Insurers may re-evaluate driverless car technology following fatal accident

Driverless features should not exclude drivers from safe operation of vehicles, insurers say.

A recent fatal accident involving a Tesla Model S electric sedan using an autopilot system has been called the world's first driverless car fatality and may require insurers to re-evaluate the technology.

The accident occurred after the Tesla failed to apply the brakes when a tractor-trailer made a left turn in front of the vehicle. However, human error may have also played a factor in the accident as the Tesla owner was reportedly watching a movie while operating the vehicle and the tractor-trailer driver had previously been cited for multiple safety violations.

According to Insurance Business America, the accident means insurers will need to factor in human understanding of the technology when determining risks. While some reports had previously claimed driverless cars would all but mitigate the risks of driving, this belief may have overlooked the role human understanding plays in safely operating the vehicles as well as the current capability of the software. Drivers will need to be adequately trained on the limits of the technology, IBA reported.

In fact, Tesla itself has said "driverless" features do not excuse human drivers from safety obligations. In a statement released to The New York Times, Tesla spokesperson Khobi Brooklyn said the Model S's Autopilot system "does not turn a Tesla into an autonomous vehicle and does not allow the driver to abdicate responsibility."

Insurers react to the accident
Additionally, many insurers have noted one incident provides insufficient evidence for evaluating the overall risk and innovations of driverless car technology. While this accident will need to inform evaluations of driverless technology moving forward, it should not impede the progress of self-driving vehicles as a way to reduce accidents and improve overall road safety.

"This incident will certainly be incorporated into our ongoing fact gathering efforts and recommendations," the American Association of Managing General Agents said in a statement. "[But] it would be premature to criticize Tesla Motors, the software or other technology provider whose products are part of the beta phase of the Autopilot program, before all of the contributing facts are known and understood."

However, the Times noted, many insurers will likely begin requiring more information about cars that have optional self-driving capabilities. For instance, an insurer may currently be covering a Tesla vehicle without knowing whether the particular car has been equipped with an Autopilot system.  Currently, many insurers use vehicle identification numbers when assigning rates, but this information alone would not inform the insurer of the various options selected for an individual car or whether the driver has activated the driverless software.

Very few cars with self-driving features are currently on the road, the Times reported. Most fully automatic cars are part of fleets, such as those owned by Google, and often carry special insurance and are operated under controlled conditions. Many insurers consider features such as Tesla's Autopilot software to be driver-assisted systems, not true driverless technology, and advise manufacturers to educate drivers that eyes should remain on the road and hands still be kept on the wheel.

Currently, fewer than a dozen states have passed regulations specifically related to self-driving cars.


Turmoil in emerging markets and internet fragmentation lead risks for insurers and reinsurers

Risk managers for insurers and reinsurers may need to deal with these risks within the next three years.

Insurers and reinsurers will likely see increased risks emerging across 21 key areas, including crisis in emerging markets, unconventional monetary policies and internet fragmentation, according to a new report from SwissRe. 

In its 2016 SONAR report, SwissRe found political unrest, increased localization of internet networks within country borders and financial repression are the biggest risk factors facing the insurance and reinsurance industry for which the potential impact and scope are not yet fully accounted for.

"The report found the potential impact and scope of these risks is not yet fully accounted for." 

"Risk management is not just about managing risks in the present,"  said Patrick Raaflaub, Swiss Re's group chief risk officer, in a statement. "It is about anticipating future ones to make sure we will be in a position to deal with them. These risks may only fully reveal themselves to future generations. That doesn't mean that we shouldn't act today to reduce uncertainty and alleviate their burden."

Turmoil in emerging markets includes areas of the world to which insurers may wish to spread their business, but cannot due to higher underwriting costs related to civil unrest or riots. Unconventional monetary policies include negative interest rates, quantitative easing and other unproven economic experiments. Finally, internet fragmentation refers to countries' attempts to isolate their web presence from the rest of the world.

As Insurance Business America noted, while insurers may not be dealing with these issues yet, these risk factors may have a significant impact on the industry within the next three years.

Internet fragmentation and insurers
Internet fragmentation has been a concern of technology experts and Internet activists for some time. As The Wall Street Journal reported, Vinton Cerf, a telecommunications expert considered to be one of the "Fathers of the Internet," warned last year that internet fragmentation could lead to increased government surveillance, poor cybersecurity and restrictions on freedom of information.

Internet fragmentation is already occurring in many parts of the world. As the Journal reported, Google has already seen limits placed on its search engine in parts of Europe and Asia, and Germany has seen calls for data storage and email that are national and isolated from the world wide web.

