Hidden Risk
The phenomenon of risk expanding in scope and depth, called cascading or systemic risk, is not new.
But the pace and expanse of systemic risk is escalating. In a world that’s increasingly globally connected, an event in one location is likely to have systemic consequences.
Cascading risk is the potential for an event to trigger instability beyond a single company or entity.
Insurers and brokers are tracking such risk more closely, but they say much remains to be done.
Recent opioid litigation surprised insurers as it spread from manufacturers to distributors and retailers.
Insurers and many brokers and agents are tracking such risks, examining the relationships between risks, requiring clients to adopt best practices to limit such risks, and structuring coverage more carefully.
But they say much remains to be done. All too often action is taken only after a new line of risk has suddenly emerged and insurance claims are already accumulating.
Bob Reville, co-founder of casualty risk analytics company Praedicat, says accumulating claims from cascading risks could threaten insurers’ ability to aptly price different categories of risk. “If enough major risks collide, large swaths of risks could become ubiquitous and uninsurable or require government-backed alternatives, as for flood risk in the U.S. or terrorism risk in many territories,” Reville says. “On the other hand, the increasing presence of systemic risk could prompt the industry and their clients to adopt better emerging risk management practices that could translate into increased mitigation of risks before they emerge.”
Understanding Systemic Risks
Systemic risk is the potential for one event to trigger instability or even collapse of a broader sector or geography. “I think of systemic risk as being that you have multiple parties who are making claims as a result of a single event,” Reville says. “In the context of property, they usually will call that ‘catastrophe,’ and in the context of casualty, they usually call that a ‘clash’ event.
“In casualty, the way these events generate massive losses is by having a complex impact on the industrial footprint rather than only impacting a single company or a single industry. So, on one end, you can have a pharmaceutical litigation that involves thousands of people who’ve been exposed to a drug and harmed by it, and they all bring a claim against one pharmaceutical company that has one limit of insurance. That’s not a systemic risk.”
A second, more involved type, Reville says, involves claims against multiple companies within an industry. “That’s easy to manage as an insurer by having industry aggregates that you manage to,” he says. One such example, Reville says, is litigation that involves a class of pharmaceutical drugs, such as statins.
More involved events, including those that cause claims against multiple industries, “start to get into the limits of what insurers are capable of today,” Reville says. As an example, he points to the recent opioid litigation, which he says surprised insurers as it spread from manufacturers to distributors and retailers.
Further along the spectrum are those cases that further involve multiple lines of insurance, such as some opioid claims that involved D&O as well as general liability.
The worst case involves all of the above and maybe more, Reville adds. “If you have something that is truly systemic, in the worst way, it’s going to be multiple claimants against multiple companies in multiple industries against multiple lines of insurance,” Reville says. “The best example of this is asbestos litigation, which impacted dozens of industries, multiple insurance lines and decades of policy years. Today’s litigation over PFAS, also known as the ‘forever chemicals,’ is already unfolding similarly with thousands of claimants and 220 companies named across 90 industries, alleging a broad range of harms, from product liability to corporate malfeasance to water contamination.”
The extensive PFAS litigation includes claims against environmental liability, workers comp, general liability and excess casualty policies. “So you’ve got all the makings of an early-stage systemic risk that is pretty severe,” Reville says.
Behind the PFAS system risk, he says, are characteristics that accompany many emerging systemic risks: the evolution and use of new technologies. “With technologies like PFAS, the way in which you’ve got a cascading risk is somebody develops a new technology for, say, nonstick cookware. That technology, which is really useful, gets used in more and more ways over time, such as stain-resistant carpets, food packaging, cosmetics and firefighting foam. Meanwhile, scientists notice that the PFAS chemicals are present in the environment, don’t break down, and may cause bodily injury, but the new applications and the increased production keep coming,” Reville says. “That can lead to widespread environmental exposures with a complex industrial footprint and a systemic risk for insurers.”
Sometimes minor threat patterns mature into more severe ones, says Jerry Paulson, senior vice president at Hub International. Cyber is a case in point.
The insurance industry was generally slow in following that trend, he adds. But he notes one exception: Kent Paisley, a senior vice president at insurer Allied World, who started up a credit insurance and political risk book and preached about the systemic effects of cyber events.
“He said, ‘Hey, we think that cyber attacks and ransomware can lead to default of companies and insolvency,’” Paulson says. “And we were like, ‘Yeah, of course, we see the logic in that. But how prevailing is that going to really be?’”
