Insurance, Evaluation, Risks

Jack Lloyd

2008-06-16

The bond insurers MBIA and Ambac are going bankrupt because they wrote insurance for mortgage backed securities which are now failing at rates far higher than they had estimated. This is a pretty common problem with insurance; humans tend to be really bad at estimating or pricing risk.

One thing I did not know about until recently is that the party who pays the ratings companies to determine debt ratings is not the customers (the person buying the debt) but the debt originator. So companies that wanted to sell asset-backed securities (or any other kind of debt) had an incentive to shop around to find the company who would give the highest rating, and the ratings companies (primarily Moody's and S&P) had a race to the bottom, eventually giving AAA ratings (the highest rating, the same given to US Treasury bonds, which are backed by the full credit of the US government (for whatever that is worth)) to CDOs which are, at the moment, worth 20% of their original value.

This scheme sounded very familiar to me! In fact it is exactly the same problem that plagues the FIPS-140 and Common Criteria evaluation processes. In these, the cost is borne by the vendor, when they pay a lab to run the evaluation for them. This is, for them, purely a cost of doing business: it allows them to sell their product to the federal government. Certainly they do not (in my experience, at least), approach it as an opportunity to verify the security of their systems. So the best resolution for them is to find the lab that will do the evaluation fastest and cheapest, and with as little trouble for them. And, just as with debt ratings, the risks are not borne by the originator, but with the consumer (in this case, the federal government).

One big difference here is how the market responds to these risk pricing failures. The share prices of MBIA and Ambac have dropped to 10% and 3% (respectively) from their value just a year ago, and it seems likely they will go completely bankrupt within another year (especially after the fallout from commercial real estate, municipal bonds, and Alt-A loans hits). Similiarly, Moody's share price is 60% of its previous value, since it seems likely they will lose business in the future: why would anyone trust their ratings, when they managed to be so completely and catastrophically wrong (and for so long)? In contrast, the company that gave a Common Criteria EAL4 evaluation (EAL4 is usually considered the 'highest commercially feasible' evaluation level) to Windows 2000, is most likely ticking along just fine. I'm not sure if it would be a good idea, but it certainly would be interesting if evaluation vendors were liable to their customers (the real customers, the purchasers and users of the software) in the event that their evaluation turned out not to mean much.