Kidnap & Ransom

Covering a Dangerous Risk

Demand is growing for kidnap, ransom and extortion insurance, with a specific need for real-time security intelligence around the world.
By: | December 14, 2016 • 5 min read

Two people are kidnapped and held for ransom somewhere in the world every hour, according to some estimates, and approximately $1.5 billion in ransom is paid to kidnappers every year.

Advertisement




Kidnap and extortion is on the rise across the globe, and demand for KRE (kidnapping, ransom and extortion) coverage is growing. Insurers are offering more comprehensive policies to meet the risk.

KRE insurance typically covers all risks related to kidnapping events. Most policies offer reimbursement for things like ransom and extortion payments, independent security consultants, crisis management, public relations campaigns, and accidental death and dismemberment.

These policies can also reach well beyond the event itself to include rehabilitation services, psychiatric care, salary replacement and relocation.

A typical cap on KRE policies is $1 million per occurrence. Due to the low claim rates, theses policies also offer cost-effective premiums relative to the risk they cover and the value they provide.

A March 2016 report by Arthur J. Gallagher & Co. said premiums range from $600 per million for companies with limited exposure to up to $3,000 per million for high-risk exposure.

Despite the growth in the KRE market, it’s hard to obtain accurate data on kidnappings and ransoms paid because many go unreported, said Christopher Arehart, senior vice president at Chubb. Organizations are unlikely to publicize the kidnapping of an employee, or even that they have a KRE policy.

While there’s no evidence to prove that having a policy could attract kidnappers or extortionists, it’s something most clients want to keep private.

“It’s a quiet product that is often sold discreetly and they hope they never have to use it. The last thing they want to do is let everyone know something like this has happened,” Arehart said. “But I can say we have seen a steady drumbeat of submissions and interest in our policy.”

A “Network of Expertise”

Dan Burns, president and CEO of specialty risk underwriters Pro Financial Services in Chicago, said customers aren’t just paying to insure the risk, they’re also buying a “network of expertise.”

Clients can often tap their KRE insurer and policy for security and legal advice, employee training and insight into local risks.

Dan Burns, president and CEO, Pro Financial Services

Dan Burns, president and CEO, Pro Financial Services

While a KRE policy can be a literal lifesaver in terms of securing the freedom of an employee, they are infrequently triggered and used more for peace of mind with employees, he said. Increasing publicity about global instability and kidnappings has more companies looking to these policies to establish a relationship with security experts.

“What you’re buying is access to a very experienced global security network that has experience and familiarity in dealing with situations that most clients have and never will encounter,” Burns said.

Arehart said that Chubb offers its KRE policyholders security advice, training and up-to-the-minute risk analysis on more than 100 countries from the Ackerman Group, an organization that specializes in crisis management, executive protection and hostage recoveries.

Paying Ransom is Illegal

“Kidnap and Ransom Insurance: At an Inflection Point,” a 2015 report by Cognizant, said the KRE market will be a $12.4 billion opportunity by 2019. Major insurers include AIG, Travelers, Hiscox and Chubb.

Cognizant noted, however, that insurers are grappling with challenges in underwriting, claims adjudication and loss control.

One issue that falls into a gray legal area is that under U.S. law, it is illegal for organizations or individuals to provide “material support or resources” to terrorists, which could be interpreted to cover ransom payments if a kidnapping is committed by a group the U.S. Department of State considers a terrorist organization.

In June 2015, President Obama said in a statement that the federal government would work closer with families to resolve hostage situations with a dedicated coordinator.

“What you’re buying is access to a very experienced global security network that has experience and familiarity in dealing with situations that most clients have and never will encounter.” — Dan Burns, president and CEO, Pro Financial Services

He reaffirmed that the government would not make ransom payments to terrorist groups, but left the door open for families to proceed without fear of government prosecution.

“In particular, I want to point out that no family of an American hostage has ever been prosecuted for paying ransom for the return of their loved ones. The last thing that we should ever do is add to a family’s pain with threats like that,” said Obama.

Neither the U.S. nor the Canadian government has ever prosecuted individuals or companies for paying ransom.

Brianna Guenther, an attorney at Burnet, Duckworth & Palmer law firm in Calgary, Alberta, said there is no definitive case law on when or if an insurance company can legally reimburse an insured for a ransom payment to a terrorist organization, although arguably there are statutes that could prohibit it.

“Based on past practice, if you end up paying to get someone back, it doesn’t seem likely that they would go after and prosecute you. But they still do have laws that give them the power to,” Guenther said.

The global legal environment isn’t any clearer. Since 2014, the U.N. Security Council has been urging countries to bar the payment of ransoms.

In November 2014, the U.K.’s Counter-Terrorism and Security Act banned the payment of ransoms by insurers. That affects all KRE policies written in the U.K.

Peter James, account executive in the global organizations division at Clements Worldwide, noted that all KRE policies only cover ransom payments on a reimbursement basis.

Evolving Criminal Tactics

KRE policies are also adapting to keep pace with evolving strategies including hoax “virtual kidnappings” and “virtual extortion.”

The Arthur J. Gallagher report identified virtual kidnapping as a “significant trend” that is increasing due to availability of data and the low cost of the crime.

Advertisement




The report said that many KRE policies offer coverage for virtual kidnapping without additional endorsements.

Regardless of how these schemes use technology, Arehart of Chubb said, a KRE policy provides value.

