Hidden Risk

The phenomenon of risk expanding in scope and depth, called cascading or systemic risk, is not new.

But the pace and expanse of systemic risk is escalating. In a world that’s increasingly globally connected, an event in one location is likely to have systemic consequences.

Insurers and many brokers and agents are tracking such risks, examining the relationships between risks, requiring clients to adopt best practices to limit such risks, and structuring coverage more carefully.

But they say much remains to be done. All too often action is taken only after a new line of risk has suddenly emerged and insurance claims are already accumulating.

Bob Reville, co-founder of casualty risk analytics company Praedicat, says accumulating claims from cascading risks could threaten insurers’ ability to aptly price different categories of risk. “If enough major risks collide, large swaths of risks could become ubiquitous and uninsurable or require government-backed alternatives, as for flood risk in the U.S. or terrorism risk in many territories,” Reville says. “On the other hand, the increasing presence of systemic risk could prompt the industry and their clients to adopt better emerging risk management practices that could translate into increased mitigation of risks before they emerge.”

Understanding Systemic Risks

Systemic risk is the potential for one event to trigger instability or even collapse of a broader sector or geography. “I think of systemic risk as being that you have multiple parties who are making claims as a result of a single event,” Reville says. “In the context of property, they usually will call that ‘catastrophe,’ and in the context of casualty, they usually call that a ‘clash’ event.

“In casualty, the way these events generate massive losses is by having a complex impact on the industrial footprint rather than only impacting a single company or a single industry. So, on one end, you can have a pharmaceutical litigation that involves thousands of people who’ve been exposed to a drug and harmed by it, and they all bring a claim against one pharmaceutical company that has one limit of insurance. That’s not a systemic risk.”

A second, more involved type, Reville says, involves claims against multiple companies within an industry. “That’s easy to manage as an insurer by having industry aggregates that you manage to,” he says. One such example, Reville says, is litigation that involves a class of pharmaceutical drugs, such as statins.

More involved events, including those that cause claims against multiple industries, “start to get into the limits of what insurers are capable of today,” Reville says. As an example, he points to the recent opioid litigation, which he says surprised insurers as it spread from manufacturers to distributors and retailers.

Further along the spectrum are those cases that further involve multiple lines of insurance, such as some opioid claims that involved D&O as well as general liability.

The worst case involves all of the above and maybe more, Reville adds. “If you have something that is truly systemic, in the worst way, it’s going to be multiple claimants against multiple companies in multiple industries against multiple lines of insurance,” Reville says. “The best example of this is asbestos litigation, which impacted dozens of industries, multiple insurance lines and decades of policy years. Today’s litigation over PFAS, also known as the ‘forever chemicals,’ is already unfolding similarly with thousands of claimants and 220 companies named across 90 industries, alleging a broad range of harms, from product liability to corporate malfeasance to water contamination.”

The extensive PFAS litigation includes claims against environmental liability, workers comp, general liability and excess casualty policies. “So you’ve got all the makings of an early-stage systemic risk that is pretty severe,” Reville says.

Behind the PFAS system risk, he says, are characteristics that accompany many emerging systemic risks: the evolution and use of new technologies. “With technologies like PFAS, the way in which you’ve got a cascading risk is somebody develops a new technology for, say, nonstick cookware. That technology, which is really useful, gets used in more and more ways over time, such as stain-resistant carpets, food packaging, cosmetics and firefighting foam. Meanwhile, scientists notice that the PFAS chemicals are present in the environment, don’t break down, and may cause bodily injury, but the new applications and the increased production keep coming,” Reville says. “That can lead to widespread environmental exposures with a complex industrial footprint and a systemic risk for insurers.”

Sometimes minor threat patterns mature into more severe ones, says Jerry Paulson, senior vice president at Hub International. Cyber is a case in point.

The insurance industry was generally slow in following that trend, he adds. But he notes one exception: Kent Paisley, a senior vice president at insurer Allied World, who started up a credit insurance and political risk book and preached about the systemic effects of cyber events.

“He said, ‘Hey, we think that cyber attacks and ransomware can lead to default of companies and insolvency,’” Paulson says. “And we were like, ‘Yeah, of course, we see the logic in that. But how prevailing is that going to really be?’”

What is often less clearly perceived, Paulson notes, is the relationship of cyber incidents and claims to other claims and business damage. “Paisley and his team were spot on,” Paulson says. “Because when you think about it, a small business that gets ransomware has to pay hundreds of thousands or millions of dollars to be able to open within days, or it could literally put them out of business. If they go out of business, who do they owe money to? That’s where the credit insurance would be triggered. It could cause a domino effect default. Now fast-forward to everyone’s talking about supply chain and the effects of COVID-19.”

