
TOPICS risk solutions

The threat from cyberspace


Rapid advances in IT are spawning new risks. PAGE 4

Insurance solutions for industry Issue 1/2013

Nathan Risk Suite Efficient natural hazard assessment

Industry How insurances create value

Currency crisis Europe must come closer together

editorial

Dear Reader,

Many of us can no longer imagine a world without computers, the internet or smartphones. Technology is advancing continually, creating new possibilities but also new risks. IT security experts believe it is now impossible to entirely preclude violations of online data confidentiality. And if data confidentiality is compromised, the important thing is to be able to take appropriate countermeasures to prevent further loss. In the USA, Hartford Steam Boiler (HSB) offers products designed to do just that.

We are also working to improve network security in another way: in 2012, Microsoft and Munich Re expanded their cooperation, establishing a strategic risk partnership focusing on commercial cloud computing services.

However, there can never be a single insurance policy covering all IT risks. The perils involved are simply too varied and their consequences too difficult to calculate. In particular, the possibility of a global virus attack and the enormous accumulation potential this would involve are a major challenge for the insurance industry. That is the bad news.

If insurers are to offer their clients effective and reliable protection, they need clearly defined agreements detailing the type and scope of cover they offer. Transparency and up-to-date information are required to assess cyberrisks and to be able to insure them at a price that accurately reflects the risk. The good news: if these conditions are in place, then even in these times of big data, cloud computing and cyberwars, we will be able to offer customised insurance cover for more and more IT risks, and in so doing make a valuable contribution to the development of your company.

Munich, January 2012

Yours sincerely,

Dr. Torsten Jeworrek Member of the Munich Re Board of Management and Chairman of the Reinsurance Committee

NOT IF, BUT HOW

Contents
Data abuse
Almost anyone can fall victim to a data breach these days. Companies are also coming under increasing attack from hackers. And there is little we can do to prevent such attacks. People with the right insurance cover that enables them to react quickly and effectively when the worst happens are at a distinct advantage.

News
Efficient natural hazard assessment with Nathan Risk Suite
Cyberrisks: An underestimated peril. Globalisation and expanding networks offer a growing target for attack
Industry: More than just a cost factor. CIP Head August Pröbstl talks about the value-adding components of insurance cover
In the eye of the storm: CIP was busy minimising losses while Hurricane Sandy was still causing havoc
Column: The future of the euro. Greater political integration can help the currency
Imprint and preview

Munich Re Topics Risk Solutions 1/2013

NEWS

A powerful interface
In many places around the world, investments are called for in the energy and infrastructure sectors. Projects like these require a partner with the experience and financial strength needed to provide successful support in the form of insurance solutions. Around the world, Munich Re employs about 120 engineers, who utilise their many years of practical professional experience in engineering to develop client-specific cover solutions in close dialogue with insureds, brokers, local insurers and principals. We do business throughout the world, offering products, coverage concepts and services matched precisely to your needs.
>> More information at www.munichre.com/en/touchengineering

touch engineering

Home advantage in Canada


Temple opened its new Calgary office over one year ago to allow it to focus on the oil and gas markets in the Canadian provinces of Alberta, Saskatchewan and British Columbia. The energy sectors are a target market for both property and casualty products. This includes exploration and production companies, service and drilling contractors, related supply manufacturers and wholesalers, and power generation/steam plants. The office is now staffed with a full contingent of expertise, including casualty and property underwriting and engineering know-how. Temple offers the advantages of a local insurer with substantial capacity.
>>  More information at www.templeinsurance

TEMPLE insurance

A.M. Best affirms ratings


A.M. Best Co. has affirmed the financial strength rating (FSR) of A++ (Superior) and the issuer credit ratings (ICR) of aa+ of the members of the Hartford Steam Boiler Group (HSB) in the USA and the UK. The outlook for all ratings is stable. The ratings reflect HSB's standalone strengths and the advantages derived from being part of Munich Re, such as providing HSB with access to new markets in continental Europe. HSB's already robust enterprise risk management (ERM) practices receive additional benefits from Munich Re's extensive ERM resources. At the same time, the ratings recognise HSB's distinctive business profile.

Hartford steam boiler

Winter storm losses from 1980 to 2011


Overall and insured losses in US$ bn (in 2011 values)

Like the number of loss events, the overall and insured losses do not indicate any distinct trend over the past decades. High loss peaks are mostly produced by single extreme storms. For large events, the insured portion of losses tends to be lower.

[Chart: overall losses and insured losses in US$ bn by year, 1980 to 2010] Source: Munich Re, NatCatSERVICE


Risks cannot be managed holistically without having precise knowledge of their specific locations and hazard situations.

Munich re

NATHAN Risk Suite Geointelligence for your business


Natural hazards such as windstorms, earthquakes and floods regularly produce large losses. But where are they more likely to occur and how severe are they likely to be? You can now find answers to these questions more quickly and precisely with the NATHAN Risk Suite from Munich Re. NATHAN stands for Natural Hazards Assessment Network, a selection of geo-tools designed specifically to meet your needs.

In an era marked by climate change and growing concentrations of value, natural hazards are taking on a more significant role than ever. While the information provided by NATHAN has long been of value in the property, engineering and marine lines, new areas of application are emerging all the time. For example, risk managers now also use NATHAN's abundant capabilities to search for and assess the suitability of industrial locations, and to determine the value of real estate.

