Revolutionary thinking: Why CFOs should account for political instability

Corporate executives are increasingly worried about geopolitical instability — and with good reason.

By Russ Banham

FM magazine

Prior to the 2011 uprising in Egypt that led to President Hosni Mubarak’s stepping down from power, multinational building materials company Cemex developed a plan to manage fallout from just such a political crisis.

That plan came in handy: Within a few weeks the Egyptian military dissolved the country’s parliament and suspended its constitution. Like many sophisticated multinational businesses, Mexico-based Cemex, which had significant operations in Egypt, had assembled an enterprise risk management (ERM) programme that included strategies for handling global political risks.

Months before the uprising, Enrique Alanis, Cemex’s global director of ERM, and his team received intelligence from within and outside the company that “something was not right”, he said. “The information was gathered from our own people in the region, as well as external people like market experts, industry trade groups, suppliers, and vendors. We also incorporated public sources of information like the internet, media reports, and public forums.”

Armed with this insight, the company quickly took action. “The advance warning gave us time to prepare for how we would address the situation,” said Alanis. “We had a strategy ready that pointed out [to the new regime] that Cemex was good for the country.”

The company successfully communicated to the new leaders that it provided significant employment, and building products that many diverse businesses relied upon in Egypt. The result: Cemex was able to continue its business operations without missing a beat.

Alanis said: “At all times, our goal is to stay ahead of potential risks [and] to be ready if they occur.”

Not all companies are as fortunate. Disastrous outcomes have included the confiscation, expropriation, and/or nationalisation of a company’s assets in a foreign country. Examples over the years are far too numerous to cite, but they provide a cautionary tale for all multinational companies operating in politically unstable regions of the world.

In recent years, emerging economies such as Thailand, Myanmar, Brazil, Turkey, and the Philippines — countries that had achieved some measure of stability for several years — have experienced their share of political turmoil. They’re not alone: According to the 2017 Government Stability Projection by consulting firm Verisk Maplecroft, more regions of the world are likely to experience a decrease in government stability in the next two years, with developing markets being the most susceptible. Among the factors behind these risks, according to Verisk Maplecroft, is anticipated volatility in US global trade and policymaking, underscored by the country’s withdrawal from the Trans-Pacific Partnership trade deal and US President Donald Trump’s threats to pull the US out of the North American Free Trade Agreement (NAFTA) with Canada and Mexico, in addition to global factors including Brexit.

The study underscores a growing concern of many C-suite executives, including CFOs. Another example: A survey by McKinsey & Co. in 2016 found that the number of corporate executives identifying geopolitical instability as a “very important business trend” had doubled over the past couple of years.

“Among the 13 trends we asked about, respondents most often expect that domestic political instability, as well as slowing growth in developed economies, will pose a threat to profits in the next five years,” the study stated. “… Yet a vast majority say their organisations are not yet taking active steps to address these issues.”


This complacency may have disastrous results for finance departments. Aside from asset expropriation, political instability also can lead to currency inconvertibility, a situation where one currency cannot be exchanged for another currency. Contracts in the foreign country may be repudiated — the duties of one party to another frustrated. Additionally, the sovereign nation may default on payments owed to the company and/or wrongfully call on-demand bonds and guarantees. Banks, exporters, and investors owed money by foreign buyers may never see these receivables.

There’s also the possibility of violence and the detention of employees — something that Cemex was watching for. “As part of our ERM process, we had developed early warning systems of potential problems like political insurrection and riots across our global footprint,” said Cemex’s Alanis.

Emerging economies are not the only countries vulnerable to shifting political winds. Powerhouse economies such as the US and Britain also are susceptible. Voters’ dissatisfaction with the status quo in both nations fostered the election of a populist president in the US and approval for Britain to exit the EU. These decisions have generated serious questions about potential de-globalisation, with a corresponding impact on business prospects.


Despite these sobering concerns, many companies move forward with their global strategies, their eyes focused on growth more than on the impediments in the way. “Often the reasons to do business in an emerging economy are so enticing they appear to outweigh the risks,” said Daniel Wagner, CEO of Country Risk Solutions, an operational risk management consultancy. “But it’s folly to think a country that has been politically stable for several years will remain stable tomorrow.”


Political risks are not limited to companies that conduct business on the ground in a country. “Almost every business is global in nature today, simply because their supply chains are global and their customers are often global,” said Bodhi Ganguli, lead economist for Dun & Bradstreet’s country risk team. “Companies no longer produce and sell in one place anymore. If a coup breaks out in a country where a critical component is manufactured, it can put the brakes to the production line.”

Consequently, virtually all companies must heed global geopolitics. How can they manage a complex risk that takes on the guise of a multiheaded Hydra? “You need to weigh the strategic value of doing business in a country against the array of political risks, measuring the pros and cons,” said Charles Stevens, an assistant professor of management at Lehigh University, where his academic focus is on global strategy and political risk.

Several organisations can provide insightful intelligence on political risks, including the World Bank, the Overseas Private Investment Corporation, The Economist Intelligence Unit Viewswire, the US Export-Import Bank, private intelligence organisations like Kroll, and large insurance brokers and insurance companies like Marsh, Aon, and AIG.

“There is no absence of information that can be obtained,” Wagner said. “The problem is that as soon as it is produced, a period of time that can consume several weeks, it can become obsolete and irrelevant. It’s better to have local people on the ground who really know what’s going on to provide ongoing, real-time intelligence.”

One such source may be a local organisation that partners with the company in sharing the risks and rewards of the opportunity. “It makes sense to choose a joint venture partner, particularly one that knows the ins and outs of the region,” Wagner said. “Look for a partner that knows the local political landscape and understands the legal regime, preferably one with government contacts to get in front of a problem before it rears.”

A related tactic is to secure local equity and debt to help finance the business venture. When local firms, trade unions, financial institutions, and government agencies have a stake in the venture, it can reduce adverse consequences. To get this buy-in, some companies pledge to financially assist the host country in improving quality-of-life objectives.

But even the best plans can falter, so companies also need to consider the financial value of political risk insurance. Depending on the coverage particulars, political risk insurance generally absorbs financial losses due to the following conditions:

Political interference. The nationalisation and/or expropriation of assets by the host government.

Political violence. Strikes, riots, civil insurrections, and civil war, in addition to a hostile act like a coup.

Currency inconvertibility. Imposition of local currency controls making it difficult to receive hard currency payments.

Sovereign nonpayment. Nonpayment of financial commitments, obligations, and loans by the host government.

Supply chain disruption. Political, social, economic, or environmental instability that causes a disruption in the flow of goods and/or services into and out of a country.


When political instability threatens, the first priority for companies is the security of their employees. Stevens advocated the use of smartphone apps and hotlines that can alert local employees when trouble is brewing. “Your people can be scattered throughout a country; hence the prudence in giving them the means to instantly know what to do wherever they are,” he said. “They should also contact their local embassy and have their passport on them at all times.”

To reduce risk, many multinational companies employ local citizens. If a company needs to evacuate employees who are not citizens of the country, those remaining can continue some measure of business operations.

Even with the best due diligence, the unexpected can happen. “Sometimes you don’t know you have a problem until you have one,” said Wagner, who also is the author of the books Managing Country Risk and Virtual Terror. “That’s why we advise you proactively have a plan in place for worst-case scenarios.”

What CFOs need to know about political risk insurance

Political risk is increasingly on the radar for multinational companies, given rising concerns over geopolitical instability. One way companies try to mitigate the risks is through political risk insurance.

No two insurance policies are alike; each includes specific terms, conditions, and prices based on the perceived political risks in different nations. However, even in countries deemed to be at high risk of a political event, some measure of insurance is available.

“You can get it pretty much everywhere you need it, even in perceptibly high-risk countries,” said Stephen Kay, practice leader for structured credit and political risk at insurance broker Marsh. “We recently were asked if we could get political risk insurance for a client in West Africa, which has a very uncertain political climate. We could.”

Marsh also recently brokered a political risk insurance policy for a foreign company operating in South Korea that included full-breadth coverage, including the risk of war with North Korea. “The reason insurance markets took up the risk is that the company is located at the southern tip of the Korean peninsula, enough of a distance away from the border with North Korea to provide some semblance of comfort,” Kay explained.

Insurance carriers selling political risk insurance include large international insurers like AIG, Zurich Insurance Group, Chubb, Great American, and Lloyd’s of London, among others. The US federal government’s Overseas Private Investment Corporation also offers the insurance. “Multinational companies generally can buy ample insurance coverage to protect foreign assets in most regions of the world, albeit at a price,” Kay said.

The premium depends on the market’s assessment of a country’s political risk. Current hot spots include Venezuela, Argentina, Bolivia, and Ecuador in Latin America; Cambodia, Myanmar, and Thailand in Asia; Syria, Libya, Yemen, and Afghanistan in the Middle East; and multiple countries in sub-Saharan Africa.

Russ Banham is a freelance writer who is based in the US.

GDPR: Act Now Before It’s Too Late

By Russ Banham

Chief Executive magazine

The May 25 deadline for complying with the European Commission’s General Data Protection Regulation (GDPR) is approaching fast—so fast that many small and medium-sized businesses are in a mad rush to get their houses in order.

So are many large companies, but the regulation creates intimidating challenges for SMEs, given their smaller size and resources. In recent weeks, the European Commission (EC) has dispatched a flurry of detailed advisories and even created an exclusive website to help companies prepare for compliance, with special attention accorded the demands placed upon SMEs.

We’ve gone through the advisories to distill critical steps that must be taken now, assuming they have not already been addressed. Most important of all is for CEOs to take GDPR very seriously, as its teeth are razor sharp—irrespective of company size.

Basic Background:

The EC created GDPR to heighten and unify personal data privacy laws across the European Union (EU). All companies doing business in the EU must comply with the regulation. The EC applies a new principle called extraterritoriality to ensure compliance by non-European businesses—even those without a physical presence in the EU. If they “control” or “process” personal data belonging to European consumers, they must comply with the regulation. A data controller comprises both for-profit and nonprofit organizations. A data processor is a firm that performs the actual data processing.

The new regulation broadly extends the EU’s 1995 data protection directive that held businesses accountable for the security of the consumer data they had in their possession. As opposed to the previous passive opt-out acceptance model, companies now must receive written consent from consumers to collect and use their data, and only for a legitimate business purpose. Consumers can withdraw their consent at any time, and once the business purpose for using the consumer’s personal information has been fulfilled, the data must be deleted.

These aspects of GDPR loudly resonate following recent disclosures of the harvesting of 50 million Facebook profiles in the continuing Cambridge Analytica scandal. A major objective in drafting the regulation was to give consumers more control over their personal information, insofar as which organizations can use it, when they can use it, and for what purposes. The other primary goal was to create regulatory uniformity across the EU.

Analysis and Monitoring:

Before processing a consumer’s personal information—both paper-based and digital data—companies must analyze the related data privacy and security risks. This rule also applies to consumer data the business may have provided to its vendors, suppliers and outsourcing partners. Additionally, the measures used to secure data, such as encryption in transit and in temporary storage, must be documented. A record of these various activities must be maintained by the organization for delivery to regulators upon request.

For SMEs whose core activity is the systematic monitoring of data subjects on a large scale, GDPR advises these businesses to appoint a data protection officer dedicated to data privacy. Companies not technically mandated to do this should still consider the value of hiring a privacy overseer and having this person sit on the board.

Since new products, services and technologies under development must take GDPR compliance into account from the origination of these plans, having someone in charge—either internally or on an outsourced basis—may be prudent for all SMEs.

Lastly, in the event of a data breach it is the responsibility of companies to inform EU regulators within 72 hours of the event, even though all the details may be unknown or uncertain. What regulators want to know is the nature of the incident, approximately how many people were affected, the potential consequences for these individuals, and the measures taken to date or in the planning stages to respond to the breach.

GDPR’s consequences for failing to address the regulation are severe. A penalty of 2 percent of annual worldwide revenue or 10 million euros (roughly $12.37 million), whichever is greater, may be imposed on businesses that fail to report the breach within 72 hours. For companies that fail to comply with other parts of the regulation, the penalties are double these amounts.

Had GDPR been in effect the past five years, FTSE 100 companies that experienced a data breach collectively would have been fined more than 25 billion euros (close to $30 billion), according to an October 2017 study.

What To Do Now:

Most SMEs are hopefully well into their preparations for GDPR compliance. For those still at the beginning of this process, we’ve compiled a checklist of tasks to help ensure readiness by the deadline.

  1. Know Your Data. What types of consumer data does the company collect and where does this information reside? Create an inventory of this information that includes the consumer’s name, email, bank details, etc., since the business will need to demonstrate an understanding of the personal data in its possession.
  2. Consider Consent. How does the organization currently receive consent from consumers to collect and use their data? What needs to change internally from a process and systems standpoint to reach out to consumers for their consent, and how will this consent be documented for regulatory purposes? What is the process to delete consumer information after its business use has concluded? Start writing up clear policies regarding all of the above and have their appropriateness confirmed by legal staff or outside counsel.
  3. Data Chief. Does the company employ a chief data protection officer? If not, who in the organization will be in charge of data privacy and data security, and what are their respective responsibilities and capacity to achieve these aims? Is there value in creating a multi-functional team to report to these individuals? How does the company currently secure consumer data; broader use of encryption might be needed. The goal is to ensure regulation-ready data privacy and security policies.
  4. Breach Notification. What are the processes to comply with the 72-hour data breach notification rule? How will each of the required responsibilities, such as demonstrating the nature of the breach and how many people were affected, be determined? Who in the organization is involved in these regards and what are their tasks? Consider testing the process to iron out any kinks.
  5. Third Party Obligations. What are the processes to review how vendors, suppliers and outsourcing partners are using the personal data provided to them? How can the organization ensure these organizations are GDPR-ready? For instance, contract terms and conditions may need to change to obligate them to immediately report the incidence of a data breach.

The bottom line for CEOs of midsize and smaller companies that conduct business in the European Union is that GDPR readiness may be difficult, but the likelihood is that similar rules will hit U.S. shores at some point. This gives them a leg up on domestic competitors currently free from compliance. Better now than later.

Mining for Gold—and Other Creative Ways Companies Are Combating E-Waste

By Russ Banham

The facts surrounding electronic waste, commonly referred to as e-waste, are staggering. Although nearly all e-waste can be recycled, 60 percent ends up in landfills, where toxic metals leach into the environment and can cause severe damage to human kidneys, blood, and central and peripheral nervous systems.

More than 50 tons of e-waste is produced each year through the discarding of used or unwanted electrical and electronic devices, many nearing the end of their useful life. In an effort to show the magnitude of the e-waste problem and promote recycling, artist Benjamin Von Wong worked with Dell to create photographic sculptures using two tons of old laptops, keyboards and circuit boards – all of which can be recycled.

The message? The past can power the future but time is of the essence. A 2010 report issued by the United Nations indicated that the volume of e-waste could increase by as much as 500 percent in developing countries alone by 2020. Newer statistics are hard to come by, but the overwhelming consensus is that much can be done to positively alter the status quo and combat these staggering 2020 figures. Here’s a look at just a few creative solutions for tackling the mounting problem of e-waste.

Revitalize the Manufacturing Sector

Inside the 44.7 million metric tons of e-waste produced in 2016 lies approximately $55 billion of gold, silver, copper, platinum, palladium, and other high-value recoverable materials, according to a 2017 report by Global e-Waste Monitor. That figure exceeds the gross domestic product of most countries in the world, and presents a compelling financial incentive for municipalities and businesses to consider ways to pursue more robust e-waste management.

E-waste mining is one innovative solution to recover these precious materials. With $35 million in financing, BlueOak Resources has built an urban refinery in Osceola, Arkansas to recover “technology metals” from 15 million pounds of electronic scrap each year. The first of its kind in the U.S., the refinery exemplifies a type of development that can reinvigorate the American manufacturing sector.

If there’s anything BlueOak Resources proves, it’s that finding ways to extract valuable metals from electronic scraps is not only good for the environment; it is also a healthy financial investment.

Look for Gold

In addition to mining, companies are forging creative partnerships and rethinking the treatment of the precious metals hidden in technology e-waste. “When you think about the fact that there is up to 800 times more gold in a ton of motherboards than a ton of ore from the earth,” Jeff Clarke, Dell vice chairman, explained, “you start to realize the enormous opportunity we have to put valuable materials to work.”

Recognizing that approximately $60 million in gold and silver is discarded each year by Americans through unwanted phones alone, Dell has begun to work with actress and jewelry designer Nikki Reed to recycle excess gold from old computers collected through programs like Dell Reconnect and Asset Resale and Recycling Services and turn it into earrings, bracelets, and rings.

The effort is part of Dell’s “Legacy of Good” program, which outlines social and environmental milestones to achieve by 2020 (and beyond). Altogether, Dell has pledged to recover 2 billion pounds of used electronics and reuse 100 million pounds of recycled content back into their products, all by 2020.

With the help of Dell’s environmental partner, Wistron GreenTech, these efforts have resulted in a process for extracting the precious mineral to use in Reed’s sustainable design line of jewelry, The Circular Collection, through her company Bayou with Love.

More Recycling, More Jobs

Job creation through repairing electronics is another booming creative solution that kills two birds with one stone. In addition to recycling old electronic material, these programs provide employment opportunities for often underserved or vulnerable communities.

Homeboy Recycling (formerly Isidore Electronics Recycling), for instance, employs former gang members and prisoners in Los Angeles to recycle much of the city’s electronics. “I felt like if I asked people in Los Angeles to give me their electronics, they would, and I could hire people with records to do the recycling,” founder Kabira Stokes told Fast Company in 2017.

The company accepts donations, sorts through the equipment, and then dispatches the ones still working into its reuse department. Those products that don’t make the grade are taken apart to recover and recycle the valuable minerals and other materials. As of early last year, Homeboy Recycling had employed 27 re-entry members and recycled upwards of 2.2 million tons of electronics. According to Stokes, the model is “the future of capitalism.” does something similar, repairing and upgrading yesterday’s tech devices for sale at affordable prices to people unable or unwilling to pay for newer, pricier versions. Through its services, the company is making a dent in the e-waste problem, creating jobs, and giving people access to affordable products—what one might call a triple bottom line.

With millions of tons of electronics thrown to the wayside each year, there are endless opportunities to repurpose valuable materials and aid employment. Whether a tossed device becomes someone else’s next device, a pair of earrings, or the inner workings of the next new device — what is yesterday’s trash might just become tomorrow’s future.

Russ Banham is a Pulitzer-nominated business journalist and author who writes frequently about the intersection of business and technology.

Real-Time Payments Have Arrived

By Russ Banham

Treasury & Risk

Prepare for payments transformation. In November 2017, The Clearing House (TCH) and 25 partnering banks launched the first new core payments structure in the United States in more than 40 years. The new system permits real-time payment clearing, marking a major change for treasury operations that have been using the one- to two-day Automated Clearing House (ACH).

Qualifying payments are domestic, interbank electronic transactions. Their payment messages are transferred, and funds are available to the payee, in real time—literally within seconds—on a 24×7 basis. The new system, dubbed RTP for “real time payments,” was designed and built through the collaborative efforts of TCH and its partnering financial institutions. RTP meets the objectives of the Federal Reserve Faster Payments Task Force, which has been tasked by the Fed to identify and assess alternative approaches for implementing safe, ubiquitous, and faster payment capabilities in the United States.

The new system follows late on the heels of the Faster Payments Scheme Limited (FPSL) launched by the United Kingdom in 2008. FPSL moves mobile, Internet, telephone, and standing-order payments quickly and securely, in nearly real time, 24 hours a day. Seventeen banks and building societies are participants in FPSL, with more than 400 financial institutions now offering the service to over 52 million account holders.

Why has the U.S. lagged behind the U.K. by a full decade in developing RTP? “The clearing cycle prior to FPSL in the U.K. was three days, giving them significant impetus to improve the status quo,” says Steve Ledford, senior vice president of product and strategy at TCH. “In the U.S., we already had ACH and next-day payments. There was less of a gap to make up.”

Another factor slowing implementation in the United States was the sheer volume of financial institutions dotting the American landscape—more than 100,000 entities in all. TCH and its partnering banks needed extra time to design a payments model that could scale to address all these institutions’ different capabilities. As Ledford puts it, “We needed to find a model that worked for everyone.”


Worth the Wait

Similar to wire transfers and ACH, RTP is another component of the core industry payments infrastructure, with the potential to support diverse use cases. In a business-to-business context, RTP is a credit “push” system. Payments are pushed from the bank account of the business making the payment to the bank account of the company receiving it. In between, RTP supports the financial institution’s customer-facing systems for services like bill payment, cash management, peer-to-peer (P2P) payments, and emergency disbursements. Messages such as requests for payment, payment confirmations, requests for additional information, and remittance detail are used to create frictionless customer-facing interactions.

TCH is working with a wide array of industry stakeholders, including community banks, credit unions, and financial institution service providers, to drive adoption of the long-sought real-time payments system. “The reality is that we’ve been talking about payments transformation for the past 25 years,” says Alberto Casas, managing director and North American head of payments and receivables at Citi, one of TCH’s partnering institutions and one of six banks currently processing payments through RTP. The others are JPMorgan Chase, BNY Mellon, SunTrust, U.S. Bancorp, and PNC Financial Services Group.

“However, we wanted a model that didn’t just promise immediacy and faster payments,” Casas adds. “We also wanted to create ‘smarter’ payments—a standardized data set that allowed for clean interactions between parties to send and accept inbound or outbound payments. Today, payments and payment information don’t always travel together perfectly, with the receiver often misunderstanding the purpose of the payment, culminating in costly and frustrating interactions.”

An example is a wire transfer that lacks details indicating the purpose of the payment. Without the right payment guidance, the recipient company may not connect the payment to the right receivable. RTP obviates this possibility by supporting the transfer of critical information about a payment along with the transfer of funds, to efficiently deal with back-office reconciliation issues.

This unique capability was designed and developed using technology from Vocalink, the software vendor that built the U.K.’s faster payments system and which is now owned by Mastercard. TCH wrote the code for RTP and is the system operator.

Heightened payment security was another factor weighed carefully in the development of RTP. The new payments system is the first to be built and launched in the United States since the advent of the Internet. Over this period, incremental changes have occurred in payments, beginning with the gradual reduction in the use of cash and checks, and continuing forward with the digitization of payments and standardized messaging.

“Previous fast payments systems were based on older-generation technology and payments standards,” Ledford says. “An advantage for us being later to the game is that we could learn from and piggyback off of the previous systems’ upgrades. We’ve developed a system using secure, digitally capable Web-based protocols. So we’re not just fast, we’re also safe.”


Treasury Opportunities

Treasurers who leverage the RTP system may help their companies achieve competitive differentiation in their markets.

“With RTP, the payments system can actually become a customer engagement tool,” says Casas. “An insurance company, for example, can provide instant claims payments to a company devastated by a natural disaster.”

Now that the United States and several other nations have introduced independent systems for faster payments, other countries around the world are expected to follow suit, resulting in significant changes in how businesses and consumers send and receive payments globally.

“Today’s payments systems are the building blocks upon which future payments innovation will be built,” says Casas. “Nevertheless, we’re not predicting that all payments will move to a real-time payment channel overnight. RTP is an additional option for payers and receivers to support unique use cases.”

He provided the example of a consumer who has not paid his or her electricity bill on time. “RTP will allow for a request for payment to go from the utility to the consumer’s bank,” Casas says. “When the bank receives the request, it can instantly forward a detailed message through RTP to the consumer that the payment is now overdue. There are multiple benefits, including the avoidance of late fees and/or service disruptions while simultaneously helping to build trust and customer loyalty.”

The business owner sees that if the bill isn’t paid immediately, the electricity will be turned off. “If the person chooses the ‘click to pay’ option, the money is moved from the bank to the utility in real time to avert a shutdown in power—and possibly even a late payment fee,” he says.


Treasurers’ Next Steps

Treasurers interested in adopting RTP need to first determine its value in the context of their current business operations. Moving to RTP might require new payment technology, particularly if the company’s current system releases batch payments periodically to address specific deadlines.

“Business customers need to contemplate API [application programming interface] connectivity with their banks to release transactions in real time, as opposed to batch,” Casas advises.

Treasurers may also need to change the way they manage liquidity and working capital, creating models in their accounts that move money from point A to point B, he adds. Furthermore, with an RTP system, security needs to be embedded in the company’s operational processes at the item level as opposed to the batch level.
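One way to read "security at the item level as opposed to the batch level" is integrity and authentication per payment instruction rather than one control over the whole file. The following is an added illustration, not code from the article or from Citi, TCH or the RTP network: it assumes a shared secret provisioned with the API credential and uses an HMAC tag per item (a constructed choice; the real network's message standard is not described on the page). A batch-level tag only says "something in this file changed"; per-item tags let the receiver release the untouched instructions and reject the altered one.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed shared secret for the demonstration; in practice it is provisioned
# with the API credential and never hard-coded.
KEY = b"demo-shared-secret"


def canonical(item):
    """Stable byte encoding so that signer and verifier hash the same bytes."""
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode()


def sign_item(item, key=KEY):
    """Item-level control: one tag per payment instruction."""
    return hmac.new(key, canonical(item), hashlib.sha256).hexdigest()


def sign_batch(items, key=KEY):
    """Batch-level control: a single tag over all instructions in order."""
    h = hmac.new(key, b"", hashlib.sha256)
    for item in items:
        h.update(canonical(item))
    return h.hexdigest()


def verify_batch(items, tag, key=KEY):
    return hmac.compare_digest(sign_batch(items, key), tag)


def verify_items(signed_items, key=KEY):
    """Return (releasable, rejected): instructions whose tag still matches can be
    released in real time; the others are quarantined individually."""
    releasable, rejected = [], []
    for entry in signed_items:
        item, tag = entry["item"], entry["tag"]
        target = releasable if hmac.compare_digest(sign_item(item, key), tag) else rejected
        target.append(item)
    return releasable, rejected


def build_sample_batch():
    """Constructed payment instructions (not real payees or accounts)."""
    return [
        {"id": "PMT-0001", "payee": "ACME Supply", "amount": "1250.00", "ccy": "USD"},
        {"id": "PMT-0002", "payee": "Beta Freight", "amount": "980.50", "ccy": "USD"},
        {"id": "PMT-0003", "payee": "Gamma Legal", "amount": "4100.00", "ccy": "USD"},
    ]


def demo():
    """Sign a batch both ways, alter one amount in transit, compare the outcomes."""
    items = build_sample_batch()
    batch_tag = sign_batch(items)
    signed = [{"item": item, "tag": sign_item(item)} for item in items]

    # Simulated tampering on the path to the bank: one amount is inflated.
    tampered_batch = deepcopy(items)
    tampered_batch[1]["amount"] = "91250.00"
    tampered_signed = deepcopy(signed)
    tampered_signed[1]["item"]["amount"] = "91250.00"

    releasable, rejected = verify_items(tampered_signed)
    return {
        "clean_batch_ok": verify_batch(items, batch_tag),
        "tampered_batch_ok": verify_batch(tampered_batch, batch_tag),
        "releasable": [i["id"] for i in releasable],
        "rejected": [i["id"] for i in rejected],
    }


if __name__ == "__main__":
    print(demo())
```

With the batch-level tag, the single mismatch forces the treasurer to hold all three payments until the file is rebuilt; with per-item tags, PMT-0001 and PMT-0003 go out immediately and only PMT-0002 is investigated, which is the operational difference the article is pointing at.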

Citi is working closely with its commercial accounts to prepare them for these changes. Ledford says the other five TCH member banks are also assisting their business customers with the transformations required.

Response to RTP has been highly positive thus far. “We’re already hearing from the treasurers now using RTP that the big difference for them has been immediate confirmation of a payment,” Ledford says. “They’re telling us they cannot overstate how important that has been—the certainty it gives them in simplifying processes like reconciliations.”

Treasurers are also touting the speed of the new payments system in assisting their just-in-time supply and demand obligations. An example is a midsize or smaller company buying from a supplier with which they don’t have a credit relationship. “The company needs the product to ship soon but is concerned over payment,” says Ledford. “What might have taken weeks to resolve in the past takes a couple hours and less, due to the new system’s certainty [of payment] and speed.”

Down the line, more and more financial institutions and their customers will be engaging in real-time payments. “We’ll see material adoption [of RTP] in 2019, when more banks are online with more features and functionalities, such as requests for payments and extended messaging,” says Casas. “By 2020, we’ll see a high number of banks on the system and payment volume ramping up in a significant way. Beyond that, it will eventually become the material payments method and the primary alternative to existing systems.”

These developments will be felt worldwide. In anticipation, Citi has developed a comprehensive toolkit that addresses its connectivity to all payment methods and channels globally. Casas explains, “We’re focused on building globally inter-operable capabilities to provide a common experience through a central real-time payment gateway. We see this as a significant differentiator.”

Navigating The Dark Side Of The IoT Revolution

By Russ Banham

Chief Executive magazine

Wesley McGrew is a white hat hacker at HORNE Cyber, where he directs cyber operations. His job is to find security flaws in company systems by hacking into them. Lately, McGrew and his team have been exploiting the vulnerabilities of Internet-connected smart devices like, well, pretty much everything.

From thermostats and coffeemakers to security systems and garage door openers, many commonplace things are embedded with electronics connecting them to smartphones via wireless protocols like Bluetooth. These devices can be connected to the Internet to exchange data, making the work of business more efficient—except when they do dumb things like let hackers exploit them to shut down corporate networks or steal sensitive data. “Any business today has some sort of smart device on its network, either for pure business reasons, like a printer, or for ease of use, like my crockpot,” says McGrew.

His crockpot, which he relies on occasionally for in-office meals, is a demon in disguise. Inside it is a miniature, multi-purpose computer like a circuit board with untold powers—of the bad kind. “The manufacturer of the crockpot has no idea about this computer, other than it switches things on and off,” McGrew explains. “But it is really quite remarkable, with the same power and capabilities as a full desktop workstation from 10 years ago.”

Suddenly, a prosaic crockpot is also a computer designed to connect automatically, through the cloud, to a company’s wireless network. However, this computer is vastly easier to hack because it was not designed with strong, configurable security in mind. “A lot of them have a hard-coded password that can’t be changed without a firmware update by the vendor,” says McGrew. “The problem is vendors rarely, if ever, update the firmware.”

A worse problem is that this password is instantly available to hackers. “Default passwords of all these devices are available on the search engine Shodan, which allows anyone to find specific devices connected to the Internet,” says Harri Hursti, the famed Finnish programmer whose studies of voting systems unearthed serious security flaws. “You simply type in the name of the device, and it’s amazing what you can find.”

Not Exactly Fort Knox

Blame economics for many smart devices’ shoddy security. “The challenge in selling many smart devices is the need to hit a price point low enough to encourage people to buy the device,” says Irfan Saif, a principal in the cyber risk practice at consultancy firm Deloitte. “To help achieve this price point, manufacturers may limit features around security.”

He is not alone in this alarmist view.

“Three seconds of thought are given to security,” says Dottie Schindlinger, vice president and governance technology evangelist at Diligent, a provider of enterprise governance management solutions. “The goal is to make the device super easy to connect to a WiFi network and other devices—to make them ‘idiot-proof’ for anyone to deploy. Yet, the moment the device connects to a network, it becomes a giant wormhole for hackers to penetrate.”

This was the case with McGrew’s crockpot.

“It was incredibly simple to exploit its security flaws,” he says. “Once in the back door, I used it as my base of operations to scan the rest of the network looking for vulnerabilities in our internal systems. Basically, I had a foothold into our network to do whatever I wanted next.”

A hacker with malicious intent can do the same thing, albeit with devastating consequences—compromise the network, steal sensitive data, hold the organization ransom and crimp the flow of business.

Midsize and smaller companies with tight resources to invest in a chief information security officer and trained IT security staff are most at risk, although even the largest enterprises are not immune.

“Our company is dependent on IT systems, data and our employees for our operations and securing these systems and data is a fiduciary responsibility of management and directors,” says Ken Asbury, CEO of CACI, a provider of information solutions and services for defense, intelligence and federal civilian government customers. “Just like we have to be sure our facilities and our people are secure, we now need to ensure our employees are informed about the importance of and necessary steps to secure smart devices like surveillance cameras, door locks and printers that are on the network…. The Internet of things (IoT) is a new area for cybersecurity, one that increasingly poses the greatest amount of risk.”

Awakening the Zombies

This threat was made frighteningly clear in August 2016, when hackers created malware called Mirai that scanned the Internet continuously looking for the IP addresses of smart devices vulnerable to the default password security flaw. The hackers then commandeered these smart devices into a botnet (robot network) that unleashed DDoS (distributed denial of service) attacks on hundreds of websites, shutting them down and causing extraordinary business interruption losses. In a DDoS attack, a website is besieged with so much traffic, it can no longer accommodate legitimate users.

The smart devices-turned-zombies were primarily inexpensive, mass-produced CCTV video cameras designed for security purposes. Two months later, the same malware was used against Dyn, a managed domain name system provider of Internet services to Twitter, Reddit, CNN, Spotify and thousands of other websites, shutting many of its clients down. Approximately 500 companies that relied exclusively on Dyn suffered extensive downtimes.
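Both halves of the Mirai story above leave a footprint a defender can look for: a device that exposes telnet receives login sessions from many unrelated addresses in a short span, and once conscripted it opens a flood of outbound sessions to a single target. The following detection logic is an added example, not code from the article, HORNE Cyber or any of the people quoted. It runs over constructed firewall session records in a syslog-style format invented for the example (real firewalls differ), with the 192.0.2.0/24 documentation range standing in for the internal network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports that Mirai-style scanners probed for default telnet credentials.
TELNET_PORTS = {23, 2323}

# Constructed line format: one record per new TCP session seen by the firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw session src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=tcp$"
)


def parse_line(line):
    """Return a dict for a well-formed session line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def _peak_in_window(records, window, key=None):
    """Largest count inside any `window`-long span: of records when key is None,
    otherwise of distinct key(r) values."""
    records = sorted(records, key=lambda r: r["ts"])
    peak = 0
    for i, start in enumerate(records):
        span = [r for r in records[i:] if r["ts"] - start["ts"] <= window]
        n = len(span) if key is None else len({key(r) for r in span})
        peak = max(peak, n)
    return peak


def inbound_telnet_scan_targets(records, window=timedelta(minutes=5), min_sources=5):
    """Internal hosts whose telnet port is hit by >= min_sources distinct addresses
    inside `window`: the footprint of a default-credential sweep landing on a
    device that exposes telnet. Returns {host: distinct_sources}."""
    by_dst = defaultdict(list)
    for r in records:
        if r["dport"] in TELNET_PORTS:
            by_dst[r["dst"]].append(r)
    flagged = {}
    for dst, rs in by_dst.items():
        peak = _peak_in_window(rs, window, key=lambda r: r["src"])
        if peak >= min_sources:
            flagged[dst] = peak
    return flagged


def outbound_flood_sources(records, internal_prefix="192.0.2.",
                           window=timedelta(minutes=1), min_sessions=50):
    """Internal hosts opening >= min_sessions sessions to one destination inside
    `window`: a cheap indicator that a device is being driven as a DDoS bot.
    Returns {host: peak_sessions}."""
    by_pair = defaultdict(list)
    for r in records:
        if r["src"].startswith(internal_prefix):
            by_pair[(r["src"], r["dst"])].append(r)
    flagged = {}
    for (src, _dst), rs in by_pair.items():
        peak = _peak_in_window(rs, window)
        if peak >= min_sessions:
            flagged[src] = max(flagged.get(src, 0), peak)
    return flagged


def build_sample_log():
    """Constructed firewall log: six scanners probe camera 192.0.2.10 on telnet
    within two minutes, one admin session reaches 192.0.2.20, and the camera then
    opens 60 sessions to a single external host inside 30 seconds."""
    base = datetime(2016, 9, 20, 10, 0, 0)
    lines = []
    for i in range(6):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} fw session src=198.51.100.{i + 1} dst=192.0.2.10 dport=23 proto=tcp")
    ts = (base + timedelta(minutes=1)).isoformat()
    lines.append(f"{ts} fw session src=203.0.113.5 dst=192.0.2.20 dport=23 proto=tcp")
    for i in range(60):
        ts = (base + timedelta(minutes=10, seconds=i // 2)).isoformat()
        lines.append(f"{ts} fw session src=192.0.2.10 dst=203.0.113.99 dport=80 proto=tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("telnet scan targets:", inbound_telnet_scan_targets(recs))
    print("outbound flood sources:", outbound_flood_sources(recs))
```

The thresholds are deliberately conservative placeholders; on a real network they would be tuned per device class, and the inbound rule is only useful if telnet is reachable at all, which is itself the finding worth acting on (block it at the perimeter and segment the devices), since the hard-coded password the article describes cannot be changed by the owner.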

“In the old days, hackers used powerful IT systems to carry out a DDoS attack,” says Vance Brown, CEO of the National Cybersecurity Center, a provider of cybersecurity training. “Today, it’s much easier to marshal thousands of network-connected smart devices to do the same thing.”

Another eye-opening hack of a smart device involved the hospitality industry. In 2017, a hacker infiltrated the wireless key card system at an Austrian hotel, locking all the doors and shutting down the computer system that operated them. “A ransom in bitcoin was demanded to turn the system back on,” says Jody Westby, CEO of Global Cyber Risk, a provider of cyber risk management services. “The hacking was publicly reported, exposing the hotel to potential reputational damage.”

Smart printers have also been hacked. In 2017, a bored teenager in the UK built a program that hacked into 150,000 Internet-connected printers to print out reams of paper. The clever hacker signed his work “Stackoverflowin.”

Schindlinger cited a more devastating hack. “A certain brand of wireless printer has been shown to have a gaping security loophole, allowing hackers to reprint anything that has ever been printed on the device,” she says. “That may include every legal contract the company has signed, new product information, payroll data, employee names and Social Security numbers—you name it.”

What’s more, once a hacker breaks into the printer, a back door to the rest of the network is opened. As Brown puts it, “As soon as you’re in the house, you have access to all the rooms.”

Even some of the best-selling technology products today may do things users are in the dark about. Brown points to smart speakers like Amazon Echo, noting, “If the device is always listening to you, it also could be spying on you.”

He’s right. A security researcher recently demonstrated how to insert malware into a pre-2017 Echo to stream audio from it to a server, turning the device into a personal eavesdropping microphone.

While there is no software patch available to repair the problem in older units, the vulnerability has been addressed in post-2017 Echo models.

Sending in the Guards

How concerned are corporate risk managers about IoT-related attacks? The answer is extremely. An astonishing 94 percent of cyber risk professionals responding to a study by the Ponemon Institute stated that a security incident related to an unsecured smart device would be “catastrophic,” with 74 percent expressing concern over the loss or theft of valuable data.

What can CEOs do to ensure their companies’ networks and systems are protected? It’s not an easy question to answer.

As McGrew points out, “In many midsize and smaller businesses, the IT security staff is 100 percent focused on keeping the network running. They don’t have time to chase all these smart devices that are connecting to it; they’re at capacity. And most companies don’t have a team of [network] penetration testers—white hat hackers who love to break into devices and pinpoint their vulnerabilities.”

Westby from Global Cyber Risk agrees, noting that it is difficult to sell the firm’s assessments to companies with under $1 billion in revenue.

“Compared with the enormous expense of a business interruption, a forensic investigation is a pittance, yet many CEOs downplay the need,” she says. “This is ridiculous since they have a fiduciary responsibility to investors and shareholders to pay attention to these risks. A big attack can literally do them in.”

The Ponemon Institute study drew a similar conclusion. The respondents cited boards of directors not fulfilling their oversight responsibilities and making management accountable as one of the three major barriers to addressing the risks of smart devices. The other two barriers were insufficient resources and a lack of priority in their approach to cyber risks. “Because it is not a priority and leadership is not engaged, the necessary resources are not being allocated,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “While smart devices promise good things by sharing information for good purposes, there is a dark side—hackers using the information for nefarious purposes.”

Asbury from CACI says that CEOs must take the risk of connected smart devices seriously and lead the charge in their organizations to do something about it. “Companies must develop a culture of cybersecurity, and that begins with the tone from the top set by the executive team and board,” he says. “A strong culture of cybersecurity makes the security of systems, data and smart devices the responsibility of all employees, not just the IT and security teams.”

He adds, “It takes everyone to keep a company secure, at every level of the workforce, all the way up to the boardroom. But someone has to lead the way.”

Insurance Underwriting 2018

By Russ Banham

Carrier Management

Underwriting is the nucleus of the insurance business. For centuries, human beings have performed this process, evaluating a risk to determine whether or not it is insurable at a profit for the insurance carrier. To this task they brought significant statistical and analytical skills, attention to detail, and judgment.

Well, move over people; here come the robots. Through the use of cognitive computing tools like machine learning, predictive analytics, robotics processing automation, and both image recognition and natural language processing, underwriting is becoming less manual and more automated. Providers of the tools offer novel ways for underwriters to better gauge risk, set premiums, save time, become more efficient and lower loss ratios.

We’ve profiled four such InsurTech companies here, each with a different set of products and services, but all with a similar value proposition: to make insurance underwriting more accurate and less burdensome, freeing underwriters to take on more strategic, value-added work.

Will the tools eventually replace the people whom they are currently helping? Read on.

Intellect SEEC: Expanding Information Boundaries

The unusually named Intellect SEEC (the two words reflect the consequence of a merger) is the first InsurTech enterprise in our lineup. Intellect SEEC provides cognitive computing solutions covering multiple insurance functions like underwriting and distribution via a cloud-based platform. The company focuses on commercial lines underwriting services for primarily medium-sized and smaller commercial insurers and specialty carriers.

Pranav Pasricha, Intellect SEEC’s CEO, said the company reinvented itself after the 2009 merger to bring the latest innovations in machine learning and big data to underwriting. “We’re confident that we’re the best source of structured, semi-structured and unstructured information in the world,” he asserted.

This information ranges from publicly available legal filings and press articles to customer comments and social media feedback. Intellect SEEC’s tools capture this data and ferret out the most pertinent information from an underwriting standpoint.

“We’re able to distill fine-tuned alerts of information about each class of business—the different things that can go wrong and the insights drawn from this knowledge,” said Pasricha. “Such risk indicators often escape the attention of underwriters, yet are crucial elements of the overall risk picture. We’re expanding information a thousand times.”

He’s not necessarily boasting. A human being could not possibly collect and collate 10,000 pieces of information of import to a particular risk. However, using cognitive computing tools like predictive analytics and machine learning, this huge volume of data is compressed into digestible tidbits of underwriting import.

Intellect SEEC also canvasses historical and real-time data sources to make predictions on future loss likelihood. Examples include an upcoming regulation or possibly adverse legal ruling affecting a potential insured’s business prospects or a competitor’s research into the development of a new product or product enhancement.

“Our Risk Analyst product uses machine learning to look at events occurring around an insurance prospect’s business to assess potential risks down the line,” said Pasricha. “We capture this information and provide it to underwriters in the form of an alert.”

Prior to joining Intellect SEEC, Pasricha was the chief operating officer of QBE Insurance Group in Australia, leading the company’s global underwriting transformation effort. Intellect SEEC’s Chief Technology Officer Lakshan De Silva worked with him at QBE in driving this transformation.

“Next up for us is an extension of our current capabilities, incorporating more video into our telematics to further illuminate the risk profile,” said Pasricha. “We also see the Internet of Things as a huge growth platform, pulling and analyzing data from the embedded sensors to provide added insights to underwriters.”

DataRobot: Powering Predictive Models

DataRobot also digs through mountains of risk-based data to unearth underwriting insights, in its case via an automated machine learning platform. Underwriters interact with the platform to create better risk models.

“We help underwriters get an idea of what an insurance policy will cost over a multiyear period of time, presenting the opportunity for the carrier to improve its risk segmentation,” explained Satadru Sengupta, DataRobot general manager and data scientist.

The business of selling an insurance policy today is based on an assessment of a prospect’s historical risk and loss data to price the coverage terms and conditions on an annual basis. Scant thought is given the trajectory of the risk five years into the future and what the premium for the policy would need to be at that time. Predictive big data analytics offers a way to gauge this future cost of goods sold to create a more balanced underwriting portfolio.

Armed with this knowledge, an insurer may determine a particular risk provides a greater long-term return than another risk. “We’re providing a way for underwriters to make better predictions that improve risk segmentation and charge a more accurate premium,” said Sengupta. “We tap into different sets of data and automatically apply open source algorithms to help underwriters build highly accurate predictive models that tell a truer story of future risk.”

DataRobot’s cognitive computing platform also is marketed to carriers for claims, distribution and other insurance processes (underwriting represents less than one-third of its market). The platform can be used to underwrite personal lines and commercial lines products, as well as health and life insurance. Users interact with the platform to build hundreds of risk models in a single click, helping them make better predictions. “We make the process of building a risk model extremely simple,” Sengupta said.

Large global insurance carriers are DataRobot’s primary customers, although its modeling tools also are sold to other industry sectors like banking and health care. Nevertheless, insurance would appear to be the company’s sweet spot. Two former insurance executives—Jeremy Achin and Tom de Godoy (both from Travelers)—are co-founders of DataRobot. Sengupta also hails from the industry, serving stints at AIG and Liberty Mutual. And its chief data scientist is a former actuary.

“We’re insurance through and through, from product design and development through advisory and client interactions,” said Sengupta. “We speak the language of insurance and understand the challenges of underwriting.”

He added, “Oftentimes people think analytics is all about the application of algorithms. Not necessarily so, although they are important. What is most critical is designing the workflow. When you merge experienced data scientists with people who have deep insurance domain expertise, you get solutions that address real business problems.”

In 2018 DataRobot plans to incorporate so-called time series analytical modeling into its platform. Last year, it acquired data science company Nutonian to bolster its capabilities to create models involving time series data. The key word is “time.” As the name suggests, the analyses involve predictions generated by time-based data—years, days and hours.

DataCubes: Solving Underwriting Problems

Unlike DataRobot, DataCubes focuses exclusively on developing machine learning and data science tools for insurance underwriters. “It’s all we do,” said Harish Neelamana, DataCubes’ co-founder and chief product officer. “We solve two big problems: overcoming inefficiencies in how underwriters do their job and providing access to better facts to make smarter decisions.”

Regarding the first solution, by digitizing and automating the processing of insurance applications in real time, the company reduces the paperwork migraines involved in the quote-to-bind underwriting process. The solution also comprises a data integration engine that captures and organizes data from multiple external and internal sources.

“We start with a few pieces of information, like the name and address of a business, and then sift through the usual mountains of publicly available data and licensed data sources that describe various aspects of this entity,” said Kuldeep Malik, DataCubes’ CEO and co-founder. “This typically includes how long the company has been in business, the nature of the work it does, how many employees it has and all sorts of other information. We then apply machine learning to this data to answer specific underwriting questions, giving users an Amazon-like experience.”

An example is a landscaping enterprise that mows lawns, cuts hedges and removes dead leaves. These activities help describe the company’s risk profile for underwriting purposes, culminating in a premium charged for the related exposures. However, by scraping data off websites and social media, the underwriter may learn that the landscaper did a great job cleaning out the roof gutters of a particular customer. Unfortunately, this high-risk activity was neither realized nor reflected in the underwriter’s risk assessment and premium calculations.

DataCubes helps to solve this conundrum. “The underwriter can ask the question: ‘Does the landscape contractor do roofing work?’” said Malik. “The tool interprets this to go out and search data about the company. Up pops some information that the company did some roofing work a couple times. Well, roofers fall off roofs, changing the risk profile.”

Most of DataCubes’ insurance carrier customers are in the $50 million to $100 million range (gross written premiums), although some are in the $500 million to $2 billion category, and one is a top-tier $10 billion-plus insurer. “We focus on underwriters of workers compensation and BOP [businessowner policy] packages—general liability and property stuff,” Neelamana said.

Prior to launching DataCubes, Neelamana spent 15 years performing operational and strategic roles at Zurich Insurance Group and Allstate; Malik, on the other hand, is an experienced entrepreneur. He said, “Our team is a sort of happy medium of data technologists and insurance underwriting experts coming together to solve underwriting problems.”

RiskPossible: Continuous Underwriting

RiskPossible is the newest kid on the block, a startup still getting its footing. Like the other InsurTech companies, its founder and CEO Michael DeSiato hails from the insurance industry. His mother and two uncles launched the small Granada Insurance Company, a Florida-based property/casualty carrier, in the 1980s. “My mom introduced both insurance and entrepreneurship when I was a little kid,” said DeSiato, who was in Des Moines, Iowa, taking part in a global accelerator program for startups when interviewed for this article.

The company has yet to make its official launch, although it has participated in several pilot projects. RiskPossible also leverages data access and analysis tools, but for a somewhat different purpose. “We help underwriters find out if a policyholder’s risk profile has changed dramatically since binding,” said DeSiato. “We provide this information through our continuous underwriting engine.”

Rather than underwriting being a once-and-done exercise with an annual reappraisal of client risk, DeSiato wanted to make it more of an ongoing process throughout the life of the policy. His thinking was that important risk-based data was escaping the attention of carriers—information that may compel it to cancel the policy.

“We’ve partnered in a pilot program with a nursing home, providing a continuous feed of risk-based data that our tool has scraped off different public and private sources of information, including social media,” he explained. “Once you go down the rabbit hole, the amount of information is incredible. Based on the insights we learn, an alert would be sent to the underwriter to re-evaluate the risk.”

DeSiato provided the following scenario: a nursing home whose fire and smoke doors were recently inspected to ensure compliance with a new rule from the U.S. Centers for Medicare & Medicaid Services (CMS) covering the installation, care and maintenance of many types of doors and assemblies in a healthcare setting. If the company fails the test, this information typically would not reach the underwriter until just before the policy renewal.

“Say you have a restaurant regularly failing inspections for pests or with multiple infractions of people not washing their hands. Wouldn’t the carrier want to know this immediately?” asked DeSiato. “This way you could send out your own inspector to do a renewal review much earlier in the process. Depending on the state, you may have the ability to do a midterm policy cancellation.”

RiskPossible currently is engaged in a joint venture with a provider of IoT-enabled sensors measuring temperature and moisture. The plan is to feed this data into its continuous underwriting engine in time for the company’s imminent launch.

“We want to put the sensors inside freezers in restaurants to detect drops in temperature causing potential food spoilage, and in commercial buildings to discern evidence of a leak, with the data going to both the insured and insurers,” said DeSiato. “We’re also working with another partner that has developed a tool that counts the number of people going in and out of a facility. All this risk-based data coming from multiple sources has import for underwriting, well before the renewal.”

Back to Those Robots

As these stories relate, machine learning and data science technology should make the job of underwriting easier and more efficient and productive. But will the tools eliminate the need for underwriters in the future?

All the interviewees demurred on the point. “The day a machine does what human underwriters do is the day there is nothing left for anyone to do,” said DeSiato. “Underwriting requires three things: intellectual curiosity, domain knowledge and creativity. This is what human beings provide. At best, the tools will help underwriters enhance their portfolios and productivity. They won’t replace people—not any time soon.”

Pasricha from Intellect SEEC has a slightly different perspective. “In the future, every job is going to be disrupted by machine learning, including those of underwriters,” he said. “But this doesn’t mean underwriters will be replaced entirely. An important job in the future will be training the machines to underwrite—something that only the best underwriters will inevitably do.”

DataRobot’s Sengupta concurred: “Underwriters will be different in the future, but the jobs are not going away. As machines take over the rote jobs, underwriters will have more time on their hands to focus on emerging risks like cyber, where there isn’t much data yet to draw from. Machines will extract this data as it increasingly becomes available, but human beings will be needed to assess its meaning.”

“As robots allow underwriters to be more efficient and make more intelligent decisions, they will be freed to spend more time on building a better book of business,” said Neelamana from DataCubes. “The position itself will be occupied by highly intelligent people of enormous importance to the profitability of the carrier.”

Instead of robots replacing people, the interviewees contend that humans and machines will fuse together as one—not in a mechanical sense, of course, but in an intellectual one. Underwriters will not disappear. Instead, they will become uber-underwriters.

Russ Banham is a Pulitzer-nominated business journalist and author

Insurance Captives Reach New Heights

By Russ Banham

Risk Management

Over the past five years, the popularity of captive insurance companies has skyrocketed. Not only do more than 90% of Fortune 500 businesses own at least one captive, but even small and mid-sized companies have formed them.

The motivations for creating a captive have not changed much in the half-century since the first captive was formed in 1962. A company-owned insurance operation provides direct access to reinsurance markets, customized insurance coverage that fills gaps in the commercial market, access to accrued investment income, and incentive to improve loss control. The thinking of many risk managers is simply, why trade dollars with an insurance company when you don’t have to?

The surge in captive formations has been fueled by a series of favorable tax court rulings, the increasing number of U.S. state captive domiciles, and the emergence of new and challenging exposures, such as cyberrisks, that have caused insurance carriers to raise rates and adopt stricter coverage terms and conditions. As a result, the reasons to form a captive have never been more persuasive.

New Captives Under Scrutiny

Captives have become increasingly common, but experts believe some companies may be throwing caution to the wind with certain arrangements. “I’m not concerned about big corporations forming captives as much as I am about the private sanitation company that forms a captive because it can’t get decent workers compensation insurance, or the nursing home that can’t buy professional liability insurance,” said Andrew Barile, CEO of Andrew Barile Consulting and a strategic advisor on captive formation and implementation since 1967. “It’s these 831(b) captives and the recent flurry in the formation of captive cells that give me pause.”

The 831(b) captives get their name from Section 831(b) of the IRS Code on Micro-Captive Transactions, a 1986 regulation that provides tax advantages to small property and casualty insurance companies. According to the rule, a captive can elect to be taxed on net investment income when gross annual premiums are $1.2 million or less (recently increased to $2.2 million). The owning entity also can deduct premiums paid to the captive as ordinary business expenses.

The tax advantages reduce the cost of financing a risk transaction, making captive formation enticingly affordable for many small companies. The IRS, however, is closely examining 831(b) captives to ensure they do not constitute illegal tax shelters. IRS Notice 2016-66 categorizes Section 831(b) as “transactions of interest,” subject to additional documentation and disclosure requirements for “promoters” and “material advisors.” New legislation in 2018 has also mandated additional tests for these captives to demonstrate appropriate risk diversification.

The added scrutiny does not bode well for some 831(b) owners. “Too many of these structures are set up by CPA firms and not insurance underwriters, which tells me they lean more toward being a tax shelter as opposed to a genuine risk-transfer mechanism,” Barile said.

Captive cells have also come under scrutiny. A captive cell is akin to a rented apartment in a large apartment building: The captive is used by a group of unrelated insureds so each can take advantage of the benefits of a typical captive arrangement without actually owning the insurance company. Each cell is legally separated from other cells, meaning the insured’s assets are walled off and protected from the legal liabilities of other cells. The core owner maintains a capital surplus to absorb working layer losses, above which reinsurance kicks in.

The challenge comes when one cell’s losses exceed the capital set aside for it. If the cell has not posted enough capital to absorb the financial impact, its owner will need to dig into its own wallet to pay off the remaining obligation. Since the companies forming cell captives are, for the most part, small businesses, that burden can be significant.

There are tax concerns for cell captives, as well. “I get these calls from nursing homes that say they just formed a cell captive in Bermuda, but there’s no broker or risk manager and they don’t know what they’re doing,” Barile said. “There’s no fronting company involved. Instead, there’s a small CPA firm hoping to get the client a tax deduction. You’ve got the accountants—not actuaries—setting the reserves and writing manuscript insurance policies, using the internet as the only source of intelligence.”

Certainly not all cell and 831(b) captives are suspect, but some of the IRS scrutiny is justified, and necessitates reasonable caution. “To a certain degree, 831(b) captives are being used as a wealth management device,” said Peter Mullen, CEO of Aon Global Captive and Insurance Management. “We do not set up such vehicles. Our distribution system is a risk management distribution system, not wealth management.”

Charting Captive Growth

While there are no reliable figures on the total number of 831(b) and cell captives that have been formed, anecdotal evidence indicates they are on the rise. More dependable statistics are available on the rising volume of traditional captives.

EY estimates there are currently 7,100 captives, up from 4,000 five years ago, while insurance broker Marsh tallies 7,000 captives, up from 5,000 in 2006. The Captive Insurance Companies Association (CICA) cites a current total of 6,618 captives.

Captives have been formed in domiciles all over the world, but the United States has seen the greatest recent growth. “About 78% of captives formed worldwide in 2017 occurred in the United States, accounting for 616 new licensed captives,” said Daniel Towle, CICA president. “Europe licensed 22 new captives, down from 36 the prior year, and only eight captives were licensed across Asia-Pacific. Bermuda and the rest of the Caribbean licensed 108.”

The high volume of recent captive formations in the United States can be attributed to the growing number of states that have passed legislation to become captive domiciles. The Insurance Information Institute reported that 29 states now permit the formation of captive insurance companies. Vermont is the current leader in the United States with 593 state-licensed captives, followed by Utah with 462.

As more states enter the fray, competition for business is fierce. “Economic development is the reason a state wants to become a captive domicile,” said Paul Phillips, a partner and tax markets leader at EY. In Vermont, for example, there are dozens of captive managers and insurance brokerages with brick and mortar buildings in Burlington, as well as a host of small CPA firms and actuaries. “All that property development and employment translates into substantial tax income and economic lift,” he said.

Barile concurred, “Domiciles are tripping over themselves to get business. Governors know this is a lucrative way to build fee income.”

Unwieldy Exposures

Another factor in the recent surge in captive formations is corporate concern over new types of financial exposures, most notably cyberrisks. “Generally speaking, any line of insurance that does not have much in the way of commercial capacity or has lots of coverage exclusions is a good fit for a captive,” Towle said. “Right now, cyber fits this bill. Companies can write coverage in the captive for the exclusions and buy reinsurance for losses above the limit.”

Mullen said many of Aon’s clients are “incubating” cyber and other thorny exposures in their captives. “Although there is quite a bit more capacity for cyber in the commercial market now, if the risk is deemed by insurers to be particularly difficult—with little data on potential losses—the client may choose to put the risk in its captive,” he said.

In such cases, the captive owner will engage an actuary to develop a probabilistic loss model to calculate an adequate premium. As losses occur over the next few years, a body of data develops, and the company may then take its chances again in the commercial market. “They’ll say, ‘We’ve been incubating this risk in our captive for the past five years and here is the policy form we used, how we calculated our premium, our claims adjustment process, and our loss experience,’” Mullen said. “If the market’s reaction is good, they may then opt to buy risk-transfer.”

Other financial exposures similarly incubated in larger captives include product liability, employee wage and hour, and business interruption risks. Large captives are also being formed to insure their owner’s employee benefits obligations, such as life insurance and short- and long-term disability insurance. Corporations funding employee benefit risks through their captive insurance companies include Hyatt Hotels, Coca-Cola, Intel and Microsoft.

Smaller captives are insuring an even wider range of exposures. “I’ve seen small companies wanting policies to absorb business losses caused by changes in legislation, to absorb the risk of a tax audit or bad debts, and to insure all the deductibles the company has with commercial insurers,” Barile said.

Many experts advise small businesses to include captive experts drawn from the insurance industry—like an actuary or underwriter—when mulling the formation of a captive. “Captives aren’t for everybody,” said Prabal Lakhanbal, a captive consultant with Spring Consulting Group. “Proper due diligence should be pursued, followed by a well thought-out feasibility study prepared by an insurance specialist.”

Legal Clarity

Many of the legal and tax issues that historically hovered over the captive industry are less of a concern today, compelling companies that were wary of forming a captive in the past to consider doing so. Recent tax court decisions have been favorable for alternative insurance arrangements, clarifying questions of risk-shifting, risk distribution, premium excessiveness and what constitutes an insurance contract.

For example, in the recent captive case RVI Guaranty Co. Ltd., et al. v. Commissioner, the U.S. Tax Court held that an insurance contract created to insure against the risk of a decrease in the value of property in fact covered an insurance risk rather than an investment risk, as the IRS had alleged, qualifying the contract as insurance for federal income tax purposes.

Today, fewer companies form captives primarily for the tax benefits. A Marsh study, for example, indicated that less than 50% of the captives managed by the firm even bother to take a U.S. tax position. Nearly three-quarters of Marsh’s clients reported that the key driver in forming a captive was to fund retained corporate risk. “As organizations’ understanding of risk matures, their risk management strategies become more sophisticated, increasing the likelihood of forming or expanding the use of a captive,” said Michael Serricchio, managing director of Marsh Captive Solutions.

Mullen has heard similar reasoning at Aon. “When we survey our clients every year about the reasons they have a captive, something like 4% say they do it for tax reasons; the majority cite strategic risk management purposes,” he said.

By establishing their captive for these strategic reasons, current and prospective owners can avoid IRS suspicion. “The simplest way to ensure your captive is within current tax rules is to be able to show that it was formed for a non-tax business reason,” Lakhanbal said.

Overall, captives have proven to be effective for funding and strengthening management of a company’s risks. “Looking at our global captive book of about $30 billion, the combined loss ratio runs around 75%, a clear indication that our clients are doing something right as they run their business through their captives,” Mullen said.

This success has helped make captives into a more mainstream risk management option. “A captive is no longer an alternative risk transfer mechanism,” Serricchio said. “It’s now a key tool for risk managers to address traditional property/casualty and employee and customer risks.”

In the future, Phillips believes more businesses of all types and sizes will consider forming captive insurance companies of their own simply because they are effective. After all, “captives are sector-agnostic,” he said, “and every company has risk.”

DDoS Attacks Evolve To Conscript Devices Onto The IoT

By Russ Banham

Cybersecurity attacks skyrocketed in frequency and grew in complexity as the internet of things (IoT) spread its wings in 2017.

But distributed denial of service (DDoS) attacks are really nothing new. They turn 30 this year, making them one of the oldest threats to computer systems and data security around. The IoT, however, has provided new fuel.

In these attacks, thousands of compromised computers are turned into an arsenal that converges on a single target, overwhelming it with traffic. Today, any electronic device connected to the internet can be pressed into service in a DDoS attack: smart refrigerators, thermostats, home security and lighting systems, even baby monitors. It is a strange picture, a legion of smart devices commandeered into a botnet to do battle against a target organization’s network and systems. But this is exactly the scenario that recently took down an internet services company that routes and manages internet traffic.

Army Of Invaders

Like humans turned into the zombie-like White Walkers of “Game of Thrones,” some 100,000 internet-connected devices were infected with malware and ordered to attack. The assault prevented millions of internet users from accessing the websites of more than 70 online companies for about two hours.

Such assaults can be devastating for businesses that generate income through online customer-facing services. The Ponemon Institute pegs the average cost of a DDoS attack for a company at $1.7 million. The bulk of this expense ($517,599) comes from lost services. Other costs include technical support ($414,128), lost productivity ($229,071), disruption to normal operations ($346,062) and damage or theft of IT assets and infrastructure ($199,201).

Hackers’ motives in launching these attacks are evolving. Beyond simply knocking a network offline, many now use the flood to reap illegal financial gains: they know how long it takes an IT security team to battle the attack, and that the door to corporate data is temporarily left open while it does.

Weapons Evolving

Turning smart devices into DDoS botnets is the latest scourge. Unlike corporate networks, which sit behind sophisticated firewalls and flow analytics tools that can spot an attack and redirect traffic in response, connected devices such as baby monitors and washing machines generally have poor security, often shipping with default passwords, and their endpoints are protected by little more than inexpensive, off-the-shelf Wi-Fi routers.

Hackers are well aware of the vulnerabilities, not to mention the opportunity presented. As the number of connected devices rapidly increases from roughly 23 billion to an estimated 50 billion by 2020, the number of potential weapons for a DDoS attack more than doubles.

Limiting Casualties

A multipronged defense strategy is needed to combat DDoS attacks. Vendors of the semiconductors, sensors and other components used in connected devices must upgrade security, according to the Broadband Internet Technical Advisory Group (BITAG). And companies that embed these devices must commit to buying only the most secure ones.

IoT endpoints should sit behind next-generation firewalls with enterprise-grade protections where their traffic enters the internet, and on a separate network segment isolated from the existing corporate network, so that a compromised device cannot reach other systems. The U.S. Justice Department also recommends that device users replace default passwords with complex ones and keep the software current, applying upgrades and patches the instant they are issued.

As for limiting network losses from a DDoS attack, security experts recommend geographically dispersing systems so that no single site is a point of failure. The idea is to put servers in different data centers located on different networks, making it tougher to topple the entire service at once.

Over time, IoT-related cyber threats will continue to evolve. But the positive results that business and society gain from the use of any new technology can outweigh the bad.

“Growth is being driven by the potential to increase efficiency and improve business outcomes by collecting better data about things in the workplace,” said Larry Ponemon, founder and CEO of the Ponemon Institute. “To ensure that security risks do not outweigh the benefits, new strategies that holistically consider risks in the organization’s entire IoT ecosystem are needed.”

Don’t Let Your IT Security Be The Lowest-Hanging Fruit

By Russ Banham

Yesterday’s hackers may have yearned for the bragging rights that come from having pulled off a major cyberattack, be it against a government network or a large company. But today’s hackers aim for the lowest-hanging fruit: Money, in this case bitcoin, is a bigger lure than boasting.

Today’s hackers strike in a flurry of activity — in many cases, distributed denial of service (DDoS) attacks that divert the attention of a victim’s information security team from malware designed to capture valuable data assets. Distracted in its efforts to get systems back online, the responding cybersecurity team overlooks the malware as it worms its way toward the real bounty.

“DDoS attacks are often designed to cover up the actual intent of hackers, which can be data theft, planting of targeted malware or propagation of ransomware,” said Max Solonski, chief security officer at BlackLine, a financial and accounting automation software provider. “By focusing on containing the disruptive DDoS attack, the InfoSec team might not be able to identify the primary attack vector focused on a specific target or quickly react to the unauthorized transfer of data from a computer.”

This modern-day decoy tactic is becoming increasingly common. According to a 2017 study by Neustar, of all the companies hit with a DDoS attack, 52 percent reported a virus associated with the attack, 35 percent reported malware, 21 percent reported ransomware and 18 percent reported lost customer data. “This is all about the value of information,” said Solonski, “and the easiest way for hackers to obtain information is to target companies lacking adequate InfoSec controls and countermeasures.”
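The two behaviors described here and in the IoT piece above, the botnet flood that flow analytics tools are meant to catch and the outbound data transfer the flood may be covering, can be checked for in a single pass over flow logs. The script below is an added example, not code from BlackLine, Neustar or any vendor quoted on this page; the log line format, the 198.51.100.0/24 corporate range, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Added example: flag a volumetric DDoS in flow logs and, in the same time
window, any internal host shipping an unusual volume of data outbound.
The log format, address ranges, thresholds and sample traffic are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

INTERNAL = ipaddress.ip_network("198.51.100.0/24")  # assumed corporate range

# Assumed flow-log line: "<ISO-8601 UTC> <src> -> <dst>:<port> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(lines):
    """Turn raw lines into flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({
            "epoch": int(ts.timestamp()),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "port": int(m["port"]),
            "bytes": int(m["bytes"]),
        })
    return flows


def detect_floods(flows, window_s=10, min_sources=50):
    """Inbound flood signature: many distinct external sources converge on one
    internal destination inside a short window.  Returns
    {(dst, window_index): distinct_source_count} for windows over threshold."""
    sources = defaultdict(set)
    for f in flows:
        if f["dst"] in INTERNAL and f["src"] not in INTERNAL:
            sources[(f["dst"], f["epoch"] // window_s)].add(f["src"])
    return {key: len(s) for key, s in sources.items() if len(s) >= min_sources}


def detect_exfil(flows, floods, window_s=10, baseline_bytes=1_000_000):
    """While a flood is under way, total what each internal host sends to
    external addresses; anything far above the normal per-window baseline is
    a candidate for the transfer the flood is meant to cover."""
    flood_windows = {w for (_, w) in floods}
    outbound = defaultdict(int)
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            w = f["epoch"] // window_s
            if w in flood_windows:
                outbound[(f["src"], w)] += f["bytes"]
    return {key: b for key, b in outbound.items() if b > baseline_bytes}


def analyze(lines):
    """Run both detectors and fold the results into string-keyed dicts."""
    flows = parse_flows(lines)
    floods = detect_floods(flows)
    exfil = detect_exfil(flows, floods)
    report = {"floods": {}, "suspect_exfil": {}}
    for (dst, _), n in floods.items():
        report["floods"][str(dst)] = max(report["floods"].get(str(dst), 0), n)
    for (src, _), b in exfil.items():
        report["suspect_exfil"][str(src)] = report["suspect_exfil"].get(str(src), 0) + b
    return report


def sample_lines():
    """Constructed traffic: 300 bots hit the web tier inside one 10 s window,
    a workstation browses normally, one internal host pushes 5 MB out while
    the flood is in progress, and a quiet window of six real visitors follows."""
    lines = ["this line is not a flow record and must be ignored"]
    for i in range(300):
        src = f"203.0.113.{i + 1}" if i < 200 else f"192.0.2.{i - 199}"
        lines.append(f"2018-03-01T10:00:0{i % 10}Z {src} -> 198.51.100.10:443 bytes=60")
    lines.append("2018-03-01T10:00:03Z 198.51.100.30 -> 192.0.2.150:443 bytes=20000")
    lines.append("2018-03-01T10:00:05Z 198.51.100.25 -> 192.0.2.200:443 bytes=5000000")
    for i in range(6):
        lines.append(f"2018-03-01T10:00:2{i}Z 192.0.2.{210 + i} -> 198.51.100.10:443 bytes=800")
    return lines


if __name__ == "__main__":
    print(analyze(sample_lines()))
```

The exfiltration check is deliberately scoped to the windows in which a flood is detected: on its own a large outbound transfer is ambiguous, but one that coincides with the moment the security team is busiest is exactly the pattern Solonski describes, and scoping it that way keeps the alert volume low enough to be acted on during the incident. Real deployments would replace the fixed thresholds with per-host baselines learned from normal traffic.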

Hackers “aim for companies with the most unsecured cybersecurity and inferior disaster response programs,” said Dottie Schindlinger, vice president and governance technology evangelist at Diligent, a provider of secure board communication and collaboration tools. “Once they sneak through the fence, they go for the gold.”

Security Begins At Top

To protect their companies, senior management and board directors need to ensure that hackers don’t perceive their organizations as low-hanging fruit, Schindlinger said. “The days of the IT team alone thinking about cybersecurity are long over,” she said. “Cyber risk management is everyone’s responsibility today — from the top of the company down. Cybersecurity must be embedded into the organization’s culture.”

While employees are increasingly educated about and vigilant of cyber risks like phishing, many board directors and senior executives fail to heed such threats. Sixty percent of board directors regularly communicate with executive management and fellow directors using personal email, according to a study by Diligent. Nearly half (48 percent) use personal PCs and laptops to download company documents. And 22 percent store these documents long term on their devices.

“The biggest risk is the people with the least amount of cybersecurity training,” said Schindlinger, pointing to board members and senior executives.

It’s not uncommon for what seem like trifling digital and physical documents to contain sensitive corporate information that hackers would find valuable to steal and sell. “Any piece of data is potentially lucrative to a bad actor — the home addresses and phone numbers of board members can be used to exploit the organization and them,” said Schindlinger.

Pushing Back

Both Solonski and Schindlinger offered several recommendations on how a business can reduce its appeal to hackers. “Think like a hacker,” said Solonski. “First and foremost, you want to understand the types of data the organization owns and where the data is located, and then take a critical eye to determine how a skilled attacker can navigate around InfoSec controls to get to it and fulfill his nefarious purpose,” he said.

Board directors and senior executives might ask their security leaders questions like: Would a hacker perceive the company as a relatively easy target? Which types of information does the business have that would be of significant value to an attacker? Where does this data reside? Who has access? And how is it protected? Does the organization maintain layered controls throughout the environment, or does it just have a strong perimeter, leaving its “soft core” to be accessed via a “back door” planted by a malicious insider or through social engineering?

Vulnerabilities revealed by these questions need to be strengthened, Schindlinger said. And it is up to board directors to take action. “They have a fiduciary obligation and duty of care to ensure the organization is not put on a hacker hit list,” she said. “My advice (to the board) is to establish a policy that stipulates the behaviors they must uphold as board members, and have each member sign off on the policy.”

Some stipulations may be simple, like not using unsecured personal email and shredding paper documents that contain sensitive business data. “You wouldn’t believe how many board members write down proprietary information in a notebook that they can’t find afterward,” Schindlinger said.

The company’s chief security officer should be present at board meetings to present a brief overview of the organization’s cyber risk readiness, she said. Another good idea is to run a tabletop exercise once a year, walking through how the business continuity plan would be executed in the event of a data breach.

Board members have good reason to take such measures. If the organization’s data is stolen because the company was perceived as an easy target, “they are the ones who will be held responsible,” said Schindlinger.

Russ Banham is a Pulitzer-nominated business journalist and author who writes frequently about cybersecurity.

Biggest Mistake: No Employee Non-Compete Clause, Says BlackLine CEO Therese Tucker

By Russ Banham

Chief Executive

Therese Tucker is the rare woman in technology to have founded a successful technology company and brought it public. The CEO of BlackLine, a provider of automated finance and accounting software now worth in excess of $1.5 billion, is esteemed for her enlightened entrepreneurship, software programming savvy, and nurturing leadership qualities.

Broad-minded and compassionate, Tucker sports pastel-pink hair and a mile-wide smile that makes her Los Angeles-based employees feel their CEO actually cares about them. She does. “Business should not be purely business,” Tucker opines. “Companies have a social obligation to care about the lives of people in the communities we serve with our products and services.”

Not surprisingly, Tucker created BlackLine’s account reconciliation software to make the lives of accountants less dreary and burdensome. She also undertook an initiative over the recent holidays to clothe more than 50,000 homeless people in the city. But it’s her business chops that really set her apart: She single-handedly programmed BlackLine’s initial products and guided its revolutionary concept of continuous accounting, which nearly does away with the dreaded financial close.

Still, she’s as human as the rest of us. “I learned a really valuable lesson about the critical importance of legally sound contracts with employees, one that I will never forget,” says Tucker, shaking her signature pink hair.

The lesson was this: BlackLine gave birth to a competitor. “In California, you’re not allowed to ask an employee to sign a non-compete contract; they’re banned,” Tucker explains. “The mistake we made was not having specific clauses in our employment contracts regarding confidentiality and reusability. Regrettably, an employee in our sales group had access to our source code on her laptop. She outsourced the code to India, created a competing product, and sold it.”

BlackLine had little legal recourse, other than to take the episode in stride and double down on making innovative finance and accounting software products to best the competition. The company also retained sharp legal minds to devise crystal clear and enforceable employment contracts on a state-by-state basis. The episode also points to a control failure that no contract fixes: a salesperson should not have had a copy of the source code on her laptop in the first place. Limiting repository access to the engineers who need it, and watching for bulk copies of source leaving the company, would have bounded the damage regardless of what the employee had signed.

The tactics worked, helping BlackLine maintain and even enlarge its market lead. The company is one of four technology companies and the only one in its space to be listed as a leader in Gartner’s Cloud Financial Corporate Performance “Magic Quadrant.” “Having good legal counsel and solid contracts with customers and employees pays dividends down the road,” says Tucker.

Once burned, twice shy.