The best story told about insurance is how it originated many centuries ago. Merchants used to load their goods into boats and travel down-river to a nearby market. Unfortunately, dangerous water conditions often tipped the boats, causing the merchants to lose all their possessions. Since this caused significant hardship for the merchants and their families, an alternative solution needed to be created.
The merchants decided that if they spread their possessions among several boats traveling to the market, chances were most boats would make it and they wouldn't lose all their possessions. This model worked originally, but unfortunately several conditions made it unfavorable over time, for example:
1. Some merchants didn't take good care of their boats, which were therefore more likely to sink.
2. Newer merchants were inexperienced navigating the waters and tipped their boats more frequently.
3. Some merchants started stealing the goods of other merchants.
Eventually wealthy merchants decided a different alternative was needed. They agreed to replace all the possessions of any given merchant for a small fee. With this model, every merchant would carry their own goods. In the event their boat tipped while traveling through the dangerous waters, the wealthy merchants would pay to replace all their possessions. Of course, the merchants decided the following rules would apply:
1. Any merchant with a boat in poor condition would be charged extra for their journey.
2. Newer merchants would be charged extra because they had less experience navigating the dangerous waters.
Of course, this story continues to evolve over many generations but you can get an idea of how insurance allows us to protect ourselves against the financial hardship of a loss.
Today insurance covers hundreds of possibilities. For example:
• Protecting you from financial loss when your home is damaged.
• Protecting your family against the financial loss of a critical illness or death.
• Protecting your business from the financial loss of damages, injury and interruption.
• Protecting yourself from the financial loss of lawsuits.
• Protecting you from the financial loss of a car theft or accident.
Insurance works by "pooling" risk with others. This simply means a group of people want to protect against a loss or exposure that could cause financial hardship. Since the "pool" is so large, you can project what the actual losses will be for a loss or exposure "pool". It is obvious not all people in the pool will have a loss at the same time. This allows third parties (insurance companies) to profitably cover losses or new exposures as they may arise.
What do you think?
Almost 15% of systems remain vulnerable two years after the identification of the "Heartbleed Bug". Researcher Robert David Graham reported his results after completing scans on the 1.5 million systems that supported the bug. What should you be thinking?
What is the problem with this scenario? Most IT personnel will tell you the bug compromises security for applications including web and email, basically allowing cyber criminals to watch what you are doing. If two years have passed and systems are so vulnerable, what are the chances you or your third-party vendors are being impacted by this bug?
Can't my IT team detect this?
According to the article (http://heartbleed.com/), "exploitation of this bug does not leave any trace of anything abnormal". It is quite concerning to think someone could be tracing your actions undetected. This vulnerability can only be fixed as patches become available.
From an insurance standpoint
Unlike most types of crimes insurance professionals deal with, cyber crime can be mysterious. Unfortunately, cyber criminals are not breaking into your building and can't be easily caught by the police. This means most cyber activity goes undetected for a very long time.
When we work with businesses on cyber insurance, most are unaware of the IT infrastructure they have in place. This can make purchasing coverage difficult when it is hard to comprehend what type of exposure the organization is open to. These problems only mount when you consider the increasing number of clients and vendors interacting with a business every day.
Talking with an insurance professional about your cyber exposure should be a top priority. This exposure can have a large financial impact on your business and can be very hard to quantify. It's time to start thinking about how cyber exposure might impact your business.
What do you think?
How do cyber breaches affect you?
This question is asked often, which is why we wanted to do a mini case study for our readers. In this example, we are going to look at the Home Depot breach and discuss the ongoing implications.
Most corporate directors and officers are aware of some of the cyber breaches that have occurred over the last couple of years. In Home Depot's case, 50 million customer records were stolen from the system, causing a significant impact on their business. Following the breach, various lawsuits were brought against the company for breach of privacy. What we want to highlight is the derivative suit that followed the breach.
What is a derivative suit? A derivative suit is a lawsuit brought by shareholders on behalf of the corporation. In this case the shareholders are claiming there was a breach of duty and waste of corporate assets by certain company officers and directors.
Why is this relevant? The shareholders allege the directors and officers of Home Depot knew the company's systems were vulnerable and failed to act. In this case several warning signs should have been acted upon prior to the breach.
Now what? The first question a director or officer might ask is "How does my insurance respond?" In this case, it is important to understand that a directors and officers liability policy may respond differently to consumer protection laws and deny coverage in this situation. A commercial general liability policy will exclude electronic data, as cyber products have been developed to pick up this exposure. A cyber policy will generally contain language such as "warranties" or "subjectivities" which require basic security steps be taken to prevent a breach.
