Be afraid, be very afraid…

As we mentioned in a previous post, banks and other financial institutions do not appear to invest sufficiently in the robustness and security of their IT and systems; and senior management often lacks sufficient understanding of their institutions risks and vulnerabilities in that area. Yet banks, in particular, perform a critical function in any developed society as repositories of wealth (in the form of deposits) and the core of national and global payment systems. In that sense they are, as is often argued, critical utilities and should be regulated as such.

And as with “normal” utilities, such as power generators, pipelines and electricity grids, financial utilities are vulnerable, not only to operational failures caused by human error or poor maintenance, they are also extremely vulnerable to “hacking” and other forms of cyber-attack- a fact that should be cause of deep concern and intensive study by the (re)insurance industry for which “cyber covers” are supposedly “the next big thing”.

We suspect that many people think that attacks on banks are still made by “hackers”, out to burnish their reputations; by anti-capitalist collectives such as Anonymous; or by internal or external “opportunists”, who come across a vulnerability or weakness and exploit it before it is addressed.

Would that it were so.

In fact, the future of banking is becoming very much one of an “arms race” between the banks and their regulators, and an array of criminal enterprises run as businesses with the express intent of extracting as much “rent” from a quasi-monopolistic source- because that is where the money truly is! And not only that: such enterprises are often based in a physical sense (infrastructure and key personnel) in jurisdictions that protect them and benefit from their “work”, almost as if they had provided the equivalent of old-fashioned Lettres de Marque. There is more than one way of being a Private Military Contractor.

And these criminals (or, perhaps, PMCs) are in no sense stupid, or irrational. They exploit both human weakness and system vulnerabilities, as well as the complexity of modern banking, to create value for themselves at the expense of banks and their legitimate customers; but in ways that do not de-stabilize the system as a whole. What they do is in, every sense, a zero-sum economic act; but it would be foolish of those involved to become too greedy and destroy the source of their “wealth”.

So, in an environment in which many global banks are drastically reducing headcount by laying-off tens of thousands of workers, including many who will undoubtedly know how to exploit the systemic weaknesses of their soon-to-be-former employers, one suspects that the criminal networks are already seeking ways in which to reach out to the desperate and the disgruntled and “employ” them to steal from or extort their former employers. An analogy might be the concerns, following the collapse of the Soviet Union, about what a cadre of scientists might do with their knowledge of nuclear weapons technology and their former state employers security and control systems.

At Awbury, therefore, while understanding the enthusiasm of many in the (re)insurance industry for providing cyber-covers to generate premia in books of business that have been stressed by the decline in NatCAT revenues, we would be very cautious in terms of whether underwriters of such risks understand the extent to which the risks they are covering may not be quite all they appear to be; and we would want to be very sure that the terms, limits and loss triggers for such business were tightly worded; and that aggregations of risk to what may well be complex, inter-connected networks, with significant correlation, are properly understood.

– The Awbury Team

What’s IT all about…?

It is a statement of the obvious that Information Technology (IT) is by now a fundamental part of most business systems; so one would think that, for example, banks and their regulators would be somewhat obsessive about ensuring that IT systems and controls were robust and “state-of-the-art”, while directors’ and senior managers’ understanding of them was sound and up-to-date.

Sadly, this appears to be far from the case, even in the face of increasing “cyber-security” and similar threats.

A recent study by Accenture found that (even on a fairly loose definition) half of the world’s 109 largest banks had no main board member with any technology experience; while a further 25% had only one such member. One wonders what a similar survey of the (re)insurance industry would reveal. Anecdotally, at least amongst the largest groups, one would expect a better outcome; but perhaps Accenture should ask the same question.

Given that Deutsche Bank recently wrongly paid USD 6BN to a client (which, fortunately, it recovered the next day) because of a self-evident failure of what should have been relatively simple payment controls, it begs the question of what other “accidents waiting to happen” are out there. And yet, they are not accidents; they are fundamental failures of control, and, as such, inexcusable for an institution of the size and supposed sophistication of Deutsche Bank.

However, many of today’s largest banking groups are agglomerations of predecessor institutions, with multiple, often incompatible processes and systems that would give Heath Robinson a bad name; requiring all-too-fallible human intervention to make some sense of them and execute transactions. This, of course, also increases the scope for malfeasance and fraud, because the systems are themselves too easily manipulated, over-ridden or compromised. It reminds one of the Irish joke: “…but, if I were going there, I wouldn’t start from here”.

Not surprisingly, Deutsche Bank’s new CEO has recognized the risks that the Bank faces from its technological systems’ deficiencies; and is taking the proverbial axe to the thousands of “consultants” on which the Bank has been relying to patch its system together; is “insourcing” IT; and giving much more power and prominence to systems and IT executives. We are sure that many other bank CEOs and board Chairs wished that they could do the same, overcoming vested interests and inertia.

We would also hope that regulators, recognizing the vulnerability of crucial deposit and payments systems in particular to failure or compromise, are urging radical and necessary changes upon their charges. Deutsche Bank would have had to find USD 6BN to balance its books. Lesser banks would perhaps have failed because of such a huge and unexpected shortfall in their balance sheet.

