Cyber Risk—The Great Fire of London Issue of Our Time
By Edmund Douglas
was ruined.” Rebuilding the city took many years, with one of the offspring of the process being the world’s first insurance company. Fire brigades were formed, and many laws at the local and national level have since been enacted to reduce the risk of another such catastrophic event.
Today, cyber risk (i.e., digital security and privacy protection risks) bears an uncanny resemblance to fire risk just before the catastrophic event that took place in London in 1666, with the notable exception, of course, of the personal physical harm that comes with fires. Fire risk then was a significant and complex risk to manage—with the potential to disable critical infrastructure, imperil national security, and threaten the economy—and the same is true of cyber risk now. Urbanization, which brought significant economic benefits to the population then, was the driving force behind the increase in fire risk. Today a similar evolution is the increasing use of digital technologies, which has yielded a multitude of benefits affecting the entire world. The digital transformation of economic activities has led to a sharp increase in cyber risks, which were identified among the top global business risks in the 2017 Allianz Risk Barometer survey.
Unfortunately, in London’s case it took a significant catastrophe to summon a serious response to the risk posed by urban fire. Ultimately the response was a multifaceted one that took the form of an integrated approach involving the public, private, and social sectors adopting a package of risk mitigation measures. Insurance coverage for fire risk had a role in, and made important contributions to, the management of the risk. In a similar vein, the Organization for Economic Cooperation and Development’s (OECD) December 2017 report, Enhancing the Role of Insurance in Cyber Risk Management, provides a series of policy recommendations aimed at enhancing the contribution of the cyber insurance market to manage the increasingly prevalent risk posed by digitalization. The report was prepared by the OECD based on questionnaire responses received from (re)insurance companies and brokers globally active in this market, as well as responses from ministries of finance and insurance regulators responsible for overseeing the market.
The report points to how the management of cyber risk could be improved once significant obstacles impeding the development of the cyber insurance market are overcome. Specifically, insurance could contribute to the management of cyber risk through:
- supporting the quantification of cyber exposure;
- providing expertise on risk management and prevention;
- facilitating access to crisis management services; and
- encouraging risk reduction through premium pricing.
In laying out its case, the report provides extensive background on a variety of related topics. Included is an insightful overview of different types of cyber incidents, as well as the types of losses that may result from such incidents. It gives a crash course on the cyber insurance market, including the types of losses that commonly are covered by stand-alone cyber insurance policies and traditional policies, as well as the losses that are more difficult to cover. The report offers useful information on how insurers underwrite cyber insurance coverage and the additional risk mitigation and crisis response services frequently offered with policies and gives an explanatory overview of the main challenges that constrain the capacity of the cyber insurance market from both the supply and demand perspective. It also examines initiatives that are being explored and ideas that have been proposed to address ongoing challenges. The report concludes by providing a pertinent set of recommendations on policy and regulatory measures that could be implemented to improve the development of the cyber insurance market.
Some of the report’s key findings include:
- Governments should include insurance as an essential component of their strategies for addressing digital security risks.
- Greater public–private collaboration is necessary to overcome the sparsity of data on cyber incidents, which is a significant impediment to the management of cyber risk.
- The policy, legal, and regulatory frameworks are important factors in how much information on cyber incidents is made available, and, therefore, governments should promote notification and disclosure requirements that improve the availability of data on cyber incidents and losses.
- The insurance market has an important role to play in providing greater clarity about the coverage available for cyber risk and which policies provide that coverage. Governments need to acknowledge this and ensure that policyholders are provided with as much clarity as possible on available coverage so that no gaps emerge as a result of market practices.
- Although the financial effects of cyber incidents to date have been manageable, there is concern about the potential for significant accumulation losses. Governments should examine options for managing cyber accumulation risk, including the potential role of risk pooling.
Many of these conclusions may not be surprising, particularly to those well-versed in the topic. Nevertheless, the overarching theme that easily may be missed is that the burden of enhancing the development of the cyber insurance market does not need to fall solely on the private sector. Collaboration between the private and public sectors is the optimal path. Even so, there are significant obstacles that need to be overcome, which the report discusses in great detail.
It took a significant catastrophe for London to develop effective measures involving both the private and public sectors to manage the risk of urban fire. How and when we respond to the increasingly prevalent risk posed by the digital revolution remains to be seen.
Edmund Douglas is chairperson of the Academy’s Cyber Risk Task Force.
COPLFR Releases P/C Loss Reserves Practice Note
practice note, the purpose of which is to provide information to actuaries on current or emerging practices in which their peers are engaged related to issuing NAIC P/C statements of actuarial opinion (SAOs) and actuarial opinion summaries (AOSs).
It is intended to assist actuaries by describing practices that COPLFR believes are commonly employed in issuing SAOs and AOSs on loss and loss adjustment expense reserves in compliance with the P/C Annual Statement Instructions for 2017 issued by the NAIC. Actuaries may also find this information useful in preparing SAOs for other audiences or regulators.
