How Emerging Tech Will Reshape Our Economy in the Next Decade

By Russ Banham

Emerging technologies like artificial intelligence (AI), blockchain, 5G, cryptocurrencies, and the Internet of Things (IoT) are improving how we communicate and exchange information. To varying degrees and often in combination, these tools also are transforming the fundamentals of commerce and production.

Yet, these breakthrough technologies tend to stir up worries of jobs lost to machines. The truth, however, is more nuanced. While machines will absorb many laborious tasks, people will be needed to operate these technologies. Hence the increasingly accepted idea of human-machine partnerships and their ability to change the types of work people perform to the betterment of business and the global economy.

This is just one of several important insights into human-machine partnerships and how they will reshape the world’s economy in a report by Dell Technologies and the Institute for the Future, a not-for-profit think tank based in Palo Alto, California. The study, titled “The Future of the Economy,” draws from interviews with twenty global experts across an array of disciplines. According to the report, three pivotal socioeconomic shifts are simultaneously occurring to create a friction-free economy by 2030.

The first shift is toward autonomous commerce, whereby machines will be able to assess the needs of consumers and businesses to deliver products and services on an automatic, cost-effective, low-to-no-human touch basis. For example, an internet-enabled clothes washer will “negotiate” with other appliances in a house to prioritize hot water use at times of day when energy is the least expensive.

When maintenance and repair issues arise, the machine will interact with other machines over the internet to contact service personnel to fix the problem, either online through electronic interventions or via a home visit. The related transactions will be triggered by pre-established smart contracts within secure blockchain platforms, with the payment made in cryptocurrencies.

The second shift cited in the report is toward anticipatory production, whereby automated micro-manufacturing augments and, in some cases, replaces traditional mass production. Once a consumer signals an intent to purchase a product, companies will be able to leverage emerging technologies to rapidly fulfill this demand, in part through “maker” communities with unique capabilities.

A case in point is a maker of 3D-printed components. When a customer signals a demand for a product, this information automatically triggers a smart contract in a blockchain platform, activating the making of the printed part. Since customer demand fluctuates, anticipatory production will leverage technologies to gauge these changes in advance, ensuring a ready-and-steady inexpensive supply from makers when the need arises.

The last shift is toward leapfrog communities. Smaller economies around the world that are unburdened by antiquated legacy systems will be positioned to leap forward, thanks to innovative financial services concepts. For example, distributed ledgers in a blockchain platform can empower the disenfranchised to document their identities to participate more fully in the global economy, using mobile handsets to transfer money and obtain micro-credit. These new ways of accessing capital are designed to improve the lives of people in their local communities.

These shifts are already evident in many cases. Rather than displace workers, they reimagine the nature of work, offering newer forms of craft and service. Nevertheless, every socioeconomic transition—especially one so technologically transformative—has impact well beyond more productive ways of performing a business operation or task.

“Machine learning, for instance, is an amazing technology, and it creates an ability to change the world like nothing we’ve seen before,” says Erik Brynjolfsson, director of the Initiative on the Digital Economy and a professor of management at MIT Sloan School of Business. “While it can be used to create more broadly shared prosperity to solve all sorts of health problems and empower people, it can also be used to concentrate wealth and power, and eliminate privacy. There is no economic law that we automatically share equally.”

To alter such negative outcomes, Brynjolfsson says that we must identify the potential downsides of emergent technologies to make ethical decisions on how these tools can be used to generate positive economic and societal outcomes.

“Real value is created by managers and entrepreneurs who know how to reinvent a factory or reinvent retailing—using some AI but also using people and combining both in new ways,” he explains. “The human and the machine working together can do something neither of them could have done separately. I’ve seen a sea change where most AI researchers now really think a lot about the ethics.”

Preparing for an Extraordinary Future

When asked to weigh in on the three shifts outlined by “The Future of the Economy” report, Brynjolfsson and Karen Harris, managing director of consultancy at Bain’s Macro Trends Group, both agreed these technologies can be enablers of a better future— assuming their challenges are mitigated to reduce negative outcomes.

One such outcome is a substantial reduction in traditional forms of employment. “I agree with the idea of autonomous commerce, where machine learning and internet-enabled sensors collaborate with or without people to provide services and products in the transitional period through 2030, but there are potentially adverse implications, chief among them massive dis-employment,” says Harris.

As an example, Harris points to Amazon’s current employment of warehouse workers, who are likely to be displaced as more efficient, productive and cost-effective robots are developed. “Amazon has been quietly rolling out these robots that handle customer orders, reportedly removing 24 job positions at each facility where they’ve been deployed.”

Certainly, the knock-on effects on people caused by emerging technologies, in addition to the economic impact of higher unemployment, cannot be ignored, particularly as the cost of automation comes down.

“With this as backdrop, the focus needs to be on the development of different types of jobs and places to work,” Harris says. “If businesses fail to provide this employment, then governments may need to intervene—much like the federal government did during the Great Depression with the Works Projects Administration (WPA), which gave jobs to more than 8 million people.”

Changing Demographics

Both futurists are neither cynics nor Luddites when it comes to the value of technological enhancements. As Harris observes, “Each new technology is built on a previous technology to create incredible upsides.”

Brynjolfsson agrees, commenting that human-machine partnerships have too much going for them to turn back the dial. “We’re moving from human decision-makers to having machines do more and more, either through big data or artificial intelligence,” he says. “But we’re far from general artificial intelligence that can just do everything, and that means we need to have a partnership between humans and machines. They each have their strengths and weaknesses.”

With regard to the weaknesses, he cites the stark possibility of growing wealth disparity. “We can use these powerful tools to create more inequality or more shared prosperity,” says Brynjolfsson. “This realization should be front and center as we apply the tools.”

The notion of shared prosperity also resonates with Harris, especially in relation to local maker communities producing specialty goods on an on-demand basis, given the availability of work provided and the opportunity for independent entrepreneurs to choose where to live.

“Because of the old industrial economy, people flocked to cities that were technically designed for mass production and concentrated labor,” she explains. “The cities eventually became unaffordable for the middle class, who migrated to the suburbs and commuted to the urban core. Now independent makers can live in the urban burbs or exurbs that are sprouting well outside major cities, where homes are more affordable and quality of life considerations like walkable communities are increasing.”

Moreover, unique forms of work are developing to provide an additional means of income in local communities. “A traditional small business like a hardware store can expand its customer base by becoming part of the maker revolution,” says Harris. “Instead of going to a retailer selling a silverware set that is mass-produced in Vietnam, a consumer who needs one or two forks and spoons and doesn’t want to buy an entire set can go to a hardware store with 3D printing capabilities to make the utensils on a customized basis. An entirely new enterprise and market opens up for an old-timey business.”

Harris adds that the shift toward anticipatory production also presents the opportunity for lower-income people to have more children. “Rich people today have more kids than people in the middle and lower classes because of the growing cost of living; our research indicates that birth rates rise as a family’s income begins to exceed $150,000 to $200,000 annually,” she explains. “People at lower income levels don’t want to have more kids than they can afford to provide a decent education and healthcare. The socioeconomic benefits would be more equally shared across families in different income classes.”

Brynjolfsson has a similar perspective of shared socioeconomic benefits, insofar as the value of emerging technologies to foster diversity of thought within companies. Many businesses tend to hire people who think just like those currently employed, “which leads to groupthink,” he says. “That’s where crowd innovation needs to come in.”

He is referring to loosely decentralized but well-functioning crowds of diverse people that collectively bring to the decision-making table a wide variety of skills, experiences and perspectives to solve business problems and ideate new business concepts.

“Diverse ways of thinking often come from people who have diverse experiences—different races, genders, classes, countries, training disciplines, backgrounds,” Brynjolfsson says. “You get people who think outside-the-box. It’s not that they’re experts, it’s that they’re experts in something else.

The use of machine learning and predictive data analytics can ferret out individuals’ diverse experiences and the skill sets they generate, whereas human recruiters have unconscious biases that limit this possibility. “It’s really hard to get people to be less biased,” Brynjolfsson acknowledges. “While machine learning systems are imperfect, people are way more imperfect. And machine learning systems have the advantage of improving over time.”

Preparing for Tomorrow

Much work still needs to be done within business organizations to set the stage for the profitable outcomes available from human-machine partnerships. “Technology is the tip of the iceberg, but the iceberg is our skills—human capital and organizational capital,” says Brynjolfsson.

He advises businesses to invest first in people and operations before spending capital on technology, “because that’s where the bottlenecks reside,” he says. “If somebody snapped their fingers and said, `Okay, no more technology development for the next 30 years,’ we’d still have lots of work to do reinventing retailing, manufacturing, government, and medicine just using the technologies we have right now.”

Harris has a similar perspective, citing the wisdom socioeconomic implications of a technology as it is under development. “AI, blockchain, robotics, the Internet of Things, they all have this incredible upside, but that doesn’t change the fact that moving too quickly can have adverse impacts like labor dislocation,” she explains. “We need to be realistic that some outcomes will be negative, requiring thoughtful analysis and mitigations.”

From the advent of the wheel to today’s machine learning systems, all technologies are simply tools designed to make work less toilsome and people more productive. As these tools become more sophisticated in the decade ahead, now is the time to evaluate and act upon their complex socioeconomic impacts.

Insurer Innovation Comes Under the Rating Agency Microscope

By Russ Banham

Insurance Journal

Underway for some time now, the disruption of the insurance industry has moved into a new phase, following the announcement by A.M. Best that it may soon begin scoring insurers’ innovation efforts. Journalist Russ Banham spoke with ratings agencies, thought leaders and an industry exec to discuss the varied responses to A.M. Best’s announcement that it may begin scoring carriers’ individual innovation efforts as a component of ratings.

In mid-March, the venerable insurer ratings agency sent out a draft report on its plan to incorporate a score on an insurance company’s innovativeness within its overall rating of a carrier. The report—”Scoring and Assessing Innovation”—affirms the disruptive risk that digital and data technology presents for insurers that fail to invest in innovation or invest unwisely.

Certainly, the importance of innovation is not news to industry participants. Over the past several years, hundreds of startup InsurTech companies have sprung up like mushrooms after a long-needed rainstorm. Many of the startups (and certainly their deep-pocket investors) saw an opportunity to enhance the business of insurance, leveraging technology to increase back-office efficiency, enrich the customer experience, and improve underwriting, pricing and claims administration.

The breathtaking pace and breadth of the startups’ technological ingenuity suggested an industry ripe for disruption. In response, many large insurers have increased their capital budgets to invest in similar enhancements, evident in their digital and data transformations. Pressed to do the same, many midsize and smaller insurers are following suit, moving their on-premise IT systems to the cloud and investing in data and analytics initiatives.

A.M. Best’s plan to assess and score each carrier’s innovation investments and their outcomes will likely further these efforts, given the vital importance of an insurer’s financial strength to customers’ trust in their claims-paying ability. Life, health and property/casualty insurers have until May 13 to express their comments about the draft report to A.M. Best.

The process by which the ratings agency will assess and score innovation is laid out in the draft report, which may alter as carrier comments are received and incorporated. A.M. Best expects that all rated companies eventually will be scored and assigned a published innovation assessment.