While Cerf spoke largely to the political and ethical concerns of limiting citizens' access to the internet, the SwissRe report focuses on the increased risks such policies pose to companies' abilities to carry out business. When firewalls and software are used to block out unwanted information and isolate information technology systems from global networks – whether by a private business or a national government – it can result in more difficult communications.

For insurers this can increase costs and disrupt existing business models when they operate across borders. Siloed IT systems may also lack the security insurers require for transmitting sensitive information.

Other emerging risks identified in the SwissRe report include:

  • Legal and pricing risks of the sharing economy
  • Mass migration
  • Precision medicine
  • Biomechanitronic organs and prosthetic limbs
  • Bitcoin
  • Ocean pollution from microplastics 

Cyber insurance benefits from security officer input

Information security officers and risk managers can work together to select and customize cyber insurance policies.

Cybersecurity insurance, once under the exclusive jurisdiction of risk managers, is becoming an increasingly collaborative experience for both risk and information security officers.

According to a recent report, the purchase of cybersecurity insurance is not only increasing – up 27 percent in the U.S. in 2015 – but the economic damage of a successful cyberbreach is also going up. Previously, traditional insurance policies may have included some coverage of cyber incidents, but now most insurers will require specific cyber insurance policies to cover these vulnerabilities, TechTarget reported.

Industry experts speaking with TechTarget noted that early cyber insurance policies were often very broad. Today, though, cyber insurance offers a range of nuanced coverage, which may include financial protections for data breaches, ransomware attacks, forensic teams, notification expenses and other liability costs. Companies with specific risks, such as loss of valuable intellectual property, may also wish to customize their policies further. This is why information technology officers are becoming increasingly involved in selecting an organization's cyber insurance coverage.

Customizing a cyber insurance policy
As Security InfoWatch reported, the involvement of security officers is especially important as businesses navigate the many different policies and price points that are available to them. The number of companies purchasing cyber insurance increased approximately 250 percent between 2013 and 2015, the news website noted, but collaboration with cybersecurity professionals isn't increasing at the same rate.

Working with a security officer affords another advantage as well: It can help to lower the cost of the insurance the organization selects. Security InfoWatch found that many insurers offer lower rates to organizations that take active steps to reduce their risks. One way to do this is to have a cybersecurity program in place before purchasing insurance. This may include employee training on best practices, a breach response plan and internal and third-party audits of corporate networks, cloud providers or other services that access sensitive information. Organizations should also ensure all third-party vendors are complying with internal cybersecurity procedures during their interactions with networks or networked devices.

"Working with a security officer can ensure compliance with the insurer's cyberrisk mitigation requirements."

Reviews by security professionals may be especially important as the cyber risks covered by insurers evolve. According to New York Law Journal, some insurers may offer "stand-alone" policies adapted for the organization's specific needs, while others offer cyber-related provisions attached to other more general policies. Therefore, it is very important for an organization to understand the coverage provided by the specific policy it is purchasing, as well as the liabilities it must assume. 

For example, if companies fail to follow the requirements laid out in their policy – such as not properly securing their servers or training employees on mitigating cyber risks – they may nullify their insurance coverage. Information security officers should be able to review the insurance policy and ensure all required actions are completed.

Additionally, organizations need to ensure they have purchased adequate coverage for their risks. As the Journal noted, following the notable breach of Anthem in 2014, the company exhausted its cyber insurance coverage through credit reports and notifications for affected customers alone. An information security officer will be able to help risk managers access the appropriate level of coverage for the organization.


Indiana raises cap on malpractice damages

Several states have seen changes to their medical malpractice damages caps.

An Indiana House of Representatives committee recently approved raising the state's medical malpractice compensation cap for the first time since 1999.

In a vote of 11-1, the House Judiciary Committee increased the maximum amount victims of malpractice could receive from $400,000 to $1.65 million. Under the new legislation, the cap would then increase every four years until 2031 in order to keep up with inflation. After that the final cap would be set at $2.25 million.

The bill will have to pass full House approval before moving on for Senate consideration. As Insurance Journal reported, a similar bill was previously killed in the Senate.

Speaking with the Journal, Republican Sen. Brent Steele said the bill was designed to be a compromise between protecting patients from injuries and fatalities caused by medical misconduct and physicians who were worried about rapid increases in malpractice insurance costs.

"My goal is that we address those in a periodic increase because we the Legislature don't do a very good job with keeping pace with the cost of living," Steele explained.

