When Soubhagya Parija moved from his job as risk strategy director at Walmart to the post of chief risk officer at the New York Power Authority in 2015, he learned that corporations “could do with more innovation from the insurance industry.”
Parija was having trouble finding coverage for the utility that was scaled to fit what he calls its unique exposure. The NYPA, after all, was a vastly different operation than Walmart. Think about the risk exposure at a retail company with a huge international footprint versus what a company in the utility industry faces, he says.
Unlike Walmart, the NYPA, which operates 16 power-generating facilities, doesn’t keep large amounts of vulnerable customer data in its systems—and therefore shouldn’t have its coverage priced on the same basis as the retailing giant, the risk officer contends.
“Even within the utility industry, the [NYPA’s] exposure to cyber risk is very different from that of Con Ed, which has a huge number of retail customers [and as a result] much more danger than we have,” he added, referring to Consolidated Edison, the New York–based energy company.
Yet when Parija began looking for cyber coverage, he found that commercial insurers were treating all utilities the same way. When applying for the insurance, his broker presented him with the standard questionnaires a number of insurers use. Those forms were based mainly on the cyber risk experiences of financial services businesses, he maintains.
“Their assumption was that cyber risk was just one monolithic exposure attributable to all companies, which is just not true,” he adds.
What’s more, Parija and others say that the problem isn’t limited to cyber risks. Other complicated, fast-evolving threats such as damage to global supply chains and company reputations are met with the same cookie-cutter approach. Critics also portray the industry as lacking in the innovative juice needed to keep up with beneficial technological advances like the Internet of Things.
Fearful of taking a risk without sufficient data, carriers cling to the standard offerings like property, general liability, and directors’ and officers’ liability insurance, critics say. Central to such arguments is the notion that the industry is mired in “commoditization”—a tendency for insurers to package coverage before they have listened to clients about their particular needs.
Still, commercial insurers are not in business to lose money, their defenders argue. They’re built on the idea of pooling large numbers of clients and using decades’ worth of data to back their underwriting. While their customers crave innovation and customized underwriting, that involves more costs and lost time than insurers can reasonably absorb, some experts say.
“Commoditization does have the potential to slow innovation,” acknowledges Andrew Bent, the Americas risk manager at Sage, a provider of accounting and payroll software. But “a commodity isn’t necessarily bad,” he says.
From the commercial insurance industry’s perspective, “the key to commoditization is not being so narrow you can’t write a meaningful policy,” Bent adds. “But there has to be some basis on which to write a policy.”
Crucible of Risk
Perhaps because there have been so many news stories involving cyber risk (the 2014 breach of 500 million Yahoo accounts, for example), the exposure has become something of a test of the insurance industry’s ability to respond to fast-changing threats.
“One of the criticisms that the insurance industry’s sometimes received is that it’s too eager to commoditize a risk before that risk is totally understood,” noted Ben Beeson, the cyber risk practice leader of Lockton, an insurance broker, at a cyber risk conference sponsored by Advisen, a risk management research firm, last October.
Before 2016, some might well have argued that that was indeed the industry’s approach to cyber risk, since it was narrowly focused on selling liability insurance to cover corporations for the theft of personally identifiable information and protected health information, Beeson noted.
“In 2016 we woke up to the fact that the consequences of the risk can be much broader than just the cost of handling people’s personal data,” he explained. Cyber risk “isn’t just about data anymore” but also about business interruption risks like distributed denial-of-service attacks on servers and websites.
Despite the industry’s growing awareness of the extent of cyber risk, however, the knowledge “is not—at least in the short-term—making life any easier for our clients,” Beeson added.
Eric Dobkin, the risk manager of Merck, pointed to a fundamental gap between the nature of cyber risk and the industry’s ability to help its customers cope with it. The risk “is evolving incredibly dynamically, and the industry is very deliberative,” he observed at the conference.
As a result, when corporate risk officers seek to grasp how they can transfer risk from their companies’ balance sheets to commercial insurers, they often face a confusing, immature insurance market. Companies often encounter “a jigsaw puzzle of insurance products that overlap in some areas and exclude in others” regarding cyber coverage, Dobkin said.
But the fault doesn’t only lie with insurance sellers, at least one corporate buyer points out. Sage’s Bent says: “We risk managers, as a group, have to get better at understanding interlocking [coverages].”