“None of this is final yet and it’s possible things could change,” said Stephen Irwin, the Oldwick, N.J.-based rating agency’s senior director, Credit Rating Criteria, Research & Analytics. “We’ve been talking about innovation with companies for some time, but we are now moving toward more of a way of formalizing these discussions.”

Different Strokes

Like other ratings agencies, A.M. Best has its own formula for rating carriers. Key factors include an insurer’s balance sheet strength, operating performance, business profile and enterprise risk management (ERM). The plan is to include a score for innovation within the business profile component of a carrier’s overall rating. The reason, the agency explained in a press release, is to “consider whether the company’s innovation efforts, or lack thereof, have had a demonstrable positive or negative impact on its long-term financial strength.”

While innovation has always been an important factor in an insurer’s financial performance, the blistering speed of technological development has made it increasingly critical to a carrier’s long-term prospects. At its most basic, the score will consider two elements: the components of an insurer’s varied innovation efforts and their respective impact on the carrier’s financial performance. The resulting score is the sum of these two evaluations.

Assuming all goes according to plan, the rating agency will have made a bold if not historic decision, one with extraordinary ramifications for individual carriers. Although the firm suggests the innovation score will not automatically translate into a positive or negative rating for a carrier—possibly due to the time it takes for innovation to make a decided difference in an insurer’s financial performance—over time it will carry more weight. Nevertheless, for carriers that have not made investments in innovation, clearly the time has come to reappraise this decision. No longer can this be a viable option, given the dire risk of a ratings downgrade. As the draft report states, “The cultivation of innovation will become a leading indicator of companies with defensible market positions.”

Fitch, Moody’s, S&P

Carrier Management reached out to the three other major insurer ratings agencies to determine whether or not they plan to follow the example set by A.M. Best, if indeed its plan to score an insurer’s innovation efforts sees the light of day. All of them—Fitch, Moody’s and Standard & Poor’s—responded negatively.

“I don’t disagree that innovation is a crucial determinant of a carrier’s financial performance, but we don’t need to break this out into a separate score since it already bleeds into every component of our analyses,” said Jim Auden, managing director at Fitch Ratings.

Moody’s Investors Service shares this perspective. “Clearly, we’ve seen rapid progress by insurance companies to innovate inside the organization or partner with InsurTech firms to do the same,” said Manoj Jethani, the agency’s vice president, senior analyst, life insurance. “We don’t have an explicit factor assigned to innovation in our rating methodology, as we already incorporate it throughout our analyses.”

So does S&P Global Ratings. “In assessing innovation through our current rating framework, we would need to see a carrier demonstrate sustainable operating performance as a result of the innovation,” said Anika Getubig, an associate director at the ratings agency. “For example, if the innovation results in a better user experience or a more differentiated brand that materially improves the company’s market position, we would consider this in the overall assessment of the carrier’s competitive position.”

All the ratings agencies said they discuss each insurer’s innovation efforts with its senior management team to discern the amount of capital investments, where this money is earmarked, why it is being spent and the expectations for a return. Subsequent conversations ferret out whether or not the investments are reaping the anticipated returns. These varied details are compared with other carriers’ innovation efforts. This process conforms to the way A.M. Best has historically captured innovation—indirectly through the various building blocks of its rating process.

The discussions with senior management of insurers are considered a serious matter for all four ratings agencies. “An insurance company that is not delving into innovation would be viewed as a credit negative, as we expect it will lag behind its peers over time and find it increasingly difficult to secure preferred customers,” said Getubig.

Auden appeared to share this opinion. “With growing computing power and capacity, and technologies like machine learning, robotics processing, big data analytics, cloud and blockchain, there’s no question that carriers can do things more efficiently, less expensively, and provide better products and services to customers,” he said. “All insurers need to be investing in these technologies to harness their benefits. We’re analyzing these efforts as they relate to their core risk and performance factors.”

Insurers that fail to invest in innovation are at risk of enduring a ratings downgrade. “A carrier that doesn’t keep pace with its competitors’ innovative digital capabilities will lose market share,” Auden said. “If it isn’t using advanced analytics in underwriting, for instance, it may be overpricing its best-performing business. Someone using the tools then comes along, charges a lower rate and takes it away.”

Nothing is writ in stone, of course, meaning that the three other major rating agencies may eventually change their minds (or A.M. Best may jettison its plans). Jethani noted the difficulty in ascribing a score to something as idiosyncratic as innovation. “Innovation would be hard to measure as a separate metric accurately, given the subjectivity involved and the difficulty in determining if a carrier is actually making the right [technology] decisions,” he said.

“What if the technology you’re investing in today to modernize the infrastructure, or improve distribution or operations, is the wrong technology? What if it is replaced by something better in a short period of time? You’d end up artificially inflating one company’s rating to the detriment of another company that did not invest in that technology.”

Pluses and Minuses

Whether or not innovation is scored as a separate metric, the clear message to all carriers is that they cannot be complacent with status quo operations and business practices—not in an era where continuous innovation is a key factor in their financial performance.

The challenges are many. Large global insurers have the capital clout to invest in advanced analytics, deep learning and other emergent technologies but are nonetheless confronted with selecting the optimal solutions. Smaller insurers need to carefully assess these expenditures against other growth capital priorities. Mutual insurers that have a fiduciary obligation to protect their policy owners’ capital have additional pressures to exercise caution and prudence. Undoubtedly, some carriers will be unable to maintain pace and fall by the wayside.

“I think we’ll see a washout,” predicted Guy Fraker, chief innovation officer at Insurance Thought Leadership, which calls itself a global network of thought leaders and decision-makers transforming the insurance and risk management marketplace. “It is a mistake for any insurance company not to be experimenting in innovative ways to improve their products and services, customer value proposition and hiring practices. What A.M. Best has done is the right thing to do, as it screams the importance of innovation from the rooftops.”

Fraker is not alone in this perspective. “Our empirical surveys and other research have clearly indicated for some time that insurance customers want a better insurance product,” acknowledged Mike Fitzgerald, senior analyst at Celent, a research and advisory firm focused on financial services technology. “What A.M. Best is doing may serve as a ‘hammer’ to pound home just how important innovation has become for the industry. It should motivate carriers to innovate faster to the benefit of their customers; otherwise, they will risk disruption from industry competitors and other players outside the industry that make these investments.”

Fitzgerald makes an excellent point. In recent years, venture capital has flowed into startup insurers like Lemonade, Next Insurance and Root, each with a compelling customer value proposition. Technology giants like Amazon and Google also have floated the possibility that they, too, may provide insurance solutions. Even major automobile manufacturers might become formidable car insurance competitors, once autonomous vehicles hit the road in greater numbers.

Against this backdrop of disruptive competition, A.M. Best’s contemplations to possibly score innovation may someday be viewed as a very prescient decision. “I think the other ratings agencies are missing the boat,” said Fitzgerald. “Down the line, they will view this as an opportunity missed.”

Fraker seems to agree with this opinion, to a point. “The other ratings agencies may be telling you they have no plans to score an insurer’s innovation efforts, but wait 18 months and then ask them the same question,” he said. “On the other hand, they may be exercising prudence in taking their time and letting A.M. Best take the first bullet. There’s a high degree of skepticism in how a rating agency will develop the expertise needed to understand something as complex and subjective as technological innovation to score it accurately. That said, I’m thrilled they’re moving forward in this direction.”

How do carriers feel about the possibility of A.M. Best rating their innovation efforts? Dr. Henna Karna, chief data officer at global insurer and reinsurer AXA XL, is bullish on the idea. “It certainly is a good thing and adds to the pressure on innovation in a way that can have sustainable business impact for carriers, in a measurable manner,” said Karna. “But I’m concerned that the scoring is not just linked to doing better with traditional technology, as opposed to true digital and data transformation. This is where future disruption will emerge.”

In other words, while a carrier that moves data into the cloud from the on-premise mainframe computers is making an investment in innovation, is this investment on par, score-wise, with another insurer’s investment in a comprehensive digital and data transformation?

“There is a view that if a firm is spending millions of dollars moving legacy technology into the cloud or rolling out gadgets on a smartphone, that it’s an innovative firm,” said Dr. Karna. “That’s just catching up, a necessary continuous improvement. True innovation involves decisions to achieve game-changing, data-driven business growth outcomes. Frankly, that cannot happen with technology alone. It requires invention, boldly rethinking how everything is done today to achieve sustainability tomorrow.”

Irwin from A.M. Best agreed that innovation in the context of an insurance carrier represents more than technology. “Technology has been with us for hundreds of years. In our consideration of innovation, we’re looking at leadership, culture, organizational processes and not just the [technology] toolbox,” he said.

Tomorrow’s Industry

The intrepid decision by A.M. Best to possibly score carriers’ individual innovation efforts as a component of the firm’s ratings is bound to result in a profoundly different insurance industry. Many insurers will be motivated to innovate further, resulting in more refined and competitive products and services of greater value to customers. Alternatively, carriers that make meager or unwise investments in innovation will become vulnerable to more agile and responsive insurers. “Spending wisely is key,” said Irwin.

Asked if A.M. Best will score the innovation efforts of different sized carriers on an apples-to-apples basis, Irwin said only insofar as the outcomes of these investments. “Just because you spend a lot of money on something doesn’t mean it will produce the intended outcome,” he explained. “The more important question is whether more rapid access to better data, for instance, improves carrier underwriting and the customer experience. Ultimately, this is all about the customer.”

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

Silent No More

Cyber claims made under traditional P&C policies that may be silent on the subject are forcing hidden cyber exposure into the spotlight.

BY RUSS BANHAM

Leader’s Edge

In the aftermath of major cyber attacks like NotPetya, policyholders have filed claims under property and liability insurance policies that remained silent on whether coverage included cyber attacks.

These so-called non-affirmative policies have become big news across the global insurance industry as “silent cyber” exposures have been revealed. In effect, such policies neither confirm nor deny that coverage is available to address property damage and business interruption losses caused by a cyber attack, thus leaving the matter open to interpretation.

Now the issue has landed in the courts and in the line of sight of regulators. If insureds lose their fight, will brokers be their next target? And as insurers start peeling back the onion on their cyber exposure, will the market respond effectively in the future to cover this massive and constantly changing risk?

NotPetya, which struck in 2017 and became the most devastating cyber attack in history, was a virus embedded into a Ukrainian tax-software program. The virus reportedly shut down 10% of the country’s computers and vital infrastructure. The contagion then spread to networks worldwide, infecting more than 2,000 companies in 65 countries, among them shipping company Maersk and FedEx, each reporting $300 million in related losses.

Assuming more frequent and severe cyber attacks, insurers and reinsurers could be on the hook for billions of dollars in claims that no company anticipated.

“Without statistics on these settlements, we can’t say for sure how much the industry has paid out in cyber claims on non-affirmative policies, but we do know that claims have been paid,” says Philip Edmundson, founder and CEO of Corvus Insurance, which describes itself as a broker-friendly insurtech managing general agent.

