Insuring a store of wealth, like gold and silver bullion or coins or piles of paper money, used to be a fairly straightforward proposition. You had safes, barred windows, armed guards, accounting procedures, sign-out processes, and so forth. Later we added tech like laser beams, acoustic systems, and biometric lockout apps. Maybe even a junkyard dog or two to round out the protection. But now you have to figure out how to manage the risks of company holdings in crypto currencies like Bitcoin, Ethereum, Tether, Binance, and the like (last count shows 26 different cryptos in active use). In spite of the illustrations some writers like to use (see below for an example), cryptos are really nothing but coding entries - a series of 1s and 0s, as in: 01101111 01100101 00100000 01101000 01110101 01101110 01100100 01110010 01100101 01100100 00100000 01100010 01101001 01110100 01100011 01101111 01101001 01101110 01110011. That's binary code for "100 bitcoin." Don't try to spend it.
The rub is that insurance companies have been slow to figure out cryptos and how to insure them against loss, devaluation, fraud, or other possible events which might lower or eliminate their value. A good article appeared on this issue two weeks ago in the Insurance Journal, "Insurers Have Not Yet Embraced Cryptocurrency Craze Despite Demand". From the article: "Scant regulation and volatile prices of bitcoin and other cryptocurrencies make many insurers reluctant to underwrite the risks, despite booming demand for protection of digital assets and for personal liabilities of directors and executives of companies that deal with cryptocurrencies."
In fact, the issues with insuring crypto risk may remind you of the problems with cyber risk discussed later in this issue of the Journal. These are really two complementary aspects of the same dilemma - how do we insure against novel technology based risks with little or no claims/risk history and with a large number of unknown or poorly understood potential dangers? We're told that blockchain, for example, can't be forged or fudged. After all, that's what makes cryptos feasible, but do we know for certain? Many famous ships have been considered unsinkable by their designers. That list includes the Titanic and the Andrea Doria.
Then there's the issue - common to almost all non-cash asset classes - what is the covered asset worth as of a given date/time? We have developed rules over time to cover stocks and bonds and even asset classes without assigned denominations such as fine art and collections which can be subject to large swings in value over time, but what concepts apply to cryptos, if any?
Regardless of how you feel about crypto currencies as a store of wealth, large exposures (over around $10M) are very difficult to cover in today's insurance market. This applies in spades to D & O for organizations using serious volumes of cryptos in their business*. If the folks down the hall from you are into using bitcoin et al, or are planning to go there, read this article. It's a new world out there. Makes the risk management tasks of just twenty years ago seem almost quaint and cozy by comparison.
How do we learn to manage the many and unusual risks crypto currencies and other new technical whiz-bangs are liable to? Hmmm. Makes me think of a question a Dutch friend** recently posed: Wat wil je later worden als je huidige beroep straks niet meer bestaat? What do you want to become once your current profession no longer exists? Risk management keeps changing because the nature of risk keeps changing. Figuring out how to work with crypto and cyber risks is just part of learning your new job, which will continue to be new-- year after year.
*In 2021 D&O may well stand for dazed and obfuscated as many new developments, cryptos and cyber issues among them, come to bear on this year's renewals. As a recent article in Advisen pointed out, "'Uncertainty' is the word of choice for the D&O market these days."
** Anne-Marije Buckens of the 50 Companie in Amsterdam, one of the sharpest observers of modern business I know.
What cryptos are not - real, heavy things you can lock away in a safe or hide in the bottom of your sock drawer.
The Past Is Prologue, But What If There Is No Past?
We all know the ancient mantra for risk financing: budget for claim certainties and insure against claim catastrophes. Simple right? Unless the issue is cyber risk. Cyber risk is a growing, moving, twisting, shape-shifting target. Even a decade ago, it wasn't the nightmare inducing thing that goes bump in the night that it is now. It's also one of the few risks that seems to come only in sizes catastrophic and larger. So how are we supposed to build a risk program which captures smoke?
Good old Best's Review has put together a very helpful overview of how to size a cyber risk. If cyber risk is on your menu, check it out. Best's primary audience is insurance companies
Insurers [and you, dear risk manager] need to pay particularly close attention to social engineering and "ensure that the risk management frameworks, security strategies, analytics tools and catastrophe models take this emerging threat into consideration," said Darren Thomson, head of cybersecurity strategy at CyberCube.
The basic point of this article is to help you frame your cyber risk like an underwriter and think through the various risks presented by your own architecture and the applications ecosystem in which you operate day to day. As we have noted in past issues, a minor error by a vendor with access to your systems can be the key to the castle.
As the reference to "social engineering" reminds us, the weakest link is usually a naive or careless employee who falls for a phishing scam. While it's true that the bad guys out there on the hunt for ransom, espionage, or just plain cyber mayhem, have quite an array of high tech tools these days, you're more likely to be tripped up by old Fred in bookkeeping who dutifully types in his credentials in response to an email about updating account permissions.
Before we go, here's an idea from our bulging file of "why didn't I think of that?" items. The Public Infrastructure Security Cyber Education System, or Pisces, is working with colleges in the U.S. to provide network monitoring and threat detection to small public-sector organizations, who often don't have the resources to patrol their own networks to identify when hackers may be inside their defenses. Small public entities are being hit with ransomware attacks; meanwhile undergrads in computer science and related areas of study need work experience. Much has changed lately, but necessity is still the mother of invention. Go Pisces!
