Cyber Risk

Keep the Dialogue Open

As cyber threats become more sophisticated, risk managers must understand and assess evolving exposures.
By: | August 3, 2016 • 7 min read

A shut-down, or even a partial disruption, is the stuff of nightmares for risk managers and C-suites. Business interruption (BI) and contingent business interruption (CBI) policies can help organizations weather those kind of crises, but the coverage is complex, and has only become more so since cyber exposures came to the fore.

Advertisement




In order to help minimize BI and CBI losses, risk managers must establish and maintain an open dialogue with C-suite executives on a continuous basis.

Open communication will give companies the agility to respond quickly if a business is shut down or production is halted by a cyber attack, determine the best way to assess income loss, and also to protect the company’s reputation.

Prior to a loss, that open dialogue will also help everyone reach a consensus about coverage needs and whether sufficient limits are in place.

Traditional property and BI policies will typically insure against a physical loss or damage to property, however many exclude cyber attacks, even if the cyber attack causes property damage.

As cyber threats become more sophisticated, risk managers and their companies need to better understand and assess these evolving exposures, and to devise an appropriate mitigation strategy and emergency response plan.

Understanding and Measuring the Claim

Al Gier, director of global risk management and insurance at General Motors, said that BI and CBI are often the most complex form of property losses when trying to quantify the actual loss.

“They require a significant marshaling of the risk management, supply chain, finance, marketing, purchasing and distribution functions, in order to support the claim,” he said. “Added to that is the work that people are already doing behind the scenes to bring their company back on line.”

He added that one way of assessing loss is by using pre-loss production schedules, sales and growth projections, and budgets.

Rick Roberts, president and director of risk management and employee benefits, Ensign-Bickford Industries

Rick Roberts, president and director of risk management and employee benefits, Ensign-Bickford Industries

Rick Roberts, president and director of risk management and employee benefits for Ensign-Bickford Industries and immediate past president of RIMS, said there is often a sizeable difference between a company’s loss estimate and the actual loss.

“There are two approaches to BI claims — the first is a top-down approach and the second is bottom-up,” he said.

“I prefer the bottom-up approach that measures lost income plus any continuing expenses as it’s easier to understand.”

Dan Holden, manager of corporate risk and insurance for Daimler Trucks North America, said that risk managers need to explain to the C-suite how BI or CBI coverage would be triggered, what it would cover and for how long.

That allows management to focus on potential events in order to mitigate against any revenue interruption, he said.

Robert Reeves, partner at EY’s Fraud Investigation and Dispute Services (FIDS) practice, said that should a loss occur, risk managers need to help senior management understand the claim, as well as the claims process and the potential range of the claim.

“[BI and CBI] require a significant marshaling of the risk management, supply chain, finance, marketing, purchasing and distribution functions, in order to support the claim.” — Al Gier, director of global risk management and insurance, General Motors

He added that when assessing a loss, it’s also important to take into account both sales and production.

“Sales is really focused on demand and production is focused on capacity,” he said. “So no matter what industry you are in, you have to look at both factors.”

Selecting the Right Policy

Advertisement




Dave Finnis, executive vice president and national property practice leader at Willis Towers Watson, said that most property insurance policies won’t provide coverage as standard in the event of a cyber attack unless there was evidence of physical damage.

“I am seeing a lot more instances where these kinds of occurrences are becoming a reality,” he said. “In the last year, a German power plant had a cyber attack and suffered physical damage when the hackers accessed one of their furnaces, but fortunately they were covered under their property policy.”

Reeves said that it is important to read the policy’s wording first as most cyber insurance will provide coverage for a BI claim, but won’t necessarily cover a CBI claim.

Josh Gold, a cyber insurance attorney at Anderson Kill’s New York office, said that BI or CBI coverage should provide for loss of business income at a minimum, covering both lost profits and continuing expenses.

He added that it was important to build in coverage for extra expenses, such as the cost of using other facilities while your operations are down, bringing consultants in, or moving your system to a new cloud platform.

Doug Backes, FM Global’s claims manager, said that it is also important to match the coverage to the loss.

“From our perspective, we have always approached data as property and it needs to be covered as such,” he said. “Whether data is damaged in a fire or as a result of a cyber attack, there needs to be cover for that.”

Impact on Reputation

Reeves said that an often-overlooked impact of a BI or CBI claim is on a company’s reputation with its customers, employees and shareholders.

“Once the physical loss has gone away, then you have got to make sure that you manage your reputation,” he said. “So you need to let your customers know what is happening, how long you are going to be down and what your mitigation strategy is.”

Al Gier, director of global risk management and insurance, General Motors

Al Gier, director of global risk management and insurance, General Motors

Citing the example of Target’s major data breach, which has cost the company $300 million to date, Gold said that the impact of a cyber attack often runs much deeper than the initial loss, and it can damage reputation in terms of customer privacy and payment details.

“From a loss mitigation 101 standpoint, you wouldn’t want to exacerbate the problem by being less than candid about what is going on,” he said.

