Risk Insider: Kevin Kalinich

Lights Out! Can Insurance Help?

By: | January 25, 2016 • 3 min read
Kevin Kalinich is the global cyber risk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at [email protected]

In “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” author Ted Koppel suggests that a catastrophic cyber attack on America’s power grid is likely and that we’re unprepared.

Advertisement




Let’s examine his assertions from a risk management perspective.

• Power Grid Attack Likely?

Clients tell us that they are hacked more frequently than is reported. A Dec. 21, 2015 article, “Biggest U.S. Electric Company Battles Off Steady Cyberattacks,” reported that Duke Energy’s computer systems that manage dams, nuclear power plants and other types of generating plants are under constant attack. A reported cyber attack last month caused one-half of Western Ukraine to lose power.

• U.S. Unprepared?

Opinions differ on whether we have seen improved prevention, mitigation, response and resiliency since the Northeast power outage of 2003. Mr. Koppel described a bureaucracy that is moving slowly and with poor focus against a dynamic threat.

For example, the National Protection and Programs Directorate at the Department of Homeland Security, responsible for coordinating risk reduction to critical American infrastructure, is divided in two separate and distinct parts –- one physical and one cyber-related.

We are, however, seeing certain governmental actions and changes. The Cybersecurity Information Sharing Act of 2015, signed into law December 2015, provides immunity from liability to participating organizations that share certain cyber-threat information with the federal government and vice versa.

Federal and state agencies such as the Federal Energy Regulatory Commission may consider increased fines for grid failures that have ranged from $50,000 to $350,000. By way of example, Florida Power and Light Company was fined $25 million in 2009 for a February 2008 blackout.

However, most reported cases of cyber damage and regulatory action to date relate to protection of personally identifiable information, such as the Federal Communications Commission’s $25 million fine against AT&T and $100 million fine against Lifelock.

• Catastrophic?

According to search engine Shodan, the U.S. has more than 57,000 industrial controls systems connected to the internet. But how do we quantify potential losses? Information on how companies and the government respond to hacks is often protected and sometimes classified, which can defeat transparency.

Untitled-1

A 2015 Lloyd’s of London/University of Cambridge report, “Business Blackout,” sets forth the insurance implications of a cyber attack on the U.S. power grid. The report estimated a hypothetical worst case scenario of $243 billion to $1,024 trillion in direct and indirect losses, with between $21.398 billion and $71.109 billion in estimated insurance industry losses.

Currently there are not enough stand-alone cyber limits to pay for such losses.

Many property and general liability insurers are inconsistent and/or hesitant to cover cyber exposures likely because there’s insufficient actuarial data. Since we don’t have sufficient actuarial data for cyber exposures, we should borrow from other complex modeling situations like typhoons, earthquakes and hurricanes — relatively rare events that could have catastrophic impacts.

Advertisement




We’ve come to the conclusion that we need to break down the silos between the insurance company property/GL groups and cyber groups, and develop a combined all-risk policy that combines the actuarial data of property losses with cyber experts to identify and quantify frequency and severity. To analogize, a similar approach is used to build terrorism insurance programs, with mixed success (see graphic).

By combining an objective risk management context based on data analytics, we can learn from natural weather incidents and terrorism threats to develop robust public-private partnerships to help improve our preparedness and reduce losses stemming from a cyber attack.

2017 Teddy Awards

The Era of Engagement

The very best workers’ compensation programs are the ones where workers aren’t just the subject of the program, they’re a part of it.
By: | November 1, 2017 • 5 min read

Employee engagement, employee advocacy, employee participation — these are common threads running through the programs we honor this year in the 2017 Theodore Roosevelt Workers’ Compensation and Disability Management Awards, sponsored by PMA Companies.

A panel of judges — including workers’ comp executives who actively engage their own employees — selected this year’s winners on the basis of performance, sustainability, innovation and teamwork. The winners hail from different industries and regions, but all make people part of the solution to unique challenges.

Advertisement




Valley Health System is all-too keenly aware of the risk of violence in health care settings, running the gamut from disruptive patients to grieving, overwrought family members to mentally unstable active shooters.

Valley Health employs a proactive and comprehensive plan to respond to violent scenarios, involving its Code Atlas Team — 50 members of the clinical staff and security departments who undergo specialized training. Valley Health drills regularly, including intense annual active shooter drills that involve participation from local law enforcement.

The drills are unnerving for many, but the program is making a difference — the health system cut its workplace violence injuries in half in the course of just one year.

“We’re looking at patient safety and employee safety like never before,” said Barbara Schultz, director of employee health and wellness.

At Rochester Regional Health’s five hospitals and six long-term care facilities, a key loss driver was slips and falls. The system’s mandatory safety shoe program saw only moderate take-up, but the reason wasn’t clear.

Rather than force managers to write up non-compliant employees, senior manager of workers’ compensation and employee safety Monica Manske got proactive, using a survey as well as one-on-one communication to suss out the obstacles. After making changes based on the feedback, shoe compliance shot up from 35 percent to 85 percent, contributing to a 42 percent reduction in lost-time claims and a 46 percent reduction in injuries.

For the shoe program, as well as every RRH safety initiative, Manske’s team takes the same approach: engaging employees to teach and encourage safe behaviors rather than punishing them for lapses.

For some of this year’s Teddy winners, success was born of the company’s willingness to make dramatic program changes.

Advertisement




Delta Air Lines made two ambitious program changes since 2013. First it adopted an employee advocacy model for its disability and leave of absence programs. After tasting success, the company transitioned all lines including workers’ compensation to an integrated absence management program bundled under a single TPA.

While skeptics assume “employee advocacy” means more claims and higher costs, Delta answers with a reality that’s quite the opposite. A year after the transition, Delta reduced open claims from 3,479 to 1,367, with its total incurred amount decreased by $50.1 million — head and shoulders above its projected goals.

For the Massachusetts Port Authority, change meant ending the era of having a self-administered program and partnering with a TPA. It also meant switching from a guaranteed cost program to a self-insured program for a significant segment of its workforce.

Massport’s results make a great argument for embracing change: The organization saved $21 million over the past six years. Freeing up resources allowed Massport to increase focus on safety as well as medical management and chopped its medical costs per claim in half — even while allowing employees to choose their own health care providers.

Risk & Insurance® congratulates the 2017 Teddy Award winners and holds them in high esteem for their tireless commitment to a safe workforce that’s fully engaged in its own care. &

_______________________________________________________

More coverage of the 2017 Teddy Award Winners and Honorable Mentions:

Advocacy Takes Off: At Delta Air Lines, putting employees first is the right thing to do, for employees and employer alike.

 

Proactive Approach to Employee SafetyThe Valley Health System shifted its philosophy on workers’ compensation, putting employee and patient safety at the forefront.

 

Getting It Right: Better coordination of workers’ compensation risk management spelled success for the Massachusetts Port Authority.

 

Carrots: Not SticksAt Rochester Regional Health, the workers’ comp and safety team champion employee engagement and positive reinforcement.

 

Fit for Duty: Recognizing parallels between athletes and public safety officials, the city of Denver made tailored fitness training part of its safety plan.

 

Triage, Transparency and TeamworkWhen the City of Surprise, Ariz. got proactive about reining in its claims, it also took steps to get employees engaged in making things better for everyone.

A Lesson in Leadership: Shared responsibility, data analysis and a commitment to employees are the hallmarks of Benco Dental’s workers’ comp program.

 

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]