Updates Page 12

What next for cyber resilience?Page 8

Disruption and innovation in insurance Page 4

EditorialPage 2

COVER TO COVERM A G A Z I N E F O R T H E N E W Z E A L A N D I N S U R A N C E M A R K E T F E B R U A R Y 2 0 1 6 / I S S U E S E V E N

2

C O V E R T O C O V E R - I S S U E S E V E N

Happy New Year

Happy New Year! and welcome to the first issue of Cover to Cover of 2016.

In this issue we welcome a fascinating and challenging article by Nick Mereu, in-house counsel for the Insurance Council of New Zealand, on disruption and innovation in the insurance industry. Nick highlights the importance of innovation throughout the history of insurance, and suggests avenues for innovation for insurers to explore in the digital age.

Consideration of the digital age also takes us back to a subject which we covered in our first issue, in August 2014, and which seems in no danger of going away: cyber risks. In many respects, not much has changed. However, what we have seen since then, unsurprisingly, is further exponential growth of cyber risks in both prevalence and sophistication, and a growing awareness that cyber risks are a key business risk which should not be

3

left to the IT department alone, but which demands proactive consideration at board level. As the Institute of Directors says, ‘Put cyber security on the agenda before it becomes the agenda.’

Risk is, of course, the bread and butter of the insurance industry. The rapid development of cyber risks means that insurers are already providing services to assist businesses in the aftermath of cyber events, but uptake of cyber risks policies is still relatively low, and set to grow. Policies themselves are becoming more sophisticated, but it is probably fair to say it is a ‘work in progress’ for both insurers and insureds, not least because of the speed of evolution of cyber risks and the difficulty of obtaining clear data as to risk categories and levels.

Bringing innovation and cyber risks together, we believe that insurers should be able to analyse cyber risks effectively, educate businesses appropriately as to the risks they face and how to mitigate them, and reward businesses which take sensible precautions, by charging lower premiums. If insurers are able to take such steps in an

efficient manner by innovative use of technology, they will provide a better service to their insureds and should gain a bigger slice of the market. At the same time, they will help to lower the overall impact of cyber risks across New Zealand.

We do not have any comments on recent earthquake cases in this issue, but include a brief update on the Fair Insurance Code, which has recently come into effect.

We hope you find the articles in this issue relevant, useful and interesting.

We also welcome feedback, comments and ideas for future issues, so please take 30 seconds to email me on covertocover@minterellison.co.nz if you would like to provide any thoughts.

Toby GeeEditor

4

C O V E R T O C O V E R - I S S U E S E V E N

Disruption and innovation in insurance

In this article Nick Mereu, in-house counsel at the

Insurance Council of New Zealand, suggests that disruptive innovation has been present throughout the history of the insurance industry – and proposes key areas for development.

5

Insurance is an innovation that disrupted the lending marketInsurance media frequently report ‘disruption’ and ‘innovation’ in the industry as if they were modern phenomena. But disruptive innovation has been par for the course throughout insurance history. The founding idea of insurance was an innovation to disrupt the lending market.

Edward Lloyd’s 17th century London coffee shop is often thought of as the birthplace of modern insurance. That is true – to an extent. But if the industry today is an oak, Lloyd’s was the sapling, and the acorn was sown much earlier.

In the 13th and 14th century, Italian commerce was booming. Merchants shipped goods from North Africa and the East to distribute throughout Europe. It was a perilous time, with merchants risking the loss of whole shipments - and financial ruin as a result.

The moneylenders had an answer. Traditionally, canon law forbade usury: it was illegal and immoral to make a profit from a loan by charging interest. So the moneylenders gave “sea loans”1. Before a voyage, the moneylender would lend the merchant a sum of money. If the voyage was doomed, the merchant kept the money. If the ship returned, the merchant would repay the loan, plus a risk premium.1

1 Sea loans were not invented by the Italian merchants, they were just used as the mechanism to avoid ‘usury’. The Babylonians gave similar sea loans – and published premium rates – circa 1750 BC.

The moneylenders must have had excellent lawyers: they convinced the Vatican that risk transfer was not moneylending, and the risk premium was not “interest”. Looked at in this light, the invention of insurance was disruptive innovation in the money market.

