The purpose of most actuarial methods is to estimate ultimate losses, or total losses, for a particular accident period. Once an estimate of the ultimate losses is determined, outstanding losses or required reserves are easily calculated by subtracting the paid losses from these total losses.

Almost all actuarial models rely on loss development patterns, or how reported and paid losses are expected to grow through time. Actuaries build loss development triangles to analyze these growth patterns. The assumption behind loss development patterns is that future losses will grow in a manner similar to the way that past losses have grown.

The loss development method is a very common method seen in actuarial reports. Suppose I am at a football game and my team scores 20 points in the first quarter of the game. One estimate that I can make of my team’s total score for the game is 80 points (4 quarters x 20 points). This is very similar to the loss development method which takes the reported or paid losses and simply multiplies them by a growth factor to estimate ultimate losses. The weakness of this method, as seen by my estimated total score of 80 points, is that it is subject to huge variability depending on how much is reported or paid in a very short period of time. As the accident period ages, however, this method becomes more stable.

The Bornhuetter-Ferguson method is another method often utilized. It addresses some of the volatility concerns seen in the loss development method for immature accident periods. Suppose again that my team has scored 20 points in the first quarter of the game. I know that my team averages 28 points a game. Another way I can estimate my team’s total score for the game is to take the 20 points my team has already scored and add 21 points, or ¾ of my team’s average score of 28 points (for the 3 remaining quarters), to get an estimated total score of 41. This seems like a much more realistic estimate of my team’s total points. This is similar to the Bornhuetter-Ferguson method which combines the reported or paid losses to date with an estimate of the unreported or unpaid losses. The estimated unreported or unpaid losses are based on a forecast estimate of total losses and the growth patterns observed in the loss development triangles.

The expected loss method is another possible technique. In my football example above, my team averages 28 points a game. I can estimate that they will score 28 points today, even though they have already scored 20 in the first quarter. The expected loss method relies strictly on the experience from past accident periods and is most likely only useful for a very immature accident period.

Because most actuarial methods rely heavily on assumed growth patterns, it is important that your actuary look at your specific growth patterns and not just rely on industry sources. Even if you don’t have a huge volume of losses, information can be gleaned from these patterns that will assist in making a more accurate estimate of ultimate losses for your entity. I think I may put together a “point development triangle” for my team to assist with my in-game estimates of total points instead of assuming they will increase evenly over time!

Everyone wants vaccination rollout to be going faster, but we are making great progress here in Dane County, Wisconsin.  We have more people vaccinated against COVID-19 than we’ve had people who have tested positive. It took us about a year for about 38,000 Dane County residents to test positive for COVID-19. In just over six weeks of having vaccine available, 56,798 Dane County residents have been immunized with at least one dose of vaccine. That is just over 10% of our population. Nearly 29% of Dane County residents 65 years old and older have at least one dose of the vaccine.

Vaccine supply is still very limited here and, therefore, some groups have been prioritized over others.  At this writing, the groups eligible for the vaccine in Wisconsin are: frontline healthcare workers and long-term care facility, fire and police personnel, EMS staff, and people who are 65 years old or older  We anticipate the following groups will become eligible for the vaccine in March:  educators and child care workers, individuals enrolled in Medicaid long-term care programs, some public-facing essential workers (like food supply, public transit, utility and communications infrastructure, and 911 operators), non-frontline health care essential personnel, congregate living facility staff and residents.  We do not expect the vaccine to be available to the general public until late spring.

Dane County partners with the City of Madison to operate Public Health- Madison Dane County. PHMDC is continuously collecting information from employers and other organizations who employ staff who might soon be eligible for the vaccine.  When it is time for a group to be vaccinated, PHMDC will contact these organizations with instructions on how their individual staff member could register for a vaccination.  Here is a link to a video on what folks who are getting a vaccine through Dane County should expect:

https://www.publichealthmdc.com/coronavirus/covid-19-vaccine

Until a much larger percent of the population is vaccinated, wearing a mask remains one of the most effective things that government employees can do to protect themselves and their loved ones. Now is a good time to remind employees to be sure their masks are meeting all of CDC’s recommendations. A lot of people have been talking about wearing two masks, but the CDC has not made any official recommendation about that.  Rather, the CDC recommends:

• Non-medical disposable masks
• Masks that fit properly (snugly around the nose and chin with no large gaps around the sides of the face)
• Masks made with breathable fabric (such as cotton)
• Masks made with tightly woven fabric (such as fabrics that do not let light pass through when held up to a light source)
• Masks with two or three layers
• Masks with inner filter pockets