The possibility of an increased cap has attracted the ire of some of the state's medical associations, which say it would force doctors to absorb the cost of more expensive malpractice insurance premiums, especially if the cap continues to increase until 2031.

Speaking with Insurance Journal, Mary Abernathy, executive director of Medical Education at St. Vincent Indianapolis Hospital, said the increased cap may also deter students from choosing to study medicine or stay in Indiana once they complete their studies.

Malpractice caps challenged and defended
Meanwhile, recent court challenges of medical malpractice caps have been largely unsuccessful. In October 2015, the Nevada Supreme Court, in a unanimous decision, overturned a lower court's determination that the state's $350,000 cap on non-economic damages was unconstitutional. The cap was authorized by Nevada voters in 2004 as part of a reform ballot initiative called "Keep Our Doctors in Nevada." Along with the cap, the legislation placed a limit on contingency fees attorneys could charge victims of medical malpractice.

In May 2015, Missouri Gov. Jay Nixon also signed a medical malpractice damage cap into law, even though the state's Supreme Court had struck down similar limits as unconstitutional three years prior. The law capped most medical personal injury damages at $400,000, though other economic losses, such as medical costs resulting from the injury and lost wages, would be exempted from the cap. The bill also allowed for "catastrophic" cases, such as paralysis, loss of vision and brain injury. The cap for these damages would be $700,000. For wrongful death cases, damages were set at $350,000 to $700,000. The measure was passed with bipartisan support.

However, other states, such as Florida, have seen judges rule against existing malpractice damage caps. In July 2015, a Florida appeals court ruled the law's limits on pain and suffering damages were unconstitutional in personal-injury cases. In 2014, the Florida Supreme Court also rejected limits on non-economic damages in wrongful-death cases.


Survey finds cyberinsurance will grow in 2016

More businesses will be purchasing cyber insurance in 2016 than ever before, a new study finds.

More organizations are expected to incorporate cybersecurity insurance into their risk management portfolios in 2016, a new study finds.

According to the 2016 Global State of Information Security Survey from PricewaterhouseCoopers, more businesses are expected to seek out cybersecurity policies in the coming year as more insurance companies will begin offering the coverage. Speaking with CIO Dive, David Burg, a global and U.S. cybersecurity expert with PwC, said cybersecurity insurance is one of the fastest-growing sectors in the industry.

"In part, this is because businesses understand that they can't stop increasingly frequent and sophisticated cyberattacks, so they are purchasing insurance as a way to help mitigate the financial impact," Burg explained. "Many see cybersecurity insurance as a new tool to help manage corporate risks."

The PwC survey found instances of threats to cybersecurity increased 38 percent in 2015 over the previous year. Additionally, the theft of intellectual property via cyberattack increased by 56 percent. However, total financial losses due to cyberattack were down 5 percent from 2014, likely due to increased investment in cybersecurity. The survey found respondents increased their cybersecurity spending by an average of 24 percent.

The growth of cyberinsurance
Organizations implemented a variety of strategic initiatives in response to cyberthreats, the PwC survey found. The vast majority, 91 percent, used a risk-based security framework, while 69 percent used cloud-based cybersecurity and 59 percent utilized cybersecurity insurance.

The number of global respondents purchasing cyberinsurance was up 45 percent from two years ago. In the U.S., the market is even more mature, with 63 percent of American respondents saying they had purchased cyberinsurance for their business.

The survey found businesses are also taking advantage of preventative measures when it comes to reducing cyber vulnerability. More than half initiated employee training and awareness programs and had security standards in place for working with third parties.

Meanwhile, the National Association of Insurance Commissioners' Cybersecurity Task Force is working on a standard for data security and the investigation and notification of a breach of data security for insurance companies.

"Businesses should customize their cyberinsurance policies to their own threat assessments."

As Lexology reported, the model would implement guidelines for the insurer's clients to follow, including creating comprehensive written information security programs to protect personal data and designating employees in charge of risk assessment, including identifying threats and implementing safeguards to control these threats.

While the standard may serve as a good baseline for insurers, Burg cautioned businesses should be sure to customize their cyberinsurance policies to their individual needs and risk factors.

"A challenge for many businesses is the fact that there's no one-size-fits-all recommendation for buying cybersecurity insurance," Burg told CIO Dive. "The right policy will vary by company size, industry sector, type of data stored, maturity of security controls and individual risk tolerance."