And the history of insurance is littered with disruptive innovation…London market participants in the 16th century were dissatisfied with the courts’ resolution of insurance disputes. In response, Francis Bacon sponsored the Assurances Bill 1601 to establish a competent court for the arbitration of insurance disputes. While the admiralty and common law courts continued to have jurisdiction, merchants entered into contracts with arbitration clauses stating that disputes would be resolved “by honest merchants, and shall not go to law”.

…including in New ZealandThe tariff system was another early innovation of the insurance market. After the Great Fire of London in 1666, fire and general insurers proliferated. New companies entering the insurance market started a rate-cutting war with incumbents. By the 1820s, ruinous loss ratios forced the companies to come together and agree to set minimum rates for certain risks.

New Zealand had a similar experience. The “highly inflammable shanty towns and

hazardous mines and mills of the infant colony” proved irresistible for domestic, Australian and British insurance companies. Tariffs were established - but ignored.

This led, in 1895, to the establishment of the Council of Fire Underwriters’ Association of New Zealand. The Council’s job was not only to administer the tariffs, but also to set the uniform policy wording to be adopted by all insurers. The tariff took effect on 1 October 1895 and ended in 1973, just in time for the arrival of the Commerce Act in the 1980s.

By then the Council had changed its name to the Insurance Council of New Zealand, whose other innovations – responding to heightened government scrutiny of insurers – include the development of the Insurance Ombudsman and the Fair Insurance Code.

This led, in 1895, to the establishment of the Council of Fire Underwriters’ Association of New Zealand. The Council’s job was not only to administer the tariffs, but also to set the uniform policy wording to be adopted by all insurers.

6

C O V E R T O C O V E R - I S S U E S E V E N

New Zealand also has a unique history of government intervention to disrupt private insurance markets, through the Government Life Insurance Agency,2 the State Fire Insurance Office3 and the Earthquake Commission.4

Digital technology is the modern disruptorImprovements in digital technology are the source of modern disruption and innovation in the insurance industry. Technology allows us direct access to better information about risks, gives consumers easier ways to interact with insurance services, and has created new ways of pooling capital to manage risk through social media.

Friendsurance, for example, runs a peer to peer insurance model where trusted friends get together and pool capital for a year to cover smaller risks, like loss of personal property below traditional insurers’ excess, or cover for certain property like smartphones. Any leftover premium is distributed at the end of the year amongst the members of the group who did not make a claim. Crowdfunded insurance operates similarly

to traditional insurance, albeit with capital raised through a crowdfunding platform.

More insurers and brokers are developing apps that provide a total customer interface. So as an insured, you can enter into and renew policies, upload photos of contents, receive notifications that a hailstorm is coming and you need to move your car under cover, and so on. State Farm in the United States has an entire customer interface by way of app. New Zealand insurers have not developed this technology as quickly.

Telematics and big data provide the biggest opportunities for innovationTelematics are technologies that collect data, built into everyday items like cars, houses, smartphones or Fitbits. ‘Big data’ describes the growth of data from all sources and the development of the technologies used to organise, search and analyse the data. Tower’s SmartDriver app is probably the simplest of this kind of technology in New Zealand.

Telematics and big data reduce information asymmetry between the insurer and insured, performing a similar role to historical legal rules (like the insured’s duty of disclosure) and market research (like the shipping news at Lloyd’s coffee shop).

What does this mean for the future of insurance? Firms that are in a better position to collect, collate and crunch data will gain substantial market power in the insurance industry. Competition is already coming from firms that are not traditionally insurance providers. OnStar was originally a safety platform on cars, and now

provides insurance services. Apple’s HealthKit is scoping insurers to provide a supplementary service. Further, consumer trust and confidence is comparatively very low for the insurance industry, and we are already seeing an increase in the distribution of insurance products through firms with strong brand image and consumer goodwill like banks, supermarkets, retailers, airlines and auction sites.

These developments could impact insurance in one of two ways.

Insurance could slip into the background as a behind-the-scenes support service with no direct customer relationship. Imagine your Fitbit or smartphone monitoring your personal health data and behaviours, and sending you notifications to encourage safer health behaviours. Your primary relationship as a consumer is with the gadget manufacturer or app developer. That service encourages better risk management on your part. You may consent to that primary service provider sharing information with insurers, who may offer an add-on product with personalised cover based on your personal data. In this scenario, you do not need a direct relationship with an insurer.