“Of course, a lot of risk mitigation can be done before a breach occurs, to ensure that you have the appropriate plan and insurance policy in place.”

Gier said that the impact of a BI or CBI loss on a business’ reputation depended largely on the cause of the loss, as well as the company’s response time.

“Companies can do a lot to minimize the risk of BI or CBI losses on their reputation by maintaining ultimate sources of supply, keeping extra inventory and having a thorough understanding of the financial impact of BI in protecting the most valuable parts of the business,” he said.

Working in Partnership

Reeves said that risk managers need to explain to senior managers how their BI and CBI policies work and to identify key areas that need to be written into the coverage based on previous claims experience.

“The C-suite needs to make sure that those resources are available and the risk manager needs to make sure that everyone has realistic expectations about the time frame for the claims process.” — Jill Dalton, managing director, Aon Global Risk Consulting

He added that it was also important to help them understand the interdependencies between the different parts of their business in the supply chain.

Jill Dalton, managing director, Aon Global Risk Consulting

Jill Dalton, managing director, Aon Global Risk Consulting

“We had a client with a very small site in the south that got hit by a tornado,” he said.

Initially they thought it wouldn’t have much of a financial impact, but they soon realized that it was the only plant that produced a small component used in all of their products.

“They dodged a real bullet, because fortunately they were able to get alternative sourcing, otherwise they would have been facing a $1 billion loss,” Reeves said.

Jill Dalton, managing director of Aon Global Risk Consulting, said that C-suites and risk managers need to work in unison.

“The C-suite needs to make sure that those resources are available and the risk manager needs to make sure that everyone has realistic expectations about the time frame for the claims process,” she said.

Carlos Moran, director of claims at Aon Global Risk Consulting, added that businesses need to develop a contingency plan in order to maintain critical operations in the event of a loss.

Advertisement




“Risk managers have a very difficult job,” FM Global’s Backes said. “Sometimes it’s very difficult for them at times to get the attention and buy-in from the C-suite.

“But when they can do that successfully, they can build out greater resiliency and redundancy into the company’s practices and procedures.” &

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at riskletters@lrp.com.

More from Risk & Insurance

More from Risk & Insurance

High Net Worth

High Net Worth Clients Live in CAT Zones. Here’s What Their Resiliency Plan Should Include

Having a resiliency plan and practicing it can make all the difference in a disaster.
By: | September 14, 2018 • 7 min read

Packed with state-of-the-art electronics, priceless collections and high-end furnishings, and situated in scenic, often remote locations, the dwellings of high net worth individuals and families pose particular challenges when it comes to disaster resiliency. But help is on the way.

Advertisement




Armed with loss data, innovative new programs, technological advances, and a growing army of niche service-providers aimed at addressing an astonishingly diverse set of risks, insurers are increasingly determined to not just insure against their high net worth clients’ losses, but to prevent them.

Insurers have long been proactive in risk mitigation, but increasingly, after the recent surge in wildfire and storm losses, insureds are now, too.

“Before, insurance was considered the only step in risk management. Now, our client families realize it is one of the many imperative steps in an effective risk management strategy,” said Laura Sherman, founding partner at Baldwin Krystyn Sherman Partners.

And especially in the high net worth space, preventing that loss is vastly preferable to a payout, for insurers and insureds alike.

“If insurers can preserve even one house that’s 10 or 20 or 40 million dollars … whatever they have spent in a year is money well spent. Plus they’ve saved this important asset for the client,” said Bruce Gendelman, chairman and founder Bruce Gendelman Insurance Services.

High Net Worth Vulnerabilities

Laura Sherman, founding partner, Baldwin Krystyn Sherman Partners

As the number and size of luxury homes built in vulnerable areas has increased, so has the frequency and magnitude of extreme weather events, including hurricanes, harsh cold and winter storms, and wildfires.

“There is a growing desire to inhabit this riskier terrain,” said Jason Metzger, SVP Risk Management, PURE group of insurance companies. “In the western states alone, a little over a million homes are highly vulnerable to wildfires because of their proximity to forests that are fuller of fuel than they have been in years past.”

Such homes are often filled with expensive artwork and collections, from fine wine to rare books to couture to automobiles, each presenting unique challenges. The homes themselves present other vulnerabilities.

“Larger, more sophisticated homes are bristling with more technology than ever,” said Stephen Poux, SVP and head of Risk Management Services and Loss Prevention for AIG’s Private Client Group.

“A lightning strike can trash every electronic in the home.”

Niche Service Providers

A variety of niche service providers are stepping forward to help.

Secure facilities provide hurricane-proof, wildfire-proof off-site storage for artwork, antiques, and all manner of collectibles for seasonal or rotating storage, as well as ahead of impending disasters.

Other companies help manage such collections — a substantial challenge anytime, but especially during a crisis.

“Knowing where it is, is a huge part of mitigating the risk,” said Eric Kahan, founder of Collector Systems, a cloud-based collection management company that allows collectors to monitor their collections during loans to museums, transit between homes, or evacuation to secure storage.

