Many feel rate hikes are too high; will be
looking to alternative market for relief
By Dennis Pillsbury
Corporate America is "mad as hell and it's not going to take it anymore." That was the one of the clearest messages enunciated at the recent Risk and Insurance Management Society (RIMS) annual meeting in New Orleans. Whether on the shuttle bus, at cocktail receptions or at meetings, one invariably heard someone complain about a huge rate increase accompanied by a diminution of coverage. And these increases are not just being accepted as the cost of doing business. Risk managers will be making changes.
In a survey conducted by Munich-American RiskPartners, Princeton, New Jersey, 69% of respondents said they "expected to change their relationship with the insurance provider" over the next 24 months. And among the comments from responding risk managers was: "Insurance companies are taking advantage of 9/11. Price gouging does not enhance relationships." A number of others termed the recent rate hikes, "knee jerk reactions," and some suggested that carriers have demonstrated that they "really do not value loyalty/relation building."
There is "an undercurrent of dissatisfaction" with the insurance industry, newly elected RIMS President Christopher E. Mandel said at a press conference. Mandel, who is assistant vice president, enterprise risk management for USAA, added, "there is exploitation going on."
Outgoing RIMS President David Mair said risk managers are looking at finite risk, captives and other alternatives. "The insurance industry has brought us a time of great challenge," continued Mair, director, risk management and purchasing for the United States Olympic Committee. He called some of the rate hikes "inappropriate" and suggested that the insurance industry could be losing a lot of good customers to alternative markets.
Mandel added that he was tired of the industry complaining about not getting credit for paying claims arising out of the September 11 tragedy. "Paying claims should be a core competency. That's what they are in business to do." He added that, while the majority of the claims have been paid, there remain a number of claims that are being disputed.
As one risk manager, who preferred not to be identified, commented: "It took the industry 15 years of questionable pricing to get itself into this fix. Now it seems like the companies want to recoup it all in one year." She admitted "we took advantage of the competitive pricing during the soft market, so we're willing to take some of the blame and pay a fair price for coverage. But these huge increases are intolerable."
A survey by RM Access, a Fidelity Investments company based in Boston, confirmed that risk managers would be looking elsewhere for coverage. In that survey, 63% of the respondents indicated they planned to "increase the use of alternative risk financing tools," while the other 37% said their use of alternative financing would "remain the same." No one said they would be decreasing their use of alternative financing. The survey found that captives will be the most used form of alternative financing, with 50% saying they planned to "expand the use of an existing captive" and 38% saying they planned to "form a captive." (It should be noted that respondents could indicate more than one answer to the question about alternative financing, so some respondents may be both expanding the use of a captive and forming a new one.)
E-risk becoming a growing concern
While the escalating cost of insurance took center stage, concerns about potential exposures of the electronic age are beginning to capture the attention of the risk management community.
Until recently, e-risk has been like the weather with everyone talking about it, but no one really doing anything about it. However, the RM Access survey found that risk managers now are beginning to focus on their e-risk exposures in a big way: 46% said they were attempting to "quantify the exposure to e-risk"; 42% were "investigating an e-risk policy"; 39% were "developing an e-risk loss prevention program"; and 23% were "conducting a third-party exposure audit." (Respondents could have more than one answer.)
Interestingly, the current insurance products that have emerged in the marketplace are not understood by many and are not seen as solutions to the e-risk problem. Only 14% of respondents said the "existing products available for e-risk provided the desired coverage and limits"; 38% said they did not; and a plurality (48%) didn't know whether they did or not.
One of the positive aspects of this focus on e-risk has been a much better understanding of where losses are coming from. As Richard Power, editorial director, Computer Security Institute (CSI), San Francisco, points out, a number of commonly accepted fallacies led many companies to take no action on risk transfer and others to take the wrong action. Two of the most common fallacies are that "80% of cyber crime comes from inside the company," and that "most hackers are just kids who aren't involved in serious crime." The early results of acceptance of these fallacies was that many companies spent much more time on internal security than on building strong security technology to thwart external entry into the system. And many companies decided that insurance wasn't necessary since no serious crimes were being committed.
Today, however, a growing number of companies have become aware of the fact that cyber crime is a serious problem, involving networks of very serious criminals intent on extracting information from company databases that will enrich them in some way. Other criminals appear intent on destruction of information in order to create disruption. The "2002 Computer Crime and Security Survey," conducted by CSI and the FBI, found that reported losses from cyber crime were up to nearly $456 million in 2001. Five years ago, reported losses were just a little over $100 million. This is especially startling when one considers that 80% of the 503 companies responding to the 2002 survey acknowledged financial losses, but only 44% of respondents could quantify the losses, suggesting that the actual losses are much higher.
Power goes on to point out that increasing reliance on electronic communication and commerce makes the Web a perfect mechanism for cyber-terrorism. He notes that many attempts already have been made on the nation's infrastructure, including telecommunications, energy, transportation, banking and finance, emergency services and government operations. In response to an increasing number of attempts, the FBI established the National Infrastructure Protection Center located at FBI headquarters and the Regional Computer Intrusion Squads located in selected offices throughout the United States.
"September 11 made it clear that we need to take these people seriously," Power says. "Bin Laden was successful because he thought outside the box. Who ever would have thought that people armed with box cutters could take control of airliners? Cyber-terrorist attacks could have a devastating and disruptive effect on our economy and our psychological well-being."
Power concludes that "9/11 has shown us that security must be global and multi-dimensional. Corporations need to appoint a chief risk officer (CRO) or a chief security officer (CSO) with responsibility for making certain that network security is part of the company's complete risk management program." *