NATHAN optimises the assessment of natural hazard risks in relation to both individual risk locations and world-spanning risk portfolios. Working with geocoded portfolio and loss data, NATHAN can analyse and depict complex geographical correlations. NATHAN's technical implementation accelerates business processes and supports business management by making it possible to take advantage of the expertise accumulated over many years in taking decisions regarding locations.

Insurers require ever more precise assessments of risks and of the loss potential posed by natural hazards. Because only insurers that calculate appropriate prices for current and future risks will create a sound foundation for sustained success. We support clients with customised, innovative services for gauging individual risks and assessing portfolios. The added value derives from combining risk data with the natural hazard exposures at the individual risks' locations in order to identify the risks efficiently, monitor risk portfolios over the long term and discover any hotspots or accumulations.

We have the right products to meet our clients' every need, not just in underwriting but also in industry, for captives and for financial services providers.
>> More information at www.munichre.com/touch/naturalhazards/en


Cyberrisks

Rapid progress spawns new risks


Information technology is changing our world with both positive and negative effects. An overview of risks and their consequences for insureds and insurers.

Doris Mhlmann-Burger and Heidi Anneliese Strau

The growing use of information technology (IT) in society and industry has major repercussions for everyday life. Increasingly sophisticated means of collecting, processing and storing data are not only changing our working lives and social contacts, but also establishing new parameters for industry, trade, traffic and transport, as well as for the supply of energy and raw materials. Healthcare systems, international economic and political relations, and military systems are likewise changing constantly as a result of the rapid advances in IT.

Information flow and density are increasing

The rapid development of information technology and its growing number of uses make it possible to store ever larger volumes of data¹, be it for private or business purposes. Storage media are not only becoming ever smaller and more powerful, but also cheaper. At the same time, increasingly fast processors permit more rapid access and complex analyses. In this way, data can be evaluated to various extents and for a whole variety of purposes, regardless of regional borders and areas of application. For companies, this opens up new business opportunities, for instance by processing information on customer behaviour. Yet these new opportunities also give rise to risks, particularly with regard to such sensitive data as those concerning the workforce or customers.

The risks increase when data are stored and transmitted via the internet and not in closed systems. The advantage of comprehensive, timely analysis is offset by the higher risk of unauthorised access, especially when using unprotected, i.e. public, wireless local area networks (WLAN). What is more, the growing use of multifunctional smartphones has made it easier to process business data on personal computers at home. Since such computers are normally not equipped with the same high-security precautions as company computers, the risk of data breaches is considerably higher.

To boost efficiency in day-to-day work, many companies offer their staff external access to the company's computer system, for instance in the form of single sign-on, meaning that the user need only log in once in order to access all systems for which he/she is authorised. However, this increases the risk of unauthorised access, especially in combination with the use of remote devices, if third parties are able to decipher the code or manipulate a user account, with potentially devastating consequences for the stored data. As data are often among a company's most valuable assets, preventing the loss of data and its consequences can be a key factor for success. For this reason, demand for insurance to cover the risk of data loss or theft has recently increased considerably.

¹ The terms data and information are effectively synonymous; their use depends on what is customary in a particular branch of industry. We have therefore deliberately refrained from drawing a formal distinction between the two terms.

Effective protection against data theft and misuse is now an illusion.

Figure: Dimensions of cyberrisks
Security: denial of service, extortion, electronic vandalism, theft of data, computer virus
Compliance and privacy: privacy laws, HIPAA, Gramm-Leach-Bliley Act**
Reputation: massive distribution of false information, systematic posting of wrong info on web pages
Liability: intellectual property infringement, product/service failure*, privacy violation
Axis labels: primarily first-party, primarily third-party
* Health Insurance Portability and Accountability Act
** US federal law governing financial institutions' obligation to protect customer data

Greater vulnerability through globalisation and interconnection

Globalisation brings both advantages and disadvantages for IT users. Internet connections effectively permit access to data, systems and entire organisations throughout the world. However, on the downside, they may also lead to growing losses, as the risks increase with closer networking. Widespread failure of the internet could lead to extensive claims as many companies depend on the web for their day-to-day business. This has created a corresponding interest in insurance cover for IT-related business interruptions.

Risks: Unauthorised access; internet breakdown/failure
Insurance policies affected: IT/cybercover
Effect for insurers: Significant increase in demand for insurance products


Critical infrastructure is a target

Various recent cyberattacks have shown that infrastructure is increasingly becoming a target for attack. Systems in the following sectors are considered to be particularly critical:
- Telecommunications
- Traffic control systems (road traffic, shipping, air traffic)
- Utilities infrastructure, especially for water and electricity (e.g. smart grids)
- Healthcare and medical supply systems
- Control systems (e.g. in nuclear power plants)

Cyberattacks are facilitated by the widespread use of remote control systems. They allow infrastructure systems to be accessed via software interfaces, increasing the risk of a system failure due to unauthorised access. Sudden breakdown of the electricity supply, for instance, can have major consequences. Today, electronic components are essential in almost every area of daily life and in industry, making modern society considerably more vulnerable to attack.

