What’s the password?

Managing the unmanageable

How easy is it actually for a criminal to figure out your online passwords and how can you stop this from happening? In this week’s blog I’ll unpack my own personal journey of password purification. Welcome to part 2 of the series around personal cyber security. My friends at the SA Insurance Crime Bureau (https://www.saicb.co.za) published this wonderful graphic last year to explain how easy it is for criminals to figure out your password.

How long it takes to crack your password depends on length and complexity

In other words, if you have a password with less than 10 characters, without combining numbers, letters and symbols, you might as well just post the password on your social media pages along with your bank statements. Someone asked me in a talk I was doing a few weeks ago, “Tell me oh wise LiabilityGuy, how is it possible that a ten-digit password can be cracked so quickly?” They may not have said it exactly like that, but actually it’s not as simple as hackers just letting a supercomputer program run, inputting millions of combinations, although the technology is definitely available. This is because most well-maintained websites will generally have lockout features, so the user will be locked out after, say, 5 consecutive incorrect guesses.

So if the hacker only has 5 guesses at a time to try a possible 10 billion combinations it would take a lifetime to derive the key. That is of course if the hackers were simply trying to access the database through the front-end login page. Incidentally, since I posted my previous article about my attempted hack a few weeks ago, there have been almost 1300 brute force attacks on this site. Those are attackers trying to guess my administration password.

Brute force attacks often employ the use of stolen passwords and email combinations rather than just guesswork.

It is quite unrealistic to expect that hackers will try millions of passwords, waiting between lockouts, to get into a site. That’s like buying one cigarette at a time after each lockdown. Whenever you read about large-scale hacks, what has almost always happened is that hackers have stolen the entire database and then will use automated tools offline to “guess” the passwords in a copied database. Working offline they have as much time as they need to crack your well thought out password and username combo.
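The gap between guessing through a login page with lockout and guessing against a copied database, worked through with the article's 10-digit, 5-guess figures. This is an added example, not part of the original post; the 15-minute lockout window and the offline rate of 10 billion guesses per second are assumptions chosen for illustration.

```python
import string

# Alphabet sizes for the "complexity" axis of the graphic.
CHARSETS = {
    "digits only": len(string.digits),
    "lowercase letters": len(string.ascii_lowercase),
    "letters + digits": len(string.ascii_letters + string.digits),
    "letters + digits + symbols": len(
        string.ascii_letters + string.digits + string.punctuation
    ),
}

LOCKOUT_GUESSES = 5             # from the article: about 5 wrong guesses
LOCKOUT_WINDOW_S = 15 * 60      # ASSUMPTION: account unlocks after 15 minutes
OFFLINE_RATE = 10_000_000_000   # ASSUMPTION: guesses/second on a copied database

UNITS = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))


def keyspace(length, alphabet_size):
    """Number of possible passwords of exactly this length."""
    return alphabet_size ** length


def online_seconds(space, guesses=LOCKOUT_GUESSES, window_s=LOCKOUT_WINDOW_S):
    """Worst-case time to try every candidate through a login page with lockout."""
    windows = -(-space // guesses)  # ceiling division: lockout windows needed
    return windows * window_s


def offline_seconds(space, rate=OFFLINE_RATE):
    """Worst-case time to try every candidate against a stolen copy (no lockout)."""
    return space / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            value = seconds / size
            return f"{value:,.1f} {name}" if value < 1e6 else f"{value:.1e} {name}"
    return f"{seconds:.3g} seconds"


def compare(length, charset):
    """Online versus offline worst case for one length/complexity combination."""
    space = keyspace(length, CHARSETS[charset])
    return {
        "keyspace": space,
        "online": humanize(online_seconds(space)),
        "offline": humanize(offline_seconds(space)),
    }


if __name__ == "__main__":
    for length in (8, 10, 12, 16):
        for charset in CHARSETS:
            row = compare(length, charset)
            print(f"{length:>2} chars, {charset:<27}"
                  f" online: {row['online']:<22} offline: {row['offline']}")
```

Under these assumptions the lockout turns a 10-digit password into a roughly 57,000-year job through the login page, while the same password falls in about a second once the database has been copied. Length and a larger alphabet are what move the offline figure.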

This brings me to the real reason for my blog. You see having a well-structured, complex password is only half the battle. Making sure that once it has been cracked, that it can’t be used in multiple attacks on other sites is the other half. If you reuse your password on many other sites, those brute force attacks become so much easier for the cyber criminals.

Credential re-use is a huge problem amongst internet users. Depending on which survey you look at, the range of lazy internet users who reuse their passwords is anywhere from 50% to 65%. Surprisingly a study done by DataProt in February 2021 showed that Gen Z users (age 16 to 24) are the biggest culprits with well over 70% using the same password and user combos across multiple sites.

The reason why we do this is simple, or rather it’s our need for simplicity that drives this reckless behaviour.

Even though I have some knowledge of cyber risk, I too have been guilty of this. In fact up until recently I would say that I was a habitual password regurgitator. I wonder if there is a support group for us? Fortunately this habit came to an end late in 2020 when I received one of those dreaded heads-up messages from Google to say the password I use on my account had turned up in one of the recent hack attacks.

If you set up Google alerts in your security settings they will let you know if any of your saved passwords or emails have been stolen.

This was the push that I needed to rethink my approach to my own cyber risk management. That inspirational moment was quickly followed by massive dread – how the hell would I remember which sites I have signed into over the years, let alone change the passwords?

A little LiabilityGuy disclaimer: I haven’t tried many methods but the one described below is working for me. If by the time you read this, I have subsequently been hacked…delete my profile from your memory and buy a typewriter and a telefax machine.

  1. If you use Mac OS then chances are you’ve allowed Safari to store your passwords in your keychain. You’ll have to sign into the Keychain with your mac password to see the list of sites and the user name, password combos. This was the category I was in.
  2. If you use Firefox, Chrome, MS Edge or Internet Explorer you may have allowed your browser to store the passwords. Those can all be found by clicking on the settings in the browser and then going to the security and passwords section. Easy.
  3. If you use Internet Explorer may I suggest you seek help from a mental health professional and join the 21st century as soon as possible. Just kidding, there is actually a video here
  4. If you haven’t allowed your browser to store your passwords then the only option available to you is to mine through your old emails and search for account registration emails that have been sent over the years. Try using phrases like “account confirmation” or “registration email”. I also recommend drinking heavily if using this method.

Number 4 above is a very painful exercise but don’t let this deter you on your recovery journey from pathological password peddling. I had actually registered for many different online services over the past decade so I determined that all I really needed to do was focus on the ones I had used most frequently over the past few years. I figured that my credit cards expire every 3-4 years so that sort of data probably wouldn’t have much value on the older sites and I’d changed my physical address a few times in the longer time span. In other words, I perceived the risk as lower on those accounts and dismissed them.

I was pleasantly surprised that most of the password storage options in browsers these days do have features that allow you to generate unique random passwords, some will even tell you on which sites you have reused passwords. If you aren’t going to use a separate password manager app, these browser solutions may be enough for you to sleep at night.

For me, I just felt that having all my data sitting in the browser database (even if it is encrypted) didn’t feel like enough so I opted to use a standalone password manager app. There are many available online. If you want a list of the top ones you can check this site out.

After checking out the costs and features I settled on LastPass – perhaps the term “Ease of Use” in the ranking sold me on it. I haven’t tried the rest so please send me your thoughts if you choose another.

Once you have the list of sites and passwords you can load them into the password manager, then you have to visit each site and change the password to a more complex unique one generated by the app. It’s a pain but less painful than having your identity, money or reputation stolen from you.

I think Password Managers are excellent because:

  • You only need to remember 1 password. That’s the one you use when you start up your browser.
  • You can set up multi-factor authentication to protect the password vault. So you can use your Google Authenticator or any of your other favourites.
  • You can use the password manager to generate random, extremely difficult passwords.

The LastPass app allows for combinations of passwords up to 99 characters and you can choose how complicated you want it to be. If you don’t have to remember it – go big!

  • They have dashboards that will alert you if any of your emails are compromised and appear on the dark web. Interestingly when I was doing this blog an alert came in today:

  • You’ll be notified if you accidentally reuse your credentials again. You also get told if they are weak. Don’t take this personally. Just change them. Be strong.
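A sketch of the reuse and weak-password checks that browsers and password managers run over a vault, together with a random generator capped at the 99 characters mentioned above. This is an added example, not LastPass's or any browser's code; the vault entries and `.example` sites are constructed, and the weak-password rule is the article's own test (under 10 characters, or not combining letters, numbers and symbols).

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault export: (site, username, password). Not real credentials.
VAULT = [
    ("bank.example", "me@example.com", "Summer2020"),
    ("shop.example", "me@example.com", "Summer2020"),
    ("forum.example", "liabilityguy", "rugby"),
    ("mail.example", "me@example.com", "t7#Vq9!mLw2$Zr8p"),
    ("news.example", "me@example.com", "Summer2020"),
]

MIN_LENGTH = 10   # the article's threshold for "too short"
MAX_LENGTH = 99   # generator ceiling quoted in the article


def char_classes(password):
    """Which of the three character classes the password contains."""
    return {
        "letters": any(c.isalpha() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(not c.isalnum() for c in password),
    }


def weaknesses(password):
    """List the reasons a password fails the article's length/complexity test."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in char_classes(password).items() if not present]
    if missing:
        problems.append("no " + "/".join(missing))
    return problems


def find_reuse(vault):
    """Return groups of sites sharing one password.

    The SHA-256 digest is only an in-memory grouping key, so the result
    carries site names and never the plaintext password.
    """
    by_digest = defaultdict(list)
    for site, _user, password in vault:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(site)
    return [sorted(sites) for sites in by_digest.values() if len(sites) > 1]


def audit(vault):
    """Map each site that needs a password change to the reasons why."""
    reused = {site: group for group in find_reuse(vault) for site in group}
    report = {}
    for site, _user, password in vault:
        findings = weaknesses(password)
        if site in reused:
            others = [s for s in reused[site] if s != site]
            findings.append("reused on " + ", ".join(others))
        if findings:
            report[site] = findings
    return report


def generate_password(length=24):
    """Random password from the OS CSPRNG with every character class present."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    chars = [secrets.choice(pool) for pool in pools]      # one from each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                 # hide the fixed prefix
    return "".join(chars)


if __name__ == "__main__":
    for site, findings in audit(VAULT).items():
        print(f"{site}: {'; '.join(findings)}")
        print(f"  replace with a unique value such as: {generate_password()}")
```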

It hasn’t all been plain sailing. I started the project in December 2020 whilst on holiday but quickly realised that it’s a mind numbing exercise to change all my passwords. Rather than doing it in one sitting I resorted to changing the core sites first and then slowly added the others as I logged into them over the subsequent months.

I also discovered that you need to turn off the autofill features in your browser after you load the password manager otherwise, old passwords get entered by accident and you get locked out of whatever site you are trying to access. This actually happened on one of my bank accounts and I had to go verify myself in person but that’s a story for another day.

I’ve completed the process now and I’d still give LastPass 8 out of 10 and I do believe I’m safer online now than when I started the exercise.

I’m the LiabilityGuy.

This article was originally called “what’s the $**&%# P@55word?” but the URL kept bombing out.

Smile. You’re on Hacker TV

Falling victim to sextortion scams

A few months ago I received an email from myself. Strange you may think to be sending mail to oneself? That’s what I thought too although perhaps more disturbing was the content of the mail. The email was from a hacker:

This talented social butterfly had purportedly gained access to my computer and had apparently recorded me whilst I was checking out some adult content. A split screen video had then been created with one half showing what I was viewing and the other showing me, well…scrolling with one hand I guess?

I apologise for the graphic imagery and let me help regain your composure by stating that this never happened. The email is real but the content had been carefully crafted to apply to a significant portion of the population. According to PornHub they have over 120 million daily viewers. Multiply that by the innumerable adult sites and you have an exponential number of potential targets for this particular email.

The scam relies on our overwhelming need to preserve our dignity and to keep our internet browsing habits secret at all costs, or at least at the cost of $653.

I ran the bitcoin address through the Bitcoin Abuse Database and discovered that it had been reported 133 times and had accumulated 0.900351 BTC, which at today’s rate is about R700,000, in 8 transactions. Now I don’t know how many of these emails were sent out but given the low work effort required to send emails, the return on investment is significant.

Would anyone actually pay? Well in this case 8 people actually did and you may wonder why? Is it a guilty conscience that drives this? I somehow doubt it. What is more likely is that some of these emails would contain your email address and perhaps a password that looks familiar. This convinces the victim that the hacker must have access to their computer or network. The coincidental viewing of adult content is just the kicker that pushes the hapless pornosseur over the edge to pay the ransom.

So where do the email and password combinations come from?

Every year hundreds of millions of emails and passwords are stolen in cyber breaches. In fact a week before I wrote this blog, it was reported by several cyber security sites that a database of 3.2 billion emails and passwords had been exposed on 2nd February. It’s estimated that this is around 70% of global internet users. It appears that this database is simply a compilation of stolen data from other breaches that have happened over the past few years. It is in such data dumps that hackers obtain these valuable nuggets of information to either convince you that they have you in flagrante delicto or to hack into your other accounts.

In a 2019 Google Survey, it was estimated that over 65% of internet users use the same password on multiple accounts. Don’t do that or you’ll find yourself the victim of something far more sinister and serious than the sextortion scam I’ve spoken about here today. Try not to watch porn either.

If you do re-use your credentials as I have before, in the next edition I’ll be sharing my experience tightening up on my own personal cyber security and making the leap to unique and complicated password management. The easy way.

I’m the LiabilityGuy.

 

The dirty business of directors’ liability

A discussion about D&O Insurance

Last week was a blur, I spent three days on the road with the Insurance Bootcamp folks. We’ve done Cape Town, Durban and Joburg and now I’m sitting in my hotel room, massively inspired to write a little something of this grand adventure.

Eager insurance pros magically fill the Balalaika conference room

Firstly let me clarify that Insurance Bootcamp has nothing to do with physical exercise. Nor does it involve brokers in a race to pilfer each other’s clients, nor is it a wrestling match between underwriters as they try to beat each other into submission with rate cuts. In fact, it mostly involves chugging down coffee and baked goods whilst spewing forth great wisdom about the mysteries of the world’s second oldest profession. This particular Bootcamp focused on the ever-expanding mountain of litigation risks facing business owners.

As such financio-legal wisdom is not easy to come by (I do believe I just created that fantastic term by the way. Readers may use it as they wish without fear of copyright reprisal). Anyway, forgive the digression but any notion that I may have possessed this peculiar combo of financial services and legal knowledge was quickly shattered when an obviously impressed delegate, who was clearly paying attention to my slides, complimented me on my choice of socks. Herewith a photo of day 1, 2 and 3 socks for your information.

Day 1 thru 3 foot cover

Aside from a clear demonstration of superior taste in footwear I’d been asked to share some of my experiences with some oft misunderstood areas of liability business namely, Professional Indemnity (PI) and Directors & Officers Liability (D&O). Who names these products by the way? You’d think that given the flexibility of acronyms, that a bit more creativity would’ve been applied. For example, the latter could have been named Derivative Indemnity Liability – Directors & Officers, also known as DILDO. Just think of the possibilities. Upon being appointed to the board, a director could state, “there’s no way I’m exposing my ass unless you get me a DILDO” or “go ahead and sue me, I’ve got a DILDO and I know how to use it.”

Given that there may be readers of this blog who are not in the insurance industry and who are possibly sensitive to the use of the DILDO, I shall revert to the original D&O.

So what is it then? It’s a legal defence and damages policy invented by Lloyd’s back in 1930, probably as a consequence of the Great Depression. Someone felt it was a good idea to insure the directors just before they threw themselves out of a high-rise window. After all what good would the embattled CEO be to a disgruntled shareholder when he was broke, both physically and financially.

Unlike the basement-diving, kamikaze directors of the time, the cover never really hit the ground, that is until the Americans got hold of it. Americans love liability policies as much as they love guns. Guns can also be useful for solving shareholder disputes by the way. Cheaper than the D&O policy and you don’t have to provide a copy of your financials to get one.

Dirty Business

So, many years later, this incredible piece of insurance wordsmithery found its way to the shores of our country. South Africa, the land of opportunity. The place where even the most corrupt of politicians can legally earn a living by fleecing honest folks out of their hard-earned cash. Fortunately D&O insurance is gaining popularity amongst private sector directors, because unlike their public sector counterparts, they are actually held accountable for their mistakes.

The policy really is a “must-have” these days for all directors and business owners. Why, you ask? Why, oh wise liability guy with great socks?

Well, Directors and Officers liability insurance protects business leaders from litigation which may be initiated against them by stakeholders. A stakeholder, in the context of the Companies Act, is not a person wielding a large cut of beef, nor a fearless hunter digging up dirt and seeking out blood-sucking miscreants (although I’m told Thuli Madonsela is making excellent progress in her investigations these days). Actually a stakeholder could be any party that suffers a loss as a result of the negligent actions of the directors or officers in carrying out their fiduciary duties. The word fiduciary it turns out is hysterically funny to my teenagers, who immediately identified the hidden colloquial term, “douche”. For those that don’t know, the word really refers to the high standard of care expected of directors, rather than a derogatory term that could be used to describe a politician.

Don't throw away your vote

A client of mine had the misfortune of going head to head with the National Consumer Commissioner a while ago. It’s ok to chat about this because neither of the protagonists in the tale subsequently retained their positions. The whole sordid debacle did however cost the CEO and the Company over R7m in legal fees. Fortunately the DILDO was close at hand and a large portion of the financial pain was taken care of by the insurers.

So it would appear that having this specialist insurance is a necessity and that every decision maker in the company should have the benefit of a policy. This, coupled with the relatively low premiums charged by insurers, does mean that brokers are able to sell the cover with relative ease. Like selling firepools at a national security conference. Herein lies the danger for the insurance agent selling the cover. The temptation to spend less time explaining the cheaper covers to a potential insured is ever-present. Exclusions and notification requirements for D&O can be a little different to traditional policies. Given that the directors’ personal assets are at stake when a claim ensues, the risk of repudiation should be mitigated through careful explanation of cover with every client.

Sounds complicated? Herewith something simple for my fellow insurance intermediaries, for free:

The Liability Guy’s Theory of Relativity, “The amount of commission derived from the sale of D&O is inversely proportional to the amount of shit coming your way, if you make a mistake.”

In all seriousness, hats off to the Risk SA guys and all involved with Insurance Bootcamp. Great to be a part of the event.

A selfie. Me and 200 friends in Jhb

I’m the Liability Guy, take care.

What the hell is a liability anyway?

And should you care?

Setting fire to the neighbours property, kids bouncing off jumping castles, cosmetics that burn your face off…. What the hell is a liability? Who the heck is a third party? Whatever happened to the second party? These and other conundrums solved in the first blog in a series that demystifies my world of liabilities.

A lot of people ask me what on earth a liability actually is? If you’re an accountant, too much liability is not a good thing. In the financial world a liability is the other side of the balance sheet; the dark and scary side that keeps you up at night. For many South Africans it’s the only side of the balance sheet unfortunately. Debts and sacks of money owed to other people often make up the bulk of financial liabilities.

By now you are thinking, “I knew this blog was going to be crap, if I wanted to be reminded of my financial woes I’d check my shares in a certain furniture and clothing retailer” I know you are thinking this because as I am writing it, I too am contemplating a much needed root-canal treatment rather than completing the blog.

Fortunately the type of liability that I am involved with, has nothing to do with accounting. Sorry bean-counters, there’s no ledger-porn to see here. I am the Liability Guy and welcome to the wondrous world of legal liability. This you’ll soon find out is much more exciting because it is here that we deal with:

    • Killer cosmetic compounds that want nothing more than to give your customer that permanently surprised, “where are my eyebrows?” look.
    • Erratic and irresponsible employees that light up more than a cigarette in your client’s warehouse whilst having a sneaky fag in the no-smoking area.
    • Clumsy customers who fall down the stairs in your shop because they’re more into WhatsApp than watching where they are going. If you break it, you buy it doesn’t count when the damaged goods are your client’s legs.
    • Sugar spiked toddlers on such a high in that play area at your restaurant that they bounce right off the jumping castle and straight into Mrs. Mathebula celebrating her 80th birthday. Maybe that’s why they call them off-spring?

You may be wondering what all these ridiculously tragic scenarios have in common? Well the truth is they will all probably result in a lawsuit against the owner of the business. There is of course insurance that can cover these events and the source of claims against these policies are generally those that have resulted in injury or damage sustained by a mysterious group of people we call “third parties”.

“A third party”, I see you raise both eyebrows. “I’m always up for a party, maybe even a second party but a third party? Will there be beer-pong, balloons, a cake or a cow on a spit? Three parties though. Who has that kind of staying power?” you may wonder.

Again, you’ve been misled, just like our accounting friends earlier in this article. The kind of third parties we talk about in liability insurance circles have nothing to do with people drinking and carrying on like teenagers, unless the business being sued is a bar. By the way, if you get drunk in a bar in some parts of the USA and cause an accident, the injured parties may actually sue the bartender for getting the driver drunk. True story, and similar things are on the cards in South Africa in proposed amendments to our own liquor laws.  Did you see what I did with the word “parties” there?

The third parties we talk about in liability insurance are the hapless group of individuals (or even other businesses) who seem to have zero luck and are always on the receiving end of dangerous goods or poor services, inevitably leaving them out of pocket, injured or worse. We call them third parties because they are not a party to the insurance contract directly. The first party is the policyholder (the butcher, baker, candlestick maker or whomever had the foresight to buy the policy), the second party is generally accepted as the insurance company although you will never hear mention of the second party. We don’t ever talk about them. Are they like the uncle who gets drunk at the family dinner and tries to get amorous with the garden gnome on the front lawn? Or are they the invisible heroes who want no credit for saving us from financial ruin? That I suppose depends on whether the claim gets paid…

In any event, this tale is not about the invisible second party. Just remember that the third party is the disgruntled, injured and often litigious individual who wants to take you to court. Unless you are a former president of a beautiful country at the tip of Africa, in which case a whole country may want to take you to court.

 

Don’t get me wrong, many third parties have good grounds for litigating and it is possible that the business actually did something to warrant being sued. Accidents do happen and someone is generally to blame when they do. If it’s not obvious whodunnit then both sides may have their day(s) in court. That’s generally where things get expensive and legal liabilities quickly start to turn into financial liabilities. Lawyers of the world rejoice. Accountants, you are back in play.

It’s these expensive processes in court and the fact that the business may have to compensate the injured third party that warrants buying liability insurance. This is also the primary reason why I have a job. So if you’re a broker, please sell more liability insurance.

Over the next few months I’ll be writing more about the wonders of liability so please be sure to follow this blog.

Note that as I am the LiabilityGuy I have to include a suitable disclaimer so please don’t treat any of these blogs as legal or financial advice. Be sure to chat to your broker if you’re a policyholder or if you’re a broker yourself, chat to your favourite insurance underwriter (follow my eyes) to get some detailed training or product information. The opinions expressed here are all my own, written in my personal capacity.

Related article on this blog : Coffee Cups, Ladders and Vibrators

Coffee cups, ladders and vibrators

Coffee, ladders and vibrators

The great label debate

I woke early this morning with a burning sensation in my eye. Turns out disposable, daily wear contact lenses have some kind of programmed obsolescence. After 3 days of continuous wear they will try to integrate themselves permanently with your cornea, like a political leech that overstays its welcome after the campaign, or lands its plane on your restricted airstrip for an impromptu wedding.

Being that the confounded lenses du jour are over R20,00 each, I had made it my austere mission to make them last longer than a Kardashian marriage. Having failed dismally, I “peeled my eyes” and replaced the offending prosthetics with new ones. It occurred to me at this point that I had not really paid attention to the warnings on the packaging nor to the rather obvious name of the product, being “Dailys” and I was indeed behaving like a living brain donor (the giver not the receiver).

I’m The Liability Guy and each day has me wading through a variety of legal quagmires with my clients, looking for ways to avoid the possibility of a law suit. Most product manufacturers for instance, worry about this mythical beast called the CPA. Contrary to popular belief, the CPA is not Chronic Pulmonary Aspergillosis but rather the Consumer Protection Act. These two things are vastly different, with one being a suffocating affliction that constricts abilities and the other, a crippling disease of the lungs.

Anyway, this rather complex piece of legislation gives us all the most amazing rights as consumers, one of which is the right to be warned, in a way we can understand, about the hazards or dangers of using products.

Read small print to avoid discomfort
Warning signs for first time ladder users

These photos illustrate the nature of warnings where the consumer is depicted as an ignoranus (that’s an ignorant ass) incapable of logical, adult thought.

Most of you will have heard of the infamous McDonald’s coffee cup claim. No? Basically the story of Ms Stella Liebeck. The poor old lady that soaked her privates in hot coffee as she left the drive thru of the local McD’s. Personally I think a rusk works better.

In any event, the court determined that the beverage was too hot and that she should’ve been warned about the impending danger. It’s thanks to Stella that we all have those delightful “hot” warnings on our coffee cups now. That whole caffeinated event cost Mickey D’s over $3m. Incidentally, there are now also groups in the US that are lobbying for labels on fast food that warn consumers that they may get fat. That’s like warning someone there might be traces of pee in the public pool.
 
Warning customers in South Africa of danger isn’t as easy. Especially seeing as we live in one of the most dangerous places in the world. I mean do I really care what the weight limitation is on a ladder when every step I take in the street could be my last. And then there are the unfortunate gaps in literacy skills across our country, particularly in Limpopo where they have some of the best educated rivers in the republic. This means that making sure everyone understands all the hazards is a challenge and perhaps also the reason why the use of pictograms has become popular.
Perhaps they should put warnings on the pictures of politicians on ballot forms?

Don't throw away your vote

 

A Question of Trust

The insurance grudge

A recent article depicting insurance as one of the least trusted industries prompted me to write an article for Risk SA a few years ago. In the event that you think it’s worth circulating there is a link to that PDF version at the bottom of the page.

The article on the most (and least) trusted professions in South Africa was originally written by a fellow called Quinton Bronkhorst for Business Tech. I can only assume he had to wade through tons of mind-numbing figures before getting to the table below, which I think you’ll agree is quite distressing if you’re in journalism, law enforcement, insurance or politics.

The original report was produced by global market research company, GFK. I always take these global studies with a pinch of salt because the samples used to derive the information are often relatively small, particularly once you drill down into the South African specifics. In this particular instance, 28 000 people were interviewed around the world. The number included 1194 South African respondents.

The numbers in the table indicate that of the total number of people interviewed, a specific percentage trusts the specific profession. This means effectively that out of 1194 South Africans, 95 per cent said they trust doctors compared to only 43 per cent who trust politicians. It seems likely that 43 per cent of the respondents were politicians. Incidentally, if one benchmarks SA against other countries – politicians, on average, have a trust level of 31 per cent. We are more trusting of our elected officials. I guess that is borne out of our recent election results where a slew of corruption charges against some individuals appear to be less concerning to the populace than the dress code in parliament.

Also worth noting is that 5% of the respondents don’t trust anyone.

As an insurance professional, I took serious umbrage to the notion that we only scored 57%, especially when one looks at the overall context: even cab drivers, whom I assume are actually mini-bus taxi drivers, scored higher than the insurance industry. For goodness sake, even South African policemen fared better than insurance agents.

 It would be far too easy for us to dismiss the insurance numbers by simply sticking the whole industry into the grudge purchase box. However, I don’t believe the nature of the product or service has anything to do with trust. In fact, if trust were inextricably linked to the nature of the service, even doctors would find their score slipping to the bottom of the table. Not too many people enjoy a visit to the doctor, unless you are a hypochondriac or a medical sales rep.

If the negative perception is not related to the nature of the service then perhaps it is related to the dreaded claims rejection? Shortly after I read the Trusted Professions report, I noted that the Ombud for the short-term insurance industry had also published some figures. The Ombud is a free resource for consumers who feel their claims have been unfairly rejected. In 2013, he received just under 10,000 complaints. This is a pretty big number but the reality is that out of almost 2.7m claims, less than 0.4% resulted in a dispute with the consumer.

So if the grudge purchase factor and claims payments are not the cause of our risky reputation, what remains?

Some years ago, I was privileged to attend a presentation delivered by market leader, Peter Todd. In his presentation he spoke of insurance professionals having a noble purpose. The word noble or nobility, generally conjures up all sorts of regal, even saintly imagery. This struck me as strange as many of the professionals I had worked with in the industry over the years knew the risk transfer business inside out, but didn’t exactly fit the knightly bill.

Knights of the Rating Table

Todd’s reference to our noble purpose had quite an impact on me. Attention had been thrown on the fact that much of the negative perception in our industry is self-perpetuating, partly through the way some insurers market their services but largely due to the way the individuals in the industry carry the message.

There isn’t a great deal we can do to halt the commoditisation of insurance products and I guess to some extent, buying insurance will always largely be about the premium. I do however believe there is something we can do about the way we carry our noble purpose message every day.

 I’ve worked in a big insurance company, a few global reinsurance companies, a couple of Underwriting Agencies and more recently, in a local brokerage, and I noted a few things that many of these firms had in common:

    • Most of the older staff had not made a conscious choice to be in insurance. They had fallen into the industry. Many would even joke that they’d been sentenced to life but commuted to short-term.
    • Often these businesses struggled to attract and retain younger talent. Graduates with some insurance experience were in high demand due to their scarcity. Many actually left the industry after gaining some work experience.
    • Generally, a high percentage of the staff (particularly in the bigger companies) had a negative perception of insurance themselves. It was not uncommon for brokers to blame insurers in front of clients when a claims problem arose and it was not unusual for insurers to dismiss brokers as perpetual moaners when policy issues arose.

The talk made me think about how I perceive the industry that I’ve earned a good living out of over the past 23 years. It also made me think of the enormous impact the industry had on my kidneys and liver for the first 10 years, but that is a bleary-eyed, dialysis-infused story for another time.

I was transported back in time to the moment I started in insurance. I recalled being almost immediately embarrassed by my chosen profession. I discovered in my early 20’s, at a very impressionable age for a young underwriter, that insurance was not as sexy as depicted in the brochure. In fact I remember concocting a joke that elicited much mirth at insurance functions. I’d introduce myself as an underwriter, then I would quickly qualify that an underwriter was like an undertaker. The only difference being that an undertaker had clients that were livelier. This joke, it transpired, was not very funny to non-insurance people, or to undertakers. My colleague, Ed Jordan, recently shared a story with me that I believe to be more apt. Upon arrival at a retirement home to deliver a load of baked goods (a charitable initiative of SHAs), he was confronted by an old fellow who commented on the use of the word underwriter on the side of our team van. “Is that like an undertaker?” muttered the old boy. “Similar, but we take care of you whilst you’re alive,” responded Ed.

Unfortunately it would appear that this vocational embarrassment is not unique, and still exists in today’s insurance industry. Some would argue that the sector is filled with brilliant products that no one really wants to buy, sold by people that don’t really want to sell them. Not only a grudge purchase but a grudge sale too. Somewhat of a miracle then, that the combined short and long-term industries produce almost 20% of the country’s GDP and employ over 100,000 people.

The 2013 KPMG report draws attention to how the insurance industry is trying to clean up its image. R2.1 bn in fire and hail claims were paid in the last quarter of 2012 alone. Without that valuable service many people would have lost their homes, cars and even their jobs. If one adds to that the number of families that benefited from life policies (R6.8 bn across the whole year) it becomes apparent that society would actually grind to a screeching halt without the risk transfer industry.

The KPMG report is extremely comprehensive but I very much doubt that the majority of people employed in the insurance industry even know of its existence, let alone read it. So if we as an industry don’t know about the impact of our noble purpose, how can we expect this from the begrudged buyers?

A political party recently used the phrase ‘A good story to tell’ in its 2014 election campaign. The insurance industry is filled with ‘great stories to tell’ but if we don’t tell them no one else will. We will be doomed to hover around the bottom of the Trusted Professions list, saved only from last place in morbid hope that our politicians will continue to disappoint the electorate.

I’m the Liability Guy.

References: 

SA’s Trusted Professions

Ombudsman’s report

KPMG Insurance Report  

Risk SA Article