Property Risk

Beyond Protected

Research-based engineering and predictive analytics help underwriters take on bigger risks.
December 14, 2016 • 8 min read

Properties designated as Highly Protected Risks (HPRs) can get significantly greater policy limits with a much lower rating structure for their P&C exposures if they continue to keep pace with technology.

Highly Protected Risk properties often are subject to a much lower than normal probability of loss by virtue of low hazard occupancy or property type, superior construction, special fire protection equipment and procedures and management commitment to loss prevention.

It used to be a property could attain HPR status with just state-of-the-art fire sprinkler systems. Risk managers now need to think HPR 2.0, experts say, and expand the concept beyond sprinklers to the risk exposures that develop in tandem with new upgrades.

“The idea that the majority of loss is preventable has been the center of our business model for 180 years,” said Brion Callori, senior vice president of engineering and research at FM Global, one of the first and largest HPR insurers.

“The amazing thing is how well it still works,” he said. “I think this is why it’s gotten more industry interest in the last five to 10 years.”

Brion Callori, senior vice president of engineering and research, FM Global

Underwriters are quantifying and underwriting the exposures that face a single building, a campus, a system, or even a supply chain by using modern tools such as computer models, heat maps and predictive analysis.

Solar panels, clean rooms, data storage and mega warehouses are all examples of property uses adding new hazards. As HPR engineers study those additions, they are also able to design ways to tackle the hazards they create.

Take, for example, automatic storage and retrieval systems used in warehouses, which are built larger today with narrower aisles and higher stacking. The ability to store more inventory becomes more important as space grows increasingly expensive. Research on the most advanced sprinkler technologies available aims to protect products, help reduce losses and minimize business interruptions.

More carriers, armed with research and statistics, have a new perspective on HPRs and are willing to invest in the market. The more “protected” a risk is against specific exposures, the more capacity an underwriter will commit, with broader terms and at a better price.

“As it expands in different industry groups, the HPR engineering and underwriting has been able to expand to follow that and meet the exposure of these different facilities,” said Greg DiPrato, senior vice president of the global property practice at Lockton.

The modern HPR method is based on a system FM Global created nearly two centuries ago to identify ways to reduce losses from fire, explosions or natural disasters at mills. To this day, FM Global engineers continually research how to improve on safety measures such as using more efficient fire suppression, finding the strongest roofing materials or identifying less risky locations.

Liberty Mutual Insurance is another leading HPR insurer with a long history of finding solutions to risk exposures with help from a dedicated team of engineers.

“The definition of highly protected risk has really not changed, not one bit,” said Mike Martin, EVP and general manager of national insurance property at Liberty Mutual. “As we move to a just-in-time, more global economy, that’s where the clients’ exposures have changed in the past 30 years; they are all over the world.”

Research-Based Engineering

The traditional insurance model is an actuarial model, where you look at the losses that happen in an occupancy or an industry class, project forward and say those are the losses you expect in the future, Callori said.

HPR designation for FM Global goes along with what’s called research-based engineering aimed at preventing loss. It’s tough to justify the return on investment for becoming HPR based only on reduced pricing or increased capacity in today’s marketplace.

“We want to learn from the losses that happened in the past and figure out how to prevent them from happening in the future,” said Callori. “Our clients can take control of their own destiny going forward, and the way we do that is through the engineering.”

“The buyers look for someone that can really add the value to the partnership and help them manage their total cost of risk, not only just the physical loss but also the business continuity,” Martin said.

While most new construction in the U.S. today is built to fire code, which usually confers HPR status, it’s what you put into it and what you do with it once it’s finished that can take away an HPR designation. Conversely, the exposures in almost any building can be adapted to attain HPR status, as long as you are willing to invest in the requirements, Lockton’s DiPrato said.

When a warehouse built to store steel is then converted to plastic products containing lithium ion batteries, it may lose its HPR status because the existing shelves and sprinkler system can’t adequately contain a lithium ion or plastic fire.