The damage caused by a blackout lasting a few hours would probably remain manageable. However, if the power outage were to affect a large area and continue for a longer period of time (several days), it could even endanger a society's economic and social stability. Operation of other critical infrastructure systems, such as the water supply, telecommunications and the transportation systems, would at the very least be restricted. Production stoppages and the breakdown of trade would cause considerable economic losses, sending insurance losses soaring, too.

Risks: Unauthorised remote access; infrastructure failure
Insurance policies affected: IT/cybercover, in some cases property insurance, personal lines

Many governments have introduced more stringent regulations to protect against attack as the cyberrisks and loss potential have increased. A company's management can be personally liable for compliance with these regulations. This duty can be delegated only to a limited extent and the company must ensure that both its own employees and external staff are trained accordingly. This has a considerable impact on D&O covers and especially on insurance of technical executives.

In some cases, the protective regulations are at odds with the consumer's personal rights, for instance where they provide for unrestricted access to customer data. The same also applies when providers of telecommunications services are required to store and, if necessary, share connection data.

Risks: Increasing regulation means higher risks for insurers
Insurance policies affected: Liability

Outsourcing data creates new risks

Outsourcing the processing and storage of data (cloud computing) helps to cut costs and is therefore becoming increasingly popular. Depending on the provider's location, the legal requirements to be met in terms of scope and content not only differ, but are sometimes even contradictory. One feature common to all cloud services, however, is that the data and software are no longer physically controlled by the companies. It is therefore important to ensure that the providers of cloud computing solutions comply with the companies' requirements in respect of security or protection against unauthorised access. Firms should also take note of their providers' financial soundness (adequate capital base). Clearly defined quality requirements and professional interface management are likewise indispensable. While large providers of cloud computing are probably better able to meet high security standards, their size can make them a potential target for cyberattacks, as a successful attack would permit access to numerous companies' data.

Supervision, legislation and compliance

Companies with global activities which use the internet as a marketing and sales channel must comply with numerous privacy and supervisory regulations. Despite all efforts to comply with the partly contradictory regulations, some degree of legal uncertainty still remains as to the requirements and standards actually to be met by companies. The different national regulatory frameworks also affect insurers and their coverage concepts for IT risks. Since a uniform worldwide approach is impossible, products must be individually adapted.


Both the company using cloud computing and the provider are interested in insurance cover against loss of data in order to be prepared for the consequences of a business interruption. In the event of a significant loss of customer data at a cloud computing provider, the insurer may be faced with a double claims burden. The customer can file claims against the insurance company due to the loss of its own data and any associated business interruption (first-party claim). The provider will also turn to the insurance company on account of the liability claims asserted against it (third-party claim). On the other hand, a low limit can be defined for liability claims in the service agreements concluded between the cloud computing provider and its clients.

Risks: Cloud computing leads to a more vulnerable IT environment
Insurance policies affected: IT/cybercover (loss of data, business interruption, liability)
Insurers may be faced with a two-fold claims burden: loss of data and liability claims against the provider

Constant availability changes everyday life

The rapid pace of developments in IT not only has repercussions for companies, but also affects our social life and the way we interact. More and more people and households are permanently connected to the internet and can constantly be contacted online, fostering a culture of permanent availability. Young people in particular find it increasingly difficult to draw a clear line between work and leisure and to ensure sufficient relaxation. This is reflected in the growing number of people suffering from stress, depression and burnout. This phenomenon is further reinforced by the greater speed and complexity of modern life with all its technical advances. The ever-growing stream of information must be analysed rapidly, leaving little time to concentrate on specific aspects and explore them in depth. The long-term effects, e.g. an increasing lack of concentration, are not yet clear.

More and more areas of life are being confined to the virtual realm. Personal conversations or telephone calls are being eschewed in favour of social networks, chat rooms and similar forums. Anyone who does not use these forums runs the risk of dropping out of contact. Less stable personalities can easily lose themselves in this world of illusions and end up taking it more seriously than reality. In the worst case, this can lead to a feeling of emptiness and loneliness.

What is cloud computing?


Cloud computing is a special form of outsourcing in which parts of the IT environment are rented as a service, instead of being operated by the company itself. A distinction is made between the following types of cloud computing:
- IaaS (Infrastructure-as-a-Service): Instead of setting up their own IT infrastructure (computers, networks, storage devices), companies rent them as required.
- PaaS (Platform-as-a-Service): The company is granted access to use a programming or runtime environment.
- SaaS (Software-as-a-Service): Programs are no longer purchased through licences. Instead, software compilations, applications and programs are used for a prescribed period of time.

The use of cloud services requires an unambiguous procedure for classifying and handling information. Depending on how sensitive the data are, precautions must be taken by both the outsourcing providers and their customers. Confidentiality (encryption when transmitting and storing data), availability and integrity of the information must be assured. Risks cannot be excluded entirely when using cloud computing services. Potential losses such as those due to business interruption or loss of reputation can only be partly covered by claims for damages.

Microsoft and Munich Re entered into a strategic partnership in 2012 in the field of commercial cloud computing. The two companies are seeking to improve risk management and modelling in order to drive forward underwriting and business innovation.


The great popularity of social networks also enables strangers or outsiders to gain access to information about people's private and professional lives. The danger is greatest if users do not restrict access sufficiently, are careless with confidential information or mix private and professional information. The same also applies if providers do not offer suitable means of preventing unauthorised access or only make it easy to enter and save information, but not to delete it. Another problem is that many services are only available online (instruction manuals, for instance, or travel and other sales portals). Access is impossible for those who do not use the internet.