Burg also cautioned it's important for businesses to realize cyberinsurance does not negate the need to follow best practices and incorporate awareness of cyber threats into the company culture. While insurance can help to mitigate financial loss, damage to a business' reputation following a cyberattack can be even more harmful than the attack itself.


Ransomware incidents may increase following high-profile attack

Ransomware attacks amass an estimated $1 billion in hostage fees per year.

A little-known method of cybercrime called "ransomware" may become more common after hackers managed to successfully extort $17,000 in bitcoins from a California hospital.

Ransomware refers to any malicious software used to infect a machine or network and encrypt its data. The data is then held hostage until its owner pays a fee to the cyberattacker, usually in bitcoins, before the data is deleted or leaked. Hollywood Presbyterian Medical Center announced it had paid thousands in the difficult-to-track currency after hospital staff were locked out of patient medical records and other systems for almost a week.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," the hospital's CEO Allen Stefanek said in a statement. "In the best interest of restoring normal operations, we did this."

Stefanek added patient care was not compromised by the attack and there is no evidence that personal data of any employees or patients was leaked.

Prevalence of ransomware attacks
While ransomware might be a term few have heard, the cybercrime is more common than many realize. According to The Hill, ransomware attacks amass an estimated $1 billion in hostage fees per year. The news outlet noted that number might actually be much higher, as many victims will pay the demand without reporting the crime. In fact, officials from the FBI's Cyber and Counterintelligence Program often advise victims to pay up, especially for sensitive data such as medical records.

In most cases, The Hill reported, hackers restore data as promised after receiving the demanded fee. However, estimates on the number of victims who pay vary widely, the news outlet found. A U.S. Department of Justice report on one particular ransomware virus found only 1.3 percent of its victims paid, while a more general study from the United Kingdom found 40 percent of all ransomware victims pay hacker fees.

Preventing attack
According to Business Insurance, cyberexperts are predicting an increase in the use of malware to seize data and charge for its return, as hackers will likely be encouraged by the lucrative fee extorted in the hospital attack. However, several cybersecurity best practices can help organizations to reduce their vulnerability to ransomware.

For one, frequent and routine backups of data can weaken a hacker's ability to fully restrict an organization's access to its own information. Additionally, isolating as many components in the network as possible can make it more difficult to gain entry into the entire system. Cyberinsurance coverage with built-in ransom policies can also make it easier for organizations to cover losses if paying a fee is necessary to protect sensitive data.

Employee education can also be helpful in preventing a ransomware attack. As International Business Times reported, the malware used for these cybercrimes typically enters a network after being unwittingly downloaded by an employee, often through email attachments disguised as legitimate files. Training staff to recognize potential cyberhazards can work to decrease the organization's risk level.


Large insurer reports losses, calls for ACA reform

Large insurance companies are continuing to show losses on ACA plans.

Another large health insurance provider is reporting losses from plans offered on the Affordable Care Act's public health insurance exchange and spelling out concerns for the future of the public exchange.

Aetna Inc. announced the plans it offers through the ACA Marketplace remained unprofitable in 2015. Although profits on ACA plans improved as the year progressed, the company still reported losses of 3 to 4 percentage points, according to Business Insurance.

Despite the financial setback of marketplace plans, the insurer reported a 38.3 percent net income increase in the fourth quarter of 2015 over the year before. The company's revenue also increased by 1.9 percent last year.

However, overall losses suffered on the ACA were down from the previous year for the insurer. As reported by Business Insurance, Aetna Executive Vice President Shawn M. Guertin attributed the improved performance to higher rates, the promotion of medical cost initiatives and risk adjustment. However, CEO Mark T. Bertolini added that the company maintains reservations about the long-term health of ACA plans.

"Aetna's CEO said the company maintains reservations about the long-term health of ACA plans."

"We continue to have serious concerns about the sustainability of the public exchanges," Bertolini said in a call to investors. "We remain concerned about the overall stability of the risk pool."

Speaking with Bloomberg, Guertin added that even though Aetna's ACA performance is improving, that shouldn't distract from the need for changes in the marketplace.

"I don't want that to get lost in this discussion," Guertin said. "We do need things in the long haul to be done to make this a stable risk pool and one that can provide affordable coverage to people over time."

Additional losses reported
As Nasdaq reported, Aetna's announcement is one of many in recent weeks from insurers reporting ACA plans had a negative impact on their 2015 earnings. Anthem Inc. announced enrollment fell below expectations, though it was able to break even for the year. Blue Cross Blue Shield of North Carolina also reported a net loss of $400 million for its first two years on the ACA exchange. The company responded by eliminating sales commissions for its agents and suspending advertising of Obamacare plans.

