There is a thread going on through various LinkedIn Groups at the moment concerning whether ‘Cyber Insurance’ needs a new name.  My take is that there is nothing wrong with using the term ‘cyber’ as a general catch-all term, as long as that is all it is used for.  If however, we are going to talk about specific exposures and their corresponding insurances, we should use accurately descriptive and specific terms.
But that is not my point this morning. My point concerns problematic thinking within our industry that I fear could slow down development of the kinds of products I think our customers really need. It is another reason, if you will, why the current ‘cyber insurance’ model doesn’t work.
I have been amazed that so many of the postings in the various LinkedIn threads seem to suggest something I have noticed before, that ‘cyber insurance’ – whether it is described as Network Security, Cyber Liability, Privacy Liability or Data Breach – really only means one thing to most people in insurance: the unintended release of PII or PHI. That’s what I call Data Breach.
As an aside, I suspect this is another good example of the law of unintended consequences. The legislative decision to force firms to notify victims that their data has been released – and so to attach a direct cost to breaches – seems to have left half the insurance industry thinking that data breach is the beginning and end of ‘cyber exposure’.
And to be fair, regardless of the fact that PII or PHI data breach exposure is just one of the data exposures firms face (and for many firms will be far from their biggest data exposure), its importance is pushed out of proportion by the cost imposed by legislation, so this is somewhat understandable. But only somewhat…
Aside aside, the problem with disproportional thinking is that it inevitably distracts from the main topic that really needs thinking about, which is that insurance is a bottom-up service and it needs to become top-down.
To explain that with Data Breach, we see things in terms of how far Data Breach coverage should extend out from the original breach (so ‘inside-out’ is probably a better term than ‘bottom-up’…).  So, should coverage deal only with the direct costs of the breach – the notification costs?  How about the less direct costs where, for example, the breach is not caused by some plonker losing a USB stick in a bar but by a hacker; should the forensics that uncover that be covered?  And the costs of a patch?  Defence costs against the (almost) inevitable class action?  Regulatory defence costs?  What about PR costs to try to minimise the negative publicity?  What about the business interruption costs?  What about the costs of rebuilding a damaged brand – not just negative publicity?
My point here is that we vector out from what, for many firms, is a relatively limited part of their data exposure, where I am just not sure that is how our customers think or what they would buy if the alternative were available. The alternative? A single policy that deals with the effects/costs of ‘cyber’ issues, not lots of different policies (see list above) each trying to compartmentalise exposure but which all end up in the same place – costs – anyway.
Now, I know there are enormous challenges with this idea. Selling insurance as a direct response to legislation is an easy sell. ‘Cause’ is normally followed by ‘effect’, not the other way round. Dealing with ‘effects’ would also mean having to think more deeply about the causes of the causes of losses, not just the step or two back to the specific event that produces the loss, which is the current approach. More challenging still are the modelling implications; I am still trying to write Part 2 of this post. Most challenging of all would be the capital issues – and its optimal deployment – but that is more than a little tied up with the modelling challenge.
Challenging though these supply side issues are, demand side issues seem to me to be more pressing. Among these, two stand out for me.
First, ERM is increasingly best practice, where a holistic (sorry, I hate that word too…) approach is essential.  Regulation is even imposing ERM in the banking and insurance industries via Basel II and Solvency II and, at least in banking, creating direct incentives (in the form of reduced regulatory capital) if genuinely capital mitigating insurance can be procured.
Second – an old friend on this site – knowledge will become less and less exploitable by insurers as insureds increasingly use social techniques to develop faster, better and more immediately actionable knowledge than insurers.  For example, in the data-rich, big data world we are moving towards, the ability to extrapolate knowledge from ever-larger and more complex data sets will mean (I fear) a relatively rapid decline in the value of insurers’ current silo-based and ‘a few steps back’ approach to knowledge management.
Demand side opportunities will, eventually, always trump supply side difficulties. I fear narrow thinking – about Data Breach or anything else for that matter – will become increasingly damaging to insurance. But I am naturally an optimist…