Demand for insurance to protect users against invasions of personal privacy, such as cyberbullying or identity theft, has risen as the use of social networks has become more widespread. Until now, such insurance was only possible in the form of personal injury cover provided under a personal umbrella policy. Since personal injury claims in personal lines have increased recently, many providers have decided to exclude electronic aggression from these lines of business.

Risks: Identity theft, cyberbullying
Insurance product: Liability

Cyberattacks

Modern IT has created a new platform for criminal activities of every kind: from theft, fraud, damage to assets and extortion through espionage, reputational damage and child pornography to terrorism and even acts of warfare. Cyberattacks are not uncommon, as almost daily reports in the media prove. The computer worm Stuxnet demonstrated all too clearly the extent to which criminal activities in cyberspace have increased and how far-reaching their consequences can be. Companies can become the victims of cyberattacks just as easily as private individuals. Attacks can be launched from the outside (genuine attacks) or inside, for instance out of revenge, or through the careless handling of data or information on security measures.

Security programs offer protection against malware such as viruses, Trojans and worms, but the programs must be kept up to date at all times. Not all users take suitable precautions, be it because they underestimate the risks or because they are simply unaware of vulnerabilities in the IT environment. Such vulnerabilities may be technical in nature, for instance when sensitive information is transmitted via public wireless networks or personal data are inadequately protected. They may, however, result from personal conduct, for instance if data are treated carelessly.

In addition to establishing the obligatory precautions, companies must also consider whether or not they pose an attractive target for attack and should therefore invest more in defensive mechanisms to make life more difficult for hackers. If they have the right equipment and know-how and put in the necessary effort, cyberspecialists can find technical, procedural or social shortcomings which enable them to penetrate virtually every corporate network. Since companies cannot dispense with IT, it is almost impossible to completely exclude the risk of damage through web-based criminal activities.

Another reason why cyberattacks have become so attractive is because the perpetrators stand to make a very tidy profit without much financial input. Many of the data saved by companies or individuals can be sold for high prices. Credit card data are already publicly traded and other valuable data can easily be procured through the black market or by order.


HSB insures personal data


Data breaches exposed more than 232 million personal records worldwide in 2011, including approximately 23 million records in the United States. Deliberate breaches target customer-related information in order to use it for fraud.

Many IT security experts warn that data breaches can no longer be prevented, only managed. Adequate data breach insurance should therefore be a standard part of commercial insurance protection for businesses of all sizes, as every business is potentially exposed to loss of business and reputational damage.

In the United States, Hartford Steam Boiler helps smaller businesses to protect the personal information they keep on customers, employees and others, and to respond when sensitive data are stolen, hacked, or lost. Unlike larger organisations, a smaller business is less likely to have the knowledge, manpower or financial resources to respond properly to a data breach.

HSB's Data Compromise coverage is designed to help commercial clients respond to the financial burden and service obligations of a data breach. The coverage can help pay the costs of outside legal counsel, forensic IT review, notification of customers, credit monitoring and identity restoration services for affected individuals. Third-party coverage is also available.

HSB's Identity Recovery coverage protects small business owners from identity theft and fraud. It is not limited to out-of-pocket expenses, but also offers services to help ID fraud victims restore their credit records and pre-theft status.

These products are added to the commercial insurance policies of other insurance companies that partner with HSB, and to HSB's Freestyle Advantage equipment breakdown coverage, which is available directly through agents and brokers in the United States.

The service components of HSB's data breach coverage are extremely important, since smaller businesses have to meet specific legal requirements in most US states. Forty-six states, plus Puerto Rico, the District of Columbia, Guam and the US Virgin Islands, require that individuals be notified when their personal information is breached. Consumers, meanwhile, have come to expect that a business will provide services to help prevent identity theft and fraud.


Physical versus non-physical damage due to cyberattacks

A general malware attack is directed against numerous computer systems with the aim of causing the greatest possible damage. A targeted attack, on the other hand, is directed against a specific company, institution or country. The computer worm Stuxnet is one example of such an attack: it was specifically designed to attack Siemens management systems and for the first time successfully caused physical damage to property.

This distinction between physical and non-physical damage is important for insurers. In all IT scenarios and first-party IT/cybercovers, the loss trigger, i.e. the cause of loss, is always non-physical damage. The disappearance, non-availability, blocking or manipulation of data is sufficient to trigger a loss. In the case of physical damage, on the other hand, the insured object must normally have been exposed to chemical or physical influences due to fire, flooding or an earthquake, for example. Most property covers are based on the concept of physical damage. If viruses causing physical damage and thus triggering a loss under regular property covers become more frequent in the future, insurers and reinsurers could be faced with a considerable accumulation problem.

Risks: Computer viruses capable of causing physical damage could result in a serious accumulation problem for insurers and reinsurers.
Policies affected: Property (physical damage)

Cyberwar

Cyberwar is a special type of cyberattack. The fundamental question is: when does a cyberattack become an act of aggression? Do virus attacks by bugs such as Stuxnet or Flame fulfil the criteria? For insurers, it is important that the facts be clarified, particularly from the point of view of whether clauses excluding acts of warfare or terrorist attacks should apply.