The CDC does not recommend:

• Masks that do not fit properly (large gaps, too loose or too tight)
• Masks made from materials that are hard to breathe through (such as plastic or leather)
• Masks made from loosely woven fabric or are knitted, such as fabrics that let light through
• Masks with one layer
• Masks with exhalation valves or vents
• Wearing a scarf or ski mask as a mask

Here’s a visual that we shared with our employees:

https://publichealthmdc.com/images/cdc%20mask%20recommendations.PNG

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

Medical marijuana use continues to be a point of controversy, both in the medical and legal communities. In order to understand why, we need to clearly distinguish between two different issues: one is if society at large is ready to decriminalize marijuana, and two, the need for medical marijuana. This article will focus only on its relevance to medical use.

It has been used for thousands of years and has been considered a “light” drug compared to heroin, crack or heavy narcotics.

Marijuana is also called cannabis and it includes three main substances: THC, CBD and CBN. There are cannabinoid receptors all over the body that affect appetite, pain sensation, mood and memory. The “high” sensation comes from CB1 receptors in the brain by THC, mainly dopamine release.

There are three types of plants that produce distinctive effects:

1. Indica – more CBD or “downer”
2. Sativa – more THC or “upper”
3. Endless hybrids

It can be dispensed in multiple formats:

1. Inhaling – more traditional, faster action - 30-60 minutes, better titration
2. Edible – brownies, candy – slower action but longer effects, difficult to titrate
3. Topical – oils, etc.

At this time:

1. Dispensaries do not have strict quality control due to the ongoing development of new strains with unknown potency and effects.
2. The vast majority of clients have pain-related complaints and some have addiction issues that are a contraindication for marijuana use.
3. Some products have questionable and variable amounts of THC and CBD.
4. Doctors do not “prescribe” marijuana, but authorize “permits” for use and possession (ASAM).

Use comes with risk:

1. Marijuana has moderate dependency potential, lower than alcohol and narcotics, but higher than LSD or Mescaline. The potential of it being lethal is low, but so is the potential for LSD being lethal. (Gable 2006).
2. Its side-effects include addiction/withdrawal symptoms, cannabis associated psychosis, memory issues, weight gain, sleep disturbance, alteration of time perception, amotivational syndrome and hyperemesis. (Greydanus 2013).
3. Seth Ammerman from the American Academy of Pediatrics says: “Teens who use marijuana regularly may develop serious mental health disorders, including addiction, depression and psychosis.”

Until recently, the use of marijuana to treat patients had not been brought to light by the medical community. Although initially used to treat gravely ill patients, medical marijuana has been used in the last few years to treat general pain, glaucoma, and neurological and psychiatric issues.

Currently there are minimal studies available as medical marijuana is still classified as an illegal substance at the federal level. With more states legalizing medical and recreational use of marijuana and a current push to legalize it at a federal level, there is no question that medical marijuana use is here to stay. If the current federal legislation passes, more research will be needed to help clarify its use in the future.

As a result, employers need to take note and focus on the legal aspects of the medical and recreational use in each state and what work restrictions will be allowed federally and statewide.

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

Cybersecurity rests at or near the top of risk managers’ lists of concerns for 2021.  Remote work and online commerce have exploded due to the pandemic, and criminals have taken note. The FBI’s Internet Crime Complaint Center (IC3) online claims volume has nearly quadrupled since the beginning of the COVID-19 pandemic. Cyber insurance can mitigate the risk, but it is not a substitute for good security.

The Key Threats are Ransomware, Fraud and Malware

Local governments are among the favorite targets of ransomware. Atlanta, Baltimore and New Orleans have suffered attacks in recent years, with recovery taking weeks and costing millions. Many smaller towns, school districts and hospitals have been victimized.[1]

Ransom demands averaged $886,625 in 2020. Although the FBI and the US Conference of Mayors urge victims to refuse payment of ransoms, typically requested in Bitcoin, some have no choice.

“Ransomware-as-a-service” has further lowered the cost of entry for criminals, and ransom is no longer the only concern. Criminals now threaten to disclose confidential data, not just encrypt it.

Ransomware is not the only cyber threat, of course. Payment fraud schemes, which trick an employee to wire or send ACH funds to a hacker’s account, make up another large share of cyber claims, according to NetDiligence and Coalition studies. Upon discovery, the funds are usually long gone, and two innocent parties are left with a divisive financial dispute.

