities involved, any lack of clarity in coverage could have disastrous implications. Munich Re board member Torsten Jeworrek notes, “The economic costs of large-scale cyber attacks already exceeds losses caused by natural disasters. Where small and medium-sized enterprises are affected, such attacks can soon threaten their very existence.”
All of this uncertainty lies on top of an already difficult market. In the article Buying cyber insurance in 2021? Expect greater scrutiny, higher premiums Jack Kudale, founder and CEO of Cowbell Cyber, a US-based provider of AI-powered cyber insurance notes, “we are currently seeing traditional carriers in some cases doubling the premium, reducing the limits in half or simply unwilling to renew certain industry classes in order to maintain their aggregated risk.”
While these recent developments place a different spotlight on the need to identify areas where insurance may not actually transfer risk, the recommendations in the original article still hold true.
Original article published January 26, 2021
Insurance is foundational to the risk transfer strategies of every organization. If an insurer can’t, or won’t, pay out promptly then the consequences can be catastrophic. One lesson learned from 2020 is that coverage may not be applied exactly when the enterprise needs it most. Unless data is unified between traditional risk and enterprise risk managers, the organization could be blind to a large threat from insurance risk transfer strategy that fails to transfer risk.
How organizations deal with risk has changed
Just as 9/11 forced an across-the-board reconsideration of physical security processes, the pandemic has brought a similar reckoning to enterprise risk. The PwC Ireland article COVID-19: Considerations for risk management notes how dramatically perspectives have shifted:
“Chief Risk Officers (CROs) and the heads of risk and leadership teams are familiar with managing the largest risks to achieve the organization's strategic goals. Current circumstances, though, are something entirely new. Previous assumptions may no longer be valid. Applying a risk management lens can help eliminate or minimize the impact of COVID-19 on your business' strategy and help you prepare for the new normal.”
One of the assumptions that “may no longer be valid” is that an insurance policy will provide financial relief when a business interruption insurance claim is filed. Blanket denials of these claims in the face of staggering pandemic-closure related losses is a clear demonstration that expectations surrounding insurance as a risk transfer mechanism need to be recalibrated.
Post-2020 era requires identifying the risk inherent within insurance
Over 100 federal lawsuits have been filed (with scores more on the state level) over insurers refusing to pay for COVID-19 related losses. Jim Sams explains in the article Number of Federal COVID-19 Business Interruption Lawsuits at 101 and Rising, “The central question binding all of the lawsuits is whether the novel coronavirus amounts to a physical loss of property that triggers insurance coverage for business income lost because of government ordered closures.” With the number of cases expected to grow into the thousands, Sams notes “that question is being asked by restaurants, taverns, dental practices, day care centers and hair salons all across America.”
Many of these businesses are relying on these payments to weather especially challenging times. For example, 40% of National Restaurant Association members state “it is unlikely their restaurant will still be in business six months from now” without additional assistance according to a September 2020 survey. Sams cites one estimate that pegs estimated losses from business closures to businesses with less than 500 employees at about half a trillion dollars each month.
Indications are that these cases may take years to resolve, with potentially conflicting results. Many businesses cannot afford to wait. Authors Jef Feeley and Katherine Chiglinsky detail in Insurers Winning Most, But Not All, COVID-19 Business Interruption Lawsuits how a denial of business interruption claims led Century 21 stores to say it could no longer survive. A lawyer interviewed in the article underscores the urgency. “This insurance is make-or-break for a lot of businesses,” he states. “People like my client paid for coverage for these kinds of losses and it isn’t right that insurers don’t want to pay.”
When risk becomes “uninsurable”
The sobering report An Investigation into the Insurability of Pandemic Risk by the Geneva Association explains the core reason insurers may not be able to pay these claims — unfortunate math.
“[T]he maximum possible loss is not manageable from the insurer’s solvency point of view. The uncontrollable aggregation of losses could be ruinous to the risk pool and, ultimately, to the insurance industry as a whole. This in turn could lead to significantly further financial stability risks across the wider economy.”