Back in the day, when computers used vacuum tubes, punched card programs, and open reel off-line memory storage, the way God intended, yours truly did systems consulting. We had an old saying: never count any system foolproof until you have met and measured all the fools who will use it.
So how's your laptop dealing with the pressure, eh?
Quick Take 1:
And You Think You Had a Bad Day?
Decades often acquire nicknames. We remember the twenties as The Jazz Age or the fifties as the Age of the Man in the Gray Flannel Suit. We are beginning to think that the current decade may be remembered as the age of "You can't make this stuff up." An item in The Independent (UK) a few days ago begins with these words - perhaps better suited to a James Bond novel than a newspaper item: "The Mexican government has warned inhabitants of the densely populated central states that a truck carrying highly radioactive material was stolen from the town of Teoloyucan during an armed heist in the early hours of Sunday."
Now that sounds like bad news enough, but the item stolen was not a little canister of a radioactive isotope used for medical imaging or something sort of non-threatening like that. No. The hijacked truck was carrying a QSA Delta 800 gamma ray projector – an extremely dangerous piece of equipment, which can deliver a fatal dose of radiation to anyone who comes into direct contact with it. Other than that, no problem. Naturally, Teoloyucan is in the densely populated suburbs of Mexico City.
Our point here is that modern technology brings us all into regular proximity with incredibly dangerous substances and equipment. We don't have to be the risk manager for a nuclear power reactor or a private spaceship builder* to run into extraordinary.
It doesn't look dangerous, does it? It's almost cute in its rubber ducky yellow paint. What are the chances that anyone, including a child, might pick it up and push a button? But, you object, our business doesn't use dangerous stuff like this. Are you sure? What if we told you that you can order one of these puppies on Amazon**? Yeah. All you need is a very healthy credit card.
As we said, you can't make this stuff up. Exposures like this swirl around us every day. Now what happens if a kid finds this in an alley in Teoloyucan, takes it home, and he and his siblings try to see if they can make it work? How would you manage this risk? You might just have an exposure more like this than you think.
*Ever think, years ago, that we would have several private companies building serious space ships - right out of 1950's science fiction movies?
**This model and machines like it are used worldwide as part of oil drilling and pipeline construction. QSA is a major supplier of the machines and the isotopes that power them.
Quick Take 2:
Another Hurricane Season - Already?
Seems like we're still picking up the pieces from the last season and here we are with the first predictions for the upcoming 2021 parade of hurricanes. As we've noted in previous issues of this Journal, hurricane prediction is still as much art as science, but the predictors are steadily improving their RBI metrics. That's why we pay attention this time every year. This isn't your local newspaper's astrology column.
Let's get the bad news over with quickly: "Experts at Colorado State University announced the results of their first long-range forecast for the 2021 Atlantic hurricane season Thursday, calling for above-average activity. It comes on the heels of the most storm-packed season on record in 2020, during which an unprecedented 30 named storms formed". This promises to be the sixth straight above normal season with perhaps 17 named storms, compared with an average of 12.1, and eight hurricanes, compared with an average of 6.4. Looks like the term "average" is becoming dysfunctional in the 21st Century.
What to do - other than taking another aspirin - or something stronger? You might start by reviewing the lessons learned from the last few seasons. We all know how to say I wish I had known then what I know now. Here's a strong chance to redeem any errors of seasons past, like underinsuring key business components, not adequately maintaining drainage, not testing emergency procedures and hot/cold start backup facilities*. Do any procedures need to be updated so your 2021 recovery process matches any improvements implemented recently? Do your employees in hurricane-prone areas need refresher training on what to do in case?
You get the idea. During his first three voyages to the Indies, Columbus learned from the natives about the big wind storms they called huracanes. When leaving Hispaniola in June of 1502 he recognized the signs and sequestered his ships in the harbor. The other commander, Ovando, dismissed Columbus's warnings and sailed on. His part of the fleet was badly damaged. So you see - predicting hurricanes-- and ignoring those predictions at serious peril-- both go back over 500 years. Have we learned anything?
*I run a battery of tests on my backup/recovery systems here at my farm in PA weekly. Got hammered by Superstorm Sandy in 2012. Not going there again.
Spanish galleons running before the wind
Say It Isn't So...
From an interview with GM's head of innovation, Pam Fletcher:
The veteran GM engineer's Global Innovation team is looking for new enterprises to expand the automaker's sources of revenue well beyond vehicle sales and is incubating ventures from commercial delivery services to vehicle insurance, [emphasis added] to address future markets worth an estimated $1.3 trillion. That doesn't include flying cars, a market sector that alone could be worth $1.3 trillion, Fletcher told Reuters.
A sign of the times. GM is going after auto insurance and who knows what else. We suppose that, if they do deliver on the flying cars, we'd just as soon they write the A/L.
A whole new angle to see the USA in your Chevrolet.
Words to Remember
The year 2020 has generated its own mythos already. We've collected a few of the better comments as of today:
Based on 2020 thus far, I'm expecting the flying monkeys from Oz to show up any minute now.
2020 is like going to a wedding reception and finding it's a cash bar.
I can't wait to hear Billy Joel's song about 2020.
The good news: waking up every day. The bad news: it's 2020.
And finally - history repeats itself, but with a twist:
1977 - stayin' alive
2020 - stayin' alive.