“Before, insurance was considered the only step in risk management. Now, our client families realize it is one of the many imperative steps in an effective risk management strategy.” — Laura Sherman, founding partner, Baldwin Krystyn Sherman Partners

Insurers also employ specialists in-house. AIG employs four art curators who advise clients on how to protect and preserve their art collections.

Perhaps the best known and most striking example of this kind of direct insurer involvement are the fire teams insurers retain or employ to monitor fires and even spray retardant or water on threatened properties.

High-Level Service for High Net Worth

All high net worth carriers have programs that leverage expertise, loss data, and relationships with vendors to help clients avoid and recover from losses, employing the highest levels of customer service to accomplish this as unobtrusively as possible.

“What allows you to do your job best is when you develop that relationship with a client, where it’s the same people that are interacting with them on every front for their risk management,” said Steve Bitterman, chief risk services officer for Vault Insurance.

Site visits are an essential first step, allowing insurers to assess risks, make recommendations to reduce them, and establish plans in the event of a disaster.

“When you’re in a catastrophic situation, it’s high stress, time is of the essence, and people forget things,” said Sherman. “Having a written plan in place is paramount to success.”

Advertisement




Another important component is knowing who will execute that plan in homes that are often unoccupied.

Domestic staff may lack the knowledge or authority to protect the homeowner’s assets, and during a disaster may be distracted dealing with threats to their own homes and families. Adequate planning includes ensuring that whoever is responsible has the training and authority to execute the plan.

Evaluating New Technology

Insurers use technologies like GPS and satellite imagery to determine which homes are directly threatened by storms or wildfires. They also assess and vet technologies that can be implemented by homeowners, from impact glass to alarm and monitoring systems, to more obscure but potentially more important options.

AIG’s Poux recommends two types of vents that mitigate important, and unexpected risks.

“There’s a fantastic technology called Smart Vent, which allows water to flow in and out of the foundation,” Poux said. “… The weight of water outside a foundation can push a foundation wall in. If you equalize that water inside and out at the same level, you negate that.”

Another wildfire risk — embers getting sucked into the attic — is, according to Poux, “typically the greatest cause of the destruction of homes.” But, he said, “Special ember-resisting venting, like Brandguard Vents, can remove that exposure altogether.”

Building Smart

Many disaster resiliency technologies can be applied at any time, but often the cost is fractional if implemented during initial construction. AIG’s Smart Build is a free program for new or remodeled homes that evolved out of AIG’s construction insurance programs.

Previously available only to homes valued at $5 million and up, Smart Build recently expanded to include homes of $1 million and up. Roughly 100 homes are enrolled, with an average value of $13 million.

“In the high net worth space, sometimes it takes longer potentially to recover, simply because there are limited contractors available to do specialty work.” — Curt Goetsch, head of underwriting, Private Client Group, Ironshore

“We know what goes wrong in high net worth homes,” said Poux, citing AIG’s decades of loss data.

“We’re incenting our client and by proxy their builder, their architects and their broker, to give us a seat at the design table. … That enables us to help tweak the architectural plans in ways that are very easy to do with a pencil, as opposed to after a home is built.”

Poux cites a remote ranch property in Texas.

Curt Goetsch, head of underwriting, Private Client Group, Ironshore

“The client was rebuilding a home but also installing new roads and grading and driveways. … The property was very far from the fire department and there wasn’t any available water on the property.”

Poux’s team was able to recommend underground water storage tanks, something that would have been prohibitively expensive after construction.

“But if the ground is open and you’ve got heavy equipment, it’s a relatively minor additional expense.”

Homes that graduate from the Smart Build program may be eligible for preferred pricing due to their added resilience, Poux said.

Recovery from Loss

A major component of disaster resiliency is still recovery from loss, and preparation is key to the prompt service expected by homeowners paying six- or seven-figure premiums.

Before Irma, PURE sent contact information for pre-assigned claim adjusters to insureds in the storm’s direct path.

“In the high net worth space, sometimes it takes longer potentially to recover, simply because there are limited contractors available to do specialty work,” said Curt Goetsch, head of underwriting for Ironshore’s Private Client Group.

Advertisement




“If you’ve got custom construction or imported materials in your house, you’re not going to go down the street and just find somebody that can do that kind of work, or has those materials in stock.”

In the wake of disaster, even basic services can be scarce.

“Our claims and risk management departments have to work together in advance of the storm,” said Bitterman, “to have contractors and restoration companies and tarp and board services that are going to respond to our company’s clients, that will commit resources to us.”

And while local agents’ connections can be invaluable, Goetsch sees insurers taking more of that responsibility from the agent, to at least get the claim started.

“When there is a disaster, the agency’s staff may have to deal with personal losses,” Goetsch said. &

Jon McGoran is a novelist and magazine editor based outside of Philadelphia. He can be reached at riskletters@lrp.com.