Malware and other direct hacks persist. We recently discovered that Russia malware is present on many sensitive government and business systems and it will not be easy to remove or fix.[2]

Cyber Insurance Can Give Protection  

Cyber insurance is a traditional answer to this growing risk. The global cyber insurance market is expected to grow more than 21% next year, and to reach $20.4 billion by 2025. Before the pandemic, cyber insurance rates were increasing by 4% to 5%.

Cyber policies can be standalone or packaged with other coverage. Organizations should no longer count on provisions in their general liability or errors and omissions coverage to apply. A federal district court recently declined to find E&O coverage for a $520,000 wire transfer fraud based on a theft exclusion in the policy.[3]

Buying a social engineering policy, however, is not a panacea. It may not cover claims brought by a third party against an organization duped by a fraudster. Gap analysis is crucial.  With the right coverage, an insurer may help negotiate and pay a ransom.

An Ounce or More of Prevention is Worth It

The risk can be insured, but as both claims and the cost of insurance grows, insureds must take it upon themselves to mitigate risk through prudent cybersecurity and privacy practices. Here are some key actions an organization can take:

Have an incident response plan and team in place. Require multi-factor authentication. Review your software patching protocols. Force password changes. Give employees the least privileged access needed for their jobs.  Keep a short leash on administrative privileges. Back up your systems – it is a lifesaver in case of ransomware.

Finally, train your employees and create a culture of awareness and security. People are an organization’s greatest cyber risk, and its best measure of protection.

[1] See 2020 Report at https://www.sungardas.com/en-us/ransomware-attacks-on-us-government-entities/

[2] See Solarwinds Alert at https://www.lathropgpm.com/newsroom-alerts-72615.html

[3] See decision at https://law.justia.com/cases/federal/district-courts/new-jersey/njdce/2:2018cv04131/369490/55/

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

You’re finally ready to set the date. You’ve got big plans to sell the home, buy that RV and travel across the country! You’ll be free to hit the open road in 12 months. But if you’re like many successful public risk managers, you have spent years building a valued and respected risk management program within your entity and you do not want to leave your “baby” in the hands of just anyone. How may an effective succession planning program help you?

Succession planning is a process that ensures your entity is prepared for the future and is able to achieve its goals without suffering a leadership shortage. Typically, the public sector has been behind the curve when it comes to its leadership training and development. The fact that the public sector faces the challenges of changing administrations, politics and priorities are all the more reason developing a strong, sustainable succession planning program is important.

Here is a brief guide to get you started:

1. Create an organized, voluntary leadership development educational program for interested employees. Focus on building leadership skills and performance rather than planning for a replacement. You will then be able to establish an entire pool of would-be replacements. Leadership development planning won’t just help you build a future for employees you consider to be promotable, but it will also expose the employees who aren’t promotable.
2. The employees with the highest potential will be those who are self-aware, socially aware and willing to keep learning. They’ll also be great problem-solvers, adaptable and able to take on more responsibility. Risk managers have to have great people skills and be able to multi-task gracefully. You have established important relationships with physicians, brokers, vendors and other internal managers. You want to see a smooth transition with your replacement.
3. Include job shadowing in your succession planning program that enables participants to have a hands-on opportunity to see what a risk manager encounters on a daily basis.
4. Make sure you have senior and line management buy-in. Remember to keep your legal team on board and to not subvert any personnel policies.
5. Do not groom an “heir apparent” without giving consideration to participants in the program but do not assume your pool of candidates are only those program participants.

You may discover great leaders within your organization when you least expect it. Perhaps you took notice of a pandemic response committee member who always volunteered and did their homework for meetings.

The best succession plans are living, breathing things that get reviewed and refreshed on a regular basis. Your leadership training should reflect what will be required of your key employees not only today but in the future.

There are many ways you can go about succession planning. The best succession plan is the one that fits your entity. The best successor for you is the person who has been given the tools to learn how to be a great risk manager and allow you to say farewell knowing your department and your organization will be left in safe hands.  You’ll be able to sleep well at night in that RV!

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

Global natural disasters continue to rise year over year, with 2020 totaling $210 billion of losses.

As the frequency of these events rises, it is critical to have a sound plan for managing through the cost recovery phase of a significant impact on your organization. Public entity insurance/risk managers have the unique challenge of clearly documenting, segregating then correctly assigning the claim costs to potential areas of recovery existing in both insurance and FEMA for the same event.

An essential item to remember in any complex claim submission is to be proactive from the start. Keep in mind, it is the organizations’ responsibility to present the claim and the receiving party’s responsibility to review and adjust it.