Those payments of claims may be a problem for other insurers that have sold non-affirmative policies and have no intention of covering cyber risks. If insureds file claims against these insurers, some industry parties believe, the insurers will point out that a variety of stand-alone cyber insurance policies addressing first-party and third-party losses from cyber attacks have been available since the 1990s but companies neglected to buy coverage.

Some insureds have filed claims for cyber attacks against more than one policy, Edmundson notes, resulting in what insurers call “clash claims”—situations where both a non-affirmative property and liability policy and a separate, stand-alone cyber insurance policy respond to the same cause of loss. “There are just so many uncertainties right now,” he says. “And that causes trepidation.”

Affirmative Cyber Exclusions

Complicating the claims scenario for insureds—and by extension their insurance brokers—is that several insurers have denied claims for cyber losses in all-risks property and liability policies that actually had affirmative protections for cyber exposures.

A case in point is the large claim (a reported $100 million) filed by Mondelez International with Zurich Insurance for losses attributed to the NotPetya cyber attack. The insurer denied the claim based on the policy’s war and terrorism exclusion, maintaining that NotPetya was an act of war by Russian-backed operatives. Russia has formally denied any responsibility for the cyber attack. Mondelez, a U.S. maker of snack foods like Oreo cookies, subsequently sued Zurich for breach of contract. (See our digital short “Warring Factions” for more on this suit.)

Pharmaceutical giant Merck also has filed lawsuits against more than 20 insurers that rejected its claims related to NotPetya on affirmative policies, several of which cited the war exemption in their reasoning. Undoubtedly, this claims treatment sends a confusing message to current and prospective buyers about the value of buying cyber insurance outside the stand-alone market. “The message seems to be that, if the claim is too much money, the insurer will go to court over it,” Edmundson says.

What do these lawsuits mean for holders of non-affirmative policies? Do the exclusions make the difference when it comes to paying claims, or will insurers point to the existence of the stand-alone market as evidence enough that a non-affirmative policy was not intended for cyber claims?

According to Joshua Motta, CEO of Coalition, a San Francisco firm that offers cyber insurance and risk management for small and midsize businesses, it’s not. “There is a long precedent across many lines of insurance that coverage is written on an open-peril basis—denying coverage for claims only when there is an explicit exclusion in the policy,” Motta says. “This shouldn’t be any different for cyber claims. Cyber is truly a form of peril and can trigger losses across the entire known spectrum of risk—from supply-chain interruptions to centrifuge explosions, hospital shutdowns and hotel lockouts. While more coverage for these exposures is likely to make its way into the stand-alone cyber market, cyber is a risk that pervades all classes of insurance. If an insurer’s intent is to deny coverage, it should be affirmatively excluded in their policy.”

“It’s a can of worms for insurers with non-affirmative policies,” says Daniel Leahy, an account executive at Miller Insurance Services, which places cyber insurance contracts in the London insurance and reinsurance markets. “The policies don’t address if cyber is a covered peril or not, leaving the matter open to interpretation. If insureds file claims and insurers deny them, companies are likely to sue.”

Whether courts will rule in their favor is anybody’s guess. “There are just too many shades of gray,” says Robert Hartwig, an associate professor of insurance and finance at the University of South Carolina. “No one knows where the axe may fall.”

Are Brokers Next in Line?

If courts rule the non-affirmative policies were not intended to cover losses attributed to cyber attacks, the news is potentially grim for some of these insureds’ insurance brokers. The issue is twofold: whether the brokers explicitly pointed out to insureds the danger of relying on the all-risks policies to address their cyber exposures, and whether they emphasized in words and writing the need to address these perils through the stand-alone cyber insurance market.

“I’m pretty sure that a sophisticated broker that handles many different classes of insurance would strongly recommend to the risk manager of a midsize or larger company the importance of buying stand-alone cyber insurance,” says Luke Foord-Kelcey, international head of cyber for Aon’s Reinsurance Solutions Business. “They’re going to get the right advice.”

Edmundson is less certain. “Brokers face growing E&O pressures if they haven’t got this right and carriers deny claims that insureds believed they had coverage for,” he says. “We’ve seen other instances of litigation between insureds and insurers arising out of pollution and employment practices claims where this initial wave of litigation is followed by a secondary wave against other potentially responsible parties with deep pockets—like brokers.”

Over the past three decades, a few notable cases, in particular, have spurred mass claims against insurers. One was the 1989 grounding of the Exxon Valdez in Alaska, which resulted in stricter enforcement of liability regulations and led to a slew of claims for environmental impairment liability. Another occurred in the early 2000s, when an increase in workplace discrimination lawsuits spurred greater enforcement of civil rights laws governing job hiring, promotions and termination, leading to a jump in employment practices liability claims.

In both cases, insureds filed claims against policies for losses they believed were covered by their insurance. Many claims were denied, spurring litigation that eventually dragged brokers into the disputes for not adequately pointing out contractual nuances that affected the clients’ liability and alternative means of protection. “Brokers have been in this position far too many times before whenever there is coverage ambiguity following a series of large claims,” Hartwig says.

Other industry participants have a slightly different perspective on broker liability. “Certainly, there’s a potential for E&O claims against brokers that have neglected the need for granular conversations with their insureds about stand-alone cyber insurance,” says Daniel Burke, national cyber practice leader at insurance brokerage Woodruff-Sawyer. “But I honestly don’t know many brokers that aren’t offering these coverage options to their accounts. The question is whether the broker was effective in selling it. If not, the client could push back and say they thought they already had cyber insurance via the non-affirmative all-risk policy.”

Brokers also confront E&O risks from all-risks policies that include affirmative cyber coverages. “You’ve got companies like Mondelez and Merck alleging their brokers assured them they had cyber coverage,” Hartwig says. “If the courts rule against them in their breach-of-contract lawsuits, they may go after their brokers next.”

Obviously, silent cyber poses a potential financial crisis for both insurers and brokers. Attorney Daniel Garrie, head of the cyber-security practice at law firm Zeichner Ellman & Krause, says a catastrophic cyber attack causing massive first-party damage claims and third-party business disruption claims will slam into insurers, reinsurers and brokers like a tsunami.

“The idea that you need to have property damage to cover a cyber attack that produces loss is ridiculous,” Garrie says. “Servers, IoT devices, computers, tablets and mobile devices can be turned into the equivalent of bricks via a ‘wiperware’ attack that effectively wipes out hard drives. If they’re inoperable, that is physical damage. If the insurer hasn’t specifically excluded losses from cyber attacks, they’re on shaky ground. The E&O blowback for brokers will likely be insane, given the large number of brokers that are in the market today that do not understand what they’re selling when it comes to cyber.”

“Such a crisis,” he adds, “is imminent.”

Dizzying Cyber Market

Truthfully, it is difficult to imagine that courts will heave the burden of paying for companies’ cyber-related losses onto the backs of insurers and reinsurers. Since the 1990s, the industry has tried its best to insure a dynamically changing risk that has morphed with every new hacking. The first stand-alone cyber-risk policies were written in the 1990s, albeit coverage terms and conditions were narrow and premiums and deductibles veered toward the high side. As newer cyber attacks surfaced, coverages expanded, but the policies containing them became increasingly complicated and voluminous in length.

“Each passing year in the evolution of the cyber insurance market has been an improvement on the last,” Motta says. “As compared to today, cyber insurance products in the 1990s were a bit like eating soup with a fork. However, because there is little standardization in the cyber insurance market even to this day, there are still carriers offering products and policy language that are well out of date. Buyer beware.”

While he notes the market is growing rapidly, “The lack of standardization and technical nature of the product have also resulted in numerous failures,” Motta says. “Many cyber insurance policies to this day provide only third-party coverage and provide no cover for the growing first-party losses experienced by victims of cyber crime, such as extortion, wire fraud, as well as the many other costs to respond to an incident or breach.” (See sidebar: “A Growing Cyber Insurance Market of Many Colors.”)

Edmundson, however, believes the stand-alone products “gave insurers a degree of confidence that traditional insurance policies could remain silent on cyber risks.”

That complacency withered following the NotPetya disaster. “When claims were filed against the non-affirmative policies,” Edmundson says, “alarm bells sounded in insurer boardrooms, since it was clear the carriers had not reflected these risks in their premium derivations.”

UK Regulators Lead

Regulators are also sounding the alarm. At present, the United Kingdom’s insurance regulator, the Prudential Regulatory Authority (PRA), has taken the strongest stance on silent cyber. In 2018, the PRA surveyed regulated insurers on their cyber exposures to non-affirmative cyber risks. The responses ranged from “between zero and the full limits (of the policies).” The PRA has since demanded the insurers develop an action plan by the end of 2019 to reduce their unintended exposures to non-affirmative cyber losses.

Although U.S. state regulators are said to be closely following the PRA’s lead on the matter, ratings agencies like Standard & Poor’s are taking notice. “We’re paying increasing attention to the possibility of insurer policies paying out potentially huge sums of money for cyber losses they did not anticipate,” says Tracy Dolin, director and insurance sector lead at S&P Global Ratings. “At this point, we’re applying an inquiry-based approach as opposed to incorporating a specific factor [for cyber] in our ratings framework.”

Leahy agrees. “It’s a potential minefield for carriers,” he says. “As per the PRA, several insurers [of non-affirmative policies] are in the thick of performing cyber loss stress tests trying to calculate just how much exposure they may have across their product portfolios.”

But it’s not necessarily just the carriers that should be the regulatory focus. “The role of any regulatory effort must be to create the appropriate conditions and incentives, and conversely penalties, under which businesses are encouraged to exercise a standard of care in protecting their stakeholders—be that employees, customers and other third parties—from cyber crime and data breaches,” Motta says. “Any regulatory effort that bolstered law enforcement’s ability to investigate and enforce violations of the law pertaining to cyber crime would also go a long way to deterring further acts of crime. It is a rare occurrence that justice is served for victims of cyber crime.”

Carriers Adding Clarity

In late April, insurer Axa XL broke the silence on cyber in its all-risks policy. The insurer designed a first-party cyber insurance option for buyers of its premium commercial property insurance policy. The added coverage explicitly absorbs business interruption losses resulting from a cyber attack. John Coletti, the insurer’s chief underwriting officer for cyber and technology, says the coverage offers clarity where presently there is none. “With no physical damage per se, business interruption from a cyber event can be caught in a gray area,” he says.

In other words, it’s time to make all-risks policies black and white—either make it clear that the policies cover first-party and third-party losses attributed to a cyber attack or exclude these perils by pointing the way to the stand-alone cyber insurance market. This is the strong position recently espoused by the PRA on silent cyber in the United Kingdom.

Zurich, which has declined to comment on its current legal case, is another carrier focused on bringing transparency to its policies. By undergoing a global review of its portfolio, Zurich is looking to add clarity of coverage wherever it sees silent cyber potential. And as Lori Bailey, global head of cyber risk, commercial insurance, for Zurich, says, “It’s a journey, and it’s an important one, but I don’t know that it’s ever going to be one that has a finite end either because cyber exposures are going to continue to evolve at such a pace that, even if we get to a place where we think we know what we’re going to do, the risk could change and we need to be constantly tweaking our wording to fit the current state of the market.”