The report estimates that insurers would have to collect business interruption insurance premiums for 150 years in order to pay for 2020’s losses. Risk pools exist on the premise that risk can be diversified by balancing those localized organizations filing claims with the larger pool making payments without requiring claims. Since, by definition, pandemics occur simultaneously across the globe, there is no way to diversify the risk. “Therefore, pandemic business continuity risks are uninsurable,” the report concludes.
This means that many organizations have relied on insurance risk transfer strategies for an uninsurable risk.
A wider view on insolvency
Insurer solvency traditionally has not been considered a risk to factor when evaluating policy management strategically. The Geneva Associates report highlights how the pandemic is supposedly much different from other catastrophic risks. “Some other risks such as terrorism or natural catastrophes are diversifiable on a global level and routinely transferred via re/insurance or Alternative Risk Transfer (ART) instruments. These disasters impact a limited number of policyholders for a limited period of time.” However, assuming that these types of disasters will remain local in nature could create exactly the same kind of cascading risk the pandemic exposed.
State-sponsored cyber attacks, for example, have proven to demonstrate remarkable breadth and sophistication and could be trained on an ailing power grid that experts have warned for years is susceptible to attack. Similarly, concentrated attacks on a handful of linchpins supporting much of the global internet infrastructure could cause catastrophic business interruptions. It isn’t difficult to see how extended power blackouts (through waves of attacks and counter-attacks) or large-scale disruption of internet service around the globe could mimic the same type of problematic math that makes pandemic business interruption “uninsurable.”
Applying the “local in scope” label to natural disasters may also be missing a larger trend. Climate change is leading to more simultaneous events, greater damage from each event, and disasters moving into areas historically spared from their effects.
"As with COVID-19, climate change will be a huge test of global resilience," Jerome Jean Haegeli, Swiss Re group chief economist, said in the statement. "But while COVID-19 has an expiry date, climate change does not, and failure to 'green' the global economic recovery now will increase costs for society in future," he warned.” — From storms to wildfires: Natural and man-made disasters cost insurance industry $187 billion in 2020
Just like a bank run, where a financial institution collapses when everyone wants to withdraw funds at the same time, any of the above scenarios could lead to the same type of all-at-once financial stress we currently see from the pandemic.
Applying familiar techniques to new challenges with Unified Risk Management
Traditional risk management, focusing on insurable risk and TCOR, is often completely isolated from ERM and GRC programs. Yet, as the pandemic has shown, there are enterprise risks embedded inside each act of risk transfer. Only by unifying the data and tools across both sides of risk (insurable and non-insurable) can all aspects of risk transfer be properly assessed.
Treating insurance the same as any other internal risk control, with the same need to be properly tested and evaluated, allows Internal Control Management (ICM) techniques to be applied. Policies should be evaluated by counsel for potential coverage exclusions that may pose a higher risk for denials with action plans then assigned to the ones with the most residual risk. Business Continuity Management techniques could focus on creating plans for ensuring continuity of operations if insurance payments are delayed or contested.
Similarly, data from the RMIS side regarding the financial rating of insurers could be used to help provide a more comprehensive evaluation of insolvency risk. Lowering TCOR by obtaining critical policy coverage from an insurer with a lower financial rating, for example, could lead to unwitting acceptance of greater long-term risk that may be above the organization’s risk tolerance. Origami Risk allows users to monitor the AM Best ratings of an organization’s insurers and send out notifications if a rating is downgraded. In this way, all parts of the enterprise are working off of the same shared data, and decision-making becomes more strategic.
A time for all types of risk professionals to shine
Organizations are increasingly relying on risk professionals to solve unprecedented problems, especially given the risk inherent in an increasingly interconnected global economy. The traditional divide between insurable and non-insurable risk is blurring. Moving to a Unified Risk Management model, where data, solutions, and practices from all risk-facing parts of the enterprise can seamlessly influence and impact one another is the only way to address multi-domain challenges like denial of business interruption coverage.
To learn more about moving to a Unified Risk Management model and how to connect BCM, ERM, and ICM to traditional risk management, contact us.