2222222222

Specialty Insurance

Event Cancellation Insurance is Pricey: But Oh-So Necessary

Music festivals are high-profit, high-risk events. Mistakes can sink an entire show and put lives in danger.
By: | August 29, 2017 • 8 min read

It should have been idyllic. A private Bahamian island playground for the young and posh, for celebrity influencers, supermodels and thought leaders. Two fantasy weekends filled with music, art installations, five-star cuisine, chartered yachts and luxe tents as well-appointed as any upscale hotel room. Oh, and $1 million in treasure and jewels hidden throughout the island.

The marketing push for the Fyre Festival promised an experience like no other. To be fair, that part turned out to be true.

Advertisement




Festival attendees, some of whom had paid up to $125K for VIP ticket and accommodation packages, arrived at the island of Great Exuma to behold utter chaos. Trash-filled grounds, feral dogs, FEMA disaster-relief tents, bloodstained mattresses, no electricity, processed cheese sandwiches— and not a stage or a musical act in sight.

The festival actually collapsed weeks before it ever began. But not until the day of the event did organizers admit defeat — taking to Twitter to announce the cancellation, while frantic teens and 20-somethings tweeted frantically for hours, begging authorities to rescue them from the island.

The first class-action lawsuit was inked before all the festival-goers made it back home. Five more followed, as well as suits from an investor, a financing company and an event management company that was hired to provide medical services. Ticket vendor Tablelist filed suit for the $3.5 million it says it needs to refund ticketholders. Lawsuit demands to date are far in excess of $100 million.

Festival organizer Billy McFarland was arrested on a charge of wire fraud. Prosecutors say he used false documents to secure $1.2 million in funding for the event. Some say the entire thing was a scam from the start. Some say it was just an ambitious idea without the level of knowledge or experience to support it. The FBI will weigh in eventually.

The demise of Fyre Festival could be dismissed as a fluke. But only three weeks later, it was announced suddenly that Canada’s Pemberton Music Festival would be cancelled and organizers were declaring bankruptcy. Most were appalled that in lieu of refunds, ticket-holders would have to file a proof of claim form as unsecured creditors.

Experience Matters

These very public festival implosions serve as a reminder that music festivals are intensely complicated to orchestrate. There are countless ways that a misfire could put an entire event at risk. Which is why the insurers that write coverage for festivals dig deep into the details before taking them on.

There’s evidence that Fyre Festival’s organizers shopped around for insurance, but found no takers. That’s no surprise, because first-time festivals have no proven track record, and an untested promoter would do little to instill confidence.

“From an insurance perspective, you want a reputable promoter who has done festivals successfully in the past,” said Susan McGuirl, Head of North America Entertainment, Entertainment Division, with Allianz Global Corporate & Specialty.

Even so, an untested promoter could likely still find appropriate coverage if they chose to partner with reputable and experienced entities.

Peter Tempkins, managing director of entertainment, HUB International

“What I look for when I get involved in a festival is who the actual people are with what I call the feet on the ground,” said Peter Tempkins, managing director of entertainment for HUB International.

“I’m not quite as concerned [with] who owns it; it’s who’s running it — who’s the site manager? Who’s the production manager? Who’s the security director? Who’s the medical director? Because that’s where the important stuff really comes from.”

Underwriters typically know all of the players and their reputations, said Tempkins.

“The festival world, as big as it is, is a very small world, and a lot of the same people or the same companies work on a majority of the festivals.”

That’s why it was worth noting, he said, that of the companies involved with the Fyre Festival, he recognized only one name. Having unknowns on board would prompt a deeper level of research.

“If they say, ‘Oh, John Doe is going to be our security director,’ then I’ll ask people who do festivals what do you know about John Doe? And what do you think about John Doe being a security director for a festival? These are people who I trust, who will be honest with me,” he said.

“If they say they’re going to use Doe Staging, I’m going to research Doe Staging. And if it turns out that it’s something John’s building in his backyard out of old plywood, then I’ll probably walk away at that point,” he explained.

Organizers typically work with insurers well in advance. Major festivals require numerous types of coverage in addition to cancellation insurance, including general liability, workers’ compensation, commercial auto, umbrella policies, and typically terrorism coverage as well. Some event organizers will also opt for E&O and D&O coverage, and possibly crime coverage.

Advertisement




The costs involved are quite high. Cancellation insurance alone will typically cost 1 percent to 1.5 percent of the overall cost of an event. General liability is priced per head, and will vary depending upon a variety of factors including whether it’s an overnight event. The total bill for insurance can be quite steep.

