It’s war, Jim, but not as we know it…

War used to be an obvious, physical act, with or without a prior formal declaration, between state-sanctioned and supported actors, whose role was clear, even if they were sometimes mercenaries.

Russia’s annexation of Crimea in 2014 was an inkling that perhaps the usual binary identification (war/not war) no longer held. Ex post facto, it was clearly an aggressive and hostile act committed by one sovereign state against another, but the manner in which it was conducted allowed, for a time at least, the blurring of perceptions to the advantage of the aggressor.

In the realm of cyber insurance coverage, such issues are also becoming increasingly problematic, as cases involving Mondelez and Merck now make evident. In 2017, both companies, amongst many others, fell victim to the so-called NotPetya cyberattack. Ironically, the code used actually incorporated a stolen US National Security Agency (NSA) “cyberweapon”.

Not surprisingly, both companies, having suffered extensive economic damage, running to hundreds of millions of dollars, made claims for reimbursement under insurance policies which they believed would respond to what happened. To their shock, their insurance carriers (Zurich, in the case of Mondelez) rejected their claims, invoking a little-used “war exclusion” clause, which would absolve them from paying a claim which was deemed to have arisen from an act of war. In response, both companies have sued their insurers; and, given the importance of the cases, the resulting litigation is likely to be both closely watched and protracted.

As we have written before, cyber covers are one of the few supposed bright spots for the product lines of traditional CAT (re)insurers, as growth in demand continues- with global premia estimated to almost quadruple from 2017’s USD 4.5BN to USD 17.5BN in 2023. This is a product line in which any major insurer will have an interest, yet the nature of and triggers for coverage remain a work in progress.

The key problem in most such cases is identifying with any appropriate level of proof exactly who, or which entity is responsible for a particular event. In the case of state, or state-affiliated or -directed actors, while that may be known, reasons of state may dictate that proof is not available or made public. The NotPetya event was actually publicly stated by the US government to have been conducted by a state actor- Russia. However, characterization as an “act of war” is problematic, as the impact was widespread and not confined to US entities, even though the Ukraine was considered to be the intended target.

From the point of view of a (re) insurer this raises the issues of how to define and limit the extent of the coverage to what the (re)insured intended (and what the Insured expected), as well as determining whether those impacted were the intended target(s), or simply collateral damage. The inter-connectedness of the world makes how far that damage can spread increasingly hard to determine. Given the potential potency of the “act of war” exclusion, one can also foresee the risk of “moral hazard” in terms of who might, and might have the incentive, to state that a particular cyberattack was an act of war, and where the burden of proof should lie.

At Awbury, a key focus of our business model is ensuring that the terms and “triggers” of any coverage we write are unambiguous and clearly defined. We do not wish to find ourselves in the position of having to debate with an Insured whether or not a claim exists. Ambiguity, or the raising of an unforeseen defence, serves no-one’s interests. And, for the record, we do not write cyber covers, although we keep a close eye on cyber risks as the may relate to any of our credit-based coverages.

The Awbury Team

Standard

Risk, what is that?

We have long been admirers of the investment skills and thoughtfulness of Howard Marks, co-founder of Oaktree Capital Management. Like Warren Buffett’s Annual Shareholder Letters for Berkshire Hathaway, Mr. Marks’s periodic Memos, which now date back almost three decades, are always worth reading for their thoroughness, and intellectual diversity and depth.

Anyone who wishes to understand what the nature of risk is would be well advised to read a Memo from 2015- Risk Revisited Again in which Mr. Marks (as one should) updates and describes not only what he considers to be the true nature of risk, but provides a useful starting checklist for those risks which one should consider in an investment and business environment.

So, what exactly is risk? As the Memo points out, it should not be confused with volatility (which is a tendency that is still prevalent.) Academics and model-builders like to use volatility because it is a property that can be recorded and measured- just think of Value at Risk (VaR) and the use of such concepts as standard deviations. However, volatility is a fluctuation and is simply a property of most exposures or investments. Risk is something else. As Mr. Marks points out, what investors and risk managers are really concerned with is the possibility of permanent loss. Of course, volatility can expose one to that risk if one is unable to manage it and absorb it, which is why lack of liquidity is such a killer of companies and of investors’ hopes and expectations.

The problem with this is that (to quote the Memo): “The probability of loss is no more measurable than the probability of rain” (which reminds us of Andre Brink’s novel “Rumours of Rain”). Like volatility, one can model it and estimate it, but it can never be fully known ex ante- nor even ex post. After all, just because there was no permanent loss, does not mean that there was no risk. Too often people confuse dumb luck with skill when it comes to identifying, assessing and managing risk.

The Memo wryly quotes JK Galbraith: “We have two classes of forecasters: Those who know- and those who don’t know they don’t know”. Being in the latter category, is never a good idea. Ignorance is not bliss. In the real world, it is far better to recognize that, because the future is unknowable, one can never be certain of how much risk truly exists in a particular investment or exposure, or as a consequence of one’s decisions. Humility is an essential virtue for any risk manager! Far too many things that should not or “cannot” happen actually do. Therefore, one must focus on trying to ensure that the worst possible outcome (the real risk) is not such as to also cause ruin.

In reality, the future is always a range of possibilities. One can try to identity scenarios and assign probabilities to create a distribution, but in the end only one thing will happen (putting to one side the fascinating topic of quantum mechanics!) The probability of that causing a permanent loss may be remote, but the risk will always be there until such time as an obligation has expired. Of course, the entire concept of an “insurable risk” depends upon there being an expected minimum level of risk and thus of loss.

At Awbury, we aim to be assiduous students of risk both as a concept and as an inevitable factor in all that we do. Our business model and franchise depend upon never being self-satisfied or complacent about its existence, nor believing that we must be right. A healthy skepticism and paranoia are also essential virtues for the Team.

The Awbury Team

Standard