“CyberRisk” sounds like the title of a new movie and, indeed, there have been a good many films coming out of Hollywood that have played upon our fears of the unknown in terms of new and untried technologies. Also, they have played upon our fears that miscreants might be able to manipulate these technologies to our general disadvantage. Fables, to be sure. But for the insurance industry and its clients, CyberRisk is not a fable. It is a reality, which harbingers new potential exposures that, if not checked, could run into losses in the hundreds of millions of dollars. Global Reinsurance correspondent Phil Zinkewicz recently conducted a roundtable discussion on CyberRisk exposures.
The roundtable was held at the offices of Guy Carpenter & Co. at Two World Trade Center in Manhattan. Participants in the roundtable included representatives of the legal and insurance professions who are in the midst of dealing with new CyberRisk exposures.Those participating were:
• Troy von Kutzleben of Guy Carpenter;
• Alan C. Brown of Chubb & Son;
• Robin M. Williams of Odyssey Re;
• Eugene R. Anderson of the law firm of Anderson, Kill & Olick;
• Peter K. Demmerle of LeBoeuf, Lamb, Greene & MacRae; and
• Mark W. Hutchins of Media/Professional Insurance.
What follows is the edited text of the roundtable proceedings.
Phil Zinkewicz: The subject today is CyberRisk. Of course, we should start with Y2K, a subject which has been talked about and written about a great deal. But what has not been discussed in terms of insurance exposures are the products that are out there or perhaps should be out there. Have Y2K insurance products been structured to meet the exposures, and are buyers purchasing them?
Peter Demmerle: Well, let's start with the products. There have been a few that have been offered in the marketplace. I don't believe any of them were widely appreciated by potential buyers. I think at one point there was a great deal of having to educate the underwriter as to what the exposures would be and also, in many instances, maybe two and three years ago, convincing policyholders that there was, in fact, considerable exposure relating to Y2K. I think by the time the policyholders were convinced and in full gallop to correct the problem, the underwriters began to shy away from the risk for fear that those who came late in the game would represent the most likely to fail. That aside, our firm has been doing quite a lot of work to help companies mitigate their exposure to loss.
Eugene Anderson: We have, as representatives of policyholders - which include a lot of insurance companies who are also facing litigation involving other insurance companies as policyholders - followed Y2K very closely. We have given a number of opinion letters on coverage issues and are basically advising our clients to give notice particularly to property insurers that there may be property exposures facing them in this year.
Robin Williams: From our standpoint as a reinsurance company, our major concern with Y2K has been monitoring what our clients - people with whom we have reinsurance treaties, for whom we are providing reinsurance - are doing to minimize their Y2K liabilities, to understand what their feeling is in terms of the coverage grants that are being offered, the defenses they have, the level to which their underwriting is going to protect them against Y2K liabilities. We have not participated in very many reinsurance policies that actually give Y2K coverage to clients, although there are a few out in the market. We also have noticed that Y2K products have really not taken off.
Alan Brown: We have spent a lot of time, as you can appreciate, trying to figure out what Y2K exposures mean, certainly to technology customers in particular. The main way we have been tackling it is to evaluate each one of our customer's mitigation procedures for handling both their internal and external Y2K exposures. We try to be very fair and thorough with each and every one of them to figure out where they are and see how we feel about that. That has been our primary approach to it. We don't think it is at all fair to, you know, make wholesale assumptions one way or another because somebody fits a particular category, because that would be counter to our underwriting philosophy of trying to specifically evaluate individual risks. As to what is going to happen, my crystal ball is probably as fuzzy as anybody else's. I don't think we can forecast anything in the future, other than there is going to be at least some coverage at issue.