Also, even though FEMA may be “the payee of last resort” following the conclusion of an insurance claim submission, it is critical to start with a holistic claim submission that includes all of your insurance policy “buckets” or assumed areas of collectability as well as potential eligible FEMA categories that may apply.

Three additional items for consideration include:

1. Prepare a Rough Order of Magnitude of your loss within the first two weeks:

To have the full view of the potential loss put into context, be sure to prepare a summary identifying all areas of your loss with associated estimated or expected costs. For example, if there is building damage, obtain contractor estimates for repair to demonstrate the ultimate costs as you choose the vendor to commence. Or, if claim items are too early to quantify, such as business interruption, include the item as “to be determined” or “TBD.” This will help the adjuster and examiner consider the worst-case scenario, including potential future claim items as they set the insurance reserve.

2. Be sure to tell the claim story in narrative form:

Another critical component of the claim submission, aside from detailed costs submissions, is the inclusion of a narrative or summary explaining the timeline and reasons for each decision made and where/how they are connected to an area of coverage in the insurance policy and/or FEMA grant.  Often an organization misses the need to put a “story behind the numbers” in a claim submission, leading to confusion on what occurred.  Keep in mind a complicated insurance claim can take between 6-18 months to settle, so a detailed narrative recounting all pertinent facts is crucial to memorialize actions and context when the time approaches for a settlement.

3. Remember how cash-flow is key to fund your recovery:

Lastly, an effective claim presentation with proper insurance coverage can become a tool for cash-flow during a loss. Remember that the insurance claim doesn’t have to be paid only at the end of the process. The adjuster can release funds as items are agreed to and supported. As the organization proves damages through the adjustment process, ask for partial payments, always work to minimize the “undisputed amounts,”: and then ask for the money. This will help the organization maintain cash flow during the recovery process and ultimately speed up the phase for FEMA to reimburse eligible remaining cost items not paid through your insurance policy.

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

When it comes to employee injuries and illnesses, the intersection and overlap of state workers’ compensation laws with federal laws such as the Americans with Disabilities Act can present seemingly endless questions. While there are seldom easy answers, a basic understanding of these regulations is helpful in addressing employee needs and fulfilling employer obligations.

Workers’ compensation laws vary by state and are designed to assist employees who suffer a job-related injury or illness.  These laws ensure injured employees receive access to medical care and some degree of wage replacement for time off work due to the incident.

The Americans with Disabilities Act (ADA) is a federal law that prohibits discrimination against individuals with a disability. With respect to the workplace, it is designed to protect those who can perform the essential functions of a job with or without reasonable accommodation. Under the ADA, employers are required to provide reasonable accommodations to qualified individuals with disabilities unless doing so would pose undue hardship on the organization.

Complications and compliance issues arise when an employer is inconsistent or applies different approaches to occupational versus non-occupational injuries or illnesses.  For example, an opportunity to continuing working should be made available regardless of whether an employee strained their back restocking shelves at work or undertaking a weekend home improvement project.  Employer policies that require injured employees to be free of restrictions before returning to work are in violation of the ADA. Using a 100% recovery standard removes the opportunity for the employee to pursue reasonable accommodation.

A central element of ADA compliance revolves around the concept of the interactive process and how it applies to stay at work/return to work. The interactive process is a way for an employer to determine if an employee has a disability and if there are reasonable accommodations that can be made to accommodate the condition.  This typically consists of a conversation between the employer and the employee to address the injury or condition, potential restrictions or limitations, and whether an accommodation will likely be successful.

Employers must engage in the interactive process when they become aware that an employee has a disability or has requested an accommodation.  There may also be an obligation if the employer is aware or should have been aware that the employee has a condition that is causing problems with work.  Additionally, when an employee has exhausted all leave, whether related to an occupational or non-occupational occurrence, employers are obligated to initiate the interactive process.

One of the best resources employers can consult to illustrate how to conduct the interactive process is the Job Accommodation Network (JAN), a service of the U.S. Department of Labor.  JAN outlines the following six steps:

1. Recognize an employee’s accommodation request and acknowledge the duty to initiate the interactive process.
2. Gather the information necessary to assess the employee’s situation such as their job description, healthcare assessment, and any related job restrictions.
3. Explore accommodation options and what type of environmental accommodations could be made that would be helpful to the employee.
4. Choose an accommodation or ask an employee which of the identified accommodations is preferred.
5. Implement the accommodation and ensure it works as intended.
6. Monitor the accommodation to ensure it works effectively and be prepared to address new developments as they arise.

