The advent of the Internet of Things, or IoT, in recent years has precipitated an explosion of new ideas and new products. The introduction of the IoT concept to automobiles has been going on since 1996 with the installation of the OBD2 port for cars and J1939 for trucks. At the time of introduction, security measures for cars were not on the radar screen. No one had ever thought of it. The demand for internet accessibility in autos has become one of the primary revenue platforms for automakers. This is not only for the driver but for the automakers themselves. The vehicles built since 1996 have incrementally become computer network endpoints. The driver's experience has been enhanced by the knowledge that drive time is no longer "dead time". The auto manufacturers are generating copious amounts of data and reselling it to their vendors, creating a recurring revenue model they never had. This sounds great until you consider the risks. There are on average over 15 points of entry for hacking into a vehicle today, and that number is growing. This has now enabled criminals, state-sponsored terrorists or enemies of a given state to systematically disable any specific make of vehicle. Hacking is a borderless crime, and this is a global situation that is very real.
We applied our risk management skills and financial capital to the Distracted Driving Solution. In doing this we were utilizing a dongle that plugs into the OBD port of cars and trucks and is designed to take information from the vehicle's computer and transmit it to a device for technical readouts. A concern developed, however, that the same path by which data transits to a diagnostic device through the OBD/J1939 port can also open the car's computer to receiving malicious information. The advent of the connected car (and everything else, for that matter) has hastened the advent of the threat agent of hacking. Therein lies the problem. We asked our business partners at Verizon whether putting a dongle into a car's OBD2 port and transiting data to and from the car's computer was not now creating another problem: letting someone hack the vehicle. The disturbing answer was "YES". We immediately changed our way of doing business and scrapped the dongle approach in pursuit of a way so as NOT to create an even bigger issue.
This discovery drove home the point that there is a gigantic looming problem for the insurance industry:
What precipitated this conversation with the Massachusetts Department of Insurance, and indeed the whole NAIC, is the fact we have gone to many of the carriers personally and asked the executives “Is this covered”? The answers we received to this question varied from:
A. No, it is not covered
B. Yes, it is covered
C. This is too new to us and we haven’t even considered it
D. Absolute avoidance in any answer
E. It is covered, because it is not excluded
The last response seems to be the consensus amongst the majority of the carriers and the reinsurers. In order to further understand the degree of risk related to this exposure that no one has accounted for, we engaged with international reinsurers and Lloyd's of London syndicates to see if there was a market to take on this kind of exposure, and we ran into the problem: "There is no data to support this coverage pricing". That was true, given that no carrier in the world we spoke to is even tracking this data. However, with Verizon's data we were able to show the reinsurer the imminence of the threat. We met with the reinsurers and convinced them this is no longer an emerging risk but a risk that should have been addressed over 9 years ago. In fact, a retired US Air Force General, Gregory Touhill, stated in the July 20, 2018 Boston Globe article (attached) that many agencies use cyber security tools that are so obsolete "we can take them out for a beer because they are 22 years old." This was the US Military telling us this! The result of our trip to England was that we proved there is a market and there is a cost associated with this exposure that has not been contemplated by the majority of carriers. We also found out the reinsurers were caught uninformed about this issue as well. In the process of securing quotations, we found out that the kinds of reinsurance contracts carriers have purchased (Quota Share, XOL etc.) have put the carriers and reinsurers in a potentially devastating position. Remember the consensus of "It is covered, because it is not excluded"? If that is true, we have actual quotation data for a single nationwide carrier as follows:
| Item | Amount |
|---|---|
| Total Cars Insured Globally | 15,000,000 |
| Average Value of insured vehicle (USA Today 2014) | $16,400 |
| Carrier Total Insurable Values aka TIV (Personal Auto Only) | $246,000,000,000 |
| Reinsured Amount of TIV @ 12.5% | $30,750,000,000 |
| Carrier Net Amount of TIV @ 87.5% | $215,000,000,000 |
| Carrier's Exposure to an OEM Systemic wide hack, 10% of Policies in Force | |
| Allocated & Unallocated Loss Expenses @ 20% Cost Per Claim | $4,305,000,000 |
| Total One Day PML Cost of OEM Systemic wide hack to Personal Autos | $25,830,000,000 |
| Reinsurance recovery (Paid Losses Only, No expenses) | ($2,690,625,000) |
| Total expected PML payout for OEM Systemic Hack in ONE Day | $23,139,375,000 |
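The table above is a chain of percentages applied to one starting figure, and the memo does not spell out which base each percentage is applied to. The following is an added worked example (not part of the original memo) that reproduces the chain from the memo's own inputs: 15,000,000 cars, $16,400 average value, 12.5% of TIV ceded to reinsurers, 10% of the net book hit in a single OEM-wide event, and 20% allocated and unallocated loss expense. The reinsurance recovery is taken on paid losses only, as the table states, which is why the net PML is not simply 87.5% of the gross figure. The function names and the sensitivity helper are this example's own, not the memo's.

```python
"""Reproduce the single-carrier one-day PML chain from the memo's table.

Added example, not the memo's own calculation. Inputs are the memo's
figures; exact rational arithmetic is used so the dollar amounts come
out as whole numbers rather than float approximations.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class PmlResult:
    tiv: int                  # total insurable value, all insured cars
    reinsured_tiv: int        # portion of TIV ceded to reinsurers
    net_tiv: int              # portion the carrier keeps net
    exposure: int             # paid losses if hit_share of the net book is disabled
    ale: int                  # allocated & unallocated loss expense on those claims
    gross_pml: int            # exposure + ale: the one-day gross cost
    reinsurance_recovery: int # reinsurers' share of paid losses only (no expenses)
    net_pml: int              # what the carrier expects to pay after recovery


def systemic_hack_pml(cars: int, avg_value: int,
                      ceded_pct: str = "12.5",
                      hit_pct: str = "10",
                      ale_pct: str = "20") -> PmlResult:
    """Walk the memo's table top to bottom for one carrier.

    Percentages are passed as decimal strings so Fraction keeps them exact.
    """
    ceded = Fraction(ceded_pct) / 100
    hit = Fraction(hit_pct) / 100
    ale_rate = Fraction(ale_pct) / 100

    tiv = Fraction(cars * avg_value)
    reinsured = tiv * ceded
    net = tiv - reinsured                 # the 87.5% line in the table
    exposure = net * hit                  # 10% of policies in force, on the net book
    ale = exposure * ale_rate             # 20% cost per claim
    gross = exposure + ale
    recovery = exposure * ceded           # reinsurers pay their share of paid losses only
    net_pml = gross - recovery

    return PmlResult(*(int(x) for x in
                       (tiv, reinsured, net, exposure, ale, gross, recovery, net_pml)))


def net_pml_by_hit_share(cars: int, avg_value: int, hit_pcts: list[str]) -> dict[str, int]:
    """Sensitivity of the net one-day PML to the fraction of policies disabled.

    The memo assumes 10%; this shows how the payout scales with that assumption.
    """
    return {p: systemic_hack_pml(cars, avg_value, hit_pct=p).net_pml for p in hit_pcts}


if __name__ == "__main__":
    r = systemic_hack_pml(15_000_000, 16_400)
    for field, value in r.__dict__.items():
        print(f"{field:>22}: ${value:,}")
    for pct, pml in net_pml_by_hit_share(15_000_000, 16_400, ["5", "10", "20"]).items():
        print(f"hit share {pct:>3}%: net PML ${pml:,}")
```

Running the block prints each line of the memo's table in order; the only line the chain treats differently from a straight percentage of TIV is the reinsurance recovery, which applies the ceded share to paid losses rather than to the gross PML.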
Now, the scary part: this is just one carrier! This exposure across the top 25 domestic US Personal Lines Auto Carriers amounts to a one day PML of $233,301,033,879. This does not contemplate the domestic US Commercial Auto PML of $35,639,678,826. Not ONE DOLLAR of Lost Income is contemplated in this for the insureds either. (Information gathered per NAIC Top 25 Personal Lines Carriers and Top 25 Commercial Lines Carriers; list attached.)
The above figures are compelling enough to indicate that the NAIC presides over a really big problem. The carriers' PML exposures completely blow their statutory requirements of 3:1 Premium to Surplus ratios out of the water. This should warrant a Market Conduct Survey for every carrier: the carriers' consensus position is "It is covered because it is not excluded", and the fact that they did not charge for it means that there is a potentially catastrophic rate deficiency in the Auto market.
Given that the auto carriers are effectively blind to this exposure, let's talk about the attempts by some carriers to rectify this by getting reinsurance coverage. We were able to secure specific property damage and liability coverage for a certain carrier for approximately 1,000,000 cars at a premium in excess of $80,000,000 for their NET exposure, due to the revelation that they actually have a TIV fully exposed for the first time, with a PML exposure that was never actuarially contemplated. By obtaining the $80,000,000 Net only reinsurance quotation we have de facto proved the relative rate deficiency for that specific carrier. Based on that quotation and the total policies in force for the Top 25 Personal and Commercial Auto Carriers, there is a rate deficiency across all these carriers of 62,938,191 (PIFs) for approximately (conservatively) $10,936,140,035. This contemplates an additional 5% premium charge, which was the reinsurance rate determined by the reinsurance market for the property damage and liability specific coverage, and does NOT include data breach consequences. Now that is an annual figure that may rival the annual personal and commercial auto profits of all Top 25 personal carriers combined!
In the risk mitigation space, the next question is "what is the reinsurance market's exposure and how are they addressing this?" Assuming, very conservatively, a 10% average reinsurance share under the various styles of contracts, the combined TIV of the top 25 carriers is $2,120,918,489,808 (this does not include the $323,997,080,240 TIV for commercial lines exposures), and the reinsurers' personal lines aggregate PML is $212,091,848,980. This is only for personal auto domestic US, and only for paid losses, not expenses.
The consensus points to the reinsurance market adding cyber exclusions on all lines of business in the near future, which means the domestic carriers are going to have to take this all net very soon. Insurance works on the principle of transfer of risk; however, given this scenario there may not be enough capacity (capital) in the system, after a successful coordinated attack, to support the carriers or reinsurers.
What will it take to start to rectify this immediately? First, open dialogue with the network providers, among whom Verizon is the market leader. The insurance carriers themselves are contributing to the loss scenarios with the implementation of these post-loss-driven telematic devices (we are seeing them as problematic devices), all trying to capture access to the OBD port in order to give credits for perceived good driving. Here is a reality check. Having been down this road, we have told several carriers not to do this, as they could very well be introducing the threat agent into the vehicles and even crediting their clients to do so. If a hack happens to a car and property damage or bodily injury occurs (FYI, the likes of Verizon can prove this scenario in real time), this will make the carriers themselves complicit in the losses they are obligated to pay out on. This could constitute a severe conflict of interest at a time of loss or even loss adjustment. Everybody needs to pull together on this, as this is a national security issue, and we have the capability to collect the data and work with the likes of the Department of Defense (we have already informed them about this issue in person), the OEMs and the network providers like Verizon. We need to get more information from those at the forefront of this issue. Just recently, The Geneva Association (which is represented by 90 CEOs from the insurance industry around the globe) has put out a white paper on the accumulation of this risk (referenced below).
Excerpts from the Geneva Association report August 2018
This report identifies four challenges in the context of cyber accumulation risks:
i. A single large event or a series of consecutive events may make affirmative cyber insurance unprofitable;
ii. Insurers and reinsurers (for which risk accumulation may be more pronounced than for primary insurers) could underestimate non-affirmative cyber exposure leading to an unplanned shock from a major event;
iii. Data are of insufficient quality, are incomplete and/or lack the necessary consistency for more advanced modelling techniques; and
iv. Governments fail to provide commensurate frameworks for the sharing of large-scale terrorism induced losses.
The potential for ‘non-affirmative’ coverages to be triggered presents additional—and potentially significant—challenges for insurers and reinsurers. Not only is there a high degree of uncertainty in the quantitative impact of a large event, but the interpretation of policy language can also be expected to be a major determinant of liability. Policy wordings will likely be tested in the courts, perhaps over several years. (OH – “Adding to these challenges for the primary insurers, there are risks of misalignment between primary wordings and reinsurance coverages, or reinsurers restricting the cover they provide to the primary insurance market”.)
Around 30 per cent of the market premium is ceded to reinsurers, with several reinsurers participating. Reflecting the overall small size of cyber portfolios relative to their overall business volumes, larger reinsurers are currently able to manage their exposures using relatively pragmatic approaches with limited mathematical sophistication. However, growth in the stand-alone cyber business and the exposure to non-affirmative coverages in other lines means that reinsurers will likely face considerable modelling challenges in the future. These challenges include both the granularity of data and the frequency of data submissions from primary insurers. The latter is particularly important to reinsurers, given how quickly the cyber risk landscape is evolving. – (OH – "Reinsurance entrants into the cyber marketplace can be facilitated by the restricted nature of auto cyber. We see specific coverage on property damage and liability with no coverage for data breach giving reinsurers the ability to 'silo' their exposure reducing their potential aggregates".)
Furthermore, recent trends and the replicating nature of cyber threats would indicate that 2018 and coming years could be worse, and perhaps considerably so. Less likely, but nonetheless plausible, are losses from a cyber catastrophe, impacting both affirmative and non-affirmative covers, which would have a very significant impact on (re)insurers' earnings. – (OH – "This is a regulatory issue and a threat to the whole insurance industry and by extension financial system.")
The first prerequisite—resilience—is relevant for any risk class to be insurable. If homeowners did not lock their homes, then theft would not be insurable. The first steps in addressing any risk are to assess, measure and manage it. Residual risks (i.e. those that cannot be contained at the source) can then be mitigated through risk transfer mechanisms such as insurance. In the case of cyber risk, resilience is a wide and complex topic and, as can be seen by the current high frequency of events, much needs to be done by technology providers, by technology security companies and by businesses. Unlike traditional risks covered under property and liability lines of business, cyber risk is relatively poorly understood in the business sector, and risk management in this field is evolving at a brisk pace. Insurers can play an important role in helping to develop business-level resilience, and there are a growing number of service companies dedicated to building cyber resilience in conjunction with risk carriers. Many of these offerings are innovative and blend the discipline of systems thinking with technological advances. The focus of this report is on the latter two prerequisites and the consequences for the industry, including primary insurers, reinsurers and alternative capital providers.
For cyber risk, it is a challenge to even define a 'footprint,' let alone measure the exposure within it. Some leading practitioners talk of a 'confinement zone' to reflect complex and constantly evolving corporate systems and networks, both internal and external. Supply chains have become increasingly digitalized and, with the range of cloud-based services extending further along the value chain, aggregations 'in the cloud' lie both within and across industries. While specialized industry-specific software tools connect actors in one industry sector, more generic technologies are utilized across multiple sectors and, with the Internet of Things, connections reach into the homes of hundreds of millions of individuals. These varied connecting threads and digital 'monocultures' create an exposure base that is largely opaque, lacks hard boundaries and enables threats to permeate across sectors and countries. Notwithstanding the above challenges, an annual study by Verizon, based on a set of nine common attack patterns and an extensive event database, shows that historically, attacks have tended to cluster by industry sector. This is promising and suggests that the 'footprint' problem is not intractable, while recognizing there is potential for cross-industry attacks as discussed below.
Furthermore, there is around 20 years’ historical experience of malware attacks. While recognizing that malware evolves as the systems it targets evolve, the growing volume of empirical data is enabling modelers to understand the nature of this threat vector. The motivations and capabilities of the threat actors are a first step; whether the attack is for financial gain or (politically motivated) disruption will have a significant bearing on the footprint (the latter tending to be much wider).
The potential for a large cyber-triggered event to have considerable impact on non-affirmative coverages is now recognized across the industry, and much is being done to quantify this. Although insurers' historical loss statistics for 'non-cyber' coverages do not include any material cyber losses (and neither does the pricing, which is a further consideration), a body of man-made disaster scenarios has been developed over many years. Covering many events, such as aviation disasters, oil rig explosions, chemical plant and power grid failures, these scenarios can readily provide a sense of the scale of a cyber-triggered event. Insurers are able to leverage the extensive modelling work that has already been done for these man-made catastrophes but with a recalibration for cyber as a loss driver. This will further enable strategic discussion on risk mitigation, engineering, pricing, and reinsurance buying. This is a complex process, however, and from the insurance industry's standpoint, there are further layers of uncertainty as to how legal systems in various jurisdictions will interpret policy wordings following a cyber event. A full and robust assessment of these exposures is essential to provide confidence to the boards of (re)insurers and investors. Other parties (one such being Observatory Holdings, LLC.) also provide valuable insights for the mitigation of cyber risk and the strengthening of cyber resilience. – A veritable flood of publications attests to their productivity. But the contribution of insurers is different in one fundamental point: insurers are absorbing policyholder risks on their own balance sheets. And by putting capital at risk, insurers have 'skin in the game' on behalf of their customers. This will arguably go a long way towards aligning the interests of policyholders and insurers and making the insurance offering an effective risk mitigation tool. – (OH – "THIS IS THE OPPORTUNITY BEING MISSED! An enlightened insurer can seize this opportunity and lead the way in providing meaningful, transparent and comprehensive coverage to the consumer".)
With regard to the doomsday scenario most likely spawned by international espionage or terrorism, discussions are underway to create a TRIA (US) / Pool Re (UK) style catastrophe backstop that would be created with full knowledge of the exposures being assumed. As our group consists of Insurance Carrier Executives, Current Agency Owners, Wholesalers, Risk Managers, Reinsurance Specialists and Military advisors, we can help regulators and relevant government authorities set the terms and conditions for this backstop. We are in a whole new world now and the old rules are dying quickly. The actuaries did not catch this, the regulators did not catch this, the lawmakers are not getting it and, most importantly, is this the next "too big to fail" scenario? Remember this is not JUST an Auto insurer problem but a problem for all lines of insurance. The year of the Internet of Things, or IoT, is upon us. How are we collectively going to rise to this challenge?
Gerald J. Kennedy CEO
Observatory Holdings, LLC
About the Author:
As the CEO of Observatory Holdings, LLC, a provider of risk mitigation strategies, my core focus has been looking at things differently to arrive at positive outcomes. My resume consists of 30+ years in the Underwriting community and Agency community. I have been an owner of Charles River Insurance Brokerage, Inc. of Framingham, Massachusetts since 1998, as well as an Equity partner in Waters Insurance Network. Since 2009 I have taken all this experience to focus on true mitigation strategies that actually stop losses from occurring.
Together with my partners at Observatory we have worked on Water Loss Mitigation through Meter Dog, Material Pre-Placement strategies for Natural Disasters, Kyrus Mobile (an active technology for stopping distracted driving) and other current projects. Through developing and learning to correct several risks plaguing the insurance industry, we have been introduced to significant and talented partners to find solutions. We continue to work with partners like Verizon, and together we have been involved at the forefront of loss mitigation.
| Top 25 US Personal Auto Carriers | Written Premium (Source NAIC) | Personal Auto Policies in Force 2017 (est) | Carrier TIV | Avg ALE (@20%) of PML | Exposure to a 10% PIF to OEM SYS Event | Adding Back ALE | Total One Day Expected Loss To OEM Event |
|---|---|---|---|---|---|---|---|
| Country Ins & Fin Serv. | $1,109,436,992 | 738,148 | $12,105,633,180 | $2,421,126,636 | $1,210,563,318 | $121,056,332 | $1,331,619,650 |
| Auto Club MI | $1,771,554,444 | 1,178,679 | $19,330,334,585 | $3,866,066,917 | $1,933,033,459 | $193,303,346 | $2,126,336,804 |
| Auto Club Enterprises | $3,111,846,106 | 2,070,423 | $33,954,940,877 | $6,790,988,175 | $3,395,494,088 | $339,549,409 | $3,735,043,496 |