Analysis: Connected risks require joined-up thinking

Imagine a terrorist group instigates a cyber attack that breaks down air traffic control at a hub airport. A mid-air collision occurs, as well as several ground collisions, killing many people. Planes are re-routed, freight operations are halted. As business interruption spreads, local authorities consider halting sea, air and land traffic in the vicinity. The stock prices of aviation contractors and leasing companies fall. Airport and airlines CEOs are grilled by the press, while aviation, cyber, casualty and political risk underwriters have to swiftly assess their portfolio exposure.

That is one of the – rather scary – scenarios the Russell Group uses to illustrate connected risks. “Underwriting within a product line cannot be done in a vacuum or in a silo,” argues CEO Suki Basi. “An underwriter must be aware of some of the other risks that threaten to give contagion to the product.”

Adriano Bastiani, head of casualty facultative for global clients North America at Munich Re, agrees: “The degree of interconnection is dramatically increasing and companies offering services, especially IT-related services, are increasing. The world economy is shifting much more into services and the companies delivering these services have completely different vulnerabilities than production or manufacturing companies used to have in the past.”

The internet has been instrumental that interconnection of risks, entangling them tightly. “The very nature of digital risk means that it isn’t necessarily confined by geography and that means a single event can have a wide-ranging impact,” notes James Burns, cyber product leader at CFC Underwriting. He quotes as examples the Wanna Cry attack, which infected more than 230,000 computers in some 150 countries in May, and the Not Petya malware outbreak, which affected a Danish shipping giant, an American pharmaceutical firm and a Russian oil company, among many others.

The growing use of connected devices in the Internet of Things means cyber glitches can have repercussions in the physical world. “Physical infrastructure and devices are connected ubiquitously to virtual systems,” notes Richard Hartley, CEO of data analytics provider Cytora. “The need for companies to understand where digital risks intersect is paramount.”

Despite the crucial role played by IT systems in our lives, Burns says there is no need to be too alarmist, as a lack of harmonisation prevents infinite contagion: “Yes, modern networks and connected devices mean our systems can all talk to each other. But varied operating systems, different application baselines and the multitude of configurations mean our computing networks have also never been more diverse.”

“It isn’t just the internet in itself that has changed the risk landscape,” he observes. A view shared by Laura Irvine, partner at BTO. An IT meltdown at British Airways caused travel chaos over a weekend in May. “If electricity went offline for that length of time, the consequences would be more widespread and potentially more devastating,” she says.

Spreading contagion

As contagion can spread from a risk class to other risk classes, insurers need to break out of their traditional silo mentality, argues the Russell Group, urging them to build connected risk models that price risk and portfolio exposures more accurately. It suggests a ‘connected risk score’ that would benchmark companies by risk profile.

Jamie Bouloux, CEO of Emergin Risk, explains: “Looking at a company as a single risk rather than looking at multiple lines for any one risk in a company means that we should create more robust product propositions and get a better idea of what we should be charging from a rating perspective and ultimately how we should be allocating that across the portfolio in the organisation.”

Basi highlights how this differs from the current situation. “The corporates are looking for solutions, the insurance industry is offering products. There is friction between those,” he says. “If you’re blending casualty with cyber and property damage to give a more rounded solution, each of your class underwriters in those three things don’t necessarily understand a complex event; they haven’t seen that event. We need a way to adapt products, create solutions and not lose sight of the coverage criteria.

“Underwriters just need better access to information, they need ways of analysing information and they need to think outside the box, outside of their silos.”

For Bouloux, this doesn’t mean the end of product classes. “It is important that there is discipline within the verticals because you can’t have somebody who doesn’t understand property writing property propositions for a class. So you have to have the disciplines.”

He says insurers need to re-organise their underwriting teams: “It definitely needs strong leadership from the top; it needs people who can understand that risks transcend classes throughout verticals and it needs somebody who can drive collaboration across.”

To tackle connected risks, insurers need to overhaul their strategy, adds Bastiani. “Basically it’s probably kind of moving from a reaction to an action mode,” he says.

“At the moment, we’re writing risks, we’re accumulating them in the balance sheet and at some point in time there is a big event and everybody starts to realise: ‘How much do I have in my books?’ Of course, we have line management and we have limitations on what underwriters can write and pick up on an individual risk but if you don’t know the interconnection, it’s very tough to manage this accumulation.”

Policyholders and insurers should look at building resilience, Irvine suggests, She says the technological infrastructure to do so is available. And she expects upcoming regulations will provide an incentive.

The General Data Protection Regulation, coming into force in the UK on 25 May 2018, will increase fines for data breaches. In addition, the Network and Information Systems Directive, will be implemented into national law by 9 May 2018. “It obliges organisations which are deemed to be part of the critical infrastructure or the operators of essential services – such as those involved in energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure – to achieve minimum standards of cyber security in relation to all operations,” Irvine says.

She notes NIS fines could be as high as GDPR fines, whose maximum amount will be €20m (£17m) or 4% of global turnover.

That would be on top of all the claims that could be triggered by a complex event with contagion from one risk class to other classes. That potential cost perhaps explains why some in the industry are starting to give consideration to connected risks. According to Basi: “We’re just at that tipping point from curiosity to general interest.”