2018 Power Broker

Finance

A True Captive Adviser

Kathryn Christensen
Senior Consultant
Aon, Los Angeles

Some brokers simply sell products; others also help their clients understand their insurance needs. Kathryn Christensen excels at the latter.

Christensen advised Katie Smart, assistant vice president, risk management, Macerich, on the process of setting up a captive as it involves big capital commitments.

“Kathryn focused on our business and what we were looking for and did not try to fit our business into a captive model,” Smart said.

“The information was very detailed and accurate. She took a complex concept and did a good job at dialing it down to a straightforward one that was very useful for us when we needed to translate it upwards in the company.”

Having access to high-quality information led to a well-made decision. In Macerich’s case, Christensen helped the client determine that the time had not come to take that step after all.

“The changes modified our return on the captive, so in the end we decided not to set it up,” Smart said. “But the analysis and support that Kathryn provided was really instrumental to help us make the right decision.”

The reward, in this case, comes in the form of trust. Smart noted that, some years ago, the company already considered creating a captive but suffered at the hands of its then broker. If the topic comes up again, Christensen will be the go-to person.

Valuing a Hands-On Approach

Carmela Inneo
Managing Director
Marsh, New York

Not all brokers are able to make full use of the services available to the benefit of risk managers. Carmela Inneo is the notable exception.

She is praised by risk managers for her ability to leverage the resources of a large organization and for her willingness to deploy those resources into the service of clients whenever the necessity arises.

“I know that, no matter if it is a small or large issue, I can talk to Carmela, and she will get it done,” said the risk manager of a large reinsurance and insurance company. Inneo helped them set up a D&O and professional insurance program.

“Carmela goes way above and beyond what anyone can expect from a broker,” agreed the vice president of a life insurance firm. “She is a pleasure to work with and she is always available, no matter if it is a weekend or holiday.”

She said that Inneo’s quick action proved vital, for example, when some of the company’s facilities were affected by the hurricanes that hit large swaths of the country.

“During the hurricanes, I received a call from our CEO’s chief of staff asking about our coverages,” the VP recalled.

“It was not exactly in my area of responsibility, but I decided that I should come up with an answer. The first person I contacted was Carmela, and she provided me with ideas and information to deliver an answer to queries from the higher levels of the company.”

Client Is King

Scott Kegler
Family Office Practice Leader
Aon, Philadelphia

Sure, insurance brokers like to say the client is king. But how many act on those words?

Insurance buyers can testify that not all do. Pam Paladino, VP of HR, U.S. Fence Solutions Company, endured some frustrating experiences with brokers before working with Scott Kegler.

“Scott has been a godsend,” she said.

Her company is the kind of company that sometimes does not receive the best treatment from its insurance intermediaries. In Paladino’s words, it’s not a huge firm but it’s a complicated one — with a portfolio of companies with high needs in terms of HR coverages and employee benefits.

But Kegler managed to stand out from the broking crowd by doing the basics.

“He pays attention, which maybe does not sound an incredible thing, but, these days, it surely is. It is great when someone stops and listens to what your needs are,” Paladino said.

By listening, she added, Kegler gained enough knowledge to set up a team of brokers to meet their different needs. In 2017, he and his team helped the firm to consolidate its employee benefits program.

He also negotiated an expansion of the firm’s existing policies in order to make them valid for a recently acquired company that operates in a sector where they did not have previous experience and which included government procurement.

Paladino also praised the way that Kegler educates himself about the business and goes the extra mile to help its development.

Expert on Acquisitions

Ammad Mahmood
Senior Vice President
Aon, Glen Oaks, N.Y.

Ammad Mahmood helped a client tackle the intricacies of evaluating risks and existing coverages of an acquired company.

Ian Fitzgerald is principal and associate general counsel for the client, Ares Management. Fitzgerald said Mahmood was a key player in the optimization of insurance programs and the evaluation of potential liability legacy issues.

“Ammad helped us to go through what the appropriate go-forward policy would be, given all the ramifications of the acquisition and our growth in size. He also enabled us to negotiate the best prices, fitting the new, expanded coverages into the budget of the company,” Fitzgerald said.

For his part, Brian Smith, vice president, corporate insurance, Prudential Financial, stressed how knowledgeable Mahmood is when structuring D&O and E&O programs.

“In the last two renewal cycles, as team lead, Ammad has exceeded our service expectations related to coverage, price and insurer selection,” he said. “He used that knowledge to construct and negotiate manuscript policy terms on D&O and E&O, plus fiduciary and EPLI.”

Also, importantly, Mahmood delivers results in a timely manner — a feature that risk managers in financial companies tend to show a particular degree of appreciation for.

“Ammad is very accommodating when it comes to turning things around, be it market information or even some historical data related to our own company,” Fitzgerald said.

E&O and D&O Master

Shawn Walsh
Senior Vice President
Aon, New York

Asset management is a globalized business where complex, multinational financial structures can provide a decisive advantage for companies in a very competitive environment. It also creates risks for executives who are exposed to different kinds of legislation and sometimes aggressive regulators.

Setting up D&O and E&O coverages in such circumstances is a tricky job, and Shawn Walsh aids his clients in dealing with that challenge.

Such was the case of Neal Wilson, chief operating officer, EJF Capital, who called Walsh to arrange professional coverages related to a new closed-end fund. It was the first time that the company employed this fund structure for one of its investment vehicles.

“We had to think through how the D&O and E&O coverages would be different from our other funds, and Shawn handled that in a quick, impeccable and professional way.”

With Walsh’s help, EJF also revamped its general D&O and E&O programs in 2017, obtaining better coverages and similar rates, even though the company had grown.

Walsh was also praised by the chief risk officer of a U.S.-listed, Bermuda-based reinsurer for supporting the company as it looked for directors’ coverages in the market. He said the company employs a strategy similar to a hedge fund and, as such, presents some particularities regarding its D&O and E&O needs.

“Shawn helped us to find the coverages we needed, and rates and conditions were better than expected,” the CRO said.

Music to Investors’ Ears

Barry Weiner
Managing Director
Aon, Philadelphia

In the world of private equity, any dollar saved by the companies in an investment portfolio matters. Barry Weiner helped one of the titans achieve significant savings by bringing together the cyber insurance programs of several of its companies.

For Thomas Kim, director and global risk manager, KKR, this is how a broker can leverage resources to the benefit of clients.

“Barry was directly responsible for bringing innovative cyber insurance solutions into the company,” he said. “He single-handedly leveraged a team of a dozen Aon experts that ultimately won the business.”

Weiner also implemented cyber risk solutions and other improvements to the risk management program at health care company Avalon, according to CFO Anne Stuart.

“We did not have cyber insurance, even though we are an IT-centric company,” Stuart said. “Barry and his team helped us to look at different kinds of exposure, and we are underwriting the policy right now.”

Other solutions Weiner helped implement at Avalon include a system to monitor and analyze workers’ comp losses and updated insurance accounting procedures to optimize the risk management structure.

With a focus on the private equity market, Weiner claims that efficient insurance programs help not only to improve the company’s bottom line but also to increase its market value, which sounds like music to investors’ ears.

Finalists:

Bryan Pritchet, ARM, CIC
Senior Broker
Aon, Clayton, Mo.

Graig Vicidomino
Associate Director
Crystal & Company, New York

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions.
June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is essential that a culture of collaboration, preparation and practice is embedded from the top down.

One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.”

Antony Ireland is a London-based financial journalist. He can be reached at [email protected].

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].