My, I’m behind on responding to comments.
A reader says:
Phenomenon of Tsunami is going to be universal and may hit any country without any geographical /distance limitation. When the risk of Natural calamity is accepted in one country ,loss due to tsunami is to be paid, since application of premium rate is limited to that country.That may be true for an insurance policy, but it doesn’t have to be true for a catastrophe bond, which can be bought by anyone anywhere.
-jsq
In 1998 the former chief meteorologist of Thailand said “a tsunami is going to occur for sure”. Smith Dharmasaroja was called a mad dog for that. On Sunday 26 December 2004, after the earthquake but before the tsunami hit Thailand, he tried again to warn the Thai meteorological department, but could not get them to respond. (A case of denial and damage, just as happened years before in the U.S. regarding hurricanes.)
How did Mr. Smith know? He didn’t accept the received wisdom that earthquakes off Indonesia would only happen on the other side of Sumatra from Thailand. He studied seismology and discovered there was a fault line that would put the Thai tourist resort Phuket in the direct path of a tsunami. His public warning in 1998 was after a tsunami from the same fault hit Papua New Guinea (the Aitapa tsunami of Friday 17 July 1998; there was no tsunami warning system for that part of the Pacific at that time, either).
"You’d really have to go digging into very old historical records and the scientific literature and extrapolate from what’s there to find that yes, there could be effects (leading to tsunamis) in Thailand," says Phil Cummins, a seismologist who studies the region at Australia’s national geological agency. "But he was correct."
Such an earthquake did occur and the resulting tsunami hit Phuket.
Two weeks after the 2004 tsunami, the Thai government called Smith Dharmasaroja out of retirement to head its new tsunami warning system.
The economic damages of the 2004 tsunami are estimated at $14 billion by Munich Re, the world’s largest reinsurer. Maybe it would be prudent to do some historical exploration and to set up an early warning system for Internet events that could cause $50 to $100 billion in economic damages.
-jsq
IIt seems likely that tsunami insurance would be easier to get if there were an early warning system. There is one for the Pacific but none for the Indian Ocean.
Australia, which participates in the Pacific warning system, may have been the first country to volunteer (on 27 December) to help set up a tsunami warning system for the Indian Ocean. Since then India has announced it is building one to be operational within 3 years, PM Koizumi has ordered one for Japan, the U.S. has come out in favor of one, Thailand is lobbying to be the location for one, and there’s been a meeting in Indonesia about the need for one.
Maybe early warning and tracking systems would be useful for other fields of likely major economic damage.
-jsq
Speaking of natural disasters, this one wasn’t a disaster, but it was unusual: snow in the United Arab Emirates.
-jsq
The American Bar Association is concerned about insurance being out of date in a networked world:
Most businesses have insurance designed to cover them if a building burns down or someone trips and falls in the parking lot – yesterday’s risks. Today’s businesses may suffer intangible losses resulting from computer viruses, hacker attacks, and theft of confidential information. Current commercial general liability policies do not cover damage to intangible property. They exclude nearly all intellectual property exposures, and personal and advertising injury coverage for website designers. Internet search, access, content and service providers and companies that host bulletin boards are also excluded. Crime policies require identification of the perpetrator and cover only money, securities, and other tangible property. As a result, insurers are rejecting policyholders’ claims under traditional insurance.
This program examines the 21st century risk environment and the heightened legislative and regulatory focus of network security and privacy. It shows how traditional insurance policies fall short in protecting against 21st century risks, and identifies a new generation of specialty insurance coverage that can protect your clients against those risks.
That’s the course description for a teleconference and webcast the ABA is going to hold on 11 January, called 21st Century Risks Are Your Clients Covered?
Thanks to Phil for the pointer.
-jsq
In Tsunami Insurance I mentioned that there was some worry that 2004 being a record year for natural disasters might be a trend, and whether insurers handle it. Here’s more.
Canadian TV is presenting a three part series called The Great Warming, which compares Global Warming, especially the coming period as it increases, as a challenge comparable to the Great Depression or a Great Plague.
Worldchanging points out in The Great Warming and The Greening of the Reinsurance Industry that the TV series is sponsored by Swiss Re, and that that reinsurer (one of the largest in the world) is sufficiently interested in this issue that it is reducing its own emissions by 15% and investing the rest in green investment instruments according to the Kyoto protocol.
It seems to me that one of the biggest problems with the recent tsunamis has been assessing the damage. Hundreds of islands hadn’t even reported in days later. Investing in improved communications and monitoring might also be a good idea. More on that later.
-jsq
Catastrophe bonds were originally incented by the Northridge Earthquake in California and Hurricane Andrew in Florida, and cat bonds are commonly applied to earthquakes, hurricanes, floods, and wildfires. See also What’s a Cat Bond?
Regarding the particular tsunami of last week, it appears that insurers usually exclude tsunamis from flood coverage, considering them more like earthquakes. Insurers don’t seem very worried about excess claims, possibly because of exclusions like the above, and also because the insurers are often covered by catastrophe reinsurance.
Of course, this also means that many of the people affected by the tsunami probably weren’t insured.
2004 was the most expensive in modern history for natural disasters, with $105 billion in property damage and $42 billion in insurance claims. This leads to some worry as to whether this is a trend, and will insurers be able to deal with it. More on that later.
Meanwhile, a single worst-case Internet worm could cause $50 billion in economic damages in the U.S. alone, and $100 billion worldwide.