Alternatively, holistic personal risks products, encompassing life, health, liability, property and travel risks, could be developed for individuals who are willing to have insurers collect and collate their data and price their holistic personal risk accordingly. Not only would information asymmetry between insurer and insured be minimised: an insurer may also have better insights into insureds than insureds have into themselves. Consumer search costs would be significantly reduced if they had to interact with only one insurer, and the insurer already

2 Now Tower Insurance. Established in 1869, the GLIA sold insurance through the state-owned post offices. By 1877 it was bigger than all its competitors combined, which included the Australian Mutual Provident Society (AMP) which had set up shop in 1854. 3 Established in 1903 in response to concern about the tariff system keeping fire insurance premiums unreasonably high. State set its premiums at 10 percent below the tariff rates, and all the private insurers immediately dropped theirs. Nonetheless, by 1920 State was the largest fire insurer in the country.4 EQC, in its original form the Earthquake and War Damage Commission, was established because private insurers would not cover natural disaster after the 1906 San Francisco earthquakes and the attack on Pearl Harbour in 1941 (although the consequences of war have never really been insurable).

7

To concludeThe core function of insurance is to transfer the financial risk of loss from a party who can’t afford the risk to a party who can. Demand for insurance and for a strong insurance industry will endure for as long as risk endures, regardless of what particular form the industry takes. The challenge for insurers is to become, yet again, disruptive innovators, and to avoid becoming reactive market participants who may get left behind in the ever-accelerating commercial world.The views in this article are those of the author and do not necessarily represent those of the Insurance Council of New Zealand.

Nick Mereu

had access to all the information it needed to accurately price risk.

No doubt there are challenges to be overcome in relation to privacy and the perception of privacy. However, forward-looking insurers will take steps to harness the new technologies to provide a better service to consumers and a better analysis of the risks they accept.

8

C O V E R T O C O V E R - I S S U E S E V E N

What next for cyber resilience?

Businesses are increasingly recognising that cyber security and cyber resilience require active engagement by the board and senior executive team, and should not be restricted to the IT department. As the Institute of Directors pithily recommends in a useful practice guide to directors, ‘Put cybersecurity on the agenda before it becomes the agenda.’

‘Cyber security’ can be summarised as referring to safeguards to protect against cyber attack. ‘Cyber resilience’ relates to an organisation’s ability to withstand a cyber event. Both are important.

So where are cyber security and resilience heading, and how does the insurance industry fit into the picture?

Cyber threats are getting bigger and more sophisticatedCyber threats have seen exponential growth in the last few years. Symantec detected 19.4 million new pieces of malware globally in the month of November 2015 alone, and 317 million new pieces of malware in 2014 – that’s nearly a million new cyber threats every day. Cyber threats are also becoming more sophisticated. They are likely to operate undetected for longer and potentially cause greater

harm: Mandiant found that in 2015 the mean number of days between infection and detection was 205.

Incidents range in severity from the targeting of individuals and small businesses, such as demanding a ransom to permit the business resumed access to its own system, to significant corporate espionage of large New Zealand organisations, putting valuable intellectual property, business plans, pricing and acquisition strategies at risk.

Such cyber threats are taking a serious toll on business. Research from Grant Thornton reveals that the total cost of attacks globally is estimated to have been more than US$315 billion in 2015. And regionally, cyber attacks are estimated to have cost businesses in the Asia Pacific US$81 billion in 2015. The same report shows that the average “successful” cyber attack costs businesses the equivalent of 1.2% of annual revenues. In addition, there are

also extensive indirect costs, such as a reduction in a business’ ability to trade, or reputational damage – which can be particularly severe where customer loyalty relies heavily on trust.

It is therefore perhaps not surprising that the World Economic Forum lists cyber attacks as among the top 5 risks in terms of a combination of probability and impact (along with interstate conflict; water crises; failure of climate change adaptation; and under-/un-employment).

