2222222222

2017 Power Broker

Energy, Traditional

Improving Coverage and Rates

William Barnett
Managing Director
Marsh, Philadelphia

William Barnett was instrumental in several significant positive developments to one client’s insurance program this year, said its global director of risk management. For starters, he was able to engineer an 8 percent premium decrease on a program that was already reduced by 12 percent the prior year.

“As our program premiums are in the multimillions, this was a considerable savings again this year,” the client said.

Significant policy improvements were also achieved, including the implementation of product recall coverage as well as a newly obtained cyber policy.

“Considering the size of our company and the already broad coverage prior to this renewal year, he still delivered these savings and improvements,” the client said.

Advertisement




Another client was in the process of evaluating its business model after a spin-out from a larger company. The company had significant legacy pollution liability risks to be managed, particularly as the company looked to convert some non-core assets to cash.

It is often the case in the energy and process industries that undesirable situations, either financial or physical liabilities, are fobbed off onto a spin-out entity.

To protect the balance sheet and satisfy creditors, Barnett and his team developed a surety bond program to encompass all environmental liabilities. During the process of divesting certain assets, the client developed a portfolio environmental program to cover certain environmental risks. That adaptation in turn made divestitures easier.

Making Spin-Outs Smoother

Bobby Bierley
Senior Vice President
Lockton, Houston

During the course of a complex spin-out for one of Bobby Bierley’s clients, “the decision was made that we needed to switch to occurrence cover for each company,” said the company’s manager of risk and insurance.

The budget was set at $1 million.

Bierley suggested splitting the program in two and having two occurrence-based towers. To cover each company’s historical liability, there was a sunrise endorsement covering all occurrences from 1986 until the present, making this first year of coverage very important.

“We liked that because run-off policies have a limited reporting period,” said the client.

Bierley was able to negotiate this for no additional premium.

Advertisement




In another situation, a client spun off about half of its business and drastically changed the company’s risk profile.

“We faced challenges with our casualty-fronting carrier, which sets the table for the entire excess-liability program,” said the chief risk officer. “Bobby quarterbacked the effort with his London colleagues to broker a brand new market for us.”

He did so while improving the terms, conditions and price. That effort was following up another great effort during the company’s spin-out in 2015 where they converted the GL/XS program to occurrence from claims-made without losing any historical coverage and for minimal price.

A Better Bankruptcy

Michele Cowen
Vice President
Aon, Los Angeles

A client of Michele Cowen’s was going through difficult times, eventually filing Chapter 11. That created significantly higher risk in the D&O and fiduciary coverage lines. Cowen not only renewed the existing program, but put together a “tail policy” for when the company emerges from bankruptcy.

“Even in better times, Michele never ceased to surprise us with excellent results on our executive risk programs,” said the company’s director of insurance and ERM. His wasn’t the only company Cowen helped through tough times.

“We made the difficult decision to file Chapter 11,” said one director of risk management. “Michele was able to pre-negotiate a run-off for the program in place, and get the carriers to commit to an extension even though no one knew at that time the date of the filing.”

Advertisement




It all worked smoothly, and the feedback the client got from outside coverage counsel was that it was the best coverage they had ever seen. The client added that once the smaller company emerged from bankruptcy with an all-new board, Cowen was able to keep all the major incumbent underwriters in the program.

“Until we switched our business to Michele, our D&O program had been managed by another broker for over a dozen years,” said one CFO. “She was able to deliver significant improvements to our endorsements, which was our primary objective.”

In addition, Cowen took a policy “that was already priced in the top quartile relative to our peers and reduced our cost by more than 25 percent.”

Serious About Finding Savings

Paul Finnett
Managing Director
Aon, Houston

Paul Finnett helped one client achieve a $1 million savings in their 2016 renewal during difficult times in the oil and gas industry.

“The renewal was further complicated by significant reductions in insured values, which underwriters were not happy about,” said the director of risk management. “Nevertheless, Paul was able to help obtain coverage enhancements to our program.”