Managing workforce absence requests and accommodations is challenging. Occupational versus non-occupational injuries present unique complications and circumstances. Employers must remain informed on current laws and regulations while maintaining adherence to existing organizational policies and procedures.  Consistency is essential to ensuring compliance with overlapping state and federal regulations.  For more information, visit the Job Accommodations Network website www.askjan.org

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

I want to see mainstream autonomous vehicles (AVs), but I remain bearish about mainstream high-level autonomy.

My reasons for bearishness are not related to the technology that powers self-driving cars, or demand for AVs. Instead, it’s the systemic risk that wide-scale AV deployments create. What will change when we have numerous fully autonomous cars on the road?

Most of the commentary about AVs doesn’t consider second-order effects in their deployment so I’d like to start a discussion on that. (In this post I take high-level autonomy as a technological eventuality and assume a political climate that supports that.)

• Level 4: High Automation. Automated, but geographically restricted, dynamic driving even if a human driver fails to respond.
• Level 5: Full Automation. Unconditional, full-timer performance of all dynamic driving needs.

Many of the arguments for AVs are centered around safety and optimization. Those arguments are hard to disagree with if you are comfortable with change (again setting the tech and political issues aside). First, let’s consider safety. About 3,000 people die per month in the US from traffic accidents (a broader metric than just automotive deaths, but representative here). That 3,000 is a lot, and a number that the AV safety argument draws on, though the fatalities are lower per capita than most other countries. Still, how did we get to the number 3,000 in the US?

If we look at how automotive deaths have trended over the past 100 years, driving has become much safer, especially as measured by deaths per billion vehicle miles traveled (VMT). Chief causes of improvement: better roads, regulations, Ralph Nader-driven safety measures to the vehicles themselves, and fewer vehicle mismatches like fast cars and slow horses sharing the same road.

Those safety and infrastructure measures are not present equally around the world. In some places, traffic deaths are caused more by bad roads and lack of nighttime lighting than anything else. The cars and drivers can only do so much.

As a thought experiment, instead of decreasing, what would it take to increase traffic deaths per capita? With traditional cars, forcing automotive deaths to increase would be nearly impossible. It would take a strange coordinated, long-term purposeful political and corporate attack to eliminate safety regulations like speed limits, seat belts, air bags, car crumple zones, driver intoxication limits, driving age limits, budgets for road repair and clearing, signage, lighting, traffic monitoring, rapid post-crash response, and more. It would in theory be possible to lower automotive safety through those top-down means. But it would not be possible at scale to force or trick individual drivers into killing each other.

Individual, non-scaled shocks to automobile precursors like horses were also common. Many early transportation accidents were caused when horses became spooked, either by other horses or from encountering passing trains, cars, or the occasional marching band.

It’s interesting to look at the safety of horse-drawn buggies today. The nature of the accidents has changed. Today, the anachronous but legal drivers of buggies mostly suffer from accidents when hit by speeding cars and trucks. Many of those crashes today are caused by mismatched vehicle size.

Again, while horses and horse-pulled vehicles were and are less safe than automobiles today, since every horse-driven vehicle required a sentient being to control a sentient being, limits on systemic risk also held. No one can cause horses to create accidents at scale.

The safety argument claims that with AVs the 3,000 monthly traffic deaths of today could be reduced to close to zero. Where humans lose focus, become distracted, get stressed, make mistakes, don’t notice an oncoming accident, fall asleep, drive intoxicated, refuse to buckle their seat belts, drive without maintaining safety features on their cars, AVs would never do that. AVs represent a potential improvement on human driving. Why would anyone argue against that improvement and for the status quo of 3,000 monthly deaths in the US? Who would argue for status quo of 100,000 monthly deaths globally? But what second-order risks are there in this argument?

When it comes to the other argument in support of AVs — optimization — the arguments also avoid second-order effects. The reason for this seems to be similar to why we seldom hear of unintended effects in other types of new business innovation. That is, the businesses that innovate are rewarded for their innovation and presumed ability to scale to a large market. They are not rewarded for considering whether their innovations increase risk elsewhere.

The optimization arguments center on what would be possible with fully autonomous vehicles. And I like to imagine the potential. Self-driving cars could coordinate to distribute traffic, travel much closer together than human-driven cars, free people from the drudgery of unhealthy and boring driving for more productive work, collect and share environmental data, moderate demand through price changes, carry the very young and very old safely, allow people to sleep rather than manage their commute, reduce needed fuel, and on and on.