Tracking Scientific Developments

Risk analytics companies like Praedicat and Risk Management Solutions (RMS), a Moody’s risk-modeling organization, try to model future insurance accumulations by tracking scientific developments and discoveries. That’s an approach that RMS has long taken for property but it’s a relatively new development for casualty that has grown over the last 10 years, Reville says.

Generally, Praedicat works by analyzing patterns of information and connected risks that grow and mature over time, Reville says.

“We mine the peer-reviewed scientific literature, looking for chemicals or products or business activities that scientists are beginning to be concerned might, downstream from their intended purpose, result in property damage, environmental damage or bodily injury,” Reville says.

“Then, as the scientific literature becomes increasingly rich at describing the exposures and understanding the bodily injuries, what we call emerging damages, we actually simulate potential future mass litigation over these issues.

“Next, we see some of these emerging damage agents end up being used in litigation, so we track the litigation over the agents that we’ve been following through the science. The risks that we’re tracking are cascading events, and we’re anticipating that they’re going to cascade in somewhat predictable patterns which are identifiable from the scientific literature.”

Dialogue with Clients

Identifying cascading risks early can allow brokers to source available lines before those lines are swamped by claims and demands, and it buys time to work on how to address the risks before they mushroom in size.

“The goal should be for insurers to be able to have a dialogue with their clients about what the early science is saying, to get them to substitute or change their business in such a way as to avoid causing anticipated harms,” Reville says. “The insurance industry can be the vehicle for that action in a way others cannot. Why? Say you’re talking about a chemical company that produces a particular chemical. It should know if scientists are writing about the chemical and saying it might cause bodily injury. But if that chemical company sells that product to 10,000 other companies, those 10,000 companies probably are not going to hear from the chemical company about the problem, right? And who’s the best one to be able to start that dialogue? I think it’s the insurance industry. I think that agents and brokers, as well as insurers, are absolutely in the position to do it. It could be an underwriter or a broker having a conversation with a risk manager.”

In that vein, Reville says, it’s important for brokers to have difficult conversations about emerging risks with their clients.

“Ultimately, I think that’s where brokers are headed,” Reveille says. “A lot of brokers are trying to increasingly compete not just on their ability to secure insurance but also on their ability to deliver risk intelligence. To the extent that happens, that is going to stop risks at the beginning before they cascade.”

Fundamental misinformation about the nature of systemic and cascading risks and how they play out also impedes efforts to understand and price them appropriately, says Jose Holguín-Veras, a professor at Rensselaer Polytechnic University.

“Efficiency is all about eliminating any extra fat from the system,” he says. “But if you want to be resilient, you have to have extra fat in the form of redundancy. Otherwise you will not be able to withstand external shocks like a catastrophic hurricane or the pandemic.”

Many cascades are caused by lack of awareness of the cumulative effects of smaller risks, says Robert Muir-Wood, chief research officer at RMS. As an example, Muir-Wood recounts that in the 1990s the Thai government wanted to create giant business clusters in the highest-growth technologies, such as auto, laptops and cameras. “To do this, they needed large areas of cheap, flat land, not previously built on,” Muir-Wood says. “Unfortunately, the areas chosen were floodplains.” Muir-Wood says a handful of these industrial parks were built on the same floodplain north of Bangkok. In 2011, they all flooded for up to two months, generating the largest-ever privately insured flood loss. He says that no insurer had been tracking this accumulation of risk.

Muir-Wood says data analytics have since progressed to recognize the potential for such situations before they occur. For example, he says that the biggest current concentration of risk in the global supply chain is in the Suez Canal. Beyond geographic concentrations of risk, he says, analysis of the data has demonstrated patterns of the same type of exposure worldwide, which could lead to a global cascade of similar property and liability insurance claims. One example he gives is the worldwide problem of high-rise cladding fires. Muir-Wood says these events will generate both property and liability insurance claims and have the potential to be contagious.

“We have to become smarter at identifying the potential systemic consequences of every individual event,” he says. “At RMS, we have made finding these a bigger priority, using all sorts of novel information, including artificial intelligence, where appropriate.” In many cases, he says, such risk analysis involves looking in advance for the conditions that allow for a rapid spread of risk, much as a hillside full of dried vegetation can allow a small fire to spread devastation. In cyber, concentration in one provider can be a super-spreader situation. “For example, the 2017 NotPetya attack was a malware attack masquerading as ransomware,” Muir-Wood says. “It was launched by Russia against Ukraine but then broke out to infect numerous other countries and businesses around the world. What allowed this to become truly pervasive and systemic was that they were all relying on the same Microsoft applications, and that had created the vulnerability.”

Better Pricing, Rightsizing Exposure

Reville says casualty insurers need to price systemic risk better. “Increased pricing for companies exposed to systemic risk would likely lead to more mitigation efforts,” he says. “To the extent that the industry doesn’t think systemically about risk and instead considers and prices by individual risk, they miss out on their opportunity to play a role in reducing society’s systemic risks. This type of thinking is being done in a better way on the property side but not in casualty. That’s to be expected, because we have only had the technology to do this for the latter of the past 10 years or so, whereas property has tried to do so for the last 30 to 40 years.”