That notion—that cyber risk is undergoing continuous change—underlies Zurich’s approach to its affirmative risk portfolio as well, “because the manifestations of cyber events continue to evolve with the evolution of technology and the increased interconnectedness through IoT devices and sensors,” says Michelle Chia, senior vice president, head of E&O and cyber, specialty products, for Zurich North America. What that means is a lot of collaboration across business lines, she says, “in order to understand where other coverages end and where cyber starts.”

Undoubtedly, many insurers on this side of the Atlantic would be prudent to do the same. “Carriers in the U.S. should follow the lead of the PRA and take a more aggressive approach, but they haven’t,” says Mark Synnott, executive vice president and global head of Willis Re’s cyber practice. “That’s a mistake. Given recent cyber attacks and claims litigation, insurers need to assess their downside exposures and take steps to mitigate them.”

Why Stay Silent?

Why has it taken so long for carriers to realize the inherent danger of remaining silent on a risk that so clearly affects their insureds? Some say it has to do with the fear of losing business. “No one wants to be the first mover to explicitly include cyber, because it will cost more money to the buyer,” Synnott says. “Just like no one wants to move first on specifically excluding cyber and recommending that the insured buy stand-alone cyber insurance, since that, too, costs more money.”

Aon’s Foord-Kelcey notes a similar approach from insureds themselves. “Insureds aren’t clamoring for clarity on the exclusion/inclusion conundrum, thinking they may already have coverage in their property and casualty insurance program and don’t need to buy a cyber policy,” he says. “They think they’re saving money. The flaw is that they’re making an assumption without clarifying explicitly what they’re covered for.”

And perhaps one of the reasons insureds aren’t clamoring for cyber insurance is because they aren’t thinking about the depth and the breadth of the risk.

“I’ve been in this market since the first policies came out…and it was always viewed as a data breach cover,” Zurich’s Bailey explains. Companies that didn’t traditionally consider themselves as having a lot of data—manufacturers, for example—didn’t think they needed cyber cover. And even if they did, she says, they figured their standard policy would pick it up. “But it has evolved so much now that, while data breach is still a really important part of it, because everything is so interconnected now, even if a customer isn’t a direct target of a specific incident, there could be a large indirect effect on the business interruption,” Bailey says. “So that’s where a lot more industries have now taken notice and also said, ‘Maybe my traditional program isn’t sufficient anymore. Maybe I do need a stand-alone product.’”

Digital Mindset

As the risk continues to evolve, businesses will become increasingly affected by cyber attacks. So how do we underscore the importance of cyber coverage before it happens? Education and mindset may be the keys.

“Businesses need to start by understanding that it is their company that needs defending and not just their network,” Motta, of Coalition, says. “In this day and age, it is a rare business whose core operations are not dependent on technology. A cyber incident can easily trigger losses across multiple lines of insurance—negligence claims against D&Os, product recalls resulting from security vulnerabilities, property damage from the failure of an industrial control system, and so on.”

True and accurate cyber underwriting can also help an organization more clearly see where it is at risk. Some of the more tech-driven cyber insurance companies, like Corvus and Coalition, focus on data-driven underwriting that uses software to scan the digital world for a company’s vulnerabilities, thus presenting a much more accurate and real-time view of risk.

“While they cannot view through firewalls, the scans can assess an organization’s IT security the same way that the bad guys do—looking for out-of-date software, specific threat intelligence, information on sale on the dark web and much more,” notes a Corvus white paper on silent cyber. These tools help uncover an organization’s hidden vulnerabilities in the digital world.

Once a business fully understands its risk and the need for coverage, then it must ensure it is fully covered. True cyber protection is more than risk transfer, Chia says. It’s about risk management as a whole. Adds Bailey, “A lot of the claims that we’ve seen, the loss is dictated by how well they handle it.”

Motta agrees. “While there is a long list of commonplace cyber-security practices organizations should take—such as routine patching, strong passwords, multifactor authentication, and the elimination of remote network access—these practices should be accompanied by a coherent incident response plan and a comprehensive insurance policy to help the business remain resilient.”

Brokers are key to helping their clients through this process, from understanding and recognizing the threat to ensuring they are covered and as protected as possible against cyber attacks.

“I think there’s a real obligation on [brokers’] part to make sure they’re helping their customers identify and really think about this issue,” Bailey says, “helping them really figure out where their specific cyber risk lies, what their existing program looks like, and how a cyber policy may or may not fit into that.”

Some brokers, such as Aon, are also developing reinsurance solutions for carriers that discover their own exposures. “We can help insurers identify and quantify their silent-cyber exposures through wording and threat analyses and then offer protections against these threats through reinsurance,” Foord-Kelcey says. “Our goal here is to end the silence, empowering carriers to either exclude or recognize these exposures, by way of leading to a day where they’ll strategically underwrite cyber risks across all lines of insurance.”

If carriers move forward in this direction, greater competition would ensue, as traditional all-risks policies specifically reinsured to cover cyber risks would compete against the innumerable cyber policies in the stand-alone market, increasing overall insurance and reinsurance capacity.

With more than 60% of insurers anticipating higher cyber-related losses from NotPetya-like cyber attacks through the remainder of the year, competition would be a good thing.

Capacity aside, brokers who will best serve their clients are the ones who truly understand the risk. As Motta says, “The best way for a broker to ensure they are providing the best cyber insurance product for their clients is to work with carriers that deeply understand the specific cyber risks faced by their clients, that have the personnel with deep backgrounds in cyber security to help a client respond to an incident, and that specialize in protecting clients from cyber risk. As with any craft, there is no substitute for specialization and experience.”

RUSS BANHAM IS A PULITZER-NOMINATED FINANCIAL JOURNALIST AND BEST-SELLING AUTHOR.

Sidebar: A Cyber Insurance Market of Many Colors

The onus is on brokers to know the contractual distinctions and effectively educate clients about what they are and are not getting.

The first cyber insurance policies in the 1990s were narrowly written contracts providing a modicum of financial protection against third-party hackings. In the early 2000s, newer policies also covered data breaches, albeit with no first-party coverages and a variety of exclusions—like rogue employees. No one blamed the insurance industry for its conservatism at the time, given the paucity of cyber-attack data on hand to effectively evaluate the exposure.

As this data materialized in subsequent years and more companies in every industry suffered cyber losses, the industry’s conservatism gradually dissipated. Today, dozens of insurers offer a wide range of cyber-insurance policies focused on different lines of insurance, classes of business and wide-ranging cyber risks.

Consequently, the market has grown on the order of 25% each year through 2017 and is projected to increase another 33.8% by 2024. “The stand-alone cyber market today is very robust and much more mature than it was even a few years ago,” says Daniel Leahy, account executive at Miller Insurance Services, which places contracts in the London insurance and reinsurance markets. “It’s a mainstream market with 70-something insurers in London alone writing cyber with abundant capacity.”

The challenge for brokers and buyers is the contract wording within the insurers’ cyber policies. “You’ve got something like 70 carriers writing these policies, each with their own contract language and interpretative nuances,” says Daniel Garrie, co-head of the cyber-security practice at law firm Zeichner Ellman & Krause. “Nothing is uniform, making them difficult for brokers to explain and buyers to understand.”

Confusion over what is and is not covered is evident in the annual report by Betterley Risk Consultants on the cyber insurance market, which is based on a survey of 32 insurers offering cyber insurance. As the firm’s most recent 2018 report stated, “The types of coverage offered by cyber-risk insurers vary dramatically. Some offer coverage for a wide range of exposures, while others are more limited. For the insured (or its advisers) looking for proper coverage, choosing the right product can be

challenge.”

Other industry observers agree that the substantial variance in cyber policies complicates what already are complex risks. “There’s no standard policy—no two look exactly alike,” says Tracy Dolin, director and insurance sector lead at S&P Global Ratings. “We see this as a risk with great potential for the insurance industry and are being cautious because of the unknowns.”

With no one-size-fits-all cyber insurance policy, the onus is on brokers to be highly cognizant of the contractual distinctions to effectively educate current and prospective policyholders about what they’re buying and not buying.

Garrie agrees. He claims some brokers need to flatten their learning curves. “My advice to risk managers and other buyers of cyber insurance policies is to require their brokers to put in writing what is specifically covered and not covered in these contracts,” Garrie says.

Other industry observers recommend the value of a collaborative approach by brokers and risk managers in addressing the coverage challenges. “Cyber policies can be very gray and murky—to nobody’s benefit,” says Robert Hartwig, an associate professor of insurance and finance at the University of South Carolina. “To avoid claims disputes in the future, brokers and risk managers need to come together in developing agreed-upon contract language and standards of protection.”

Assuming this occurs, carriers can then compete to offer these policies in full understanding of what they are, in fact, covering.

R.B.

Boards Should Ask Executives These Ethics Questions

By Russ Banham

Corporate Board Member

Board members have a fiduciary responsibility to be loyal to the corporation and its shareholders in utmost good faith and with scrupulous honesty. These duties insist that members supervise the same measures of integrity throughout the organization.

“Serious issues like paying a bribe or engaging in any form of corruption merely to grow the business overseas is a risk no company can consider or take,” says Therese Tucker, founder, CEO and board member of global public company BlackLine, a provider of finance and accounting automated software solutions. “Given this risk and the board’s responsibility to protect shareholders, board members must take an active role ensuring ethical behaviors by all people at all times, particularly in countries with spotty records when it comes to corruption and bribery.”

In taking a more active role, board members must continually evaluate these risks and insist on receiving independent reviews of the ongoing effectiveness of the organization’s anti-corruption and anti-bribery programs. Most importantly, the board must not be quiet on the subject. “The board must set the tone that anti-corruption is a priority, should be properly resourced, and supervised by an independent Chief Compliance Officer with a direct reporting line to the board,” says Pamela Passman, president and CEO of the Center for Responsible Enterprise and Trade (CREATe), a non-governmental organization promoting anti-corruption best practices.

Tough questions must be asked by board members of senior executive managers, such as:

• In the particular geography, what are the most prevalent bribery and corruption schemes?

• Is there use of consultants or other third parties in the particular geography, are they critically necessary, and have they been thoroughly vetted?

• Which interactions with which government officials in the particular geography raise the biggest bribery and corruption risks?

• What are the experiences of other companies in our industry with regard to geographic expansion in the region?

• Do the company’s quarterly forecasts encourage unrealistic goals like too-rapid growth that may incentivize salespeople to pay bribes? Should the company project earnings across a longer timeframe to reduce the pressures that may generate bribery?

• Are employees and third-party representatives provided with training and tools to address bribery and corruption when these tactics rear?

• Are the members of every operational team cognizant of the provisions of the FCPA and the implications in failing to comply with these rules?

• Is there a “zero tolerance” policy with respect to bribery and corruption; if not, why is this the case?

• Are systems and audits in place to detect evidence of bribery? What are the procedures when such criminal activities are discovered, and at which point does this information reach the board?

• Does the Chief Compliance Officer have the independence, standing and resources to be an effective monitor of these activities?

