Monthly Archives: June 2015

Affordable Care Act Survives (Again)

affordable_care_act

The U.S. Supreme Court has spoken on the highly anticipated King v. Burwell case.  Subsidies are legal in all 50 states, rather than only in the states with their own insurance exchanges.  The political debate continues and the Justices will receive criticism/praise (depending on one’s personal viewpoint) for having upheld the universal subsidies implementation of the ACA law.  This ruling seems to contradict the plain language of the law and the evidence that the language was intentionally written as it was to coerce the states into setting up exchanges.

Ironically, the Supreme Court found in 2012 that the federal government could not coerce the States into expanding their Medicaid programs under the ACA.  I can’t help but wonder if that specific ruling played into the Court’s ruling on King v. Burwell.  Stay with me… If the court had found that the plain meaning of the ACA language and the evidence (as provided by Gruber) suggested that subsidies were limited only to States setting up their own exchanges, then the Court would have to say that the federal government was once again attempting to coerce the States.  And since it already ruled once that the federal government could not coerce the States on Medicaid expansion, would it not then have to say that the subsidy/exchange coercion is also illegal and thereby throw out the subsidies entirely… in all 50 states regardless of exchanges?

If you follow and buy into my logic, then the Supreme Court Justices (most notably Chief Justice Roberts and swing vote Kennedy) were choosing between upholding the imperfect law as is, or a significant rebuke of the ACA’s subsidy system that would have left them with a glaring inconsistency with their 2012 ruling on Medicaid expansion, or a complete destruction of the ACA law by revoking all subsidies.  Given those choices, I’m not surprised that Roberts and Kennedy chose the first option.  The SCOTUS is not supposed to be political or partisan, but they are human.  I don’t believe that Roberts and Kennedy were comfortable with any of the choices other than upholding the subsidies, despite the statutory language and clear intent of the law’s architects.

Another effect of this ruling could be a further centralization of the U.S. health care system at the federal government level – an outcome that is likely fine with the Obama administration’s single-payer acolytes.  The New York Times suggested that the ruling removes a primary reason for States to establish and operate health care insurance exchanges, so many States may just let the Feds takeover the entire process.  Another bit of irony since that reasoning further supports the notion that the law’s intention was indeed to condition subsidies on State-run exchanges.

The political battle over the ACA will continue for years to come.  For now though, the significant legal challenges that might upend the law seem to be exhausted.  From an insurance perspective, it seems to me that it’s time we all accept the ACA as settled law, for good or for bad, and figure out how to best live with it.  And if you happen to believe that the law includes provisions supporting “death panels” then this may be easier said than done.

Advertisements

Wanted: Cyber Insurance

wanted-cyber_insurance

Staying with the theme of last week’s post – which was an exercise in exasperation over the ongoing stream of high-profile data breaches – I decided to examine the insurance industry’s readiness/appetite to respond to this risk.  My conclusion?  The demand for cyber insurance is clearly surpassing the available capacity for such coverage.  That conclusion certainly isn’t a surprise to anyone, and the reasons given for limited cyber insurance capacity are logical.  Nevertheless, your humble blogger senses that there is reason to be concerned that the nascent cyber insurance market may not develop as risk managers hope and expect.

Insurance Journal reports that there are just a few insurers cautiously wading into the cyber insurance market at this time, and that their offerings are limited by policy exclusions and low limits of insurance.  Insurance buyers are seeking far more coverage than the insurance industry is ready and able to supply at this time, reportedly because the actuarial data is insufficient to properly model cyber risk and to price the risk appropriately.  More time and data is needed, experts say.  Red flag alert.

Underwriting more conventional risks such as property losses caused by fires and storms, or liabilities for slips/falls, will clearly benefit from mounds of historical data.   Fires, storms, and slip/fall hazards present relatively stable risks.  One can argue the nuances, such as improvement of flooring technology to reduce slips/falls, and better fire protection systems, but the inherent nature of fire, slips/falls, etc. are fairly constant.  Personally, I am not convinced that the cyber actuaries and underwriters are going to find anything close to a stable risk model for the cyber risk insurance products they are working on.

If we have learned nothing else over the past 20 years, we have learned that “internet time” passes by very quickly.  Just as we become comfortable and proficient with the latest technology, obsolescence sets in.  In my past life as a software developer, I spent a fair amount of time with my fingers in source code and I know just how quickly those coding skills atrophy simply because of the swift passage of time that brings about new software tools, methods, and insights.  The basis of many cyber risks is in the billions of lines of source code throughout our systems.  It stands to reason that just as the insurance industry grows comfortable with the cyber risk threat from an actuarial and modeling perspective, the target will have moved as the software and systems rapidly evolve – frequently with insufficient time to harden and protect the code from the creative attacks of hackers.

There should also be some concern over the extent to which cyber risk is or is not an insurable risk according to the textbook definition.  The insurance industry functions best when the law of large numbers can work across a multitude of similar exposure units, and when losses are independent and not catastrophic.  Geographic concentration of a book of business without adequate reinsurance in hurricane-prone locations has killed some insurance carriers in the past.  What might a particularly nefarious and unanticipated piece of viral source code do to the Fortune 500 and their cyber insurers if it proliferates through a common and previously unknown code vulnerability in common platforms such as Oracle databases or Cisco routers?

Cyber insurance is in great demand, and the headlines provide witness to why this is so.  The unanswered question remains, to what extent can and will the insurance industry have the capacity to meet this demand or will alternative risk management techniques be forced to fill the gap?  The cyber insurance market may well be even more challenging than the terrorism risk insurance market.

We live in interesting times.

Another Day, Another Data Breach

hacked

It’s no wonder that the cyber risk sessions at April’s Risk and Insurance Management Society Annual Conference were standing room only.  We’ve just learned that as many as four million people’s information has been breached on government computers.  This comes on the heels of an IRS admission that 100,000 taxpayers may have had data from past tax returns stolen.  These instances prove that even our government is far from immune to the dangers and failures that have plagued the likes of private sector giants, Target, Home Depot, and Anthem Health.

I don’t have a particular statistic to cite, but my fear is that we are seeing only the tip of the “data insecurity” iceberg.  How many small breaches of far less secure databases are occurring for each one of these high-profile, high-stakes breaches?  Even if there are not a multitude of smaller breaches occurring, the aforementioned highly visible breaches cast a pretty wide net.  I have no indication that I or my family have been caught up in the federal government’s latest data breaches, but between my wife and I, we are receiving complimentary identity protection services as a result of links to all three of the aforementioned private sector hacks: Target, Home Depot, and Anthem.

Perhaps the larger question should be (spoken with utter exasperation), “What in blazes is going on?!”

The explosion of the internet in 1990s ushered in an era of exponential connectivity and information sharing, which is generally a good thing.  Unfortunately, it seems apparent that the rapid expansion of connectivity has outpaced our ability to protect the valuable data that naturally results from all of this connectivity.  In our rush to automate and connect everything (and to benefit from the incredible productivity and wealth growth that results) have we put the proverbial cart before the horse?  Or is it just a fact of our new digital life that our vast connectivity of devices and databases means that data is going to be at risk to some extent no matter what we do?

No matter how these questions are answered, risk management and insurance are both going to play integral roles in the cyber risk world.  It looks to me like we’re in the midst of a “Wild West” sort of era – and my concern is that there is likely to be a shoot-first-ask-questions-later approach to our data systems and our risk management processes.  That tends to produce considerable collateral damage.