A positive development, Reville says, has been the evolution toward portfolio underwriting among casualty insurers. Rather than underwriting one single class or specific type of insurance, the portfolio underwriter looks at groups or portfolios of business. One objective of portfolio underwriting is to spot small changes that could be made, perhaps in risk selection or terms, which, when applied across the portfolio, will make a significant improvement in performance of the portfolio, according to Fuse Consultancy, a U.K.-based management consultant, in a description of the practice.

An example of a systemic risk that analytics are already helping to track better and underwrite more effectively is supply chain risk, says Nancy Bewlay, global chief underwriting officer at insurer AXA XL. “We have better clarity on supply chain than we’ve ever had,” Bewlay says. “It’s not perfect, but we have the ability to track every point of the supply chain. This information gives us better insight so that we can model and determine how interconnected our portfolio is. You just have to constantly get better at looking at how our insurance business is connected, across geographies.

“What we have now that we didn’t have even 10 years ago is clarity on the data. For instance, we understand parent-subsidiary structures better; it’s common practice now. Our technology is more educated. If I went back 10 or 15 years ago, you had a lot of assumptions of possibilities that you thought could occur; today you can model it factually.

“We have to think about exposures and how broad they go. We contemplate ‘black swan’ events, rare events, and we determine our risk threshold. As an organization, when we think about our products and our risk management, we actually set thresholds about how much of that business that we want to assume. We look at our overall exposure, and we manage our exposure to those possible events. It drives everything we do, from the setting of our selection to pricing to our reinsurance purchases.”

Chubb made language changes in its policies last year to recognize the impacts of some systemic risks related to cyber, says John Kerns, executive managing director for Brown & Brown. “Boards were turning to Chubb and saying, ‘If we have a systemic event, if we were exposed to SolarWinds’—a malware cyber attack—‘can you measure or quantify that and know what the impact is going to be on the book of business?’ So Chubb introduced language, called a ‘widespread event,’ which is for systemic cascading exposure. For each type of widespread event, they will have the ability to impose co-insurance. So they’re putting it on all their policies.” Kerns, who places many of his Fortune 500 company clients with Chubb, says he has been able—given the long-standing relationships, solid controls and cyber maturity progress—to “negotiate off” co-insurance that otherwise would have been applied to them. “It can depend by industry,” Kerns says. “So you think about healthcare and public entity; those are really difficult classes. Any business that has to manage to a low margin is probably not spending as much money on IT security compared to a more profitable business, right? These all come into play in terms of whether they’re going to impose some co-insurance or not, but at the end of the day, if there’s a systemic event, they should be able to very quickly determine their aggregate exposure.”

Clients Taking It On

An inability to predict and contain systemic and cascading risks is leading increasing numbers of commercial clients, particularly larger ones, to self-insure or maintain reserves to account for perils, some brokers say. This is particularly occurring in cyber insurance.

Whether systemic risks render the existing cyber insurance product unsustainable in the long run is top of mind for many insurers and agents, says Kerns. The continuing nature of breaches and the pricing of insurance solutions is leading clients to question insurance as a risk hedge, Kerns says. “I’ve heard clients, major clients, make statements like, ‘If the current pricing trajectory for cyber insurance continues, we may have to consider this part of a business or operational risk and elect not to purchase insurance any longer.’”

Kerns says he believes 2022 will be an “inflection point” as cyber underwriters determine whether the correction made in the second half of 2021 and the first half of this year will be enough to sustain a long-term product. “While I’ve not seen a full reporting of the pure loss ratio of the cyber market for 2021, I’ve read that it could be as high as 80%, which is up from 73% from 2020,” Kerns says. “If widespread, systemic risks continue and manifest into multiples of loss across the markets’ book of business, this correction period may not be near the end.”

As the availability, pricing and coverage of insurance products become more challenging, clients are increasingly asking exactly what coverage they would be getting for such risks, and they may be forced to retain tail risks that represent systemic risks, Kerns says.

“Clients are routinely taking on more risk; that’s the bottom line,” Kerns says. “They want more information about risks so they can translate their probability of loss into financial terms that the CFO and the board can understand. Clients don’t like the cycles of the insurance market, and they want to be able to control their costs much better than they have been in the past.

“If you are transferring risk for a one-in-10-year event and you’re paying extraordinarily more than you’re paying for a 10-year note or your cost of capital, that may not be the best bet,” he says. Many clients are seeking assistance in setting up captives, says Hub’s Paulson. In the past, such constructs were often executed exclusively for tax benefits. Today, however, given the difficulty identifying and insuring cascading risks, more financially strong companies that want to insure for the uninsurable are setting up captives.