In most cases, risk consultants can evaluate and rule out virtual kidnappings with a proof of life evaluation, he said. A properly constructed KRE policy can also respond to some ransomware events where a criminal demands money or threatens to destroy files.

“A KRE policy can really shine when it’s less about the virus coming into the system and more about the human extortionist using a computer to get information,” Arehart said.

“We’re seeing more companies carry these policies out of a sense of duty or care,” Burns of Pro Financial said. “You need to do right by your employees and having this type of coverage in place is pretty important for them.” &

Craig Guillot is a writer and photographer, based in New Orleans. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

2017 RIMS

Resilience in Face of Cyber

New cyber model platforms will help insurers better manage aggregation risk within their books of business.
By: | April 26, 2017 • 3 min read

As insurers become increasingly concerned about the aggregation of cyber risk exposures in their portfolios, new tools are being developed to help them better assess and manage those exposures.

 One of those tools, a comprehensive cyber risk modeling application for the insurance and reinsurance markets, was announced on April 24 by AIR Worldwide.

Scott Stransky, assistant vice president and principal scientist, AIR Worldwide

Last year at RIMS, AIR announced the release of the industry’s first open source deterministic cyber risk scenario, subsequently releasing a series of scenarios throughout the year, and offering the service to insurers on a consulting basis.

Its latest release, ARC– Analytics of Risk from Cyber — continues that work by offering the modeling platform for license to insurance clients for internal use rather than on a consulting basis. ARC is separate from AIR’s Touchstone platform, allowing for more flexibility in the rapidly changing cyber environment.

ARC allows insurers to get a better picture of their exposures across an entire book of business, with the help of a comprehensive industry exposure database that combines data from multiple public and commercial sources.

The recent attacks on Dyn and Amazon Web Services (AWS) provide perfect examples of how the ARC platform can be used to enhance the industry’s resilience, said Scott Stransky, assistant vice president and principal scientist for AIR Worldwide.

Stransky noted that insurers don’t necessarily have visibility into which of their insureds use Dyn, Amazon Web Services, Rackspace, or other common internet services providers.

In the Dyn and AWS events, there was little insured loss because the downtime fell largely just under policy waiting periods.

But,” said Stransky, “it got our clients thinking, well it happened for a few hours – could it happen for longer? And what does that do to us if it does? … This is really where our model can be very helpful.”

The purpose of having this model is to make the world more resilient … that’s really the goal.”Scott Stransky, assistant vice president and principal scientist, AIR Worldwide

AIR has run the Dyn incident through its model, with the parameters of a single day of downtime impacting the Fortune 1000. Then it did the same with the AWS event.

When we run Fortune 1000 for Dyn for one day, we get a half a billion dollars of loss,” said Stransky. “Taking it one step further – we’ve run the same exercise for AWS for one day, through the Fortune 1000 only, and the losses are about $3 billion.”

So once you expand it out to millions of businesses, the losses would be much higher,” he added.

The ARC platform allows insurers to assess cyber exposures including “silent cyber,” across the spectrum of business, be it D&O, E&O, general liability or property. There are 18 scenarios that can be modeled, with the capability to adjust variables broadly for a better handle on events of varying severity and scope.

Looking ahead, AIR is taking a closer look at what Stransky calls “silent silent cyber,” the complex indirect and difficult to assess or insure potential impacts of any given cyber event.

Stransky cites the 2014 hack of the National Weather Service website as an example. For several days after the hack, no satellite weather imagery was available to be fed into weather models.

Imagine there was a hurricane happening during the time there was no weather service imagery,” he said. “[So] the models wouldn’t have been as accurate; people wouldn’t have had as much advance warning; they wouldn’t have evacuated as quickly or boarded up their homes.”

It’s possible that the losses would be significantly higher in such a scenario, but there would be no way to quantify how much of it could be attributed to the cyber attack and how much was strictly the result of the hurricane itself.

It’s very, very indirect,” said Stransky, citing the recent hack of the Dallas tornado sirens as another example. Not only did the situation jam up the 911 system, potentially exacerbating any number of crisis events, but such a false alarm could lead to increased losses in the future.

The next time if there’s a real tornado, people make think, ‘Oh, its just some hack,’ ” he said. “So if there’s a real tornado, who knows what’s going to happen.”

Modeling for “silent silent cyber” remains elusive. But platforms like ARC are a step in the right direction for ensuring the continued health and strength of the insurance industry in the face of the ever-changing specter of cyber exposure.

Because we have this model, insurers are now able to manage the risks better, to be more resilient against cyber attacks, to really understand their portfolios,” said Stransky. “So when it does happen, they’ll be able to respond, they’ll be able to pay out the claims properly, they’ll be prepared.

The purpose of having this model is to make the world more resilient … that’s really the goal.”

Additional stories from RIMS 2017:

Blockchain Pros and Cons

If barriers to implementation are brought down, blockchain offers potential for financial institutions.

Embrace the Internet of Things

Risk managers can use IoT for data analytics and other risk mitigation needs, but connected devices also offer a multitude of exposures.

Feeling Unprepared to Deal With Risks

Damage to brand and reputation ranked as the top risk concern of risk managers throughout the world.

Reviewing Medical Marijuana Claims

Liberty Mutual appears to be the first carrier to create a workflow process for evaluating medical marijuana expense reimbursement requests.

Cyber Threat Will Get More Difficult

Companies should focus on response, resiliency and recovery when it comes to cyber risks.

RIMS Conference Held in Birthplace of Insurance in US

Carriers continue their vital role of helping insureds mitigate risks and promote safety.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]