UnitedHealth Group Inc. announced it suffered around $475 million in losses on its ACA plans and deepened its projected losses for 2016. Its latest projections call for $1 billion in losses on Obamacare plans, and the company has suggested it may withdraw from the marketplace in 2017.

According to Forbes contributor Chris Conover, larger insurers such as Blue Cross Blue Shield and Aetna will be better able to sustain financial setbacks on ACA plans as the marketplace adjusts. However, it will be more difficult for smaller insurers to continue offering these plans under current ACA policies.

As Conover noted, the Obama administration has already implemented a few changes in response to insurer complaints, including eliminating six special circumstances under which consumers could sign up for health coverage outside of the standard open enrollment period. However, many insurers, including Aetna, have vocalized the desire for additional reform.

That said, Aetna also announced it was satisfied with its overall performance for 2015. In previous statements earlier in the year, Bertolini cautioned it is too early to give up on the ACA exchanges. 

Finance industry faces increased cyberrisk

The finance sector is targeted for cyberattack 300 times more frequently than any other industry.

Europe's largest lender, HSBC Holdings P.L.C., was forced to suspend services on Friday, Jan. 29, following a cyberattack.

While normal operations were interrupted by a denial of service attack, the company said it was able to successfully defend its systems and customer transactions were not affected.

As Business Insurance reported, this is the second time in the same month the lender has faced service interruption, though the company confirmed the first incident was not related to cyberattack. However, both events are part of a series of recent technological failures for the British financial industry that have prompted lawmakers to call for increased investment in cyber infrastructure and security.

As Forbes contributor Steve Morgan noted, American financial institutions have also stepped up their efforts to combat cyberterrorism. Bank of America Corp. CEO Brian Moynihan stated his company spent $400 million on cybersecurity in 2015. Additionally, Moynihan noted cybersecurity was the only section of the company's budget that was not subject to financial restraint.

The need for cybersecurity in the finance industry
According to some industry experts, this increased investment in minimizing cyberrisk can't come soon enough. A report from software security firm Websense found the financial industry is targeted by cybercriminals 300 times more frequently than any other industry.

"Increasingly, cybersecurity is a primary focus for businesses of all sizes in every industry, but no more so than for the financial services sector," the Websense report found. "Today, financial leaders and authorities are acutely aware of the financial sector's status and vulnerability as a major target of cyber-attacks. No less than 80 percent of leaders in the banking and financial services sector cite cyberrisks as a top concern."

The report noted that in addition to straight monetary loss that a financial institution can incur from service disruption or theft due to a successful data breach, additional long-term damage to the company and its consumers could be incalculable. Loss of consumer confidence and reputation damage can lead to reduced profitability for the lender, and higher debt levels and currency devaluations could have cascading economic impact, the report found.

As Lexology reported, the financial industry saw increased attention from regulatory enforcement and legislative actions in 2015, and that trend is expected to continue through 2016. The U.S. Securities and Exchange Commission established that it could bring enforcement actions against financial institutions that fail to meet certain cybersecurity standards, and the New York Department of Financial Services and the Financial Industry Regulatory Authority both issued reports containing recommended best practices for mitigating cyberrisk within the sector.

From this activity, key trends for cyberprotection of financial services emerged, Lexology noted. These recommendations include identifying potential risk, working with senior management to create cybersecurity frameworks and creating training programs for employees across all departments in order to minimize cyberthreats. Additionally, both the NYDFS and FINRA stressed the need to routinely review internal cybersecurity procedures as well as any purchased cyberinsurance.

FDA issues guidelines for medical device cybersecurity

Medical devices with wireless network access may be points of vulnerability for health care institutions.

The U.S. Food and Drug Administration is placing additional pressures on medical device manufacturers to address cybersecurity concerns.

The FDA has issued a draft with recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices currently on the market. The draft is designed to address the evolving nature of cybersecurity threats by encouraging manufacturers to consider these risks not only at the design phase, but as ongoing maintenance to the products.

"Manufacturers should consider addressing cyberrisks as ongoing maintenance of the products."

"All medical devices that use software and are connected to hospital and health care organizations' networks have vulnerabilities – some we can proactively protect against, while others require vigilant monitoring and timely remediation," said Suzanne Schwartz, acting director of Emergency Preparedness/Operations and Medical Countermeasures, in a statement.