It is tempting, in a small and geographically isolated country like New Zealand, to regard these as someone else’s problem, unlikely to occur here. However, this would be a mistake: As cyber crime can be conducted from anywhere in the world, New Zealand’s apparently low risk environment means, experts say, that it generally has a lower level of cyber security and awareness than in comparable developed countries. This makes New Zealand businesses a soft target for cyber criminals.

In addition to detection problems, a further difficulty in measuring the incidence of cyber crime is that due to the sensitive reputational issues surrounding a data breach or cyber attack, many cyber attacks go unreported: As Una Jagose, acting head of the GCSB, recently said, it is concerning that in a

“Symantec detected 19.4 million new pieces of malware globally in the month of November 2015 alone”

Cyber threats facing New Zealanders and New Zealand businesses are growing in scale and complexity. What was once largely an issue for IT professionals is now a crucial consideration for all of us.

9

“A further difficulty in measuring the incidence of cyber crime is that

due to the sensitive reputational issues surrounding a data breach

or cyber attack, many cyber attacks go unreported.”

recent survey of major businesses in Australia, 43% of respondents said they did not report cyber incidents as they saw no benefit in doing so. It can be inferred that published data are probably a significant underestimate of the true prevalence and cost of cyber events.

The statistics demonstrate that cyber security incidents continue to be common and recurrent for New Zealand businesses. However, despite these risks, many New Zealanders and New Zealand businesses are neither confident in their information securities nor have cyber security strategies in place. Amy Adams, Minister for Communications, reported recently that more than 80% of New Zealanders have experienced a cyber-security breach, yet only 39% have changed their online behaviour as a result. 56% of businesses have been attacked at least once in the past year. Yet only 65% of New Zealand businesses are confident that their information technology systems are effective.

New Zealand’s Cyber Security Strategy and Action Plan 2015In the face of such threats, in December last year, Amy Adams launched New Zealand’s Cyber Security Strategy. This, she says, “signals the government’s commitment to ensuring New Zealand is safe, resilient and prosperous online.”

The Strategy provides a unifying framework for government-led action to address cyber security, in partnership with the private sector. Underpinning the Strategy are the principles of collaborating with the private sector; enabling economic growth; upholding national security and protecting human rights online.

1 0

C O V E R T O C O V E R - I S S U E S E V E N

To deliver the Strategy, the Government has put together an action plan which will be reviewed and updated annually. The National Cyber Policy Office will work with government agencies and private partners to produce a public annual report on the action plan.

The action plan has four primary goals, the first of which is cyber resilience; enabling New Zealand’s information infrastructures to resist cyber threats and developing cyber tools to protect our national interests. A key feature of this goal is establishing a national Computer Emergency Readiness Team (CERT),

a central organisation responsible for receiving and providing advice on computer security incident reports and activity.

Other goals of the action plan include cyber capability, concerned with promoting cyber security awareness to arm New Zealanders with the necessary skills to protect themselves online; addressing cybercrime (which is also addressed in the National Plan to Address Cybercrime); and international co-operation, aimed at ‘ensuring the continuation of an open and secure internet’.

What New Zealand businesses should be focussing onPart of the response from Government and professional organisations to cyber threats is to help educate boards, executives and others about how to respond to cyber risks (both before and after a cyber event). The Institute of Directors’ ‘Cyber Risk Practice Guide’ provides boards with five high-level principles to help them understand and monitor cyber risk, develop strategies for seeking assurance, and oversee management:

• Take a holistic approach. This involves approaching cyber security as an enterprise-wide issue, not just an IT issue.

• Understand the legislative environment. This involves assessing legal risks by reference to the company’s specific circumstances.

• Access cyber security expertise and put cyber security on the board agenda.

• Establish a framework. Set expectations to management to establish an enterprise-wide cyber risk management framework.

• Categorise and manage the risks, including risk mitigation or transfer through insurance.

The Australian government recommends four key mitigations for businesses, which it says may reduce vulnerability to cyber attack by up to 80%:

• Application ‘white listing’: Allow only a defined list of applications to run on a network.

• Patching system vulnerabilities: Computer system vendors constantly release operating system versions containing new patches to address vulner-abilities as they are discovered.

• Patching application vulner-abilities: Similarly, applications like Java, PDF viewers, Microsoft Office release patches which should be installed.

