Risk Management & Insurance
This article examines the risks that businesses face including those of natural events such as severe storms, and technological risks such as those created by the Internet. The concept of a risk society is explained as well as how and why societies have become risk focused. The cost of damage from natural events is examined along with methods that insurance companies use to reduce their financial exposure to such risks. The risks posed by the Internet are reviewed and the use and purpose of cyber insurance policies are explained. The means by which insurance companies actively work at the societal level to reduce their risk is examined.
Keywords Climate Change; Cyber Insurance; Cyber Risk Insurance; External Risk; High-risk Customers; Insurance; Low Probability-High Consequence (LP-HC) Events; Manufactured Risks; Natural Disaster; Reinsurer; Risk Society; Risks Analysis; Technological Risks
We live in a world full of risks. Events of nature such as Hurricane Katrina affect international markets, such as oil, gas, and insurance. Attacks such as those of September 11, 2001 had the immediate effect of property damage and fatalities, inflicting direct damage estimated at nearly $80 billion. Both events caused significant business interruption losses, which were felt all over the world (Kunreuther, 2006).
There are also numerous risks that have been created by industrial societies (Giddens, 1999). Trains wrecking, bridges falling, and planes crashing are examples of technological risks (Lewis, 1990). All technologies have some sort of risk involved. Even the Internet is at risk and creates risks. Malicious code attacks on the Internet, for example, have caused billions of dollars in business disruption over the last decade (Erbschloe, 2004).
The Risk Society
Modern societies are often considered risk societies. A risk society is a society in which people “increasingly live on a high technological frontier which absolutely no one completely understands and which generates a diversity of possible futures” (Giddens, 1999, p. 3). According to Giddens, the origins of the risk society can be traced to two fundamental transformations: the end of nature and the end of tradition.
“The end of nature does not mean a world in which the natural environment disappears. It means that there are now few if any aspects of the physical world untouched by human intervention. For hundreds of years, people worried about what nature could do to them — earthquakes, floods, plagues, bad harvests and so on. At a certain point, somewhere over the past fifty years or so, people stopped worrying so much about what nature could do to them, and started worrying more about what they have done to nature. The transition makes one major point of entry in risk society. It is a society which lives 'after nature'” (Giddens, 1999, p. 3).
However, a risk society is also a society that lives after tradition. Giddens writes that, “to live after the end of tradition is essentially to be in a world where life is no longer lived as fate. For many people — and this is still a source of class division in modern societies — diverse aspects of life were established by tradition as fate. It was the fate of a woman to be involved in a domestic milieu for much of her life, to have children and look after the house. It was the fate of men to go out to work, to work until they retired and then — quite often soon after retirement — essentially to fade away” (1999, p. 3).
In post-industrial societies where some degree of economic mobility is possible, people no longer live their lives as fate, but rather make choices about how to live.
In modern risk societies, the management and elimination of risk have become preeminent drivers of public policy. In the contexts of science and public health, for example, the protection of public trust is a complex task. Those actors involved in public health decision-making and implementation (e.g., mass vaccination for influenza A virus) are confronted with growing pressures and responsibility to act. However, they also need to accept the limits of their own expertise and recognize the ability of lay publics to understand and be responsible for public health (Dupras & Williams-Jones, 2012).
To analyze what a risk society is, one must make a series of distinctions. First of all, it is necessary to separate risk from hazard or danger. As Giddens points out, “A risk society is not intrinsically more dangerous or hazardous than pre-existing forms of social order. . . it is a society increasingly preoccupied with the future (and also with safety), which generates the notion of risk” (p. 3).
The word 'risk' has a negative connotation, since it refers to the possibility of an unwanted outcome. But it can be positive, in terms of taking bold initiatives in the face of a potentially problematic future. To distinguish risk from hazard, we must also make a distinction between two kinds of risk (Giddens, 1999):
- External risk is the risk of events that may strike individuals unexpectedly (from the outside) but that happen often enough in a general population of people to be broadly predictable, and so insurable.
- Manufactured risk is expanding in most aspects of human life. “It is associated with a side of science and technology, which the early theorists of industrial society by and large did not foresee. Manufactured uncertainty intrudes directly into personal and social life — it is not confined to more collective settings of risk. In a world where one can no longer simply rely on tradition to establish what to do in a given range of contexts, people have to take a more active and risk-infused orientation to their relationships and activities” (Giddens, 1999, p. 4).