Mark Hutchins: Likewise, we have taken a similar tack and actually began the process probably in the middle part of 1997 to start developing a plan of action as to how we were going to address the exposures that we already had on the books as well as new technology business that we might underwrite in the next few years. We also wanted to provide a fair outlet for our existing and prospective customers, not taking a head-in-the-sand attitude, but trying to be very up front with them, telling them that we would be evaluating their activities and the exposures that could possibly appear relative to the millennium change. We want to make a positive statement as to the insurability of those exposures under the coverage we would offer, whether that positive statement were in the form of a positive coverage grant or a positive exclusion for those exposures. But our objective in that effort was to prevent or to minimize the possibility of as much dispute resolution between the insurer and the insured as to the coverage. So if a situation arose where the insured was alleged to have been negligent in providing services relative to a Y2K situation, we would have a concentrated focus effort in their defense as opposed to spending a lot of time and energy just arguing among ourselves. We began implementation of that program in the middle of 1998, actually, and, again, we will not know the final outcome until a few months from now, but so far, it appears as though we have done a reasonably diligent job in working with our carrier partners and their reinsurers in being able to define the book of business relative to Y2K exposure that we are trying to handle.
Phil Zinkewicz: It is interesting that some of you have mentioned that initially, the Y2K coverages, which were designed a few years ago, were not well received by potential buyers and that, later in the day, underwriters were reluctant to sell to buyers who came in late, feeling they might be the ones most in jeopardy. In other words, first Y2K products were not being bought, and now they're not being sold. What is going to happen? Is there going to be the litigation explosion after January of next year that everybody is predicting? If the coverages have not been purchased and they are not being sold, except under very stringent circumstances, is there going to be chaos?
Peter Demmerle: I think you have to separate the books of business first, before you can give a generalization about the whole industry, which is a pretty gutsy thing to do. If you try to segment the business, product liability, E&O, D&O, and so forth, I think you will find there will be very different results in the various books. A lot of it will depend in some measure, not so much on the efforts of the insured, but the interdependence of their business with third parties, either suppliers or distributors of products and how well those parties have attacked their problem. I think one of the things we are seeing as a result of trying to help clients to mitigate risk exposure is just how interconnected the economy is and how dependent on information technology.
Phil Zinkewicz: Are there any particular lines you see that are more vulnerable than others, such as business interruption?
Peter Demmerle: One is the property account, and that is because of a clause that some parties have imported from the marine world called a “sue and labor” clause. There was press attention in some recent litigation, which involved that particular clause. I think at this point we can reasonably interpret that recent litigation as that both sides are positioning themselves on various issues and various jurisdictions and sort of feeling where they go. I think it is all going to happen very quickly, but I think you will find that, unlike a single severity, you are going to have a high frequency of loss which aggregated will produce a catastrophe like a blip on the loss code.
Alan Brown: I'd like to say something about the severity issue. I would say one of the issues that inhibits commercial insurers from offering, quote, unquote, “Y2K coverage” is, simply, the fear of signing up to a catastrophic event. Basic insurance principles say you are trying to avoid catastrophic exposures, if you can help it, because you really cannot charge enough money and grant anybody any real coverage underwriting catastrophes. So one way to look at it would have been to say, it is a catastrophe that could hit virtually everywhere, arguably all at the same time or within a very tight time frame, so you would have every building in the world on fire almost at the same time, if you want to put an Armageddon type look to it. If you look at that kind of thing and say, okay, how can one figure out how to offer insurance, I guess yes, there is a way, just like there is a way to insure 97-year old men for life insurance too, but it becomes somewhat of a theoretical exercise.
Mark Hutchins: If economically feasible.
Alan Brown: This story may be apocryphal. As I understand, in the early days of aircraft insurance, the loss was an almost certainty, so they had to charge you the value plus a handling fee. So you, in essence, you paid more than 100% for coverage. If you want to call it insurance, I guess we can broaden the definition, but I don't think that falls within the general definition that we normally use in the commercial marketplace. I am being only slightly facetious when I say that. If we could figure out a way to grant affirmative coverage and thought we had a reasonable chance to make money at it, we would have done it, but we have not.
Phil Zinkewicz: Many people would say the potential catastrophic occurrences that you are talking about were overblown in the beginning. Do you think that is true? If they were overblown, why couldn't underwriters see that and design products that would have been economically acceptable to buyers. Isn't that what their profession is all about, to see something that may appear uninsurable and find a way to come to grips with the problem?