Adding solar panels atop a building creates a load factor, wind exposure and voltage exposure to firefighters that must be addressed. The HPR engineers will find ways to protect the buildings, DiPrato said.

After engineers identify a building’s hazards and make their recommendations on how to reduce losses, the client often must prioritize the budget to incorporate everything that’s recommended at every location, Callori said.

To help with that, engineers, such as those at FM Global and Liberty Mutual, have developed predictive analytics tools to help clients focus their limited capital for the most effective route to attaining highly protected risk status.

To help clients determine where best to invest, FM Global offers clients four predictive analytics tools: Risk Mark; Locations Predisposed; Relative Likelihood and Equipment Factors. These tools look at a structure, its location, its use and the machinery inside and make recommendations about likely losses and best value for investing in loss mitigation.

A quick review of losses at properties that follow recommended safety improvements compared with those that didn’t shows the HPR buildings had less loss, Callori said. For example, 86 percent of the dollar value for 126 large losses at FM Global locations last year happened at non-HPR facilities.

What’s Next? Cyber and Energy HPR

“As a client develops a facility for their needs, the carrier engineers are brought into the process,” DiPrato said. “Lockton has broker engineers that work as consultants to the client and help in those discussions with the insurance carrier. There’s a lot that goes on to keep everything on an HPR status as technology keeps developing.”

Engineers are beginning to take the HPR approach to new directions, such as confronting alternative energy storage and cyber hazards. Field engineers look at physical security exposures and develop ways to protect against cyber hazards using HPR techniques in new ways.

“Everybody is worried about cyber hackers from another country, yet still the easiest way to get to your servers is for someone to just walk into your building if they are not questioned,” Callori said. “The HPR definition can evolve to hopefully protect [against] cyber hazards.

“We’re working on developing a tool that we think is going to be very valuable for the risk managers to actually understand what their exposures are,” Callori said. “That will be straight from HPR.”

Underwriters are going to start to think about HPR cyber protection in the same way they do about fire, said Michael Korn, a managing principal and leader of the national property practice at Integro Insurance Brokers. What are the data controls that are in place? Do you have really robust encryption? Do you have firewalls? How do you back up your information? What employee controls do you have over information?

Playing in the Primary

The most common HPR programs are structured as single carrier; quota share; and shared and layered, said Korn.

Each insurance company “has a particular appetite for where they like to play in a program,” he said.

Michael Korn, managing principal; leader of the national property practice, Integro Insurance Brokers

“You have to put it together as part of a jigsaw puzzle,” said DiPrato. The way the market is today, with a lot of capacity and a lot of players out there, you can put together a lot of options, he said.

“The better the risk — the more HPR it is — the more underwriters are interested in being on it because the chances of having a loss are so much less,” Korn said. Some insurers have very large amounts of capacity and will do a single carrier deal.

Some larger risks might have 15 carriers, and each one is doing a different piece of the puzzle, Korn said. For example, if a client needs $2 billion worth of capacity, a broker might set up a quota share, where one carrier assumes 30 percent of the program. The broker then builds a tower that goes all the way up to full value with additional quota share players, Korn said.

In a shared and layered program of the same size, a broker can set up a primary layer of $500 million, for example, and add additional layers to reach the needed $2 billion capacity.

The lower in the tower, the more premium the insurer gets because the chance of impact from a loss is much greater. Those insurers that write excess of the primary get less premium because they take on less risk.

“You approach certain insurers with the idea they want to play in the primary,” Korn said.

Other insurers are more capacity players and typically don’t offer engineering services. They “like to play in the excess,” Korn said. They put up capacity rather than engineering services and receive less premium, Korn said.

The value proposition for Liberty “is not just the pure insurance product, but things that aren’t covered such as protecting a client’s market share, helping with revenue streams and also reputational risk,” Martin said. “Our loss prevention solutions support a good risk management team, helping them avoid some of those things.”

Juliann Walsh is a staff writer at Risk & Insurance.

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.”

Antony Ireland is a London-based financial journalist. Dan Reynolds is editor-in-chief of Risk & Insurance.