That kind of a home run seems to have been par for the course for Finnett.

“Paul has been a value-driver for us,” said a CFO. “Paul has helped us reduce our brokerage fees and our insurance premiums, both important as we reduce costs in a down market.”

Specifically, the client was able to eliminate a dual system with an administrative broker in Houston, where it is based, and a market broker in London and consolidate with Finnett.

Advertisement




Notably, Finnett helped the client revise its cyber coverage, “becoming the first in our industry to achieve some asset coverage where it has historically been excluded,” said the CFO.

For another client, pollution liability was a serious concern. There were issues with wording in a very gray area in the policy, said the risk and insurance manager.

“Paul was able to get new wording, not just a clarification, but a full amendment at the first layer.”

He then got the rest of the tower to accept the same wording as in the primary layer.

“That sounds like common sense but it was something we didn’t have for eight years,” the client said.

Foresight and Fortitude

Jeremy Gayser, OTA
Senior Vice President
Aon, Houston

The struggles of companies in the energy sector have caused some underwriters to reduce their exposure. Jeremy Gayser saw the writing on the wall and advised one of his clients that the lead carrier on its tower was likely to pull back. In the end, it happened sooner than expected. But fortunately the groundwork had already been laid for securing a new lead.

“The replacement of our international lead required good relationships with a lot of markets and extra effort,” said the company’s director of risk management.

A new lead was secured, at terms favorable to the client. Gayser also negotiated policy form provisions that were important to the client into the lead’s forms.

At the other end of the scale, it can be a steep challenge to secure savings or improvements in terms for clients without precipitating departures.

“This year, our property renewal was quite complicated,” said a director of insurance.

Advertisement




The company went into the renewal with a very aggressive pricing structure. Many of the underwriters pushed back on the pricing originally, but Gayser was able to fight for his client and ended up with premium savings greater than expected.

“His negotiation skills and knowledge of our industry enabled him to produce an excellent outcome for my company,” the director said.

With all the shuffling around, Gayser was also able to land a big new client, with more than $3 billion in project values, by winning a good, old-fashioned request for proposal.

Directing the Pipeline Business

Brian Tanner, CIC
Principal
EPIC, Birmingham, Ala.

Take all the dangers of the oil and gas industry — the hydrocarbons, the extremes of temperature and pressure, the heavy equipment and the constant motion — and put them out in the field many miles from any resources or help, and that is the pipeline business.

“We had a serious, life-threatening injury at a location where we were working,” said the safety manager of one client. “The person eventually had a full recovery, but Brian was instrumental in making sure that a situation that could have been a huge problem for us, even could have cost us a major client, was handled smoothly and without fuss.”

Tanner had experts on site the next day and helped create a comprehensive report. His attention to detail helped establish that it was not, in fact, a workplace injury, the client said.

Advertisement




Another client suffered a different kind of loss, the sudden death of a senior executive. As family, friends and colleagues grappled with the loss, management relied upon Tanner to support other executives through an urgent succession, including a renewal complicated by underwriters reducing exposures in the energy business.

Those declines also imperiled the very existence of another client.

“Brian and his team helped us significantly by working with the carriers on what seemed like a daily basis, helping us work through the cash flow and other issues,” said the CFO.

“That allowed us to remain in business and continue working our contracts,” he said.

Finalists:

Heidi Bauermeister
Managing Director
Marsh, New York

Logan Couch
Vice President
Aon Risk Solutions, Houston

Cara McGrath
Account Manager
Alliant Insurance Services, Boston

Christina Murphy
Vice President
Marsh, Houston

David Robinson
Managing Director
Aon Risk Solutions, Houston

More from Risk & Insurance

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
By: | June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

Advertisement




In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Advertisement




Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

“Collaboration is key — you have to take silos down and work in a cross-functional manner.” — Jason J. Hogg, CEO, Aon Cyber Solutions

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

Advertisement




How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

Advertisement




One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.” &

Antony Ireland is a London-based financial journalist. He can be reached at [email protected] Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]