Mark Hutchins: There is really no history to go by with Y2K. Our industry is based on historical data. We establish our rates based on how many homes have burned in a particular area or how often a hurricane hits the coast of Florida. There is no historical data because this phenomenon we're dealing with did not exist or the circumstances and conditions did not exist in the last millennium, or even the last decade, really. So we really have no historical data to use as a foundation. I think we have collectively made reasonable attempts to try to value what the potential loss may be and I think part of the problem was that, at the beginning of the awareness period of the Y2K events, there was a lot of talk of Armageddon, of all the buildings in the world being on fire. I think calmer, saner heads have taken over.
Peter Demmerle: Hundreds of billions of dollars have been spent.
Mark Hutchins: Exactly. I think a lot of us are hoping those dollars have been spent wisely and will have a positive result. I think we all recognize that there will be problems. I think we see some positive effort in terms of legislation to try to hold back some of the possibility of exorbitant legal expenses in terms of just answering questions as to responsibilities and coverage, etcetera. So I think we are seeing a much more positive picture at this point, but we are in a situation now where if you have not done it, it is probably too late. So to try and create a product, create a new product today that would be responsive, it is not feasible.
Phil Zinkewicz: Sort of like the MGM Grand, it would have to be a backdated policy. You mentioned before, Robin, that you also had noticed the policies or the products that were created initially were not well received. Why was that?
Robin Williams: I think probably the insureds just felt that they were not going to get a lot for what they would have to spend for coverage. That relates to the points that Alan and Mark have made. First of all, you know there is going to be an event that will probably create some liability, so it is not particularly fortuitous. I know there are arguments about how fortuitous it really is. Unlike what one would attempt to insure, you know something is going to happen. At the same time, it is very difficult, especially last year, to set a value to it, because we really did not know how well people would be able to mitigate, how carefully they would try to. We did not know what resources they would make available. So even without a history, it is possible to price a new product, but you do need to have some idea of what the liabilities might be. We had theories of liabilities that were unknown, as well as the mitigation effects, and how well they would work was unknown as well. So, in other words, the products that did come out were quite expensive for the insureds and I think they just felt there wasn't a lot of value there.
Phil Zinkewicz: What kind of disputes are we going to see under existing coverages, coverages not specifically geared to Y2K, but coverages such as ordinary business interruption, for example, that were written before Y2K became an issue? Will existing coverages become an issue in a Y2K case?
Peter Demmerle: I would be surprised if they weren't.
Eugene Anderson: I think the whole range of property policies are implicated. I would like to note that the comments about avoiding catastrophe exposure are basically anti-insurance. I mean what is the business these people are in if it is not to deal with catastrophe exposures? From my standpoint, as an attorney, this is silly talk for insurance companies.
Alan Brown: I respectfully disagree. The business we are in is to take on reasonable exposures, aggregating to a book of business. Since we have shareholders to answer to, we are supposed to underwrite that book of business to a profit, and one of the things we should not do is expose the company to bankruptcy. If we are not careful about what we do, we can find ourselves in such a situation. We certainly insure some Florida wind exposures, but we manage it very carefully, just like we manage California earthquakes carefully. We grant a lot of policyholders coverage, we manage it, and we track it so that if something happens, we are in a position to pay off every one to the dollar under our obligations. That is what we are supposed to be doing. If we overexpose the company, we have done nobody any service, other than dragged everybody into bankruptcy court.
Troy von Kutzleben: We at Guy Carpenter began dealing with the Y2K problem probably in middle to late 1997, when some of the property policies were coming up for renewal. At first, reinsurers were very reluctant to cover Y2K because of the reasons that were mentioned, one the concept of fortuity and, secondly, the concept of catastrophe loss. However, their position has softened over time and we have been able to get coverage for our clients, insurance companies, from reinsurers that have varied from no coverage to quite a bit of coverage. That really has been based upon what the original underwriter's underwriting methodology was. If the reinsurers felt it was sound and they were handling it from a responsible perspective, it was a risk that the reinsurers could take on in partnership with their client companies.
Mark Hutchins: Through a selective underwriting process, which is what Alan said.
Robin Williams: Are you talking about reinsurance or primary insurance?
Troy von Kutzleben: I'm talking from the reinsurers' perspective.
Robin Williams: I think, Troy, there are very few cases where primary insurers are giving positive coverage grants. There are a few, but not very many.