What is often less clearly perceived, Paulson notes, is the relationship of cyber incidents and claims to other claims and business damage. “Paisley and his team were spot on,” Paulson says. “Because when you think about it, a small business that gets ransomware has to pay hundreds of thousands or millions of dollars to be able to open within days, or it could literally put them out of business. If they go out of business, who do they owe money to? That’s where the credit insurance would be triggered. It could cause a domino effect default. Now fast-forward to everyone’s talking about supply chain and the effects of COVID-19.”
Tracking Scientific Developments
Risk analytics companies like Praedicat and Risk Management Solutions (RMS), a Moody’s risk-modeling organization, try to model future insurance accumulations by tracking scientific developments and discoveries. That’s an approach that RMS has long taken for property but it’s a relatively new development for casualty that has grown over the last 10 years, Reville says.
Generally, Praedicat works by analyzing patterns of information and connected risks that grow and mature over time, Reville says.
“We mine the peer-reviewed scientific literature, looking for chemicals or products or business activities that scientists are beginning to be concerned might, downstream from their intended purpose, result in property damage, environmental damage or bodily injury,” Reville says.
“Then, as the scientific literature becomes increasingly rich at describing the exposures and understanding the bodily injuries, what we call emerging damages, we actually simulate potential future mass litigation over these issues.
“Next, we see some of these emerging damage agents end up being used in litigation, so we track the litigation over the agents that we’ve been following through the science. The risks that we’re tracking are cascading events, and we’re anticipating that they’re going to cascade in somewhat predictable patterns which are identifiable from the scientific literature.”
One often overlooked set of systemic risks are political risks, says Jerry Paulson, senior vice president at Hub International. The transition of an America-dominant world order to one with multiple strong nation-states is leading to increasing conflicts and crises throughout the globe. Political risk is one line that is still underpriced, Paulson says.
“Political risk insurance is, on a relative basis, very inexpensive to secure,” Paulson says. “Only sophisticated folks from larger companies actually think about it. Or it is sometimes secured to respond to a requirement from a borrowing perspective. They want to have protection when, for example, [former Venezuelan president Hugo] Chavez sent his military gunboats out on the coast of Venezuela 13 years ago and said, ‘Hey, these are now our oil rigs.’”
Demand for this product may rise as events like the war in Ukraine call attention to a riskier world, including the aftermath of a sanctions war that has led to Russia’s nationalization of the assets of some foreign companies.
“Right now we have a flood of interest because everyone is now thinking about China and Taiwan. The whole world is reliant on Taiwan for semiconductors, and the uncertainty is unsettling. We’re not even in the second inning of uptake of [political risk insurance] despite the fact it’s been around a long time.” Paulson notes there are some requirements for political risk insurance, such as owning physical assets in the country or having a financial interest (like equity) in a company in the country that takes an action against the asset. He says another option is supply chain disruption insurance, which is specific to a supply route and includes certain political insurance perils.
Dialogue with Clients
Identifying cascading risks early can allow brokers to source available lines before those lines are swamped by claims and demands, and it buys time to work on how to address the risks before they mushroom in size.
“The goal should be for insurers to be able to have a dialogue with their clients about what the early science is saying, to get them to substitute or change their business in such a way as to avoid causing anticipated harms,” Reville says. “The insurance industry can be the vehicle for that action in a way others cannot. Why? Say you’re talking about a chemical company that produces a particular chemical. It should know if scientists are writing about the chemical and saying it might cause bodily injury. But if that chemical company sells that product to 10,000 other companies, those 10,000 companies probably are not going to hear from the chemical company about the problem, right? And who’s the best one to be able to start that dialogue? I think it’s the insurance industry. I think that agents and brokers, as well as insurers, are absolutely in the position to do it. It could be an underwriter or a broker having a conversation with a risk manager.”
In that vein, Reville says, it’s important for brokers to have difficult conversations about emerging risks with their clients.
“Ultimately, I think that’s where brokers are headed,” Reveille says. “A lot of brokers are trying to increasingly compete not just on their ability to secure insurance but also on their ability to deliver risk intelligence. To the extent that happens, that is going to stop risks at the beginning before they cascade.”
Fundamental misinformation about the nature of systemic and cascading risks and how they play out also impedes efforts to understand and price them appropriately, says Jose Holguín-Veras, a professor at Rensselaer Polytechnic University.
“Efficiency is all about eliminating any extra fat from the system,” he says. “But if you want to be resilient, you have to have extra fat in the form of redundancy. Otherwise you will not be able to withstand external shocks like a catastrophic hurricane or the pandemic.”