Board members taking on more involved and active oversight of bribery and corruption risks are effectively the “conscience” of an organization, says David Montero, author of the book “Kickback,” a history of corporate corruption. “The board must set the tone that employees will not be penalized for doing the right thing; rather, they will be rewarded for avoiding bribes and other forms of corruption, as this augments the overall health of the company,” he adds.

BlackLine’s Tucker shares this perspective. “I believe that to drive home to every employee that stringent adherence to ethical practices in every single undertaking is a priority of the highest order, the CEO and the board must set the tone at the top,” says Tucker. “Honestly, there are few things more important.”

Russ Banham (russ@russbanham.com) is a contributing writer to Corporate Board Member.

Ethics In An Unethical World

By Russ Banham

Corporate Board Member

Fred Davidson was stifling in the unbearable heat of a midsummer’s day in 2002. Temperatures in the corrugated steel warehouse hovered around 100 degrees. Weeks earlier, Energold Drilling, a global drilling solutions company that operates 270 rigs in 24 countries across the Americas, Africa and Asia, had imported several drill rigs into the country. The rigs were now blanketed in a fine layer of dust. For nine hours straight, the customs agent ticked off one supposed problem after another with the rigs’ components—none of them actual regulatory infringements.

It was a test of wills between the two men. “It was not a lot of money he wanted, but in no way were we going to set a precedent,” says Davidson, who is Energold’s CEO and a director on its board. “If I was going to shed a few pounds of weight in that warehouse, he was going to shed a few pounds with me.”

Finally, the customs agent backed away from his unspoken expectation of a payment and released the rigs. “I had sent a clear message that we would never solicit preferential treatment for a bribe,” Davidson says. “Some companies just pay it, figuring it’s the cost of doing business and they won’t get caught. But it’s a slippery slope.”

This slope remains just as slippery in 2019 and is a growing risk for corporate boards of directors at fast-growing global companies. Not only is corruption a financial disaster for the companies they serve, it can dig into their own personal pockets. “Board members, as individuals, may be held civilly and criminally liable if they lack knowledge ‘about the content and operation of the (company’s) compliance and ethics program,’” says Pamela Passman, citing boilerplate from the U.S. Department of Justice. Passman is the CEO of the Center for Responsible Enterprise and Trade (CREATe), a non-governmental organization promoting anti-corruption best practices.

Aside from financial liability, board members have a responsibility to ensure that business strategy and the objectives of the company’s anti-bribery program are aligned, says Passman. “The challenge is that global oversight of bribery and corruption is complex, and there’s a limit to what boards can review,” she adds. The price for companies that downplay these risks has never been higher, says David Montero, author of Kickback, a history of corporate corruption. “Federal law enforcement agencies both in the U.S. and abroad are showing greater determination to crack down on corruption,” he explains. “Fines also are mounting, with the Justice Department pocketing more than $11 billion since 2006. Now, more than ever, board members should be apprised of the corruption risks involved in global expansion.”

A GROWING CONCERN

It is now 42 years since the Foreign Corrupt Practices Act (FCPA) came into law in the U.S., yet bribery continues to be the “cost of doing business” in many countries worldwide. The United Nations estimates that corruption eats up some 5 percent of the world’s GDP, a shocking figure. The most crooked places on Earth to do business are Somalia, Syria, North Korea, Venezuela, Iraq and Haiti, and the least corrupt are Denmark, New Zealand, Finland and Singapore, according to Transparency International’s 2018 Corruption Perceptions Index, the leading indicator of public sector bribery on a country-by-country basis.

It’s the countries in between that give pause for consideration. India ranked 78th of the 180 countries on the list, tied with Ghana and Burkina Faso. Argentina ranked 85th, and China and Serbia shared an 87 grade. Although Vietnam’s economy is soaring, the country ranked a dismal 117 in a tie with Pakistan. What about the U.S.? It was ranked 22nd, sandwiched between France and United Arab Emirates. The U.S. received a score of 71 on a 0 to 100 scale in which 0 is most corrupt and 100 is least. Somalia, at the bottom of the list, received a score of 10.

To be sure, FCPA, and FCPA-like laws in places like the UK, Brazil and Canada, and the equally punitive provisions of the OECD Anti-Bribery Convention, ratified by 43 countries, have had an effect. These varied regulations prohibit companies and their representatives from influencing foreign officials with payments or rewards to receive preferential treatment in obtaining or retaining business.

Civil and criminal sanctions for anti-bribery violations are significant and sobering. As directors know, FCPA authorizes the U.S. Securities and Exchange Commission to bring civil enforcement actions against company officers, directors, employees and stockholders. If determined to have committed the violation, they must disgorge the ill-gotten gains, pay substantial civil penalties and may even be imprisoned. Sixteen companies paid a record $2.89 billion in 2018 to resolve FCPA cases.

“We’ve seen significant reduction in bribery-related crimes by U.S. companies in the past dozen years,” Montero says. “For roughly 30 years, FCPA criminalized commercial bribery overseas, but enforcement was laughable. The Justice Department had one full-time prosecutor, literally the same guy from 1977 to 2005. No one gave the law much thought.”

No longer is this the case. While stricter anti-bribery oversight and enforcement has resulted in fewer companies offering payments in a country for preferential treatment, it has not curtailed the practice of corrupt government individuals asking for one. The payments typically are billed as “surcharges” and “commissions” to help companies mask skirting the law.

“Paying a bribe comes at a cost, but not paying a bribe also comes at a cost— in `lost’ contracts, slow licensing timeframes and other unnecessary delays and bureaucratic roadblocks,” says Montero. “Further incentivizing a bribe is the knowledge that a competitor will pay one and get away with it.”

He’s referring to companies in countries not signatory to the OECD’s Anti-Bribery Convention or bound by the FCPA and similar laws. Such companies, says Daniel Wagner, CEO of consultancy Country Risk Solutions, “not only are legally permitted to pay bribes, they’ll often receive a tax deduction for the amount paid, which puts their competitors at a distinct advantage.” Among countries permitting tax deductions for bribes showed to be a necessary part of a transaction are Austria, Belgium, France and Germany.

This preferential treatment is a “competitive injustice” to companies that will not stoop to paying a bribe, says Jim Nelson, president and COO of Parr Instrument Company, a manufacturer and global seller of chemical reactors and pressure vessels in 75 countries. “It hurts us financially and ticks me off personally when I find a competitor that’s not bound to the FCPA paying a bribe without a care in the world,” says Nelson.

“Bribery is a continual problem,” says Jon R. Tabor, chairman and CEO of Allied Mineral Products, a global manufacturer of monolithic refractory products for a myriad of industrial applications. The company has 12 manufacturing plants in eight countries, including China, India, Russia, Chile and Brazil, and a sales presence in more than 100 countries. “We’ve been asked and refused to pay bribes in Russia, China, India, and elsewhere,” Tabor says. “Once you start paying, you get a reputation for it and it never stops.”

Davidson agrees. “You pay just one person and the word gets out, and now you’re expected to pay everyone,” he says. “It’s like quicksand—you put your foot into it, and it gradually sucks you in.”

HUMAN NATURE

Why do companies risk their reputations in committing these crimes? They figure they’ll get away with it, says Montero. “In my research, I discovered that only about 20 percent of companies [that engage in bribery] ever get caught,” he says. “While the fines may look astronomical, they’re miniscule relative to the value of selling in an overseas market.”

The good news is that fewer companies are taking the risk. “The fines are an impediment, but it’s really the risk of imprisonment and disbarment from a country [to procure business in the future] that are starting to make a positive difference,” says Patrick Moulette, head of the anti-corruption division of the OECD’s Directorate for Financial and Enterprise Affairs.

Since the OECD Anti-Bribery Convention entered in force in 1999, 560 individuals and 184 business entities have received criminal sanctions for foreign bribery. At least 125 of these individuals were sentenced to prison, with 11 of them receiving five-year terms. At present, more than 155 criminal proceedings are underway against 146 individuals and nine businesses.

Refusing to pay a bribe does not always mean a company will face hurdles getting its products into a foreign region. In countries like India, where the asking of small bribes by low-level customs agents is common to get goods off a dock and into commerce, not paying the bribe stalls the proceedings temporarily. “It doesn’t mean you can’t transact business in the country; it just means it will take a bit longer,” says Bill Pollard, a partner at Deloitte Risk and Financial Advisory, who specializes in anti-bribery due diligence and post-bribery detection.

Blowing the whistle on a government employee who asks for a payment doesn’t necessarily speed up the delay. Davidson recalls once being asked for a kickback by a customs agent. “I went over the person to his superior and told him what happened,” he says. “Two days later, I got a call from the same customs agent. He doubled the payment. That told me people up the chain were getting a percentage.”

BOARDROOM BEHAVIORS

Despite the prevalence of such practices, beyond a peek at an organization’s anti-bribery policies, board members rarely are apprised of what is going on in the trenches. “Board members need to be confident that not only is a robust program in place, but that it is effective and embedded throughout the organization and particularly in high-risk regions,” warns Passman.

Montero agrees, pointing out that directors must balance their interests in growing business abroad and maintaining the commitment to ethical practices. “Board members should realize that some markets are simply so corrupt that bribery cannot be avoided; in such cases, they should walk away and concentrate on those segments where the company can both thrive and adhere to sound compliance,” he says.

That’s the practice at BlackLine, a public company experiencing rapid global expansion. “There are countries where corruption is standard business practice that we will not do any business in—period,” says Therese Tucker, founder, CEO and board member of the provider of finance and accounting automation software solutions that has sprouted offices in the UK, Australia, France, Germany, Singapore and Japan in the past six years. “Even if the country represents a significant market, it’s just not worth it to us.”

This approach should be de rigueur in all companies, Montero says. “Corrupt behaviors are a short-term solution with a long-term downside—bribes may drive up sales today, but, over the long run, they increase costs, adding to inefficiency and undermining morale,” he explains. Board members should take care not to inadvertently encourage such risky behaviors. “At times, board members will push management too hard to execute deals quickly in specific jurisdictions for competitive reasons—without a discussion of the bribery and corruption risks,” Pollard says. Directors also need to become more knowledgeable about the risk environment in the geographies eyed for market expansion. In assessing the country risk, the compliance experts agree that Transparency International’s index is a great start. “It’s the best way to determine which markets you can effectively compete in and be the ethical player you want to be,” says Montero.

Due diligence into the third parties the business relies on to service, sell and distribute its products abroad also is recommended. According to the 2018 Anti-Bribery and Corruption Report by corporate investigations firm Kroll, nearly half (45 percent) of companies surveyed rely on third-party partners to enter foreign markets and conduct business abroad. If the third party engages in bribes to obtain or retain business, the company itself could be in violation of FCPA and other anti-bribery regulations.

Given that 58 percent of the survey respondents uncovered legal, ethical or compliance issues in their due diligence to select a third party, the compliance risks are not for the fainthearted. “Third-party risks are the most significant corruption challenge for a company expanding overseas,” says Passman. “The further you move away from relying on your own employees abroad, the higher the bribery risk.”