• Restricting administrative privileges to operating systems in accordance with the user’s duties.

Steps to improve cyber security include improving IT-related steps as above. But they also include addressing employee risks such as the need for employees to be vigilant in relation to passwords, confidentiality of data and scam emails; procurement issues such as checking trading partners’ cyber security processes and requiring suitable cyber security measures on the part of such partners; and reducing the quantity of any marketable data held by the business, and the period for which it is held, to reduce the attractiveness of the business as a target.

Steps to improve cyber resilience include devising and testing an emergency response plan, ensuring that appropriate immediate advisory services are in place to manage the situation and contain any damage in the event of a serious cyber event, and arranging suitable insurance to cover both first-party and third-party losses, together with event containment measures if appropriate.

“Steps to improve cyber resilience include devising and testing an emergency response plan”

1 1

Toby Gee

Oliver Tapper

What can the insurance industry do to assist New Zealand businesses?Insurers play a key role in cyber resilience, which should enable them to participate actively, not merely after cyber events, but also in helping to increase cyber security in the New Zealand business community.

Once a CERT has been established, insurance companies can assist by sharing information and threat analysis with the CERT in order to examine existing threat patterns and techniques, and by participating in regular cyber security exercises to test preparedness for major cyber incidents.

Aside from assisting a CERT and partnering with the government as part of its Cyber Security Strategy, insurers can play a key role in assisting businesses by providing specialist cyber risk policies which effectively manage the risks related to data breach and reduce the significant costs that can result from them. The scope of such policies, if well explained, is in itself a useful educational tool in assisting businesses to understand and manage cyber risks.

However, results from Minter Ellison Australia’s 2015 cyber security survey, which assessed results from over 150 organisations across Australia, show that cyber insurance has not yet been widely embraced. Only 25% of survey respondents confirmed their organisation held specialist cyber risk insurance, and a further 35% were unsure whether their current insurance arrangements adequately covered cyber risk.

The Minter Ellison survey suggests that organisations may not realise that many traditional insurance policies do not provide adequate protection in the event of a cyber attack, because, for example, their definition of ‘property’ is limited to tangible physical property such that risk resulting from data breach will not be covered; and because other types of risk associated with a significant cyber attack or regulatory costs are also not typically covered.

Specialist cyber risk insurance is still a relatively new product. The majority of such products in the market provide hybrid policies, which include cover for:

• First party losses, such as the cost of hiring IT and/or forensic accounting experts to identify and address the cause of the breach, or engaging public relations specialists to assist in limiting reputational damage;

• Regulatory costs, including fines or penalties, and notification and monitoring expenses; as well as

• Third party cover for any claims arising from a data breach.

However, insurers may be able go further, to help to minimise the overall impact of cyber events to ‘New Zealand Inc’, by providing proactive risk management and mitigation services such as:

• lists of approved emergency response teams (IT experts, legal advisors, public relations services, etc);

• premium reductions for businesses which can demonstrate they are adopting responsible cyber security policies such as implementing the key

mitigations recommended by the Australian government and potentially other suitable risk mitigation steps.

We expect to see an ongoing increase in the take up of specialist cyber risk policies as organisations increasingly turn their mind to their cyber risk profile on an enterprise-wide basis. Forward-looking insurers will use their insurance policies and associated documents to assist in minimising claims, should they occur, and enabling themselves to provide lower premiums to businesses which can demonstrate lower risk by adopting appropriate safeguards.

Whatever steps insurers and businesses do or do not take, cyber risks are set to loom large in the coming years. Smart approaches in addressing them are likely to lead to market advantage and great business sustainability.

1 2

C O V E R T O C O V E R - I S S U E S E V E N

Update! Update! Update!

The revised Fair Insurance Code has come into forceLast year, Cover to Cover explored the key changes to the revised Fair Insurance Code. The new Code came into force on 1 January 2016, and applies to members of the Insurance Council of New Zealand. It imposes new duties on insurers of individuals and entities employing fewer than 20 people, and increases the monetary awards that may be made against such insurers.

Insurers may receive more complaints under the revised Code, particularly from Canterbury earthquake claimants with unresolved claims.

