As Halloween nears, people’s thoughts inevitably turn to ghoulies and ghosties, and long-leggedy beasties, and things that go bump in the night. At the Wire we take this opportunity to reflect on the scariest risks our clients faced this year. Which one scares you most? Take our poll at the end and let us know.
Tech, Media & Telecom: The Internet of Scary Things
by Jim Devoe
Last week showed us that the emergence of the Internet of Things can lead to frightening new variants of old threats. The distributed denial of service (DDoS) attack against a single company was able to take down major portions of the Internet. Reportedly 1 Terabit of data per second (akin to downloading the Library of Congress every 2 minutes) was hurled at the targeted company by hundreds of thousands (if not tens of millions) of baby monitors, DVRs, security cameras and similar devices, collectively making up the “Internet of Things” (IoT). The notion that baby monitors could be unwitting participants in a massive DDoS attack such as this is both alarming and unsurprising. Awareness that this is possible is important. As we understand how the IoT works – that baby monitors, or DVRs, or any other intelligent devices are basically miniature “PCs” that give their owners less control and visibility – it’s not difficult to see how these devices could be hacked and misused. And awareness, of course, is the first step toward correction.
Abrupt climate change
Efforts to adapt to the impacts of climate change are high on the agenda of governments and international organizations around the world. Last year, the milestone agreements made in Paris at COP21 helped set us on a more sustainable and resilient path. However, the challenge of meeting the target of limiting global warming to 2 degrees Celsius above the pre-industrial global average looms large, and generations to come will have to deal with our choices today. The insurance industry has a part to play in helping to build resilience to extreme events, both in our current climate and in a future warmer world where extremes such as droughts, storms, floods and others may occur more frequently. Science can help us quantify these changes and inform the best strategies for managing extreme risks. But scarier still is the concept of climate tipping points. One such theoretical example is a loss of permafrost due to Arctic warming leading to a release of stored methane into the atmosphere. Because methane is a highly effective greenhouse gas, this release could conceivably accelerate global warming, inducing a runaway effect known as the ‘clathrate gun hypothesis’, and could thereby bring about an abrupt change of climate state within a human lifetime. There are many theories that describe similar climate ‘tipping points’, which would make adaptation more difficult, so the best way to avoid these would be through mitigating climate change, but this presents different challenges. There is no “silver bullet” solution to climate change, and it is likely to be a concerted effort that makes the difference. By furthering climate impact research, fostering multisectoral partnerships, developing new financial tools to provide climate resilience, and supporting climate conscious investments, the insurance and reinsurance industries have great potential to contribute to this global challenge.
Transportation: Dependence on third parties
by Mark Hue-Williams
In the era of the alliance, the potential for third-party risks looms large for the transportation sector. Like phantoms, the threat they pose often remains hidden until it is too late. As the collapse of Hanjin Shipping taught participants in the global maritime supply chain, every member is vulnerable to the weaknesses of its partners and, through them, the partners they may not know they have. In Hanjin’s case, many beneficial cargo owners who had no commercial contract with the Korean carrier had their goods held hostage on stranded ships as creditors circled, reputations were tarred and customers fumed. But how well can you know your partners in a commercial environment where they also operate as your competitors? The answer is: too often, not well enough. In the connected world of the transport provider, the more partners a business has, the more risks it assumes. Even the most robust company must assume their partners’ appetite for risk, awareness of risk and their ability to defend against it. When airlines make promises to their customers about frequent-flier plans, their reputations rely on their partners’ ability to deliver; when a rail carrier compiles consumer credit card numbers, their security relies on the strength of shared platforms; and when shipping lines promise delivery dates, it is their partners who often fulfill those obligations. As commercial pressures continue to fuel the pursuit of economies of scale, alliances and partnerships will continue to multiply and the hidden risks will grow. So companies will be known by the company they keep.
Health care industries: Flooding exacerbating Zika
by Deana Allen
Another communicable disease made headlines this year with the Zika outbreak and it is not over yet. The recent tropical storms and hurricanes (with high probability of more) left many with flooding and standing water. This is the perfect breeding environment for mosquitos. The CDC has reported there are over 2,475 pregnant women with lab evidence of possible Zika virus, which can cause devastating birth defects. There are still unanswered questions concerning the spread of Zika and the potential long-term health effects. Zika also continues to cause disruption in the travel and hospitality industries. Many countries and cities have been hard hit as their economies are dependent on tourism and business travel. Communicable diseases will continue to be a “scary” issue for our world for many years to come and its citizens must work together to prevent, educate and overcome these outbreaks.