So, what does all this have to do with Awbury? We have long worked closely with our banking clients to assist them with managing and optimizing their balance sheet risks and capital positions. What we have described above, is operational risk, for which banks have to provide appropriate capital. We can help manage that too.

The Awbury Team

Utopia or Neverneverland?

Next year marks the 500th anniversary of the first publication of Thomas More’s “Utopia”. Of course, the author’s end was rather unfortunate, after he found himself on the wrong side of the argument with Henry VIII, as did the then Catholic Church in England. And debate has raged ever since as to whether his stand was principled, or simply stubborn. Was he a martyr or a fool?

We mention this, because we have been wondering about the characteristics of a rational (re)insurance market (Yes, a fantasy, of course); and whether its key decision-makers will adapt, or cling stubbornly to an old, familiar paradigm. We have also been thinking in the same context about the impact of the economic reality of capital abundance, as that interplay is likely to be crucial to the future of the (re)insurance industry and its ability to continue to be fit for purpose.

In a rational market, participants should seek to maximize their returns, while minimizing their risks. Yet, in the NatCAT market, we observe seemingly ever declining returns being earned in the face of accepting greater risks- with this reality currently masked by reserve releases, and a lull in the occurrence of major catastrophic events. A rational allocator of capital would be patient until appropriate risk adjusted returns were present; and simply refuse to do business if pricing were irrational.

Yet, the business models, ownership structures and cost bases of most market participants seem to reinforce a reluctance to act rationally in many product lines in the desire to earn that “last dollar of premium” and achieve (decidedly short-term) targets or expectations. Perhaps they should remember something that the late Yogi Berra said: “Nobody goes there anymore. It’s too crowded”. Except that they do.

It seems ironic that an industry that should be capable of planning for the long-term (after all its USP is being there to pay any valid claim well into the future) seems, as so many others do, to focus on meeting “expectations” in the hope that things will turn out well. At Awbury, we do not believe in “hope” or “expectations” when it comes to business and risk management; but in dispassionate, evidence-based analysis, which our proprietary business model then allows us to convert into cost-effective and capital efficient products.

Perhaps at Awbury, we are simply naïve to expect otherwise of the industry as a whole. However, in our, very real, world, we consider the following points are key:

Firstly: if you know that you are “reaching” to justify something, should you not walk away and avoid it?

Secondly: recognize that the tail risks are often greater than the models predict

Thirdly: be wary of back-testing and “fitting” outcomes to desires

Fourthly: precision and clarity in terms matter greatly; and can make the difference between an excellent risk and a “catastrophic” one

Fifthly: capital should be fungible and be allocated where the best risk-adjusted returns lie.

We also do not believe in fantasies, but in reason, logic, discipline and realism, coupled with adherence to principle- but not to stubbornness.

So, why not come and share your own concerns and problems with us? We will not create Utopia, but ways in which you can actually address those risks which seemed difficult, impractical or even impossible to manage.

The Awbury Team

The China Syndrome

To say that economists and political analysts have something of an obsession with the PRC is probably an understatement; while Beidaihe-watching is the new Kremlinology; although probably equally as futile.

The simple fact is that China does matter in the world; and, while its economic dominance may not yet quite reach the level of the Imperial Middle Kingdom, the decisions that its political leaders make can have a very broad reach; they know that; and quietly revel in it.

However, the fact of its economic weight carries with it significant risks, as well as opportunities, including for the western (re)insurance industries anxious to penetrate a growing and underserved market, because the norms and expectations that apply in more established markets often do not apply in the PRC: the rule of law, whether in a commercial or personal sense, being an obvious example. Everything is subordinate to the (perceived or actual) will of the Chinese Communist Party and its paranoia about maintaining control in the face of “instability”, to the extent that being a P&C (re)insurer can be a rather hazardous occupation, as those who had exposure to the so-called Tianjin Port explosions would vouch.

There is a basic problem of opacity and a willingness on the part of “the authorities” to suppress facts or information that could prove critical in determining the extent of one’s true exposure and the validity of a claim. Of course, as in other areas of “natCAT” cover, it may be tempting to book premia and perhaps weaken terms or definitions to gain the business; and there is no doubt that the Chinese market does and will offer many significant opportunities on the basis of need and size alone.

However, we suspect that the Tianjin Port disaster revealed levels of exposure and inter-connectedness that were unexpected, as well as risks that were simply not foreseen, because they were concealed or mis-represented, which will make the clarity and scope of wordings particularly relevant, as well as questions of uberrimae fidei. Questions are also likely to arise of influence on the loss-adjusting process, and the relationship of affected parties to local and national power-bases.

Given that Awbury does not underwrite any “natCAT” business, but is focused on its E-CAT, economic and financial catastrophe risk franchise, why should we care what happens in cases such as Tainjin? Simple- while so-called Emerging Markets such as the PRC are causing significant angst to investors, and apprehension to (re)insurers, it would be remarkably foolish to ignore their growing scale and complexity, and the fact that they increasingly face the same issues as the Developed Markets in terms of risk and capital management. This will lead to opportunities for those who research and study the market’s characteristics carefully, and are patient in terms of risk selection.

We believe that opportunities will present themselves; and we are ever-vigilant in terms of identifying them. Our reach is broad as well as deep, so give us a call.

The Awbury Team