New Code obligations and earthquake claimsThe new Code includes:

• A commitment to high standards of service.

Now that more than 5 years have elapsed since the Canterbury earthquakes, claimants with unresolved claims may complain that their insurers are not providing a high standard of service.

• An obligation to manage claims quickly, fairly and transparently.

The revised Code has a new focus upon the management of claims as well as the result. Claimants may complain about the general handling of their claims or focus on delays relating to particular issues.

The revised Code is expressed to apply to conduct only from 1 January 2016 onwards. However, where an insurer’s unwillingness to accept elements of a claim or a long investigation is ongoing, claimants may say that the standard to be expected of ongoing conduct should take into account past delays. Claimants may argue that since matters have gone on for so long, there is a heightened duty to resolve claims quickly, such that a period which would ordinarily be regarded as acceptable may be regarded as unsatisfactory. Claimants may also seek to hold insurers to new minimum timeframes, such as the obligation to provide updates at least every 20 business days, even though the claims arose long before the Code took effect.

The ICNZ scheme participants have agreed an increased maximum fine of $100,000 for breaches of the Code. But this may not be available to insureds for all breaches, as dispute resolution schemes have their own limits. For instance, the terms of reference for the Financial Services Ombudsman, which is the nominated scheme for some insurers, currently limit claims

for inconvenience or expense suffered by the insured to $3,000.

Recent earthquake complaints decided by the OmbudsmanEarthquake-related complaints can range from complaints about reinstatement strategies to allegations of misleading behaviour. For example:

• In case 124062/2013, the insurer’s loss adjuster met the claimant to undertake a property inspection. The claimant alleged that the loss adjuster said in the meeting that a rebuild strategy was appropriate. The claimant said that the insurer was therefore bound to rebuild. The loss adjuster did not recall the conversation but said that it would have been an unusual statement for him to make following only one assessment. The Ombudsman held that, not being a court of law, its ability to investigate contradictory evidence is limited. It rejected the claimant’s claim that there was a binding contract to rebuild and its claim for relief for delay, noting that earthquake claims involving ‘TC3’ (technical category 3) zones generally took more time to investigate than others.

• In case 125836/2014, the

In this section we comment on recent Canterbury earthquake decisions and other selected recent developments in New Zealand insurance law

1 3

claim was a dispute about the estimated cost of a rebuild. The complainant said that the insurer had not provided sufficiently for inflation. The Ombudsman considered building industry evidence regarding inflation generally, and said it would put more weight on an opinion relating to the specific rebuild in question. The Ombudsman ruled that the insurer had caused significant delay between November 2011 and June 2012 and had misled the complainant by saying that it had inflation-adjusted the rebuild cost. The insurer was to compensate the claimant for the cost of obtaining a survey and drawing up plans, and to pay $3,000 for the delay.

• In case 123500/2013, the Ombudsman said that delay may be acceptable where it is the result of attempts to discuss, negotiate, and resolve a complaint. The claimant complained that the insurer had delayed in issuing a letter of “deadlock”. The Ombudsman disagreed and said that the purpose of an internal complaints process (of which the letter of deadlock was part) was to try to resolve the complaint before escalating it to the Ombudsman.

Delay claims often involve a number of aspects of the management of a claim, and can be time-consuming for insurers to investigate and deal with. Insurers should be mindful of their enhanced obligations under the revised Code and be prepared to face more complaints of this nature.

We do not have any comments on recent Canterbury earthquake cases in this issue.

Andrew Horne

John Fowler

“The Ombudsman ruled that the insurer had caused significant delay between November 2011 and June 2012 and had misled the complainant by saying that it had inflation-adjusted the rebuild cost.”

1 4

C O V E R T O C O V E R - I S S U E S E V E N

Toby GeeSpecial Counsel

Andrew HornePartner

Neil MillarPartner

For more information, please contact us: E: covertocover@minterellison.co.nz w: www.minterellison.co.nz/insurance

Stacey ShortallPartner

Jeremy MuirPartner

Kara DalySpecial Counsel

Lloyd KavanaghPartner

Zane KennedyPartner

Oliver MeechPartner

1 5

C O V E R T O C O V E R

1 6

MINTERELLISON.CO.NZ/INSURANCE