Cyber risk: Cyber extortion takes a turn for the even nastier
by Jamie Monck-Mason
The cyber criminal’s modus operandi of choice in 2016 has undoubtedly been the use of ransomware – i.e. encrypting or locking an organisation’s computer system and then demanding a ransom to decrypt or release it. Whilst the technology has been there for years, the last 12-18 months have seen a dramatic increase in its adoption. The Australian Government has claimed that 72% of surveyed businesses had been victims of a ransomware attack in 2015, and leading cyber security experts Kaspersky Lab estimates that ransomware attacks increased fivefold in the 12 months leading up to March 2016. And yet something approaching 50% of cyber insurance policies offer no ransomware protection at all: such policies typically cover only extortion demands by hackers threatening a future attack, rather than cases where the attack has already taken place and the ransom is demanded so as to bring the adverse effects to an end. And that’s before one considers the legality of paying ransoms to criminals who may be subject to sanctions; or the practical implications of notifying law enforcement agencies (as typically required by cyber insurers) in jurisdictions where the inevitable response is to seize all the victim organisation’s computer hardware as evidence. And if that’s not scary enough, just imagine the potential for ransomware attacks on autonomous cars, e-enabled aircraft and perhaps electronic medical implants. Be afraid; be very afraid! So what can one do to protect against ransomware? The FBI amongst other agencies provides some useful tips covering the basics, but no defence is watertight. Hence the value of appropriately worded cyber insurance policies (rather than many un-vetted off-the-shelf products).
Terrorism: Lone wolves
by Rohini Sengupta
As our world becomes increasingly more connected, it no longer takes a coordinated effort on behalf of terrorist groups to inflict terrible damage on societies across the globe. With the advent of interconnected communication systems like social media, recent terror attacks have been largely conducted by a single or small group of assailants not specifically associated with terror groups, but simply inspired by terrorist ideology. Terror attacks in 2016 no longer have the same profile as attacks in 1990 or 2001: recent events also demonstrate a shift from targeting property toward inflicting mass casualties — from the November 2015 Paris attacks to the San Bernardino Shootings, the Orlando Shootings, and the July 2016 attack in Dhaka, Bangladesh. As recent events signal a shift away from large property damage, we have seen a spate of new product offerings looking to cover the gaps in coverage that result from insuring terrorism from just a property-based lens. New products, such as active assailant coverage, which does not require property damage to trigger business interruption cover, are helping insureds protect themselves from the changing nature of terrorism.
Energy: Real-life destruction from cyber attack
From an energy industry perspective, the scariest risk in 2016 is an offshore cyber-attack leading to significant property destruction, pollution and loss of life on the scale of the Deepwater Horizon incident in 2017. The potential exposure, running into multiple billions of dollars, may well be enough to threaten the very viability of the affected company. To date, no viable risk transfer solution exists for such an eventuality; not only is offshore cyber risk cover involving physical loss or damage virtually non-existent, but even if it existed, current insurance market capacity for business interruption, pollution liability and operators extra expense – approximately US$1.5-2 billion – is in itself unlikely to be sufficient to absorb such a risk.
Natural catastrophe: Large volcanic eruption in Europe
by Rosa Sobradelo
Most dangerous and explosive volcanoes erupt at intervals of several decades or more – long enough for populations and businesses to become established within range. In Europe alone we have two large “currently dormant but potentially active” dangerous volcanoes – Vesuvius (Italy) and Teide (Spain) – with traced records of major explosive and violent eruptive behavior. These volcanoes could reawaken at any time in the near future. The modest eruption of the Eyjafjallajökull volcano in Iceland in 2010 caused millions of pounds in losses from international business interruption owing to the closure of air routes across Europe. It is scary to think about the damage, losses and devastation that a large volcanic eruption from Teide or Vesuvius could cause to the European economy, as well as the impact on global climate and the threat from secondary perils such as tsunamis, pyroclastic flows, lahars and landslides. We need to raise awareness of volcanic risk and look at ways of enhancing safety and resilience, especially when living in the shadow of a volcano.
Captives: Base erosion and profit shifting – the bogeyman under the bed
by Alexandra Gedge
For some, Base Erosion and Profit Shifting (BEPS) may be causing nightmares, but should it be? BEPS is the OECD’s response to tackling tax avoidance on an international scale, with captive insurance companies specifically referenced on the BEPS target list. However, is it really as scary as it seems? After all, BEPS merely formalises some good practice that, for most captive owners, is already in place. Take a few sensible steps, and BEPS needn’t cause sleepless nights. Like the bogeyman, the ‘threat’ might be more imaginary than you think.
Reinsurance: A turn to a hard market
by Jens Peters
This ought to scare all of our clients across all lines of business, not only the sophisticated insurance buyers we come across in the alternative risk transfer (ART) space. Recent commentary suggests that we are approaching, if not already past(!), the bottom of the insurance cycle. Swiss Re’s Group Chief Underwriting Officer, Mathias Weber, made such comments at the recent “Rendez Vous de Septembre” in Monte Carlo. Many market experts seem to agree with him. A major event, or a combination of significant events, will decrease supply of both traditional and alternative capital. The consequences could be dramatic and include increased price and limited cover – by definition a turn of the market. This is a scenario every risk manager will be nervous about. Those who may be a little less scared probably have explored alternative risk transfer solutions and locked in portions of their risk cover as long-term deals (three to five years) – one way to hedge against price volatility.