Even the question of which law applies when defining cyberwar cannot be answered satisfactorily. In most cases it is impossible to determine who was behind attacks such as those with Stuxnet or Flame, what triggered them, how the war is being conducted and where exactly it is taking place. At NATO's Cooperative Cyber Defence Center and the International Red Cross in Geneva, as well as elsewhere, experts on international law from around the world are currently debating the question of whether ordinary international law could also be applied to cyberwar. What the signatories to the Geneva Conventions and their additional protocols had in mind when wording their agreements was armed conflicts, not the invisible methods of attack permitted by the internet. NATO experts are currently working on a Manual of International Law applicable to Cyber Warfare.

The US published a document entitled "International Strategy for Cyberspace"² in May 2011. It sets out guidelines and instructions for action to be taken by the country to counter web-based threats in the future. The strategy states that: "States have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace. Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country."³

US Defence Secretary Leon Panetta has also expressed concern over the possibility of a major cyberattack against the country and its critical infrastructure. As a result, the 2012 budget for military research into cyberwarfare was almost doubled, with research focusing in particular on so-called offensive force.⁴

Risks: Cyberattacks may be deemed acts of war; infrastructure failure
Policies affected: Property and liability insurance

² Source: http://t3n.de/news/cyberwar-usa-drohen-hackerangriffenmlilitarschlag-310608/
³ Source: http://arstechnica.com/tech-policy/2011/05/us-warns-ofmilitary-response-to-severe-cyberattacks/
⁴ Source: http://securityaffairs.co/wordpress/6470/security/uscyber-warfare-budget-cuts-and-shortage-of-cyber-experts.htm


Figure: Interactions between IT trends
Elements shown: technical development and interconnection; modern infrastructure; globalisation; non-malicious events and failures; cyberattacks; regulatory compliance law; cloud computing/outsourcing; cultural change
Legend: trend, event; strength of influence: low, middle, high

Impact of operational disruptions In addition to deliberate attacks, operational disruptions pose a major loss potential for complex, vulner able IT environments, especially when they affect networked infrastructure. Such disruptions can be caused by events such as fire or natural hazards like snow pressure, windstorm, hail, earthquakes, volcanic eruptions or flooding. However, IT operations may also be brought to a standstill through human error (such as configuring complex IT systems incorrectly), as well as through faulty processes or systems generally. The danger for insurers and reinsurers is that this can trigger additional claims above and beyond those normally associated with natural catastrophes. Future of IT Important trends The trends outlined below have not yet become established, be it on account of technical limitations or lack of cultural acceptance. Despite this, they should be monitored so that existing covers can be adapted as necessary and/or the associated business opportunities seized.

Intelligent hardware, equipment and/or assistants may one day be capable of continuously interacting with humans and taking over certain functions, especially in a personal environment. These systems would analyse people's behaviour and use their results as the basis for autonomous decision-making. As humanoid robots, these machines might be able to take over routine tasks not only in hotels or nursing homes, but also in private houses. It should be borne in mind, however, that robot malfunctions might also cause damage. What is more, being nursed by robots, machines devoid of life, could heighten patients' feelings of loneliness and thus undermine their emotional well-being. The trend toward automating human actions and activities is also reflected in autopilot systems and unmanned aerial vehicles (UAVs). Here too, malfunctioning components or systems could cause considerable damage; UAVs have been known to get out of control and crash.


Cyberware, that is to say implants that merge man and machine, still belongs to the realm of science fiction. One day, however, such implants might become much more than merely prostheses replacing a human function. They might instead supplement the human body with additional functions. A person's brain, for instance, might be connected to a computer in order to control processes by thought. Nerves might be connected to neural networks in order to move artificial limbs. Some bold visions even foresee the possibility of interlinking people's brains so that they can communicate without speaking. Just what impact such developments might have on society (e.g. dividing it into normal and enhanced human beings) or on the insurance industry cannot be foreseen at present.

Risks: Intercommunicating machines, humanoid robots
Policies affected: Will not become clear for some years to come.

Interactions between IT trends

IT trends and developments not only have a direct impact on their respective environments, but also reinforce one another. The diagram on the previous page illustrates the close links between IT trends and disruptions such as cyberattacks and system failures. However, it is not always possible to define the various factors clearly or to determine the extent of their influence on one another (low, middle or high) precisely.

Our experts

Doris Mühlmann-Burger, Munich Re, Munich, Corporate Underwriter Property, dmuehlmann-burger@munichre.com

Heidi Anneliese Strauß, Munich Re, Munich, Risk Manager Emerging Risks, hstrauss@munichre.com


Industry

Protection, strength, business success


Insurance is more than just financial protection. August Pröbstl explains how having the right insurance cover can give companies a real competitive edge.

August Pröbstl has been Head of Corporate Insurance Partner since 2009.


Topics Risk Solutions: Mr. Pröbstl, what makes a good industrial insurer?

August Pröbstl: From a client's perspective, the insurance should protect a critical asset, thereby enhancing its value. However, at Munich Re we are not content with this alone. Our Corporate Insurance Partner unit, where we pool our industrial know-how, has set itself the additional target of helping our clients to increase their sales and profitability.

How do you achieve that?