As you may now understand, there are several factors to take into consideration when considering the implications of a cyber event. Adequate protection for the directors and officers may be used up as more people look for defence under the policy of the corporation. This can leave directors and officers personally liable for lawsuits against the corporation.
The Take Away: Make sure you work with a professional team when purchasing insurance for your business. A specialist is better than a generalist and can give advice that will provide tremendous value before, during and after a claim.
What do you think?
The question for most organizations is not whether to employ technology, but how they should do it.
Most executives understand technology requires a large initial investment but struggle to consider the potential impact on the organization. From an insurance perspective there are a few things we like executives to consider.
1. Understanding needs: As with the strategic plan of the organization, the technology plan should be simple, practical, severable and flexible. This is why it is important to involve internal and external stakeholders in the selection and upkeep of technology. The best way to do this is to start by analyzing the current business situation. Once the existing situation is understood, executives should predict the future in order to anticipate what type of changes will need to be made and how the system will evolve with the business.
Insurance - When executives understand the technological needs of the organization they are often thinking about contingencies such as cyber strategy. Insurance companies like to see businesses taking a proactive approach towards technology. The more an organization can show they understand their exposure, the better the chances are that they will receive favourable pricing on their insurance.
2. Evaluating Technology: Reporting capabilities, capacity, support & training, and cost are all important factors when evaluating technology. Reporting capabilities and capacity increase the functionality of the system, but also increase the attractiveness to malicious third-parties. In order to combat this we implement support and training to educate and prepare the organization for the proper use of technology.
Insurance - Although the cost of training can be high, the costs of paying for the repercussions of a cyber breach can be even more expensive.
3. Implementation: Management attitude is critical to the success of any technology action plan as the organization turns to leaders for direction. Technology implementation should be an on-going and cyclical process as the organization grows. There should be a strategy in place for various situations that can impact the business, such as system updates, interruptions, and data breaches.
Insurance - Most insurance companies like to see a business continuity plan in place. When an organization can show they are able to prevent or limit the chances of a large loss, the insurance company will be more inclined to insure the company.
What do you think?
Total cost of risk
IRMI defines the total cost of risk (TCOR) as "the sum of all aspects of an organization's operations that relate to risk, including retained (uninsured) losses and related loss adjustment expenses, risk control costs, transfer costs, and administrative costs." Business owners should keep in mind insurance remains important for transferring risk and protecting their balance sheet. Total cost of risk encourages businesses to look at risk management on an integrated basis.
What items are included in the calculation of your total cost of risk?
1. Insurance Premiums: This is the amount you pay your insurance company for coverage through an insurance policy. Included in this calculation would be the various types of insurance you purchase as well as any fees you pay.
2. Self-Insured Losses: Not all losses will be covered by an insurance policy as the amount may fall under the deductible. When this happens a business is required to pay in order to fix or replace damages.
3. Risk Management: How much is professional advice costing you? Legal and risk management advice should be utilized by every organization. Whether it be hold harmless contracts or engineer inspections, these costs should be considered.
4. Precautionary measures: Sometimes a business needs to take extra precautionary measures in order to prevent accidents from happening. Many businesses purchase safety equipment or post signs to warn visitors of any dangers for which they might be held liable. A "wet floor" sign would be a common example of this.
5. Other: Training and miscellaneous risk expenses should be considered when calculating the total cost of risk. It might not always be an obvious choice but activities such as cyber awareness should be considered.
Every business should understand their total cost of risk and be aware of how they are allocating their expenses. Next we will explore the financial benchmarks for total cost of risk and discuss how every business can utilize this strategy.
How is the Total Cost of Risk Calculated?
Expected Self Insured Losses
+ Insurance Premium
= Total Cost Of Risk
Risk managers use Total Cost Of Risk to provide organizations with an accurate cost on risk. By drilling down into the customer’s transactional outcomes, a risk management professional can evaluate the tradeoff in costs of insurance and expense options. Some advantages of measuring and understanding Total Cost Of Risk are: cost trends can be measured, benchmarking can be done against other companies, and a risk appetite can be managed appropriately.
Expected Self Insured Losses
Losses absorbed by the company. For example, losses beneath the deductible amount, above the limit of insurance, or completely uninsured.
Risk control, claim and other administrative expenses. It is not uncommon for companies to hire external contractors in order to get detailed reports on their risk exposure. This category can also include precautionary measures taken to protect the organization.
Money paid to transfer risk onto an insurance company in return for coverage.
Utilizing the Total Cost Of Risk approach can be time consuming and take up a lot of resources. Unfortunately this prevents many organizations from taking advantage of such services. Fortunately some insurers have proprietary software that can help you analyze and calculate your Total Cost Of Risk. Ask your insurance broker if they have access to these services and start taking advantage of the Total Cost Of Risk approach for your organization.
What do you think?
The Base Team