For Laura Langone, senior director of global risk management and insurance at PayPal, risk management is all about bridges. As PayPal has made a practice of bridging the banking, retail and technology sectors, Langone’s approach to insurance coverage focuses on manuscripting to bridge traditional industry verticals. Underwriting innovation does not necessarily come easily to the insurance industry, however. To that end, her approach to the insurance markets requires extensive education efforts to bridge the gap between internal processes and stakeholders and their prospective brokers and underwriters.
Langone spoke to Risk Management about managing risk at modern, industry-spanning enterprises, the ongoing challenges of cyber insurance, and the communication required of risk managers.
RM: Like many of the biggest new companies today, PayPal branches into multiple industry sectors. How does that impact your overall approach to risk management?
Langone: It requires more work. With companies like PayPal where you’re being innovative with technology that disrupts or bridges traditional markets, you really have to go across industry sectors to understand the nuances and the issues and, as it relates to risk management, what the insurance services are so that we can bridge verticals in one manuscripted solution. For the last 20 years, the industry has done a good job with trying to hone in on a vertical, like banking or logistics, and a lot of the brokers and insurance companies have developed specific risk assessment information, collected data around those verticals, and developed innovative but specific policies based on traditional sectors.
With a company like PayPal, we’re going to want the benefit of some of that language, so the question becomes how we tap in. That’s what risk managers increasingly have to do: bridge those gaps by going in and educating their existing client service team and educating multiple groups in the insurance marketplace that we might not normally see. We also have to educate ourselves. One of the challenges for me when I came on was really understanding where the markets are, whether they exist, what they afford, and the most beneficial way to present ourselves in the marketplace.
RM: Are there any particular lines you have found more challenging than others?
Langone: The line that is very challenging is still cyber. When I think about cyber, I think about my internal process from end to end and identify all the things that could go wrong. Still, with a technology cyber program, it is really about the data, it is not about loss of property per se, it is loss of information, so you have to go to multiple policies to find coverage for your complete process. That is the most frustrating part.
The other frustrating part is that the brokers and insurance companies talk a lot about cyber as your biggest risk, but the capacity out there is just not that great. No one is getting the capacity for the cost, and some of the costs that are covered are ones we can handle. What we’re trying to do is find the spot where it will hurt us internally, where we really do want insurance indemnification to fit in, and figure out how much is enough. At the end of the day, a lot of what we do is read around contractual arrangements, because a lot of risk is still on your balance sheet.
RM: Are there any recurring holes you see in the cyber coverage options available?
Langone: With many policies, you have a lot of sublimits, so you have to be careful because you might think you have something but it is sublimited and is contingent on something else in the coverage wording. Companies should spend more time carefully looking at their coverage, their end-to-end processes and their biggest concerns, and tapping into the policies that they have to look for potential coverage. Then they need to figure out how to fix those gaps and identify exactly what policy to go to in a given scenario.
RM: How do you overcome some of that push-back from insurers when negotiating coverage?
Langone: When we go to market, we bring in our internal resources to explain our business, but I have seen it both ways—some companies don’t want to reveal any information, they instruct the risk manager to just fill out the application. What concerns me is sometimes insurance carriers and underwriters don’t really understand your business, and then they write policy language or give you a standard contract and you end up realizing it is not very clear. Ambiguity will work in the favor of the risk manager, hopefully, but both parties—and the C-suite and the boards—want to know that, when you go out and get coverage, you are actually getting something that is going to cover the nuts and bolts of what we do.
The risk manager’s job is to make sure there is full transparency to the market, so you are trying to get the best coverage you can, but also coming back in to the internal market to explain exactly what coverage means and make sure that people are clear on what is not covered, too.
RM: Is pricing particularly responsive as you go through all of that extra work?
Langone: I definitely think so. I don’t know if that is a reflection on education or on the market—the market is pretty soft, there is capacity, and I think many companies are benefitting from that, unless you have had a loss. When I worked in biotech, after all the losses in pharmaceuticals, insurers did not want to write us, they would just say to self-insure and form a captive. But by going in and showing how we were different, we could get coverage. Now in cyber, I really do find it valuable to educate. The other side is that, if you find you really don’t have a market, you should be aware of that and you need to think of other strategies.