Troy von Kutzleben: As we talked about, there is going to be some litigation or perhaps a lot of litigation in areas that are not necessarily classified as Y2K coverage, something like the general liability E & O policy and D & O policy. Therefore, a primary insurer has to approach it responsibly and say, okay, we have to try to mitigate our loss, just as our reinsurers would mitigate their own loss. While you are saying policyholders need to buy the insurance, insurance companies need to make it available. The policyholder is not always going to pay the premium that is necessary to fund for the losses an insurance company may have.
Phil Zinkewicz: But, there is enough reinsurance capacity out there today to make it easier for primary companies to make Y2K coverage available, isn't there?
Peter Demmerle: That is part of the problem. We are talking about underwriting, but we have not discussed the marketplace in which the underwriters are acting. There is a surplus of capital. Underwriters have, I think, fought bitterly for the accounts they have and then to introduce an absolute Y2K exclusion is simply to invite the competition back in, and it's, let's have another fight over who gets the account. So I think you have to weigh in the pressure that the underwriter is under to maintain a book of business, the pressure they are under with the demands of the client.
Eugene Anderson: I would like to just point out a few other exposures that insurance companies have avoided in the past because of their catastrophic nature - radium, swine flu, breast implants, DES, asbestos, toxic shock syndrome, bone marrow transplants and they even tried to get out of the World Trade Center bombing because it was, quote, unquote, “unexpected” by the management of the Port Authority. In my profession, I don't see a single directors and officers claim that is paid in full. There is your avoiding catastrophe exposure.
Robin Williams: Nevertheless, there are some exposures that really are uninsurable. There is war, there is flood. I think you do have to allow the insurance industry some leeway. You do not want to insure something that is certain to provide a loss that is going to create a financial deficit.
Eugene Anderson: That's ridiculous. As Phil mentioned there was the MGM Grand fire. It had already happened and it was still insured.
Peter Demmerle: The insurance industry is not one that is hindered by barriers to entry and exit. Capital is flowing freely into the marketplace. We saw the best example of that, I think, in 1993, when catastrophic losses in 1992 created the marketplace perception that there would be a shortage of catastrophe exposure. What we found was bankers and strategic players in the industry poured billions of dollars into Bermuda and began to underwrite because they perceived there was an opportunity for a profit. So I guess the question is, if there is, in fact, opportunity to make money by affirmatively offering Y2K coverage and the marketplace is not responding, why isn't there somebody out there going to Bermuda and creating a company to offer the coverage?
Eugene Anderson: Bermuda is an interesting situation because I am waiting for a good occasion to sue brokers for placing coverage in Bermuda because that coverage is basically or very largely illusory coverage.
Phil Zinkewicz: All right, let's just sum up Y2K and get on to other exposures in the CyberRisk world. Even if you don't cover Y2K, aren't you as insurers going to get hit through the back door with all of the other policies that are out there anyway?
Alan Brown: Some people take that point of view. I certainly agree with that statement.
Peter Demmerle: When you say hit it, do you mean an indemnity payment?
Phil Zinkewicz: I mean, with the businesses that are interconnected, won't there be issues of contingent business interruption claims? Even if you are careful in terms of underwriting Y2K-specific products, you are still facing Y2K exposures, aren't you? And then there are the legal defense costs.
Alan Brown: You have to be very careful with theoretical scenarios. Because inevitably, I can guarantee you, it will come down to a case by case situation, a given set of facts against a given coverage and the policy wording, affirmative grants or its clarity or lack of clarity in that wording. That is what is going to happen.
Robin Williams: I think it is also going to be difficult to determine what claims are Y2K-related or not. I think it is going to take a good deal of investigation. But, I wanted to address the issue of the insurance industry being willing to come up with new products. My perspective as a reinsurer, is that there is a constant flow of new products from primary insurers, and as a reinsurance company, we are always looking for ways to develop new products because we see them as a source of potential profit. Usually they have higher margins because there is not as much competition. As someone who has been involved in pricing new products on the primary and the reinsurance side, because my background is as a casualty actuary, the issue comes down to where can we provide coverage at all. In other words, what is coverable, if that makes any sense, and then how do you go about figuring out a price for anything new? It can be done, but it has to be done within certain parameters. I think our argument is Y2K falls out of those parameters for the most part. If you do offer the coverage, it is limited and the price is high; whereas some of the other things involved in Cyberspace, such as e-commerce and the internet do fall within the insurable parameters and those are the things that we hope to bring to the market as an industry.