Broadly speaking, we strengthen the insured's business model from a risk standpoint. In some cases, we also assist by reviewing the risk landscape and models. Thus, we improve our clients' financing opportunities and provide an advantage perhaps not otherwise achievable. You can read some examples illustrating this approach in the text inserts alongside this interview.

Insurers are often criticised for not being innovative enough to meet the needs of their clients. Is there some truth in that?

In the past, traditional insurance products have indeed been an excellent solution. However, that has changed. Today, many of our clients operate in a highly challenging market environment marked by globalisation, changing attitudes and new technologies. Clearly, this also produces new risk scenarios. And this is what we need to be prepared for.

Is this a major problem?

I wouldn't describe it as a major problem; it is more of a challenge. The executive levels at client companies keep telling us that for them insurance is purely a cost factor. Our product is perceived as being reactive in nature and essentially a burden on their balance sheets. It is thus declining in importance for corporate clients. What they get is a promise to pay should something happen. However, that alone does not appear to be enough to make our product attractive in the eyes of industry's decision-makers. Companies expect more in the modern business environment.

What can insurers do to enhance their product appeal?

A lot. At Corporate Insurance Partner, we can offer our industrial clients customised insurance solutions that support them in their negotiations with the investors and banks that finance their growth. This is also true of the growing requirements of regulators and rating agencies. In short, insurance needs to be an enabler of our clients' businesses, proactive in function and able to improve their profitability. This requires a creative mindset.

What makes you so sure that industry needs this type of business-enabling insurance?

It is a trend we have been observing for quite some time now. Of course, not all clients believe they need insurance as a business enabler. But more and more risk managers are thinking about how insurance can optimise their risk management practice and added value. This leads to a much broader view of risk mitigation and transfer mechanisms, and ultimately that is where the wheat is separated from the chaff. Insurers need to constantly develop to raise the quality of their intellectual property and keep up with the various changes affecting clients. This in turn means investing more in human capital and research capabilities, and increased insurer capital requirements. At Munich Re, we aim to be at the forefront of this development by combining our excellent know-how with our financial strength and solidity. We need to perform well both in traditional business and in areas off the beaten track, so to speak.

Being a business supporter/improver

A client asked us to assess a plot of land it was thinking of buying to establish a distribution centre. Our analysis found it was susceptible to flooding. Based on this, the client decided against purchasing the land and this saved the company from a future potential loss, which could have had manifold impacts on its business continuity management, financials, etc.

You have called for creativity. However, many types of insurance are heavily standardised, for example property business. Is creativity even possible in some traditional areas?

Granted, there are some lines where creativity and innovation are difficult to introduce on a day-to-day basis, but there are sound reasons for this. In property, the market has developed over the years towards uniform insurance conditions. The advantage of this is that it is possible to corral the substantial capacity our clients seek. This is especially true of catastrophe exposures. It is therefore important to commoditise for marketing efficiency. But it is not conducive to innovation. In fact, innovation is only one ingredient in the value recipe. The true measure of insurance value is its impact on a client's business and how it supports our clients' value creation, irrespective of whether it is traditional or innovative.


What special contribution can Corporate Insurance Partner offer its clients in such an environment?

Commodity products are usually about price and market share, but value and price are not the same. Corporate Insurance Partner has a streamlined structure in which expertise and know-how play a major role. We are not focused on market share but geared to understanding our clients' risk landscape and the key drivers as they change. Through insurance we can drive the business success of our insureds.

Can you give us a concrete example of this?

At our London office, where all lines of business and the full suite of solutions transacted by CIP are represented in the world's largest insurance market, it is key for them to stand out from the competition they face. We see our role as more about being a business supporter and improver in traditional lines. For example, in property the added value is our risk management culture and we look to support and hopefully improve our clients' abilities to assess and mitigate their risks. We achieve this through the delivery of expertise such as loss control engineering or the evaluation of supply chains. Many clients also appreciate Nathan Risk Suite, a tool which includes a natural catastrophe risk mapping functionality.

What about long-tail liability?

In liability, the market is also trending more towards commoditisation. Anyone that focuses solely on market share in an environment like this runs the risk of becoming embroiled in a destructive price war. This is definitely not our approach. Instead of mass products, we focus on risk solutions that exactly match our clients' needs. We do not limit ourselves to particular industries but service all sectors. Munich Re has the expertise and technical know-how of a leading global risk carrier, which enables us to accurately assess risks and the potential effects of coverage on the client. Clients benefit from this, for example through greater contract certainty.

Enhance financing capabilities

We are known for our performance guarantees in the renewable energies field. These have proven to enhance sales and profitability for our clients, whether for manufacturers or operators of large solar parks, because the insurance is viewed as a credibility determinant of the insured's technology due to Munich Re's reputation for engineering expertise. In some ways, customers of our clients now regard our policy as a form of quality standard as well as a sales enhancer and thus a true business enabler. Also, the business enablement of our policy has led to the increased bankability of the insured with its own financial institutions.

Protect a critical asset

Critical assets come in many forms depending on such things as industry, geography and legal climate. Obviously, physical assets can be critical, but today intangible assets are also extremely important. Intellectual property, cyberrisks and reputation are just three that come to mind that can have a serious impact on an insured's business if not comprehensively managed. CIP does provide insurance in these areas, but it is done in a partnership with the client. For example, we established such a partnership with Microsoft Corporation regarding a new area of business for them whereby both parties worked together in understanding the risk, developing rating models and ultimately sharing the risk in a jointly designed solution.