Some, however, say it still isn’t pricey enough. In a blog post written six weeks before the Fyre debacle, David Boyle, contingency class underwriter for Argo Insurance, explained that Argo as well as a number of its peers decided to stop providing coverage for festivals “at least until something gives.”

“Failure of festival organizers to better implement proven risk mitigation procedures and of insurers to charge a genuinely risk-reflective price will lead to further losses and more insurers with loss-making books of festival insurance business will decide that enough is enough,” he said.

Boyle cites numerous reasons why festivals are so risky to insure, but experts say drugs and alcohol are at the top of the list, and, of course, all of the shenanigans you might expect when those substances are free-flowing.

A December 2016 Canadian study found that alcohol and drugs were a factor in 13 percent of all reported music festival deaths between 1999 and 2014, and the majority of all non-traumatic deaths.

California’s Hard Summer festival, produced by a division of concert giant Live Nation, had four fatalities between 2013 and 2015. The earliest was ruled to be death by natural causes, although MDMA (Ecstasy) was involved. The other three were directly related to MDMA overdose.

“You get past the underwriting, you get past the insurance, you get past everything else … to me, it’s all about safety. ” — Peter Tempkins, Managing Director of Entertainment, HUB International

In May 2016, two people died of MDMA toxicity and 57 more were hospitalized after attending the Sunset Music Festival in Tampa.

Two months later, tragedy struck the Hard Summer festival yet again, claiming the lives of three more young people, despite the copious warnings and a white “amnesty” box set out for people to place illegal drugs in before going inside the venue.

Drugs are the problem that organizers and insurers can’t get ahead of, despite warning flyers, safety messages, bag searches and drug-sniffing dogs. That’s one reason that staffing levels and on-site personnel are scrutinized by insurers, as well as every other issue that could put people at risk.

Allianz utilizes risk services professionals with a keen eye for potential problems, said McGuirl.

“Our crew is pretty seasoned, they literally walk around and look at all the components of the festival, with the utmost focus on safety,” she said.

That means looking closely at weather planning, evacuation planning, medical facilities, parking structures, campsites, communication systems and more.

The focus, she said, “is always on the safety of the patrons — those people who are buying tickets and going to the event to have a good time … making sure that they are treated well, that they’re safe and then they can go home.”

“You get past the underwriting, you get past the insurance, you get past everything else … to me, it’s all about safety,” agreed Tempkins.

“My daughter’s 25. She’s going to shows, and I want her coming home at night.”

The Price of Mistakes

Even established, respected organizers struggle with the risks. The Fyre Festival is far from the most shocking example of under-prepared promoters.

Woodstock ’99 – the second reboot – was an organizer’s worst nightmare, which had a lot to do with judgement missteps of the organizers themselves, one of whom happened to be legendary promoter John Scher.

Advertisement




Mistakes were made. Toilets overflowed. Garbage collection ceased. Overwhelmed security staff gave up and walked away. Add drugs and alcohol, 100-degree temperatures, grossly overpriced concessions and the rage-filled music of hardcore rock bands. It was a powder keg. Aggression and violence were rampant. Assaults and rapes in the mosh pit were reported.

And then a sponsor made the baffling decision to hand out 100,000 candles near the close of the event.

The powder keg was lit, quite literally.

The festival culminated in a riot. People used the candles to set ablaze the overflowing garbage, then began destroying structures to add fuel to the fires. Everything burned, including tents and merch stands. A 50-foot speaker tower was toppled. Trucks exploded.

“From an insurance perspective, you want a reputable promoter who has done festivals successfully in the past.” — Susan McGuirl, Head of North America Entertainment, Entertainment Division, Allianz Global Corporate & Specialty

The final tally exceeded $2 million in damages (counting both structure damage and the cost of stolen or destroyed merchandise.) Forty four rioters were arrested.

All things considered, it’s actually a bit mystifying that insurers didn’t turn their backs on the festival industry altogether right then and there.

But the bands play on.

As for the Fyre Festival, its earlier promise to come back and get it right in 2018 is highly questionable, particularly now that a group of investors have filed a petition to force the company into bankruptcy.

“The music industry is a very small industry,” said Tempkins. “If you make a mistake, depending on the mistake, sometimes you can recuperate from it and sometimes you can’t.

“When they come back — or try to come back — people remember.” &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
By: | June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

Advertisement




In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Advertisement




Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

“Collaboration is key — you have to take silos down and work in a cross-functional manner.” — Jason J. Hogg, CEO, Aon Cyber Solutions

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

Advertisement




How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

Advertisement




One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.” &

Antony Ireland is a London-based financial journalist. He can be reached at [email protected] Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]