Over the past decades, systemic shocks to optimization of traditional driving have operated differently than they probably would for AVs. These previous shocks were in the form of oil embargoes, regulation, and company-level shocks affecting commodity prices (sheet metal etc) and import/export duties.

Ignorance has never been bliss, but it is even less so today. Cybercriminals are always looking for vulnerabilities to exploit. This is why Bob Mueller said over a decade ago that there are only two types of companies in America: those that have been hacked and those that will be hacked. A decade later that sentiment is still true, except that many have been hacked numerous times. Many cybercriminals attack on a daily basis. Their target is your information.

Sadly, in the decade since Mueller made his statement we’ve made little progress in the war waged against us by cybercriminals. For the most part, our technical efforts -- while impressive -- have been reactionary.

How do we begin to combat such a threat? It begins with education.

For example, audiences at conferences, workshops and employee training sessions are still amazed when I speak to them of password cracking software, the need for updates, and simple tips on staying safe. Most viruses are still delivered via email and most passwords are still too simplistic. It is astounding that with all the articles, jokes, and anecdotal emphasis on password complexity, the most popular password in America is still some form of “Password” (P@ssw0rd, Password 123, Password 123!, etc.). This is why all companies should regularly emphasize cyber awareness training for all their employees. It seems logical that if you shrink the target, you will also shrink the cybercrime industry. Training in antivirus technology, update and password management, and education seem to be a no-brainer. This could easily and inexpensively be done through community colleges and different types of IT education programs.

The boom in cybercrime has created a corresponding increase in cybersecurity jobs. Yet the industry of cybersecurity is reported to have currently over 1.5 million positions going unfilled -- and an expected three million by 2021 -- because there are not enough educated and qualified people to fill the positions. Only recently have colleges and universities begun to offer an emphasis in cybersecurity, with only a few offering a degree in it, despite the fact that the IT industry allows stackable credentials (A+, N+ or S+).

The education industry needs to work with government and business to establish regional cybersecurity operational centers (CSOCs). Students would receive real world training to accompany their academic training (using certificates like COMPTIA’s as the final exams in classes like networking—N+). These students could work alongside experienced professionals at the CSOCs, and, as interns, work at organizations (SMBs, non-profits, government) that will also benefit from added emphasis on cybersecurity. Educational institutions would be able to market cyber awareness to the consumer while also benefiting from relationships with the organizations where they have placed interns. This idea is win-win. Education wins with increased student populations and more fully developed community relationships. Government, business, and NGOs benefit from improved security and better
educated employees. And everyone becomes less of a target for cybercrimes. The battle will always be engaged, but at least we won’t be in full surrender.

Modern terrorist attacks require little technology, just dedicated terrorist(s) with automated weapons, often supported by body worn suicide bombs – and unlike natural catastrophes, which can cause damages over a widespread area, the “damage footprint” of a terrorist attack can be measured in square yards. Most of the damage incurred by the 9/11 attacks occurred on a building site of only sixteen acres. Contrast that to the havoc of Hurricane Katrina where damage was so widespread that every county in Mississippi and Louisiana, along with 22 in Alabama and 11 in Florida, were declared federal disaster areas. But this footprint does not tell the whole story. The impact can be felt far beyond the specific area targeted. The surrounding areas, where follow up security operations are carried out - such as those in Boston - are likely to face interruption. This could be as a result of denial of access, further threat or loss of attraction. As such, traditional terrorism products which require a physical damage trigger may not offer coverages for many loss scenarios.

The spatially concentrated nature of a terrorist event makes it difficult to insure against. Successful insurance underwriting requires adequate spreading of risk, across industries, lines of coverage, and most importantly, geographies. Since insured value is most highly concentrated in densely populated urban areas, the very places terrorists seek to target, avoiding the excessive concentration of risk is a rigorous task. This underwriting challenge, coupled with the steadily declining rates for terrorism insurance over the past ten years, contribute to insurance companies' reluctance to devote their capital to covering terrorism risk. Underwriters of terrorism insurance also face challenges with the inherent uncertainty of terrorism events and the loss associated with them. As data for terrorist attack loss is very limited, particularly compared to natural catastrophe data, insurers face difficulties in appropriately pricing their risk and must load factors for this uncertainty into their charged rates. In the RMS probabilistic model, the measure of uncertainty for terrorism risk modeling (known as the coefficient of variation) is almost six times higher than the expected average annual loss itself.