Business enabling is our ethic


Corporate Insurance Partner's business-enabling ethic permeates throughout the life cycle of an insurance policy, from the initial exploratory discussions until the last claims cheque. Sometimes, this involves taking initiatives that may not necessarily be part of normal business practice. In October 2012, our Corporate Insurance Partner colleagues in the USA had the latest opportunity to illustrate why this is an integral part of CIP's cultural fabric. It all started days prior to super storm Sandy striking the US eastern seaboard. Our CIP underwriters, engineers and other experts used their collective experience to help identify which clients would be in Sandy's path, contacting them and explaining at length what action they should take to ensure they would be up and running as soon as possible after the catastrophic event hit. These efforts continued in the aftermath of the storm with our engineers visiting our clients.

Highlights
As Sandy approached the US eastern seaboard, Munich Re's offices in Princeton and NY faced their own issues from the impact of the storm and had to take various measures to cope. The lack of power at our offices and our colleagues' homes meant that many Corporate Insurance Partner staff in affected areas were working remotely from their cars to keep their Blackberrys charged, and from Munich Re's designated Princeton hot spot to assist clients.

Understanding that insurance is about a promise and associated obligations, our CIP colleagues in the US took it a stage further by:

- Surveying the list of clients that were geographically located in the area where the storm could potentially hit.
- Utilising the predictive modelling capabilities of our Munich Re Cat Management team, including local US expertise, to identify specific clients who could potentially be affected.
- Working with our sister company HSB and distributing checklists to our clients to support them in how to prepare for the oncoming natural catastrophe and minimise losses from the storm.
- Identifying the needs of our clients after the event and then taking action to assist. This involved the unusual step of connecting clients with each other to exchange ideas on how to cope and keep their businesses running. It also included one of our Princeton-based underwriting engineers driving to lower Manhattan to advise major clients like the Port Authority of New York and New Jersey on managing the flooding at the WTC site.
- Lastly, working closely together with the claims department and adjusters to make sure claims are paid promptly and fairly to get clients back to business as soon as possible.

Hurricane Sandy also left a trail of damage on the New Jersey coast.


What do you think are the key qualities of enablement through insurance?

Insurers need to invest significantly in research and development. We have talked about just how much the client's environment is changing and with it the requirements of new risk solutions. Confidence in the insurer's financial strength is also crucial. High net capacity is very important for clients. At Munich Re, we invest in these qualities and continuously build upon them. However, our greatest asset is that we can combine what we learn from our clients with our expertise, imagination, high net capacity and superior financial credibility.

Provide an advantage perhaps not otherwise achievable

The management of a pharmaceutical company recognised the impact to its business model of the potential costs of a production site closure, whether its own or a supplier's. Such a risk is not commonly insured in the traditional market. The client wanted to retain the risk in its captive, but had no rating basis and it was also concerned about the potential size of loss. We provided a risk-sharing solution that allowed the captive to insure and retain the risk coupled with an additional tower of protection to transfer the portion the client decided to mitigate by way of risk transfer. Such an integrated solution resulted in a building of knowledge, capability and capacity, a combination perceived by the client as a true competitive edge.

The enabling method


Industries and markets are changing rapidly today due to the increasing velocity in which events and information impact business. Consequently, it is vital to keep up to date on our clients and brokers to ensure we fully understand them and their challenges. Also, it is important that we make sure they are aware of ours. This may seem obvious, but all too often subtle changes can be occurring that are not easily noticeable. Only finding this out at the time of negotiating a contract (or, worse still, after), is almost certainly too late. Therefore, part of business enabling is how an insurer delivers its products and solutions. The method is as important as the instrument itself.

As a leader in its field, Corporate Insurance Partner's Energy Department places significant emphasis on this. Regular surveys with brokers are carried out that ask the following specific questions:

- Do we fully understand the client's and broker's value chain?
- Are we responding effectively to the client's and broker's needs?
- Do we show an appreciation and understanding of the client's and broker's ideas and changes in business situations?
- Are we concentrating on the essentials and setting meaningful priorities in the business relationship and therefore making clear decisions?
- Do we deliver comprehensive and qualified knowledge to the client and broker?
- Are we openly cooperating to optimise results?

The feedback from the surveys then allows us to benchmark and, by examining ourselves in this way, look to perfect the enabling method and enhance the value for all.


You want to minimise risks and safeguard your innovation capacity?

Risks are becoming more complex, and new risks are constantly emerging. Companies increasingly need a strong partner to help minimise their risks and safeguard their financial and innovation capacity. Our operating field Risk Solutions will develop an individual and customised insurance solution for you. Our clients benefit from our experience, commitment, and innovative drive. You can find the right contact partner quickly and simply with our Risk Solutions Quickfinder at www.munichre.com/rs.

Not if, but how


column

economics from a risk perspective

The future of the euro: Can we learn from the USA?