Many cascades are caused by lack of awareness of the cumulative effects of smaller risks, says Robert Muir-Wood, chief research officer at RMS. As an example, Muir-Wood recounts that in the 1990s the Thai government wanted to create giant business clusters in the highest-growth technologies, such as auto, laptops and cameras. “To do this, they needed large areas of cheap, flat land, not previously built on,” Muir-Wood says. “Unfortunately, the areas chosen were floodplains.” Muir-Wood says a handful of these industrial parks were built on the same floodplain north of Bangkok. In 2011, they all flooded for up to two months, generating the largest-ever privately insured flood loss. He says that no insurer had been tracking this accumulation of risk.
Muir-Wood says data analytics have since progressed to recognize the potential for such situations before they occur. For example, he says that the biggest current concentration of risk in the global supply chain is in the Suez Canal. Beyond geographic concentrations of risk, he says, analysis of the data has demonstrated patterns of the same type of exposure worldwide, which could lead to a global cascade of similar property and liability insurance claims. One example he gives is the worldwide problem of high-rise cladding fires. Muir-Wood says these events will generate both property and liability insurance claims and have the potential to be contagious.
“We have to become smarter at identifying the potential systemic consequences of every individual event,” he says. “At RMS, we have made finding these a bigger priority, using all sorts of novel information, including artificial intelligence, where appropriate.” In many cases, he says, such risk analysis involves looking in advance for the conditions that allow for a rapid spread of risk, much as a hillside full of dried vegetation can allow a small fire to spread devastation. In cyber, concentration in one provider can be a super-spreader situation. “For example, the 2017 NotPetya attack was a malware attack masquerading as ransomware,” Muir-Wood says. “It was launched by Russia against Ukraine but then broke out to infect numerous other countries and businesses around the world. What allowed this to become truly pervasive and systemic was that they were all relying on the same Microsoft applications, and that had created the vulnerability.”
Better Pricing, Rightsizing Exposure
Reville says casualty insurers need to price systemic risk better. “Increased pricing for companies exposed to systemic risk would likely lead to more mitigation efforts,” he says. “To the extent that the industry doesn’t think systemically about risk and instead considers and prices by individual risk, they miss out on their opportunity to play a role in reducing society’s systemic risks. This type of thinking is being done in a better way on the property side but not in casualty. That’s to be expected, because we have only had the technology to do this for the latter of the past 10 years or so, whereas property has tried to do so for the last 30 to 40 years.”
A positive development, Reville says, has been the evolution toward portfolio underwriting among casualty insurers. Rather than underwriting one single class or specific type of insurance, the portfolio underwriter looks at groups or portfolios of business. One objective of portfolio underwriting is to spot small changes that could be made, perhaps in risk selection or terms, which, when applied across the portfolio, will make a significant improvement in performance of the portfolio, according to Fuse Consultancy, a U.K.-based management consultant, in a description of the practice.
An example of a systemic risk that analytics are already helping to track better and underwrite more effectively is supply chain risk, says Nancy Bewlay, global chief underwriting officer at insurer AXA XL. “We have better clarity on supply chain than we’ve ever had,” Bewlay says. “It’s not perfect, but we have the ability to track every point of the supply chain. This information gives us better insight so that we can model and determine how interconnected our portfolio is. You just have to constantly get better at looking at how our insurance business is connected, across geographies.
“What we have now that we didn’t have even 10 years ago is clarity on the data. For instance, we understand parent-subsidiary structures better; it’s common practice now. Our technology is more educated. If I went back 10 or 15 years ago, you had a lot of assumptions of possibilities that you thought could occur; today you can model it factually.
“We have to think about exposures and how broad they go. We contemplate ‘black swan’ events, rare events, and we determine our risk threshold. As an organization, when we think about our products and our risk management, we actually set thresholds about how much of that business that we want to assume. We look at our overall exposure, and we manage our exposure to those possible events. It drives everything we do, from the setting of our selection to pricing to our reinsurance purchases.”
Chubb made language changes in its policies last year to recognize the impacts of some systemic risks related to cyber, says John Kerns, executive managing director for Brown & Brown. “Boards were turning to Chubb and saying, ‘If we have a systemic event, if we were exposed to SolarWinds’—a malware cyber attack—‘can you measure or quantify that and know what the impact is going to be on the book of business?’ So Chubb introduced language, called a ‘widespread event,’ which is for systemic cascading exposure. For each type of widespread event, they will have the ability to impose co-insurance. So they’re putting it on all their policies.” Kerns, who places many of his Fortune 500 company clients with Chubb, says he has been able—given the long-standing relationships, solid controls and cyber maturity progress—to “negotiate off” co-insurance that otherwise would have been applied to them. “It can depend by industry,” Kerns says. “So you think about healthcare and public entity; those are really difficult classes. Any business that has to manage to a low margin is probably not spending as much money on IT security compared to a more profitable business, right? These all come into play in terms of whether they’re going to impose some co-insurance or not, but at the end of the day, if there’s a systemic event, they should be able to very quickly determine their aggregate exposure.”
