The 2017 annual RIMS conference has just concluded in Philadelphia. While sessions were offered, as usual, in every possible aspect of risk management (including the latest wrinkles in product recall insurance and Medicare set-aside allocations, even drone trespass and property rights), the Journal elected to concentrate on the intersection of risk management and new technology. Note that all handouts from this year's RIMS sessions are available at www.RIMS.org/ASC for further reading and research.
The Internet of Things (IoT): Why Should I Care?
The IoT came up constantly in the tech sessions. An opening session (The Internet of Things: Why Should I Care?) set the tone and provided an overview and definitions of important IoT concepts. The IoT is chockablock with risks: some obvious, some hidden. The sheer size of the IoT today is daunting: 10 billion connected devices worldwide. This is expected to grow to 34 billion by 2020. Total investment in IoT related development is pegged at $6 trillion over the coming 5 years
Meanwhile, many of the risks associated with the IoT are just beginning to surface: security, data privacy, product failure, liability, all types of personal privacy. The bottom line is that IoT related risk needs to be an important part of your ERM practice, if it is not already. It touches human resources, marketing, your corporation's public profile, internal security, operational maintenance, inventory and fleet management, and legal-compliance activities, not to mention IT operations.
Best practices are being developed now. New concepts such as islands of security and end of life terminations (for tech equipment, not employees) are being added to new, more stringent standards for such areas as vendor security and defense in depth. What does that printer know about you? What does the refrigerator see? All these questions need to be worked through, scenario by scenario. The bottom line: Every integrated circuit with a link to the internet presents a potential threat.
The Superstorm of Cyber Events: Coming to a Grid Near You & Hackers Are After More Than Just Data: Property Coverage for Physical Damage and Business Interruption
The word "cyber" got quite a workout in these two related sessions Tuesday morning - and for good reason. Cyber related risks are proliferating everywhere. The IoT is one reason, of course, but threats come from all directions. One major take home point of both presentations was that cyber risk is far too important and pervasive to be regarded as an "IT problem." In 2017 cyber risk is a top of the list ERM issue.
The news headlines about compromised consumer financial data (think Target) look at only a small part of the overall exposure. There were 4223 significant cyber attack incidents in 2015 involving billions of records of all types. One very important point is that we now know enough about this type of risk to begin modeling it. One speaker compared cyber risk to commercial fire risk and noted that it can be analyzed for loss engineering purposes using similar approaches.
In addition to the obvious E&O and D&O risks, cyber presents serious business interruption and property loss/impairment dangers as well. The raiding of consumer records falls primarily under the first two coverages, but such events as denial of service attacks can trigger major corporate system outages resulting in serious downtime and interruptions leading to late deliveries - or no deliveries. While malicious attacks are the most common cause of such outages, one of the worst events, the recent interruption of the Amazon Cloud, was caused by a typo in an update instruction. That typo caused roughly $3 billion in service interruptions. Are you covered if that happens in your IT department?
And don't overlook real property damage. A malicious attack on a German steel mill two years ago caused a blast furnace to explode and other virus based attacks, like shamoon and stuxnet viruses, can destroy entire IT systems, turning your server farm into a room full of very expensive paperweights. The takeaway here is to know your coverages and any exclusions. Do you need a cyber wrap policy, for example? Does your property coverage include data corruption as a "physical loss"?
Thorough cyber GAP analysis is critical. Don't wait until you see the black screen of death to read your policies. Most important of all, stay informed and ask questions. This is a rapidly evolving field where old concepts of "property" and "liability" are expanding and mutating and the changing nature of your own external and internal IT operations (and your vendors - don't forget them) creates new risks regularly.
Blockchain Technology: What Is It and How Will It Affect You?
We have to include blockchain technology to be truly au courant in 2017. Note that this RIMS session was not about Bitcoin. While Bitcoin brought the underlying blockchain technology to public attention, there is much more to blockchain than cryptocurrency. Blockchain belongs in this discussion because it may play an important role in protecting against or mitigating some of the cyber risks described above.
In essence, blockchain is a combination of a distributed ledger system with strong cryptography and a series of permissions which make it possible to record such matters as policy negotiation, issuance, and modifications in ways that are fast (no intermediaries required) and secure. Insurance is often all about very complex agreements. Blockchain offers a way to develop, approve, and store such agreements faster than is now possible with a much lower risk of data loss or corruption - incidental data corruption like the Amazon typo or intentional like the exploding blast furnace noted above.
Blockchain networks can be public, like Bitcoin, or private, like the R-3 network now being tested by a group of 11 banks. Creating a new blockchain is expensive and complicated, at least for now, so don't expect this to become a feature of financial services immediately. A blockchain can be hacked, but this is much harder to do than with present IT systems. In short, one of your banks or perhaps an insurance carrier may have a blockchain based app for various aspects of policy issuance or invoicing functions in the not too distant future and it will be fast, convenient, and safe. Might be something to that.
More RIMS to Come
Our next issue, due May 25, will include two more informative tech sessions from RIMS covering wearables for employees and telematics for vehicles. If your business involves either motor vehicles or human beings, be sure to tune in.