To strengthen third party compliance practices, Passman advises boards to follow the framework within the ISO 37001 Anti-Bribery Management Systems Standard, published in 2016 by the International Organization for Standardization. The standard provides for independent verifications and audits of third-party partners. If these evaluations indicate prior problems with a third party, the standard requires that these issues are made public to alert other companies.

Board members also can help beef up the provisions of the company’s anti-bribery code of conduct to make sure they are transparent, strict and punitive. Contracts with third parties in violation of the code should be terminated, and employees should be made liable for disciplinary actions, including loss of employment. The violators also should be reported to relevant regulatory and criminal authorities. “The code of conduct should be absolutely clear that local business practices are never a justification for paying a bribe,” says Wagner from Country Risk Solutions.

To ensure BlackLine’s employees understand and appreciate the company’s strict compliance with FCPA and other anti-bribery regimes, Tucker has an external legal consultant draw up a 60-pages long detailed employment contract that includes a boldfaced Code of Conduct. “We have a zero-tolerance policy when it comes to bribery and any form of dishonesty,” she says. “When trust is lost, it cannot be regained.”

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

In Blockchain They Trust

By Russ Banham

CFO

Someday, you may use an app at a supermarket to scan the beef sirloin you plan to buy for dinner, discovering the cow’s life journey. Another app will assure that the pair of handmade Gucci loafers you just bought are authentic. These apps will be connected over the internet to blockchain platforms, each one a digital ecosystem created for a specific industry. And they’re not distant dreams of tech entrepreneurs — these apps are already in development.

A year ago, the CFO/Duke University Business Outlook Survey found that 78% of U.S. finance chiefs said they didn’t know whether or how blockchain would affect their company. Only 3% claimed to even understand it. But many organizations apparently did their homework since then and warmed to the technology’s potential. In Deloitte’s 2019 Global Blockchain Survey (of a more general set of senior executives), more than half (53%) said blockchain had become a critical priority for their organizations; four in 10 said they were willing to invest $5 million or more in blockchain initiatives in the next year.

What has been the catalyst? Companies eager to drive down operating costs, certainly. The other, somewhat surprising, impetus is the lack of trust — between industry competitors, suppliers and customers, and even the manufacturer and the consumer.

Traceable and Accurate

Farther back, five years ago, blockchain meant bitcoin, the cryptocurrency whose founding depended on a trading platform in which currency data was confirmable and immutable. Bitcoin’s star has faded. But blockchain has wider value as a network to exchange data and transact via “smart contracts.” These contracts trigger based on prearranged terms and conditions. Smart contracts can automate highly manual and semi-manual transactional processes to cut operating expenses and reduce points of friction with customers.

At its most basic, blockchain is a digital ledger that records transactions among a network’s participants and distributes them to members in real time. Every 10 minutes, a transaction is verified as factual and then permanently time-stamped and stored in a “block” similar to a page in a ledger. Once a block of transactions is complete, it is linked to the preceding block to create a chain of records.

Since the data entries provide a secure audit trail, network members are assured the ledgers are beyond reproach (although some, like MIT Technology Review, claim blockchains are hackable). “Blockchain’s initial wave of business transformation is the creation of single sources of truth,” says Jamie Solomon, a managing director for North America at Accenture.

The technology lets distrustful parties come to an agreement without relying on intermediaries. In blockchain-fueled networks, companies can share accurate and verifiable data with each other and with suppliers. Not all data — just information that is of mutual benefit. “Industries have now passed the stage where they want to apply blockchain because it’s cool,” says Paul Brody, global blockchain leader at Ernst & Young. “There is now widespread [recognition] that blockchain lends itself to solving real business problems.”

Taking Steps

One of those problems is overcoming consumer skepticism of companies that claim to sell “ethical” goods. Blockchain, it turns out, offers an uncontestable way to trace a product’s lifecycle. That capability impelled Lukas Pünder, finance chief of handmade shoe brand CANO, to investigate developing a blockchain for the fashion apparel industry.

“We wanted consumers to be able to trace every step in the manufacture of each pair of our shoes — from the origin of the raw materials to the craftspeople in Mexico who use traditional braiding methods,” says Pünder.

Pünder leveraged Oracle’s blockchain technology to create a digital ecosystem for CANO. Customers interested in their purchase’s provenance can use an app on their smartphones to scan a near-field communications chip embedded in the shoes or apparel. The two-year-old company’s complete summer collection will be equipped with the transparency technology.

For the winter collection, to be launched in September, CANO products will use a pilot solution for the entire industry called Retraced. Retraced offers more in-depth information about a product and has a more sophisticated design. Other fashion brands that will be equipped for the Retraced transparency solution include European makers John W. Shoes, Afew Store, and Jyoti-Fair Works. Additional brands will be onboarded after a test phase. With Retraced, about 50,000 to 100,000 products will be tracked this year.

Trust in a company’s sustainable practices are important, Pünder says. In an industry rocked by allegations of unsafe working conditions and low wages, the apps let consumers know that they’re not purchasing products from unscrupulous sellers. “By leveraging transparency as a core value, a company can achieve desirable brand differentiation,” Pünder says.

Companies like CANO can also discern which suppliers are producing shoddy work, generating lower quality products that customers tend to return. “Ten percent of all fashion items are faulty. Now you can identify exactly which company in the supply chain is responsible,” Pünder says.

Pruning Processes

In what other industry is trust an issue? Insurance. “Policies and claims involve multiple parties, complicated agreements, complex logic, different intermediaries, and many verification points, making them ripe for blockchain,” says EY’s Brody.

More than 30 large global insurers, reinsurers, and insurance brokers joined in 2018 to create a blockchain consortium, The Institutes RiskStream Collaborative.

“There’s great value in members sharing their data for mutual benefit, but the problem in the past has been an immense lack of trust between these entities,” says Christopher McDaniel, Risk Stream president.

The consortium is developing Canopy, a blockchain that connects the industry in a data-sharing network. An example of its proposed use is the car insurance claims process. At present, if two drivers, each insured by a different company, are in a minor collision, they jot down their driver’s license and car registration information. Each policyholder then calls his or her insurance agent to relay the other party’s information.

Once notified, the insurers start the drawn-out claims administration process, manually preparing a “First Notice of Loss.” A claims adjuster is tasked with gauging the extent of the damage and relative fault for the accident. This process entails numerous and lengthy back-and-forth phone calls and emails between the insurers. They eventually agree on who pays.

In the future, with Canopy, each policyholder would have an app provided by their insurer. The drivers would upload a QR code reader and scan each other’s codes. The information would flow to Canopy in real time, giving the insurers the ability to simultaneously verify the drivers’ identifying information. The blockhain platform would trigger a First Notice of Loss without the involvement of agents.

By sharing their policyholder data in Canopy, the two insurers’ processing cycle times would shorten. Agents would be able to devote more time to managing client risks instead of processing information. “You need people to process claims and underwrite policies,” says Matt Lehman, managing director in the insurance practice of Accenture, a solutions provider to RiskStream. “That’s a lot of trapped value.”

Both the proof of insurance and First Notice of Loss capabilities will be technically ready and available to network members in July, but then carriers have to embed them into their own mobile applications, which will take longer.

Further down the line in Canopy’s development, as the vehicle accident information flows to the blockchain platform, it could set off a series of smart contracts to member tow truck firms, car repair shops, rental car agencies, and law enforcement.The next stage in Canopy’s development calls for members to share data in the interest of developing new products. RiskStream’s McDaniel provides the example of a group of electric bicycles reinsured at a micro-transactional level.

“A primary insurer of electric bicycles could cluster them across different geographies, creating a portfolio of risks that would be traded in an open market,” he says. “Different reinsurers would assume portions of the primary insurer’s risks in real time, automated through prearranged smart contracts.”

“Once you remove the inefficiencies across companies in an industry, all sorts of innovative concepts bubble up, to the benefit of all parties in the blockchain network,” McDaniel adds.

Sean Ringsted, chief digital officer at the large global insurer Chubb (a member of Canopy), cites the value of Canopy’s ongoing work for policyholders. “By improving our operating efficiencies, eliminating duplicative, redundant data flows and questions about where the data comes from and is it accurate, our customers benefit from much easier and less time-consuming claims processes, not to mention more innovative risk-transfer products,” he says.

Farm to Table

Livestock agriculture is another industry experimenting with blockchain. “There’s a growing segment of direct-to-consumer brands that retail only organic, free-range, grass-fed, responsibly raised, and naturally sustainable lamb, beef, chicken, and pork of the highest quality from small farmers,” says Leslie Moore, owner of Farmer Girl Meats, an e-commerce farm-to-table business based in Princeton, Kansas. “The challenge has been proving everything I just said to consumers.”

Moore, a third-generation farmer raised on her family’s grass-fed beef farm in Kansas, left in the 1990s for business school and later a job in branding at a large manufacturer. She returned to the farm with an idea for building a platform that would track relevant data on the farm’s meat products.

Truth and transparency are lacking in today’s meat industry, she says. “Ambiguous language in [U.S. Department of Agriculture] regulations allow imported beef from Paraguay, New Zealand, and Australia to be labeled as ‘Product of the USA,’” says Moore.

The imported grass-fed beef is shipped in what are called primal cuts (the main areas of the animal, which include the loin, rib, round, flank, chuck, sirloin, and brisket). It goes directly to USDA-approved facilities in the United States. The meat is inspected and cut into packaged goods destined for grocery store shelves nationwide.

“An animal born, raised, and harvested in a foreign country can be marketed to consumers as a product of the United States; its true origin is unknown to the buyer,” Moore claims.

Through a partnership with Silicon Valley blockchain startup Citizens Reserve, Moore hopes to alter the paradigm for small livestock producers. The app provides traceability from the birth of an animal to the steak or pork chop on a plate, she says. “Everything that animal encounters over its lifespan becomes part of its story.”

This includes what a cow or pig is fed each day, what kinds of fertilizers or pesticides the farm may use, and whether an animal has been treated with antibiotics, making it no longer antibiotic-free. “That classification results in a lower markup, but if the buyer could see that the medicine was used only topically and not ingested, it could alter economic outcomes for the farmer,” says Moore.

The blockchain platform would give each package of meat a unique digital identity providing “farm-to-plate” lifecycle information so consumers can make more educated buying decisions.

Thane Tokerud, financial controller of Citizens Reserve, says the major benefit of the ecosystem it is developing, called Impact Ranching, is providing traceability.

Farmers and other vendors on the platform could view distribution outlets eager to sell meats from farms that can literally prove their sustainable practices through the use of blockchain, Tokerud explains. Specialty meats have up to a 20% markup, so the additional distribution opportunities can equate to significantly higher margins.

Another advantage, which may not get the promotion the others do, is in product recalls. Regulators and distributors could quickly ascertain the origin of meat sitting on grocery store shelves and pull it if necessary. Walmart and its Sam’s Club division, for example, are planning to implement blockchain technology this year to get real-time, end-to-end traceability of leafy green products.

Impact Ranching, which goes live in 2020 and will have many agricultural industry collaborators, also may obviate farmers’ reliance on the costly third-party certifications required by the USDA. “Since the data in the ecosystem is verifiable and immutable, the information theoretically would allow farmers to self-regulate, reducing the time-consuming bureaucracy they presently confront,” Tokerud says.