Commercial insurance buyers need to understand that full protection against cyber risks often requires the placement of multiple lines of coverage that must fit together, he adds. For instance, a full menu of protection might include professional indemnity insurance; a legal liability policy to cover a company’s software; crime coverage to protect against thefts engineered via company systems; and coverage for damage to a company’s infrastructure caused by hacking.
In any event, “all of the pieces have to be joined up” to make sure all the risks are covered and that there is no costly overlap in coverages, according to Bent. “I think there’s an onus on both sides,” he says, referring to corporate buyers as well as commercial insurers.
Narrowing the Gap
But when it comes to the innovation that could help solve the problems coverage fragmentation has spawned, there is a big gap between the expectations of customers and their insurers. That’s the key takeaway from a survey on innovation in financial services that was released in January by Celent, a research and consulting firm.
The great divide is between how crucial innovation is to customers and how important it is to a financial services company’s strategy, according to the survey of 194 financial services professionals and senior executives, 62% of whom came from insurance. While 82% of the respondents said that innovation was “critical” to meeting customer expectations, only 52% said that it was critical to company strategy.
The percentages were reversed when the word “critical” was changed to “important”: only 18% said that innovation was important to meeting customer expectations, while 43% said it was important when it came to hatching company strategy.
Yet that small difference in word choice can make all the difference in the world when it comes to the question of how much a commercial insurer commits itself to innovation, according to Mike Fitzgerald, a senior analyst at Celent.
“In the competition for resources and talent, if something’s not critical, it really doesn’t get done,” he says.
In a property-casualty insurance company, a commitment to innovation means setting up a dedicated innovation group within the organization, according to Fitzgerald. If the choice is between dedicating people and resources to such a unit or putting the resources behind an effort to tweak an existing policy form, innovation is “probably going to lose.”
One big reason is that sustained innovation is inherently inefficient, requiring a great deal of testing and learning via experimentation. Many of the experiments will inevitably fail, Fitzgerald notes, producing costs that are unacceptable to most commercial insurers. And insurers have long trailed such leading innovators as the pharmaceutical and retail industries in corporate inventiveness, he adds.
Still, the gap between strategic objectives and customer desires seems to be narrowing considerably among insurers. For the first time in Celent’s survey since it began in 2013, more than 50% of respondents indicated that innovation was “critical to executing company strategy.” Even more impressive: in the 2013 survey only 26% deemed innovation critical.
Innovation doesn’t have to come from established innovation groups, of course. To some industry players, it’s better arrived at through direct contact with clients than in a lab-like environment. “As soon as you make it a central group, you lose that gritty connection with clients that innovation needs,” says Eric Joost, head of global property and casualty for Willis Towers Watson, a big insurance broker. “If you’re too far from client interaction, it’s hard to quickly spot where innovation is needed.”
Perhaps the most basic question for insurers is how to define innovation itself. To Celent’s Fitzgerald, innovation boils down to “breaking trade-offs that are meaningful to a customer.”
For example, a carrier is being innovative if it can undo the trade-off between price and quality, which holds that to get a better insurance policy you have to pay more. It doesn’t mean tweaking it to get the price down by subtracting some of the coverage, he adds.
In some cases, innovation can mean eliminating the tradeoff that stipulates that the only way for a corporate insurance buyer to finance a risk is to buy a standardized insurance product. In that arrangement, while the insured may get some needed coverage, the insurance may not exactly fit the company’s more complex needs. The New York Power Authority’s Parija found himself in just such a situation when he tried to manage the utility’s water-supply risk.
Seventy percent of the NYPA’s energy capacity is hydroelectric power; therefore, the organization faces the huge risk of not having enough water to produce the power its customers are paying for, according to Parija, who noted that the exposure stems mainly from variable weather.
“Insurance companies have not been able to develop good analytical tools to really quantify the weather exposure that different companies have,” he says, and coverage “continues to be expensive.”
As a result, most power companies try to self-fund their weather risk. For its part, the NYPA is mostly self-insured and is in the process of looking into forming a captive insurance company to cover part of the risk. By retaining much of the risk itself, the utility will be able to lessen its premiums by only buying insurance to cover the remainder, he reasons.
Parija feels that, rather than functioning as commodity providers, “insurance companies really need to play the role of risk counsel” to help guide clients through the maze of funding perils like his company’s weather exposure.
“Insurers really need to think of the program from their client’s perspective. It’s not always a matter of what’s in the market and available to buy. It’s ‘what are the needs of the client?’” he says. To get to that place, it appears, insurers have a lot more innovating to do