Alizabeth Calder examines the challenges facing actuaries in an increasingly tech and data-based world
The 2008 financial crisis demonstrated the risk of forecasting the future based on events of the past. While human factors were partly to blame, technology also contributed: according to MIT finance professor Andrew W Lo, "the technology got ahead of our ability to use it in responsible ways."
We now face two new technology-driven challenges:
- The knowledge imperative - The importance of actuaries keeping up with new technologies in order to support the increasing variety and volume of data.
- The risk of speed - The speed of digitised information puts pressure on actuarial scientists to reflect new information, respond to new risks and leverage technology to apply models in real-time - like bots. According to Antony Blinken, a RAND adjunct researcher, this will increase the probability of bad decisions.
This article will consider both challenges in three contexts: personal data and technology, which can be studied by considering the personal health sector; recent examples where complex technologies have broader risk implications; and cyber insurance.
Data and personal technology
An underwriter might say: "A 70-year-old man has a 54% chance of reaching the age of 90 if he does not smoke or have diabetes", and progress through the implications of becoming more sedentary, having high blood pressure, being obese and smoking. Those models, however, could change with the use of human-computer interaction (HCI) devices tracking health and fitness, with insurers offering rebates on life and health products. Social advocates say such policies are discriminatory towards low-income groups. The challenge has become how to use that data without creating reputational risk for the insurer.
The benefits of wearable devices go beyond individual health and life policy rating. Wearable devices can help doctors to predict which patients will do well on a course of chemotherapy, and are being looked at to initiate interventions to reduce hospital admissions. This technology could drive improved models for life insurance and private health benefits coverage.
Finally, HCI devices produce enormous quantities of data, supporting Google research director Peter Norvig's hypothesis that "all models are wrong, and increasingly you can succeed without them". Of all the data in the world, 90% was generated within the past two years, and 2.5 quintillion bytes of data are created each day. Actuarial science will need to adapt, because better data and better analytic tools will change how we model.
A digital actuary needs to ask different questions, such as:
- How do you continuously adapt to new platforms that can improve your models?
- How do insurers best gather and use device-driven data without exposing new risks in data-use liability?
- How do you work effectively with data scientists to stay in sync with this new way of understanding risk?
Actuarial professionals are well positioned to assume a new level of strategic leadership. What data would improve your algorithms or models, and how can new HCI devices be leveraged to give you access to that data?
Hidden risk factors
Complex technology introduces new risks to the models and variables that support coverage for operational risk and liability, as well as directors and officers (D&O) coverage. Consider a few examples:
- Boeing - The issues affecting the Boeing 737 MAX aeroplanes stemmed from an AI-based manoeuvring system called MCAS - put simply, the robot in the engine responded to abnormal data, took over the aeroplane and drove it into the ground. MCAS was designed to activate on just one problematic sensor reading. In spite of procedures provided by Boeing, no pilot actions could wrest back control. The power of the AI-enabled technology was four times what was specified, exponentially raising the speed with which the robot could bring the plane down. The critical risk decision was made when Boeing management and the FAA together assigned a danger level to this technology. The most extreme danger would be termed catastrophic, but the decision-makers opted for the lighter assessment of hazardous, effectively avoiding more rigorous risk interventions. Do D&O policies need to factor in greater amounts of operational oversight?
- Amazon - In 2018, Amazon leveraged smart locks and a cloud-connected camera to leave packages inside customers' homes. Do those customers need a waiver on their personal insurance? Now the company wants to do the same thing with cars, working with GM and Volvo to give couriers access to customers' vehicles. Does this change the model for vehicle coverage?
- Bitcoin - If a personal computer lost in a fire contained the private encryption key to access £100,000 worth of bitcoin, is that a claimable loss in the fire?
Increasingly, underwriters will be called on to define terms and context for the complexities of coverage. Graham Elliott of Azur Group Underwriting suggests that actuaries and data scientists spend 80% of their time acquiring, combining and cleansing data before they can do value-add work. With this in mind, how can the sector stay ahead when it comes to knowing which data matters, and how to gather it?
Actuarial leaders must stay on top of business changes and have direct access to the conversations about what is going to be different. Hidden technology-based risks need to be explored to inform opportunities for contract terms, pricing and marketing strategies, all of which need to be aligned.
The cyber insurance market is estimated to reach $14bn by 2022. With 93% of cyber incidents considered preventable, and annual reported numbers increasing at almost 20% a year, cyber insurance has become a critical mitigation strategy.
Traditionally, cyber policies addressed a relatively simplistic view of data loss. As data breach notification has become a regulatory requirement, policies have improved to keep up, and most policies now cover notification and other liabilities. Recent cases show the importance of cyber coverage and broader business coverage, including D&O:
- Home Depot experienced a breach of 56m customer records in 2014. A similar security breach had exposed 40m cards at Target in 2013, and remediation strategies were known. In 2016, Home Depot set aside $161m, not including insurance-covered items, to address the costs. In 2017, an additional settlement of $27m was set aside for bank partners. Stakeholders felt this response was inadequate, and in 2017 a lawsuit expressly named Home Depot's directors. That suit was initially dismissed based on directors' technical understanding, but in 2018 it was settled to avoid an appeal.
- Equifax announced a data breach in 2017, affecting 146m US customer records - the result of a flaw that the company had known about for more than a month but not addressed or disclosed. Equifax executives happened to sell $2m worth of shares during that period. The implications of litigation claims are not yet fully known.
Cyber policy terms are evolving, with clearer definitions of terms such as 'defence costs', 'incident response' and 'notification expenses'. In addition, policies now overtly exclude costs associated with preventing or correcting deficiencies in systems and failure to properly handle, manage, store, protect and destroy data. Actuaries will benefit from GDPR reporting, but will need to continuously improve models to reflect changing issues.
There are also new risks that fall outside of cyber insurance models:
- Cloud computing and solutions as a service (SaaS) - Cloud and SaaS providers are not immune to skills and procedural gaps that cause problems, and the cost per hour of a cloud outage can exceed $1m. Salesforce, for example, recently created a data breach exposure for a large group of customers, reportedly the result of a maintenance error. The vulnerability was quickly caught and contained, but the affected customers lacked system capability for two days. Who pays? Cyber insurance may need to offer service provider coverage for when cloud providers face issues that impact the customer's domain.
- Business process outsourcing and delivery partnerships - The business process outsourcing industry has a compound annual growth rate of 4.4%. That is alarming when you consider that nearly half of IT leaders lack confidence in business partner security postures, 25% do not evaluate partner cybersecurity, and half make exceptions in cybersecurity posture requirements for partners.
Third-party processes and data handling will become part of cyber exposure; the industry may need to be clearer and more consistent when it comes to evaluating and modelling these risks, so they can add the critical coverage to a policy.
Now is the time for actuaries to embrace technology change and develop a broader curiosity and foundational knowledge, so you know when discussions will render traditional models ineffective.
Alizabeth Calder is a senior technology strategist, NACD member and certified corporate director (ICD.D). She is also a successful author. Her most recent project is:
Duty of Care: An Executive Guide for Corporate Boards in the Digital Era
It is cited as a much-needed guide for business leaders who need to close their digital knowledge gap in order to make the right decisions about technology, investment and deployments.
Published by John Wiley (2019).