Alan Brown: I agree with that. I can certainly speak for my own organization, we hold ourselves forth as specialized underwriters with industry specific pursuits and I can guarantee you that almost every day we are trying to think of new ways to cover the things that we see our customers getting involved in.
Phil Zinkewicz: In that light, what are the new exposures that are coming about in the world of Cyberspace, and what are the products that are being offered to deal with those exposures?
Alan Brown: We have to try to bracket that a little bit. That is really broad-based.
Phil Zinkewicz: Well, then let's just talk about e-commerce for a moment.
Alan Brown: Fine.
Mark Hutchins: From our perspective, and I believe this is the case with most underwriters who examine a risk, we look at risks from different perspectives based on their history and our knowledge and our efforts to provide coverage. We are looking at third-party liability because that is our history and that is what we try to deal with and try to provide some added value to our service and products. From the e-commerce and CyberRisk universe, we see four areas primarily, not exclusively, but primarily four areas of risk for third-party liability. The four areas that we concentrate on are, first, the personal injury perils - the protection of privacy, avoidance of defamation or libel. The second area we see involves intellectual property or proprietary rights and ownership of knowledge and information. The third area is errors and omissions, just plain mistakes in processing or transacting or recording or storing information and knowledge. The fourth area we see is really the new area for the medium, the security exposure. The first three we and other insurers have been dealing with in the business sense and in the personal sense to some extent for quite some time. There have been exposures of libel and slander and invasion of privacy for many, many years. Obviously we are aware that parts of our constitution deal with these risks so we know they have existed for quite some time. Insurance to address these exposures has also existed, but the new medium has created some new difficulties, one in terms of valuing the risk. Cyberspace opens up a universe of audiences and participants in the medium. Interactive exchange of knowledge and information is new. The cost of creating that exchange is almost insignificant in the big scheme of things and certainly the addition of the security exposure because of that interactivity has opened up some new avenues of risk that some of us have not had the experience in dealing with. So we are trying to build our knowledge. Going back to one of my first comments, other underwriters who have had experience and history in underwriting security exposures from another aspect, whether it was electronics or physical security, are addressing the other aspects. So I think we as the insurance industry are trying to keep up with the rapid evolution of CyberRisk, particularly the commercialization of CyberRisk. Again, we are a relatively reactive industry, but I think we are doing a little bit better job of keeping up with the evolution, particularly at the pace it is evolving than we have in some other areas, such as Y2K. I mean, we have provided some coverage for CyberRisk since actually before it became commercialized, but since the internet was publicly available anyway.
Alan Brown: I guess the way I would like to attack the question would be to sort of compare and contrast the industrial-based coverages versus, shall we say, cyberbased coverages that jump up at you right away. One issue is valuation. Valuation is a challenge now and I dare say will continue to be a challenge. I think there are ways of doing it, but I don't believe we have as good an answer as we hope to have in the future as we continue to work on it. One of the key things that we try to do in drafting coverage responses to new exposures is to try to make them as clear as we can so that when one of our customers gets coverage from us, they have a very good idea of how that is going to work. If something happens, how are they going to be paid? What we want is to avoid having unclear wording that is gray and if something happens, then we have a big fight on our hands. We really don't want to do that. Valuation is essential. Sitting around here, we can all agree if there is a fire in here and this table burns up, somebody gets paid for that. But when you get bits and bites of data zipping around networks, what is their value? Assuming you can agree on a value or a valuation mechanism, what perils are you going to allow to be triggered to grant coverage? Some of them are fairly traditional ones I dare say. If you think about bits and bites of data zipping around networks as goods and transit, that may be a good way of thinking about it, some of those same things may occur, things can be lost.