As Threatpost noted, the core of the FDA's recommendations involves the sharing and dissemination of cybersecurity information and intelligence. The draft urged manufacturers to be aware of the vulnerabilities of their products and design efficient communication policies and procedures that could address risks prior to exploitation, or at least early in the process. The draft also calls for routine updates to a device's cybersecurity systems.

While the FDA will not require notification or review for regular cybersecurity upgrades or maintenance procedures, the draft does state any threat that could compromise "the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death" would require device manufacturers to notify the agency.

As Reuters noted, the FDA draft is not legally binding, but is designed to serve as a guideline for manufacturers before serious harm occurs.

The cyberrisk of medical devices
As CBS New York reported, cybersecurity experts have cautioned that health care institutions are also vulnerable to cyberattack through wireless medical devices. As the news outlet reported, devices such as IV pumps are often connected to secured hospital servers, but require no username or password to use, creating a vulnerable point of intrusion for the network.

According to a report from HealthCare IT News, the biggest draw to medical devices for hackers and other cybercriminals is electronic protected health information.

"In the last two years, healthcare providers and insurers have been hit by some of the most severe network intrusions ever observed, exposing millions of patient records and costing victim organizations tens of millions of dollars," Dan McWhorter, vice president of global threat intelligence and strategy at FireEye cybersecurity firm, told the news outlet.

Government-affiliated cyberterrorists also frequently target the health care industry, McWhorter noted. The increased use of Internet-connected medical devices, which often provide life-saving services, creates unique vulnerability as data-sharing between secure servers and remotely connected devices can create potential openings for exploitation.

The FDA's increased focus on the cyberrisk of medical devices follows the Obama administration's executive order on improving critical infrastructure cybersecurity issued in February 2013. The FDA cybersecurity draft will be open for public comment for 90 days.


Experts argue over effect of Rubio’s provision on the ACA

While Marco Rubio's presidential campaign claims his spending provision has killed Obamacare, some experts say this claim is overinflated.

A health care provision spearheaded by Republican senator and presidential candidate Marco Rubio may have dealt a significant blow to the Patient Protection and Affordable Care Act. On the other hand, some media outlets and industry experts are cautioning such claims are merely overstated political fodder for campaign season. 

According to a Tweet published by Rubio's campaign, the senator was able to "kill Obamacare" through a health care provision he pushed into a 1,603-page spending bill in December 2014. The New York Times reported the provision has "tangled up the Obama administration, sent tremors through health insurance markets and rattled confidence in the durability of President Obama's signature health law." 

At issue is Rubio's effort to dismantle the Affordable Care Act's risk corridor provision, which is designed to provide federal compensation for health insurers and stabilize insurance premiums during the initial years of the ACA. As Obamacare requires insurers to sell policies without screening for pre-existing conditions, the risk corridor would help to offset losses if insurers set premiums too low and paid out too much in medical coverage due to a high volume of unhealthy policyholders.

As The New York Times reported, Rubio attacked risk corridors as "a taxpayer-funded bailout for insurance companies," and through his spending provision was able to cut funding sources for the measure. As a result, insurance companies will only receive 13 percent of the compensation they were expecting in this fiscal year.

Without risk corridors, insurers are likely to raise their premiums or withdraw from the public exchange markets, hurting consumers and undermining confidence in the ACA, the Times reported. Meanwhile, Rubio's campaign claimed reduced funding for the provision saved taxpayers $2.5 billion.

Things are complicated, but not dire
However, in a column for The Los Angeles Times, economic reporter Michael Hiltzik called both Rubio's and the Times' claims "a little overheated, wholly misleading and spectacularly cynical."

For one, the risk corridor provision is funded by the U.S. Department of Health and Human Services through charges on premiums that exceeded claimed costs, not taxpayer money. The provision effectively created a system of checks and balances designed to compensate insurers while also discouraging racketeering and protecting consumers in the process, Hiltzik argued.

What Rubio's provision did do was prevent the HHS from funding the risk corridor through any other revenue streams – meaning if insurers needed to recover more than the profitable plans can cover, as was the case for the last fiscal year, the government may have a hard time coming up with the difference.

But while that prospect is more difficult, it's not impossible. As Nicholas Bagley, an assistant professor of law at the University of Michigan Law School, noted, the HHS has already announced its intent to cover the risk corridor in full. Furthermore, if the HHS is unable to come up with the funds, insurers could sue the government for failing to meet the promise of the risk provision and possibly force Congress to repeal Rubio's provision.  

"Marco Rubio hasn't killed Obamacare and he hasn't saved taxpayers any money," Bagley wrote. "All he's done is throw a wrench in the works."