Accenture’s Lehman sees a similar benefit for insurers. “Regulation in insurance is complicated, given 50 different states with disparate rules and complex filings,” he says. “If you can create specific real-time views for regulators in Canopy, where they get to see accurate, immutable, and standardized data they know is factual, it will remove a layer of bureaucracy.”

That’s a big ask of regulators — blockchain technology will first have to earn the government’s imprimatur. That may take awhile because the applications are still somewhere immature. It’s also unclear how fast or if these industry solutions will produce a return on investment for companies. But industries are pushing forward, confident of blockchain’s potential to bring business partners together and build credibility with consumers.

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

New Accounting Model For Life Insurers Seeks Greater Transparency

By Russ Banham

Forbes

A new accounting standard issued by the Financial Accounting Standards Board (FASB) should make it easier for investors to compare companies that sell long-duration life and health products and annuities with market guarantees. However, companies will need to expend a great deal of effort to comply with the standard.

FASB’s Accounting Standards Update No. 2018-12 is driven by the accounting standard-setting body’s objective to improve the existing recognition, measurement and disclosure requirements for life insurance and annuity contracts that remain in force for an extended time. The standard takes effect in 2021 for public business entities operating on a fiscal year basis, and in 2022 for other entities (early adoption is permitted).

Let’s look first at these changes as they relate to life insurance, a product involving a promise of payment that may not occur for several decades. The assumptions used by insurers to measure the liabilities for their policyholders’ future benefits extend decades into the future. Under current accounting rules, the assumptions are locked at contract inception and held constant over the term of the contract. If the contract was sold in 1980, the assumptions at the time—the discount rate and estimates of longevity, for example—would generally remain appropriate 30 years later. This approach takes a long view of the obligation and avoids changes in the short term.

FASB’s updated rules will require insurers to revisit their assumptions for these types of life contracts annually, or earlier if they believe significant changes have occurred. Any changes in the liability resulting from these new assumptions will be recognized immediately; however, FASB has made an important distinction: Changes in the discount rate won’t be recognized in earnings while changes related to other assumptions will be.

That’s good news for both investors and companies as it provides a current view of the liability without introducing unnecessary noise into earnings. “Many investors felt the current accounting model was not very transparent, making it difficult for them to understand what was on the books, while companies were worried about earnings volatility caused by movements in interest rates,” explained Edward Chanda, national sector leader for insurance at audit firm KPMG LLP in the United States.

With regard to annuities with market guarantees under current accounting practices, some types of guarantees previously were accounted for as insurance and others at fair value. However, under the new accounting standard, any such guarantee that is responsive to market changes will be accounted for at fair value. While this will make it easier to compare companies, earnings volatility resulting from changes in fair value associated with these long-term contracts could make it more difficult for companies to explain their earnings to investors.

Clearer Vistas Ahead

Concerns about the current accounting had prompted FASB’s joint efforts with the International Accounting Standards Board to update the accounting standard nearly a decade ago. The two groups eventually parted company, with FASB focused on more targeted reforms to long-duration contracts.

There are several benefits of the new standard. FASB stated that it will improve the timeliness of reporting changes in an insurer’s liability for future policy benefits and provide guidance regarding the rate used to discount future cash flows. It also will improve and enhance the consistency of the accounting for certain market-based options or guarantees associated with deposit (or account balance) contracts. Other benefits include simplifying the amortization of deferred acquisition costs and improving the effectiveness of the required disclosures.

By and large, these changes will make it easier for investors and other stakeholders to compare different insurers on more of an apples-to-apples basis. “The changes are a step in the right direction for investors in terms of providing more consistency between companies and greater transparency about the assumptions,” said Laura Gray, principal and leader of KPMG’s actuarial practice.

The onus is on insurers to provide this transparency. The new standard requires significant changes in insurer accounting processes, since economic events could change the assumptions almost every year. Even more worrisome is the hard work required to ensure their data, systems and processes are compliant within a relatively tight timeframe. “It will require significant investments in people and resources that may be in short supply,” said Gray.

Insurers are bracing for the changes. “While everyone acknowledges there are challenges with the current ‘locked’ approach, there’s always an element of trepidation when it comes to change,” said Chanda. “Companies have been telling their story one way for a long time and now they have to tell it other ways, separating the signals from the noise.”

In planning their transition, companies should form steering committees and working groups to wrestle with the tougher aspects of the new standard, Gray said. “A lot of judgment will be needed to determine future results,” she explained. “But, as people get used to the ‘new normal,’ these judgments around assumption-setting will become better understood.”

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

How Machine Learning Speeds Up Fraud Detection

By Russ Banham

Forbes

In their work to unearth evidence of fraudulent activities, forensic accounting investigators dig through diverse data looking for anomalies that suggest something is just not right. But as the massive volumes of data collected by companies balloon, this task has become increasingly arduous, time-consuming and humanly impossible.

The regrettable consequence is the greater chance of a well-thought-out scam slipping through the cracks. A case in point is healthcare fraud, which has been estimated to cost the United States tens of billions of dollars annually.

For forensic accounting investigators, unearthing these crimes manually is an uphill climb. “The fundamental issue is that there is a flawed approach in examining fraud, since fraudsters know the rules that are set up to catch them,” says Justin Bass, chief data science officer at Crowe, the global accounting, consulting and technology firm combining specialized industry expertise with innovative technology solutions.

Bass provides the example of money laundering rules, which require banks to report any cash transactions of more than $10,000 to regulatory authorities. In response, “fraudsters simply break up the cash transactions into smaller amounts,” he explains. “The rules are created to catch these smaller amounts, but then the fraudsters circumvent them with other methods — which leads to creation of other rules and other subsequent actions by fraudsters to evade those new rules.

Machine Learning To The Rescue

Now there is a way to circumvent fraudsters via the use of machine learning(ML), the subset of artificial intelligence giving computers the ability to scan a haystack of data in search of the proverbial needle and progressively improve this capability through continuous learning.

Instead of investigators manually reviewing spreadsheet rows and columns, looking for three or four data elements that together indicate a suspicious transaction, ML can peruse thousands of data elements — instantly.

Applying an algorithm to this massive volume of data to tease out unique interrelationships presents a greater likelihood of detecting anomalies indicating fraud. “Whereas people generally can visualize three or four dimensions when evaluating the accuracy of a purchase order, machines can examine innumerable dimensions to ferret out the truly suspicious activities,” Bass explains.

To that end, Crowe has developed a proprietary ML tool called Crowe Data Anomaly Detection that has allowed the firm’s forensic accounting investigators to focus their efforts on higher-risk cases, reducing the time spent on those that don’t pan out, says Bass, whose team created the fraud-busting solution.

“We let the data tell us where to look, as opposed to us having to look everywhere,” says Tim Bryan, one such investigator and a partner in the Crowe forensic accounting and technology services group.

How It Works

Since the solution is capable of continuous learning, its ability to detect fraud improves by the day, Bryan notes. “Each time the tool is right about an actual anomalous transaction, the information automatically goes into the system, making it smarter. The same applies to when it is wrong, as this false positive also is incorporated.”

To detect the aforementioned money laundering schemes, the data anomaly detection solution examines the underlying data to pinpoint incongruities, clustering like-transactions together. Programmed to identify transactions under $10,000, the tool might highlight, say, if similar sums are deposited in a large number of banks across geographies, instantly detecting this atypical interrelationship. As a result, the customary latency time between when an investigator receives a transaction report and subsequently conducts a hindsight analysis is vastly reduced. “The transaction now comes in and is immediately scored by the tool,” Bryan says.

To test the tool’s ability to identify suspicious and possibly fraudulent activity, Crowe recently used the solution to analyze more than 16,000 contracts from a large telecommunications company. “With human analysts, the project took five professionals four months to complete,” says Bryan. “The machine learning tool enabled professionals to focus their time on investigating only the top 5% of transactions within one month, culminating in a 95% reduction in the amount of data the professionals needed to review, saving significant time and costs.”

Turning The Tide

That’s good news for companies (and bad news for fraudsters). “I’m confident we have a game-changer here,” Bass says.

Having successfully tested and used the tool internally, Crowe recently made it available as both a standalone software product and an add-on to clients’ existing accounting systems. The technology doesn’t just assist in detecting potentially fraudulent activities; it also illuminates human errors that could result in accounting mistakes.

“What Justin’s team has developed is what we in forensic accounting call ‘the brains,’” says Bryan. “It is industry agnostic, in the sense that it can be used in the healthcare space to look at fraudulent billing, in insurance to examine suspicious workers’ compensation claims, in manufacturing to look at fraudulent purchasing and in academia for a university to scope out fraud or errors in their expense processes.”

Since the tool enables continuous monitoring, as opposed to a one-time look back at data, Bryan says it presents the vital opportunity to improve the accuracy of financial statements across the board. “The tool finds things we couldn’t find using our rules-based investigatory procedures,” he acknowledges. “Now we’re leveraging technology to do what we’re good at — only much better.

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

How Energy Companies Are Leading The Way In Cybersecurity

By Russ Banham

Forbes

In today’s increasingly digital world, the secure transmission of sensitive information has become a top priority for both individual citizens and the world’s largest government agencies. Since 90 percent of the U.S.’s power infrastructure is privately held, leading energy companies are adopting cybersecurity practices intended to reduce the impact of any incident that might put energy delivery at risk. However, sometimes these measures fall short.

A universal challenge

On March 19, the computer screens at Norsk Hydro went blank. The giant Norwegian energy and mining company’s IT systems were infected with a new strain of ransomware virus called LockerGoga. The situation was “severe,” Norsk Hydro CFO Eivind Kallevik told a hastily-convened news conference.

The cyberattack had launched in one system the previous night and spread quickly throughout the company’s network, locking up digital files and devices critical to its core operations. As in other ransomware attacks, Norsk Hydro was given a stark choice: pay a ransom to unlock the systems, or pay the price in curtailed production.

In the six years since the first ransomware strain CryptoLocker appeared in 2013, such attacks have become business as usual of the worst kind. Every minute, a private company falls victim to a ransomware attack. These invasions have cost businesses a staggering sum: more than $8 billion each year.

If the targeted company is vital to critical infrastructure, the impact is even more significant. For instance, if an attack compromises the energy grid — the network of synchronized power providers and consumers connected by transmission and distribution lines — everyone relying on it will suffer the consequences in the form of lost power.

Protection and prevention

Taking preemptive steps to combat this grim possibility, the U.S. House of Representatives recently introduced a bill (H.R. 1975) to establish a Cybersecurity Advisory Committee within the Department of Homeland Security. The 35-member committee of cybersecurity experts would make recommendations on the development and implementation of policies to combat cybercrimes, such as ransomware attacks, against the nation’s critical infrastructure.

The energy industry is also stepping up to protect its assets from the damage caused by a major cyberattack, such as the one successfully launched againstUkraine’s power grid in December 2015. Hackers were able to compromise the IT systems of three energy distribution companies, effectively disrupting the supply of electricity to end consumers.