Dr. Michael Menhart, Head of Economic Research at Munich Re mmenhart@munichre.com

Events seem to keep following the same pattern: first, one of the financially beleaguered countries in the eurozone comes perilously close to insolvency. Then the other eurozone countries squabble among themselves and with the International Monetary Fund (IMF) over what action to take. In the end, they agree to yet another bail-out. Critics of these bail-outs like to cite the United States as an example. No one panics in the US when one of its states declares a financial state of emergency, as happened with California in 2009. The others do not rush to the rescue with overnight bail-out packages. Could we not follow their example here in Europe?

Unlike the eurozone, however, the United States has the structural conditions in place to survive the bankruptcy of one of its states without this leading to major upheavals. This is partly due to the American people's much greater mobility. Every year, 2.4% of the population move from one state to another. Almost two million people used to live in Detroit when it was America's motor city. Today, it has a population of just 900,000. Though this is most certainly a blow for the region, the consequences for the city would have been a lot worse had people stayed there without any hope of finding new jobs. In the EU, cross-border migration totals no more than 0.3% per year.

Another aspect is the fact that all US states are aboard the mother ship of the United States of America. They cannot sink, even when bankrupt. Federal grants, i.e. money from Washington, account for over 30% of the states' income. Around 80% of the US sovereign debt is accumulated at federal level. Even if a state becomes insolvent, the public infrastructure remains untouched, at least in its basic form. The people living in a US state would feel the pinch of a state bankruptcy much less than their counterparts in a eurozone country.

Europe needs more political integration


We Europeans could say: So what? If national insolvency is such a painful business, then surely this gives governments all the more reason to look to their finances. Do we have to rescue debt-ridden countries with our taxpayers' money? However, there is also another very important aspect to consider: the USA is not only a currency union, but also a political union. If the state of Alabama were to become insolvent, no one would need fear the prospect of it withdrawing from the US dollar currency union, let alone the USA as such. No one would be afraid that Alabama might be the first of several states to break away from the economic and currency union. The risk of a contagion effect is the biggest problem facing the eurozone. If Greece were to leave the eurozone tomorrow, thus throwing open the door, this could diminish confidence in other ailing countries' continued membership and subsequently destabilise the entire eurozone.

Does that leave us eternally open to blackmail? No, for even in the eurozone, individual countries must be allowed to become insolvent. This is only feasible, however, if such an insolvency can occur without the overall architecture of the currency union being called into question. We do not need to become the United States of Europe to achieve this. But Europe does need more political integration than at present. More Europe and the direct responsibility of the individual countries are therefore not mutually exclusive: they are essential for a currency union.


Preview of issue 2/2013


Bridges without hitches
Building a bridge like this requires a comprehensive risk management programme. But even then, a construction project of this scale still involves many factors that could jeopardise scheduled completion. Tailor-made insurance covers offer protection against the financial consequences of such delays.

You can also subscribe to Topics Risk Solutions as an e-mail newsletter at www.munichre.com/trs/en/newsletter

© 2013 Münchener Rückversicherungs-Gesellschaft
Königinstrasse 107, 80802 München, Germany
Tel.: +49 89 3891-0
Fax: +49 89 399056
www.munichre.com

Responsible for content: Group Communications

Editor: Regine Kaiser, Group Communications (address as above)
Tel.: +49 89 3891-2770
Fax: +49 89 3891-72770
rkaiser@munichre.com

Picture credits
Cover: iStockphoto
Inside front cover: Robert Brembeck
pp. 1, 2 left: Shutterstock
p. 2 middle: picture-alliance/Design Pics
p. 2 right: Hartford Steam Boiler Inspection & Insurance Co.
p. 3: NASA
p. 4: Getty Images/Fuse
p. 10: Getty Images, Danil Melekhin
pp. 14, 16: Gerhard Blank
p. 17: Reuters
p. 19: plainpicture
p. 20 illustration: Kevin Sprouls
Inside back cover: Shutterstock, Karin Hildebrand Lau

Editorial deadline: 2 January 2013

Printed by: Color Offset GmbH, Geretsrieder Strasse 10, 81379 München, Germany

Corporate Insurance Partner
CIP offers holistic insurance protection for industrial and corporate clients throughout the world. The portfolio includes coverage concepts for property, energy, engineering, casualty and special enterprise risks.
www.munichre.com
corporate-insurance-partner@munichre.com

Hartford Steam Boiler
Leading monoliner and inspection company for engineering risks. Apart from engineering covers, its range also includes specialty and engineering solutions, claims management and risk management services.
www.hsb.com
Tel.: +1 800 472-1866
Customer_Solutions_Center@hsb.com

KA Köln.Assekuranz Agentur GmbH
Internationally operating underwriting agency for industrial risks, specialising in marine and group accident insurance.
www.koeln-assekuranz.com
Tel.: +49 221 39761200
info@koeln-assekuranz.com

Temple Insurance Company
Temple Insurance Company underwrites large industrial and risk management accounts. Our Technical and Special Risk Department provides property-casualty products directly through the Canadian broker network.
www.templeinsurance.ca
Toll free (North America): +1 877 364-2851
Tel.: +1 416 364-2851
Fax: +1 416 361-1163

Watkins Syndicate 457
Lloyd's biggest marine insurer with an extensive portfolio of solutions for accident and health, liability, cargo, marine and logistics, offshore energy, space flight, and yachts. The Watkins Syndicate operates its own department for terrorism risks.
www.watkins-syndicate.co.uk
Tel.: +44 20 78863900
info@mrunderwriting.com

Order number 302-07703