U.S. financial institutions: The Hill has eyes
Capitol Hill has been one of the scariest spots on earth for financial executives this year. In any election year politicians are anxious to make headlines, and this year financial institutions have been a favorite scapegoat for both parties. Dodd-Frank now makes senior management more liable for problems at their institutions (as well as potentially putting their compensation at risk). A subpoena to appear before a congressional investigatory committee, especially if it means responding to allegations of malfeasance or mismanagement, should terrify any sane executive. Grandstanding politicians with the opportunity to browbeat well-compensated financial institution executives – well, that’s a dream for ambitious politicians and a nightmare for financial executives. The best way to chase away these nightmares is transparency. Clear policies, strong controls and independent audit staff will help keep those scary politicians at bay.
U.K. executive risk: Reputation rot
by Francis Kean
It’s your reputation, stupid! We’ve all heard about the personal liability exposure for senior managers caught up in regulatory investigations and enquiries in the post-financial crash era. But what about the risk that your reputation becomes tarred by association with a big loss or scandal without you first having had an opportunity even to put your side of the case? Against the rules of natural justice? Well, that’s one of the arguments which will be run by a manager formerly in charge of the London office of one of the world’s largest investment banks in the infamous London Whale case, which is due to be heard by the U.K. Supreme Court before the end of this year. An even greater element of this nightmare scenario is that many D&O policies do not provide this type of protection for reputational expenses for managers in the absence of a claim.
U.K. construction: Brexit
by Peter London
Uncertainties about the impact of Brexit weigh heavily in the boardrooms of U.K. construction and property sector businesses. Will investment disappear and projects be cancelled? Will significant design changes be necessary to manage a limited investment? Time will tell, but for now uncertainty is about the only certainty. And financial uncertainty is, for most businesses, their single biggest fear. Much of the U.K. Government’s pipeline of GBP51bn of projects was uncertain even before the 23 June 2016 vote. Some 60% of this pipeline relies on private sector investment, now likely jeopardised by the current climate. Will foreign investment fall away given the doubt about the shape of future trade agreements between the U.K. and the E.U.? Large infrastructure projects will lose a key source of funding – the European Investment Bank (made up of E.U. Members) lent EUR5.5bn to U.K. infrastructure projects in 2015. Previously approved projects will likely proceed, but obtaining approval going forward will certainly get harder. Confidence is needed to encourage investment and promote stability. Perhaps the Government’s decision on Hinkley Point is a step in the right direction – on that front at least.
The scariest risk in 2016 for P&C in Brazil was terrorism, as the country hosted the Olympics. Government and businesses have had to contemplate the heightened threat of terrorists targeting the country. Transport facilities, stadiums, shopping malls, hotels, hospitals, storage tanks of flammable materials, bridges, tunnels, tourist attractions, water treatment and supply plants, and offices of iconic brands were all on higher alert. The risk and the product got the attention of media and customers.
Human capital: Rumor as communication strategy
by Lisa Beyer
The scariest communication risk is not sharing benefits information with your employees on a regular and consistent basis — relying instead on spooky “water cooler” conversations to fill in the gaps. This can lead to “scary” misunderstandings and even more horrifying rumors. To foster employee engagement, ensure understanding, and help employees understand those mysterious benefits and use them wisely, strive to communicate year round. A communications plan with a production schedule will minimize your toil and trouble and keep the information hounds at bay.
U.S. health and group benefits: HIPAA audits
While we’ve spent the better part of the last 6 years being scared by the next ACA shoe to drop (and that might still be scary), employers have new compliance issues to be wary of. The recent EEOC guidance on wellness plans and their interaction with the ADA and GINA caused many to have sleepless nights as it upended the status quo. Even scarier perhaps is that the Office of Civil Rights in Health and Human Services is analyzing the results of their Phase II HIPAA audit programs. The goal is to then take the information and apply those findings to employer sponsored group medical plans generally. So employers who have not kept up to date with the HIPAA obligations of their group medical plans should not delay in getting those plans reviewed, as the audit program may be rolled out at any time.
U.S. compensation: Fair Labor Standards Act (FLSA) updates
On May 18, 2016, the Department of Labor (DOL) issued the long-awaited final regulations updating the overtime pay rules. The final regulations primarily focus on increasing the salary thresholds needed to qualify as an employee who is exempt from the FLSA’s overtime and reporting requirements. These new rules, increasing the minimum salary threshold to $913/week, will have a major impact on many employers as they extend the overtime protection to 4.2 million employees that were not previously covered – and employers have been scrambling to prepare all year. Effective December 1, 2016, how will these changes affect your organization and what do you need to do to prepare?
Did we miss any? Tell us about it in the Comments section. Meanwhile, tell us which of these you worry about most in your business.