To prevent a similar attack from occurring on American shores, the Federal Energy Regulatory Commission (FERC) issued a final rule in 2018 lowering the threshold for a “reportable cyber event.” The goal of the rule is to improve data collection to better analyze the risk of a cyberattack for defense and response purposes.

The FERC also directed the North American Electric Reliability Corporation, a nonprofit institution overseeing the steadfastness of electric grids across North America, to “augment the mandatory reporting of cyber security incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system,” accrding to the rule filing.

In issuing the final rule, the FERC’s then-Chairman Kevin McIntyre emphasized the fluid aspects of challenges to cybersecurity.

“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” he stated.

New tools on the front lines of the cyber frontier

Today’s energy industry plays a vital role in securing the flow of electricity to businesses and consumers, essentially upholding our modern economy. It’s no wonder, then, that hostile governments, terrorist organizations and private-practice hackers have put the industry in their crosshairs, disrupting the operations of utilities and energy suppliers. The energy sector now rightly recognizes these cyberattacks as a core business risk which pose as much of a threat to large infrastructure as floods or fires.

To help the industry reduce the incidence and severity of these hazards, top energy companies have partnered with government agencies like the Department of Energy—and sometimes even with competitors—to make great headway in improving their cybersecurity practices.

With solutions designed specifically for the energy sector, new innovations make it easier for companies to safeguard vital information and keep operations online. These are not passive endeavors, either. Thanks to Information Sharing and Analysis Centers established by federal law, energy companies can learn from each other, sharing cyber threat indicators and other security information.

New software also assists companies with risk detection, monitoring and incident response by recognizing and understanding the exploits meant to inflict harm. Keeping up with these new attacks or malware through continuous threat monitoring, real-time anomaly detection and immediate malware pattern updates helps companies to stay a step ahead.

Meanwhile, the information gaps that attackers take advantage of in weak security measures can be adjusted for by using enhanced intrusion detection and user authentication to identify suspicious activity. As companies look for guidance on security, comprehensive online training and clearer policy on grid defense solutions can provide the information they need.

Maintaining power and establishing industry-wide trust

Companies that develop cybersecurity solutions are responding to this increasing and changing threat. Mitsubishi Heavy Industries (MHI) has partnered with NTT Group to commercialize a jointly developed cybersecurity technology for critical energy infrastructure control systems. Called InteRSePT(Integrated Resilient Security and Proactive Technology), the technology provides real-time monitoring of data flows in a network and helps to detect cyberattacks specifically designed to exploit operating controls.

Unlike conventional technology, which finds it challenging to spot this type of attack, the system discerns potential threats by changing the security remediation rules governing the operations of the target. These rule changes allow for earlier detections of anomalies, which can be screened to vet potential breaches. By rapidly identifying these threats and responding in kind to halt the damage, the system preserves continuous power generation and availability – with no disruption in service.

“Cybersecurity is a focal area for MHI, and we continue to place importance on developing next-generation solutions in this area,” MHI’s Chairman of the Board and former CEO Shunichi Miyanaga recently stated.

MHI is the first company in Asia to join the Charter of Trust for Cybersecurity, which calls for binding rules and standards to build security and trust in the digital realm. Initiated by Siemens during the Munich Security Conference in February 2018, the 17 company members of the trust (including Cisco, Enel Group, Dell Technologies and IBM) have pledged their compliance with minimum binding cybersecurity requirements, to be anchored by binding clauses in each member’s contracts with customers. These requirements are being finalized now and will be introduced on a step-by-step basis.

The ambitious goal of the Charter of Trust for Cybersecurity is to better protect the digital assets of critical infrastructure, ensuring high-quality cybersecurity throughout the networked environment. Since new forms of malware and viruses rapidly proliferate every day, it’s important to encourage energy industry efforts to work together, and with investigators, on cyber prevention and defense. The security of daily life – and all the infrastructure that powers it – depends on this effort.

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.

5G is the Road to Tomorrow

By Russ Banham

Perspectives

Few things in life are certain, but one of them appears to be the inevitably of self-driving cars. Although some disparage this possibility for potential safety and loss of personal freedom reasons, others can’t wait to hop into a Tesla or Waymo and say, “Home, please.”

This latter group may get their wish sooner rather than later as wider availability of mobile 5G network services may shorten the wait. 5G—the fifth generation of wireless technology—promises transmission speeds up to 20 times faster than current 4G platforms, in addition to lower latency (the time lag between the initiation and reception of communications). 5G networks are touted as having latency rates of under a millisecond. This near-instantaneous delivery of information can be crucial to the rapid responsiveness needed by autonomous cars and trucks when confronting an imminent danger like a giant pothole—or a pedestrian.

“You’re getting less latency, which is important in an environment where a remotely-piloted vehicle like a truck is getting a substantial volume of collision-avoidance information from sensors onboard the vehicle and from the surrounding environment, such as weather reports, driving conditions, pedestrians in the road, and so on,” says Steve Viscelli, senior fellow at the University of Pennsylvania’s Kleinman Center for Energy Policy. “The speed at which all this data flows to a remote human pilot operating an autonomous truck is fundamental to avoiding a collision.”

Maximum Speed Ahead

Autonomous cars and trucks are those in which automated driving systems (ADS) do some, most, or all the driving. There are five levels of autonomous driving, as outlined by the National Highway Traffic Safety Administration (NHTSA). These levels capture a progressively increasing use of ADS in driving a vehicle, with Level 4 describing a vehicle that is capable of performing all driving functions under certain conditions, and Level 5 describing a vehicle capable of performing all driving functions under all conditions.

When Levels 4 and 5 will occur in great numbers on the road has long been a matter of debate, though most experts believe that fully-autonomous commercial vehicles like trucks will predate the debut of entirely self-driven cars. While some trucks will involve passive drivers, others will be completely unmanned; in such cases, a combination of autonomous driving technologies and remote piloting by humans will control the vehicle.

“The first autonomous vehicles without humans on board are already widely in use in the construction and agriculture industries, but large numbers of unmanned trucks will be on highways and others roads before we see fully self-driving cars,” says Kartik Tawiri, cofounder and CTO of Starsky Robotics, a leading manufacturer of autonomous trucks.

Sharing this perspective is Viscelli, author of the book, The Big Rig: Trucking and the Decline of the American Dream. “Fully autonomous trucks that are unmanned and remotely piloted will come sooner than autonomous cars,” he explains. “There are just too many economic benefits to be gained from autonomy for the trucking industry to ignore.”

Chief among these is the precipitous decline in people willing to drive trucks long-distance; the American Trucking Associations (ATA) posits an urgent need for 60,000 drivers now and far more in the future. “The biggest problem in trucking is a dire shortage of long-haul drivers,” says Tawiri. “It’s a fun thing to do in your early 20s, but after that no one wants to spend their life in a metal box roaming the country. The turnover of drivers is huge.”

Autonomous trucks would solve the human labor dilemma, assuming legislators and regulators are willing to designate a dedicated lane on highways to accommodate driverless trucks. Aside from addressing the protracted driver shortage, the concept would increase safety: By limiting the use of autonomous trucks to a single lane and restricting non-autonomous vehicles from driving in this lane, the risk of a collision with non-autonomous vehicles is greatly reduced.

A designated lane also fits well with current autonomous technology: Driverless trucks can be remotely controlled through geo-fencing, which involves the use of global positioning (GPS) or radio frequency identification (RFID) to create a virtual perimeter in a prescribed area like a dedicated lane, limiting automotive autonomy to this geographic boundary.

In this regard, the agriculture industry is instructive. “We’re seeing quite a bit of autonomous equipment on farms in India, where tractors geo-fenced into a particular agricultural area drive around freely without anyone on board,” says John Simlett, consulting firm EY’s Future of Mobility leader.

Another factor driving autonomous trucks on the road is online retail. Small trucks and vans delivering consumer goods purchased from online retainers, such as Amazon, will continue to crowd residential streets, but autonomous long-haul trucks plying dedicated highway lanes in the future will transport the goods from ports and rail depots to the smaller vans and trucks.

“We’ll begin to see what the industry calls `platooning,’ in which the first truck in a queue of trucks is driven by a human being and the remainder use automated driver support systems, in addition to remote piloting in the first and last miles of travel, to maintain a specific distance behind the leader, accelerating and braking as the computer dictates,” says Viscelli.

This possibility bodes well for all of us. Highway accidents generally are the most catastrophic, with truck-related fatalities reaching their highest level over the past 29 years in 2017, rising 9 percent to cause 4,761 deaths, according to the latest available statistics. According to the NHTSA, autonomous trucks traveling in a dedicated lane away from other vehicles theoretically would enhance safety by removing “human error from the crash equation.”

The Missing Link?

Despite the varied benefits, the year of fully autonomous vehicles taking over the roads remains uncertain. A major stumbling block is safety, insofar as a clear and mutually-agreed upon understanding of acceptable risk by governments and the public.

“No critical system of transportation can claim a zero percent level of risk,” Tawiri says. “Decades passed before people agreed on an acceptable level of risk when flying in a plane. We’re in a phase now where we’re trying to define what is acceptable and unacceptable risk.”

This effort has not stopped dozens if not hundreds of autonomous test vehicles from jumping on the nation’s roads, most of them unnoticed by the public. So far, 29 states have passed legislation allowing specified uses of self-driving vehicles on state roads. That number is expected to increase this year following the decision by the U.S. Department of Transportation in December 2018 to limit federal oversight of autonomous vehicles, in addition to plans by Congress to reintroduce legislation permitting more than 100,000 autonomous vehicles to be driven by 2022.

5G is expected to accelerate this timetable. At the recent Consumer Electronics Show (CES) earlier this year, the 5G Automotive Association (5GAA), an organization composed of more than 110 automotive, technology and telecommunications companies, unveiled Cooperative Intelligent Transportation Systems (CITS), an all-encompassing autonomous vehicle system comprising vehicle-to-vehicle, vehicle-to-infrastructure, vehicle-to-network, and vehicle-to-pedestrian communications.

Such vehicle-to-everything wireless communications (dubbed V2X) can handle enormous data volumes, reducing latency risks. “5GAA supports the idea that 5G will be the ultimate platform to enable CITS, (as it) will be able to carry mission-critical communications for safer driving,” the group stated. “The impact on road safety alone is sufficiently important to make CITS a priority.”

5GAA has assembled a number of working groups, each tasked with a specific assignment—the development of industry standards, system architecture, business models, go-to-market strategies, and so on. At CES 2019, V2X took home the Innovation Award in the Vehicle Intelligence and Self-Driving Technology category, giving further credence to expectations of a shorter road to tomorrow.

According to EY’s Simlett, 5G networks are expected to reach half the world’s population by 2024. “My perspective is that we will begin to see Level 4 autonomous vehicles on the road in much greater numbers by 2030, with Level 5 vehicles following relatively soon thereafter,” he says.

That’s roughly 10 years from now. Assuming this prediction is close to reality, a speedier schedule for self-driving vehicles is on the near horizon. As NHTSA stated, “Fully automated cars and trucks that drive us, instead of us driving them, are a vision that seems on the verge of becoming a reality.”

Home, please.

Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.