Clients Taking It On
An inability to predict and contain systemic and cascading risks is leading increasing numbers of commercial clients, particularly larger ones, to self-insure or maintain reserves to account for perils, some brokers say. This is particularly occurring in cyber insurance.
Whether systemic risks render the existing cyber insurance product unsustainable in the long run is top of mind for many insurers and agents, says Kerns. The continuing nature of breaches and the pricing of insurance solutions is leading clients to question insurance as a risk hedge, Kerns says. “I’ve heard clients, major clients, make statements like, ‘If the current pricing trajectory for cyber insurance continues, we may have to consider this part of a business or operational risk and elect not to purchase insurance any longer.’”
Kerns says he believes 2022 will be an “inflection point” as cyber underwriters determine whether the correction made in the second half of 2021 and the first half of this year will be enough to sustain a long-term product. “While I’ve not seen a full reporting of the pure loss ratio of the cyber market for 2021, I’ve read that it could be as high as 80%, which is up from 73% from 2020,” Kerns says. “If widespread, systemic risks continue and manifest into multiples of loss across the markets’ book of business, this correction period may not be near the end.”
As the availability, pricing and coverage of insurance products become more challenging, clients are increasingly asking exactly what coverage they would be getting for such risks, and they may be forced to retain tail risks that represent systemic risks, Kerns says.
“Clients are routinely taking on more risk; that’s the bottom line,” Kerns says. “They want more information about risks so they can translate their probability of loss into financial terms that the CFO and the board can understand. Clients don’t like the cycles of the insurance market, and they want to be able to control their costs much better than they have been in the past.
“If you are transferring risk for a one-in-10-year event and you’re paying extraordinarily more than you’re paying for a 10-year note or your cost of capital, that may not be the best bet,” he says. Many clients are seeking assistance in setting up captives, says Hub’s Paulson. In the past, such constructs were often executed exclusively for tax benefits. Today, however, given the difficulty identifying and insuring cascading risks, more financially strong companies that want to insure for the uninsurable are setting up captives.
Some systemic risks are so dire they beg for government intervention to help contain them. That role can include steps to identify cascading and systemic risks, steps to prepare for and mitigate such risk, and mandating insurance coverage and financial reserves.
In that vein, the Bank of England and the U.K.’s Prudential Regulatory Authority have required U.K. financial institutions to develop operational resilience by mapping out and accounting for small-probability tail events related to cyber security and other systemic threats. The concept of operational resilience gained prominence in 2018 after the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority jointly released a discussion paper titled “Building the U.K. Financial Sector’s Operational Resilience.” The discussion paper was published in response to technology outages and major cyber attacks impacting the financial sector, according to research by management consulting firm Protiviti.
“The PRA is essentially requiring insurers to explicitly map out these different risks,” Reville says. “Once you map them out, then you can price and underwrite them. The PRA is going to be methodical. They are trying to make sure that insurers have the capability to map the risk first. Once they establish that the mapping capability is present, they will want to make sure that the industry is taking appropriate steps, whether it’s pricing or aggregation management or reinsurance or insurance-linked securities. Ultimately, they’re headed down the path to create a system to internalize these large-scale risks in ways that probably will ultimately lead to better mitigation.”
U.S. electric grid regulations adopted in response to a 2003 large blackout in the Northeast United States offer another example of impactful regulation. Prior to the blackout, the North American Electricity Reliability Council (NERC) set voluntary standards. In the wake of the blackout report, Congress passed the Energy Policy Act of 2005, which expanded the role of the Federal Energy Regulatory Commission by requiring it to solicit, approve and enforce new reliability standards from NERC, now the North American Electricity Reliability Corporation. Utilities have been able to recover the costs of such initiatives through rates.
The National Association of Insurance Commissioners has also begun responding to systemic risks. After the 2008 financial crisis, it emphasized focus on examining financial risks through its macroprudential initiative, which “involves analyzing how the insurance sector is impacted by, reacts to, and contributes to financial, economic, and other common risk exposures.” Liquidity risk is a priority.
In 2019, the International Association of Insurance Supervisors adopted the Holistic Framework for the assessment and mitigation of systemic risk in the insurance sector. It was implemented in the beginning of 2020. The Holistic Framework is an integrated set of supervisory policy measures, a Global Monitoring Exercise (GME) and implementation assessment activities. The GME is designed to assess global insurance market trends and developments and detect the possible buildup of systemic risk in the global insurance sector.