Man’s existence has always been plagued with unpredicted events in nature such as earthquakes, blizzards, hurricanes, floods, forest fires, tornadoes, and volcanoes. America was “fortunate to experience relatively few catastrophes from the 1960s through the 1980s, and even the property/casualty insurance industry, which pays for much of the damage, was lulled by years of relatively low losses. Premium rates fell to levels that allowed little to be set aside as a reserve for catastrophic losses” (Campbell, 1997, p. 6).
Kunreuther (2006) classifies natural disasters as low probability-high consequence (LP-HC) events. Since 1989, when Hurricane Hugo struck the Southeast and the Loma Prieta earthquake shook the San Francisco area, several worse disasters hit, with major financial consequences:
“Hurricane Andrew in South Florida in 1992, and the Northridge earthquake two years later near Los Angeles caused over $45 billion in damage (1997 dollars), with the insured loss at $30 billion. These events introduced a new sense of scale to the calculations of insurers, academic observers, rating agencies, and regulators. The reinsurance market reacted first, by raising prices and restricting coverage” (Campbell, 1997, p. 6).
The perception of greater exposure to natural disaster has opened “fissures in the system” of risk management. Campbell writes,
“the question of insurability has become a public policy issue, beyond the possibility of insolvency of individual insurance firms. Some in the industry would turn to the government as insurer of last resort, since the government already issues flood insurance and provides disaster aid. But if government protection were extended without passing on the true costs to those property owners who incur the risks, it could encourage greater exposure and larger losses when the next big one hits” (1997, par. 4).
Unfortunately, regulated insurance pricing is inadequate in aligning an individual customer’s risk with the problem of adverse selection, i.e., placing himself or his property at greater risk than others. Campbell believes that, “premium rates are well below what are now considered to be actuarially sound levels” (par. 8). Insurance regulators (who are either elected or appointed) have been “loath to allow prices to rise much. And some firms, reluctant to cede growing markets to competitors, have decided to hold fast at the regulated, low prices” (par. 8).
Insurance against Cyber Risk
One of the most popular technologies, the Internet, has shown to have as much risk as it does promise. One of the biggest challenges that has come along with networked and Internet-connected computers is the absolute requirement of dealing with malicious code attacks. “If systems are not in some way equipped with anti virus protection, sooner or later some bug will eat them” (Erbschloe, 2004).
The unfortunate circumstances that wired societies face can be depicted in as follows:
- Organizations and individuals want computing and communications resources and they want them as cheap as possible.
- Software and hardware manufacturers synergistically work to meet market demands for cheap but highly functional computing and communications resources.
- The corporate interests that drive cooperation between software and hardware manufacturers have resulted in a marketplace that is dominated by very few companies.
- Market dominance by very few companies has created a computing and communications technology ecology with very few species.
- The antitheses to the social forces that drive the dominant companies to cooperate in controlling the marketplace is a counter culture of malicious code writers that revels in embarrassing the corporate giants on their lack of technological prowess.
- The small number of species in the technology ecology makes it easy for the malicious code writers to find vulnerabilities and launch attacks that can spread around the world in a very short time (Erbschloe, 2004, p. xv).
Additionally, the quickly growing market for smartphones, in combination with their near-constant on-line presence, makes these devices newer targets of malicious code writers. Aggravating the issue, the security level of these devices is below the state-of-the-art of what is used in personal computers (Wang, Gonz les, Menezes, & B rabasi, 2013).
Law enforcement agencies and the corporate giants that dominate the computer market label malicious code writers and attackers as criminals and at times even as terrorists. The malicious code writers and attackers view the corporate giants as criminal and parasitic organizations dominated by greedy capitalists. Meanwhile the governments of the computer-dependent parts of the world are struggling to unify their efforts to fight malicious code attacks and doing so largely under the umbrella of the global war on terrorism. These circumstances have created a marketplace in which virus protection and computer security product companies have thrived. This labyrinth of social, political, and economic forces has several results, many of which are very embarrassing for modern societies:
- Very few malicious code attackers are ever caught by the police.
- Government agencies, like the Department of Homeland Security in the United States, cannot catch up with malicious code attackers, let alone build a national defense system to stop attacks.
- Large organizations that purchase technology...
(The entire section is 5082 words.)