-jsq
The Economist reports on a scheme being worked out by Richard Wilcox at the World Food Fund to float famine insurance on behalf of inhabitants of famine-prone regions. Basically, it’s probably cheaper to pay for insurance that will pay off to the inhabitants when rains fail, so that they won’t sell their tools and burn all the vegetation for firewood.
Cheaper than dealing with refugees, wars, broken economies, and failed states. Instead of having a Band-Aid to rush in aid after people start dying, insure them before the problem starts and keep them alive and the environment and the economy intact.
The Economist article notes that bad government may in many senses be responsible for famine, “But bad government is hard to measure, and therefore hard to insure against. Rainfall, by contrast, is easy to measure.”
WFP seems serious about this scheme, and says it could be up and running by 2007. No invasions or nationbuilding required. Famines prevented at less international expense than cleaning them up later, and without destroying the indigenous cultures.
Now wouldn’t that be a Merry Christmas 2007?
See “Famine insurance, Hedging against the horsemen,” Dec 9th 2004, From The Economist print edition.
-jsq
Also in the recent report from Congress about homeland cybersecurity there is this passage, citing a research report:
The insurance industry has the ability to contribute to the development of a cost methodology through its customer base but is currently limited in the number of specialized cyber risk policies available. CRS found that the "growth of cyber risk insurance is hindered primarily by a lack of reliable actuarial data related to the incidence and costs of information security breaches; enhanced collection of such figures would probably be the most important contribution that policy can make."
Missing data? Very interesting!
If information gathering has the potential to reduce costs and risks, why does the data shortfall persist? According to the CRS report, "[T]here are two chief obstacles. First, there are strong incentives that discourage the reporting of breaches of information security. Second, organizations are often unable to quantify the risks of cyber attacks they face, or even to set a dollar value on the cost of attacks that have already taken place. Thus, even if all the confidential and proprietary information that victims have about cyber attacks were disclosed and collected in a central database, measurement of the economic impact would still be problematical."
This summary of another report doesn’t say what the strong disincentives are that discourage reporting information security breaches, but one can guess they may have to do with fear of customers worrying about their information being insecure, fear of resulting lawsuits (see Negligence or Risk?) and fear of further targeted attacks. A program like InfraGard may help with such corporate hesitance by permitting information sharing about breaches without public disclosure. Or the other direction might work: disclose all breaches, thus giving all enterprises incentive to do something about them.
The report makes a very important point that a centralized database of all breaches still wouldn’t address the economic issues, because the breached companies don’t know themselves. For that matter, they often don’t even know they’ve been breached; witness the burgeoning blackmarket in botnets. And they know even less about slowdowns and interruptions outside the firewall that cause customers not to be able to transact business.
In other words, required reporting such as the FCC requires of telecommunications companies won’t solve the problem. The popular suggestion of determining the security state of the Internet by having ISPs or even enterprises report on it would be inadequate.
Regrettably, many people continue to use metrics and methodologies from the physical environment when thinking about cyberspace. As CRS determined, "There is a fundamental difference between a cyber attack and a conventional physical attack in that a cyber attack generally disables — rather than destroys — the target of the attack. Because of that difference, direct comparison with previous large-scale disasters may be of limited use."
This last is all true, although there has been at least one case involving an electric utility in which temporary loss of electrical service was counted as physical damage with corresponding legal liability, even though everything worked correctly once power was restored. The lost business did not automatically come back. Damage to reputation does not autmatically come back. Increased expense does not necessarily go away.
There are some other differences about cyberspace.
-jsq
iIt seems that part of Congress has a clue about what needs to be done in cybersecurity for U.S. homeland security, starting with creating an Assistant Secretary for Homeland Security for Cybersecurity. The recent report from the Subcommittee on Cybersecurity, Science, and Research & Development of the U.S. House of Representatives Select Committee on Homeland Security sums up the matter pithily in two sentences:
The information infrastructure is unique among the critical infrastructures because it is owned primarily by the private sector, it changes at the rapid pace of the information technology market, and it is the backbone for many other infrastructures. Therefore, protection of this infrastructure must be given the proper attention throughout government.
The Internet isn’t just another infrastructure: it’s the one that connects all the others.
The report spells this point out in more detail, as well:
Information technology and American ingenuity have revolutionized almost every facet of our lives. From education to recreation and from business to banking, the nation is dependent on telephones, cellular phones, personal digital assistants, computers, and the physical and virtual infrastructure that ties them all together. Almost all data and voice communications now touch the Internet — the global electronic network of computers (including the World Wide Web ) that connects people, ideas, and information around the globe.
Technology provides the nation with immeasurable opportunities, giving citizens global access and making daily transactions more affordable, efficient, and interactive. Unfortunately, the same characteristics that make information technology so valuable also make those technologies attractive to criminals, terrorists, and others who would use the same tools to harm society and the economy.
Despite the growing threat, security and efforts to protect information often remain an afterthought frequently delegated to a Chief Information Officer or a Chief Technology Officer. Cybersecurity should be treated as a cost of doing business by the highest levels of an enterprise’s leadership because the ability to conduct business and assure delivery of services to consumers — whether it is banking, electrical, or manufacturing-depends on ensuring the availability of information and related infrastructure.
– CYBERSECURITY FOR THE HOMELAND
December 2004
Report of the Activities and Findings
by the Chairman and Ranking Member
Subcommittee on Cybersecurity, Science, and Research & Development
of the
U.S. House of Representatives Select Committee on Homeland Security
This sounds quite like what Lord Levene, Chairman of Lloyds, said last spring: Internet business risk management should be at the top of the priority list for chief officers and board members.
-jsq