Black swan events: Covid insurance cases go to Supreme Court
The hotly-contested case on lockdown business interruption insurance payouts for small businesses hits the Supreme Court today. Bill Mew asks whether we can rely on insurers to cover the increasing number and frequency of major incident risks.
Many SMEs with business interruption insurance have either closed or faced significant losses during the pandemic. Some insurers have disputed their claims, arguing that policies were never meant to cover such unprecedented restrictions.
With 370,000 businesses seeking potential payouts totalling £1.2bn, an earlier ruling largely in favour of the policyholders is being put to the test before the Supreme Court.
Black swans in theory and in practice
When Nassim Nicholas Taleb defined black swan events as events that are unforeseen but have potentially devastating consequences, it was assumed that they would be rare.
Not all black swan events are entirely unforeseen, but interpreting signals among the background noise can be almost impossible even when we are risk-aware. Unfortunately, few organisations are sufficiently risk-aware or able to spot the signals – even when clear warnings are made.
There were warnings about credit risk ahead of the global financial crisis and about health risk ahead of the coronavirus pandemic, but such warnings were largely ignored. There have been similar warnings about cyber and terrorist attacks, as well as extreme weather events.
However, predicting that such events may occur is very different from being able to anticipate exactly where, when and how often they will happen.
What do organisations need to do?
With financial, health, cyber and climate risks all appearing to escalate in both size and frequency, organisations need to know how they can protect their supply chains and operations.
The traditional approach to risk mitigation is insurance. Some larger organisations have tended to self-insure, believing that they are big enough to absorb any losses. Meanwhile, others rely on the ability of underwriters to understand historical data to determine the likelihood of any risk occurring in order to price risk and, therefore, policies accurately.
Historical data, however, may be misleading, and the fear is that many risks are rapidly escalating. Some risks may now have become too great for insurers to cover. Almost all policies exclude acts of war or terrorism, with governments typically acting as insurers of last resort for acts of terrorism. The question is: should governments cover other major risks as well?
Are black swan events becoming more common?
The global insurance losses from the Covid-19 pandemic are expected to be higher this year than the $107bn Lloyd’s of London originally estimated. And with three Atlantic hurricanes, this year has resulted in a catastrophe bill of $144bn, the highest on record according to Swiss Re.
Consequently, the insurance industry is starting to think the previously unthinkable. Lloyd’s has proposed a “Black Swan” reinsurance scheme to governments globally to ensure better cover during circumstances such as the pandemic and other major disturbances.
The insurers have so far failed to get much government attention on the topic, and any kind of global agreement looks like an incredibly tall order. Most governments have a pandemic on their hands and are preoccupied with numerous domestic issues.
Hack to the future
Even with a raging pandemic and rising concern about climate change, the largest concern remains cybersecurity. Global insurer Marsh & McLennan believes that cyber exposure remains the single biggest risk faced by insurers.
The problem with cyber is that prevention and detection are the responsibility of clients, but since no organisation is entirely secure, policies have been crafted with numerous exemptions for cases where the client might be held to blame.
Indeed, the exemptions in most cyber policies are so extensive that it would be possible for an insurer to refuse to pay out for almost any kind of incident, making such policies almost worthless. A useful list of the most common exclusions is given here – check to see if your policy includes them.
Even when there is some cover, the exact extent of this cover is often underwhelming. Following a ransomware attack, Norsk Hydro received an insurance payout of $3.6 million. That’s only about 6% of the overall damage that was estimated to be as much as $71 million. It covered the cost of the technical fix, but that was it.
This is akin to a pedestrian in a road traffic incident being stretchered to the side of the road to prevent him from being hit again, rather than being taken to hospital in an ambulance, being seen by a doctor, or even receiving life-saving surgery. The patient might not only be disappointed at the lack of care, but it could also fatally undermine his chances of recovery.
Not only are cyber incidents becoming more frequent and serious, but some can be contagious, impacting not just individual clients, but potentially entire ecosystems. With such contagious risks excluded in almost all policies (along with many other risks), the question of just how companies can protect themselves needs to be addressed.
Propelled back to the dark ages
The pandemic has caused enormous damage, but the toll would have been far bigger if the death rate had been significantly higher and the economic impact would have been far greater if people had been unable to switch in so many areas to remote working.
When global shipping firm Maersk was hit by the Wannacry virus (described eloquently here), it found that overnight it had been propelled back to the dark ages, without any access to computer systems or telecommunications.
If the next Wannacry attack spreads further than the last, then the systemic impact could be cataclysmic. Hospitals and other essential services could grind to a halt along with significant parts of the economy. How would your organisation cope with or respond to such an incident?
GDPR obliges all organisations to have “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of [data] processing.” Key to this is having a cyber incident response plan in place that defines how the organisation would respond to a cyber incident, as well as the ability to test this plan to ensure that it is effective.
When insurers can’t be trusted
While some organisations conduct scenario planning and immersive simulation exercises to put their teams to the test and ensure that they are crisis-ready to meet these obligations under the GDPR, most do not. Some that do tend not to involve their most senior management in these exercises, meaning that those who will actually be at the helm in a crisis are totally unrehearsed.
Cyber incident response specialists have saved a number of firms from disaster, but their services aren’t necessarily covered by cyber insurance policies. They are also most effective if they have participated in your simulation exercises rather than being called in at the last minute, without any knowledge of your set up or systems.
Nevertheless, swiftly responding to take advantage of their technical, legal, reputational and social capabilities can massively limit potentially catastrophic damages. After all, if the insurers are not going to protect organisations in a crisis and their own senior management aren’t sufficiently prepared to do so either, then exactly who will?
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...