COPLFR Issues Exposure Draft of Retained Risk Practice Note
The Committee on Property and Liability Financial Reporting (COPLFR) released an exposure draft of a new practice note, Retained Property Casualty Insurance-Related Risk: Interaction of Actuarial Analysis and Accounting. Comments are due by March 30; read the Academy alert.
The practice note defines ways that entities use to retain risk, often described in other literature as methods of financing an entity’s exposure to risk. Because the type of entity often determines the particular approach or applicable accounting treatment, the various types of entities and the associated variation in the retained risk characteristics are described. The common exposures that these various entities may retain also are described, and the practice note also discusses the relevant accounting guidance that could apply to the various entities and exposures, the interaction of the accounting guidance with the relevant actuarial concepts, and the variation by type of entity.
“COPLFR saw a need for practitioners to be able to access a single source document that provides an overview of the accounting principles that apply and identifies what practitioners view as the right resources to access,” said Past Academy President Mary Frances Miller, a member of COPLFR.
Lisa Slotznick, a member of the Academy’s Board and a past COPLFR chairperson, added that actuaries working for insurers that provide commercial insurance with retained risk components also encounter the situations described in the practice note and, therefore, may also find it a helpful resource.
Academy Weighs In on Proposal for ‘Qualified Actuary’
The Academy provided comments in response to the NAIC’s exposure draft of the proposed Revised Qualified Actuary Definition for the Property/Casualty (P/C) Actuarial Opinion Instructions.
“The Academy strongly supports the exposure draft’s revised definition that refers to the Member of the American Academy of Actuaries (MAAA) as the sole credential the NAIC recognizes as identifying qualification to sign statutory statements of actuarial opinion (SAOs) in the P/C Actuarial Opinion Instructions,” wrote former Academy President Mary D. Miller. “We support this approach, as we have before, for several reasons that make this approach the most appropriate way for the NAIC to focus its qualifications specifically on actuaries who are knowledgeable and dedicated to practice in the U.S.”
The letter also offered comments on a qualified actuary being able to perform tasks identified in the NAIC 2017 U.S. P/C Appointed Actuary Job Analysis.
Senior Fellow Ryan Testifies at Maryland General Assembly Auto Insurance Hearing
commenting on legislation that would prohibit the use of occupation, education, gender, and marital status as factors in determining private passenger automobile insurance rates. Ryan’s remarks focused on the actuarial implications of such actions, including application of actuarial principles and standards of practice, including, specifically, risk classification.
Actuaries Climate Index Remains High for Latest Quarter
Actuaries Climate Index (ACI) released in January for the period of spring 2017 reveal the five-year moving average of climate extremes across the United States and Canada remains near the high recorded in the previous quarter, winter 2016–17. The seasonal ACI value was 1.66, compared with 1.94 in the previous quarter, marking the seventh consecutive season with an elevated value of above 1.5.
“Sea levels have overtaken high temperatures as the biggest single factor behind the record averages in climate extremes measured by the ACI,” Academy Senior Property and Casualty Fellow Kevin Ryan said in a statement. “Sea level measurements in the Atlantic and Gulf Coast regions were particularly important in keeping the moving index value at its current high level.”
The five-year ACI moving average for spring 2017 was 1.14, the same value as reported in the previous quarter, which was a record. Sea level, one of the six components of the index, has been highest in recent years in the Southeast Atlantic region (Virginia to Louisiana) and in the Southern Plains coastal region (Texas).
Sea levels in the Central East Atlantic (Maryland to Maine) and Northeast Atlantic (Canada’s Maritime Provinces) regions also contributed to the increased significance of the component.
The ACI is based on analysis of seasonal data from neutral, scientific sources for the six different index components collected since 1961. It measures changes in extremes of high and low temperatures, high winds, heavy precipitation, and drought, as well as changes in sea level, expressed in units of standard deviations from the mean for the 30-year reference period of 1961 to 1990 for the United States and Canada combined.
The ACI—sponsored by the Academy along with the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries—is designed to provide objective data about changes in the frequency of extreme climate events and sea levels in recent decades.
COPLFR Shares Academy Research Findings on Schedule P Reporting Practices
The Committee on Property and Liability Financial Reporting (COPLFR) sent a letter informing the NAIC’s Casualty Actuarial and Statistical Task Force of the results of Academy research into Schedule P reporting practices. The Academy’s survey looked at currency conversion and changes in intercompany quotashare pooling due to acquisition or divestiture.
Related to foreign currency, 89 percent reported having no material amounts in Schedule P in non-U.S. currency. For those that responded with regard to amounts in non-U.S. currency, questions were asked on two groupings, Canadian currency and all other currencies. With respect to Canadian currency, 60 percent converted into U.S. dollars prior to preparing Schedule P, thus indicating that Schedule P amounts for those companies are all denominated in U.S. dollars. The remaining 40 percent do not convert the Canadian-dollar-denominated amounts into U.S. currency for preparing Schedule P. With respect to non-Canadian currencies, 100 percent of the respondents indicated that they converted the foreign currency into U.S. dollars.