Robin Williams: These two guys (Brown and Hutchins) are really on the front lines because a lot of these products are in development now. What we have seen are more of internet liability, media related policies and the e-commerce that are still on the drawing board. I would say, more are still on the drawing board, but on the reinsurance end, we are very interested in keeping abreast of these developments. My own personal opinion is that e-commerce is going to be very important, particularly once people realize how convenient it is. Just imagine all the different sources of loss that an e-commerce facility could have if something goes wrong. Just imagine the huge wide dispersal of those damages. So we are keeping an eye on it. We are not involved in the primary development. We want to participate.
Troy von Kutzleben: We have talked about one of the important thingswe are trying to deal with right now, and that is the coverage that is going to be provided in CyberRisk policies, and then also the valuation. Robin says it is a product that the insurance and reinsurance industry is going to be able to cover. I agree. I think we as an industry are going to be able to build some history on CyberRisk exposure, itself. So, therefore, by using the valuations that will ultimately be determined, we are going to be able to come up with loss costs which then insurance companies will be able to say, okay, I have to charge this premium in order to make a reasonable profit so I can stay in business and continue to offer this coverage to other insureds. So these guys (Brown and Hutchins), I think, have recognized the potential of the e-commerce products and are beginning to develop the product for their insureds. The reinsurance companies that we work with are also getting into this area and are eager to help their insurance partners to come up with solutions to be able to deal with this stuff. This is not a problem that is going to go away. Our world is becoming increasingly intangible in the assets it is using.
Phil Zinkewicz: What about the problems, before we go further on that, the problems of conducting business over the internet and cyberspace itself. Insurance companies and reinsurance companies are doing, in some cases, deals in cyberspace right now.
Robin Williams: We are not immune from the trend.
Troy von Kutzleben: I can speak from Guy Carpenter's perspective. We have an internet site that is primarily brochure ware-related right now. If that internet site should go down, we probably would not have a large loss that would be associated with it. However, we are also working on transactional facilities where our clients, insurance companies and our reinsurance companies will conduct business through our network. If, let's say, three years from now, that network were to go down or that site were to go down, we are probably going to have some loss of business due to that. There are insurance sites out there that are trading. There are certainly insurance companies that are offering insurance directly to policyholders, something like Ins-Web. So you are seeing the insurance industry get into the area of e-commerce.
Phil Zinkewicz: Do they face additional exposures, other than what they would normally face in the conduct of their business, because of cyberspace?
Mark Hutchins: I don't think there are necessarily new exposures because it really is just a new method of delivery, but there would probably be some new perils. If the postman did not deliver your insurance policy and you had a fire and they said you didn't have any coverage because you did not have your policy, it's the same sort of situation. So I think there are not necessarily new exposures, but, because it is a new method of delivery, there will be some challenges as to interpretation, and our objective from the underwriting standpoint is to minimize the gray areas as much as we can and recognize how this new method of delivery works. And we have lots of folks who want to have a hand in that, whether it be the federal government or in the case of the insurance delivery, each state government. We are and have explored the possibility of transacting our business via the electronic medium, and we are struggling right now with the regulatory issues from each state. Consequently, we have chosen to kind of take a back seat for a while. Frankly, we don't want to spend the money; we will let somebody else do it. So, there are a lot of those questions yet to be answered. There may be more people like us. We will kind of wait and see what happens in that respect. But then again, look at Ins-Web. They dove right in. There certainly are going to be more of those. Anybody who is transacting commerce as an individual or as a company, private or public, has got to be aware of the potential questions that this new method of delivery and transaction can raise. We have touched on a few of them. Some of them have a historical base. As the transactional aspect of e-commerce develops, there's going to be an evolution of the exposures. I think that is where we are seeing a lot of press - a lot of attention is being directed to the security aspects. I am glad to see the attention. I hope it doesn't get to the point where that becomes the only focal point because, to date, the vast majority of the litigation has been from the traditional sides, the privacy and the personal injury and the intellectual property, etcetera. So I hope there isn't too much emphasis put on the security because it always has been a cost of doing business. Your assets have always been subject to security issues, but this is a whole new ball game. But I think, again, the industry is certainly aware of the issues and is trying to respond to them, including the security issues.
continued in part 2…