2016 Power Broker

Power Brokers of Negotiation

In a record year for M&As, the 2016 Power Brokers excelled at marrying risk management cultures and firming up carrier relationships.
February 22, 2016 • 7 min read

Spurred on by low interest rates and an appetite for scale, business leaders in 2015 sought to create market heft through mergers and acquisitions.

Winners of the 2016 Risk & Insurance® Power Broker® award were right there with them: marrying risk management cultures, ironing out coverage gaps and redundancies, and getting the insurance carriers to behave on price.

Alex Michon, a Sacramento, Calif.-based senior vice president with Aon, is a 2016 Power Broker® in the health care category. In a health care system merger that came out of the gate as a fire drill and then dragged on for months, Michon was reminded of a key M&A consideration: the human cost in acquisitions is often underestimated.

That’s something commercial insurance brokers need to keep in mind if they are going to build productive relationships and achieve the goals of both the buyer and the seller. Many times the risk manager for the acquired company is losing his or her job. Yet they still have to perform at the top of their game to bring off the deal.

“I think the human cost is usually under-represented in terms of the stress that these people are going through,” Michon said.

In these cases the broker can be a friend to the risk manager, who might not be first in the thoughts of finance executives or other company leadership. The risk manager might be driving in to work every day, knowing that a merger is underway and be unable to tell colleagues about it, even though hundreds of jobs may soon be on the chopping block.

“We are one of the few people who can openly talk to them,” Michon said.

In most cases, Michon said, the risk manager will perform admirably, giving the brokers and carriers all the information they need to be able to write the risk of the combined companies.

But Michon has seen cases where risk managers became so concerned with their futures that they put most of their energy into job hunting.

That tension can also impact dialogues with brokers who are working on a target company account, according to Arthur J. Gallagher’s Amy Sinclair, a 2016 Power Broker® in the pharmaceutical category and a veteran of many merger deals.

“Employees of the target company are concerned about redundancy at the acquisition partner,” Sinclair said.

“There is a good chance they may no longer have a job once the transaction closes,” she said.

Smaller brokerages that don’t have a lot of experience with M&As may dig in their heels a little bit.

“Generally speaking, brokers for the target and acquisition partner work well together,” Sinclair said.

“Regardless of what side of the transaction you are on, you still want to provide the best service to your client. It is not in anyone’s best interest to withhold information or to be uncooperative,” she said.

Carrier Relationships

The broker’s burden of relationship maintenance in the case of an acquisition also extends to those that underwrite the risks — the carriers. There is a lot of work to be done to convince the carrier that the risk they know won’t change when one company acquires another.

Herman Brito Jr., assistant vice president, Marsh

Marsh’s Herman Brito Jr., a 2016 Power Broker® in the marine category who places cargo and inland marine policies, played a part in two blockbuster deals in 2015: the acquisition by General Electric of the French electric railcar maker Alstom and the marriage of global food giants Kraft and Heinz.

Marsh was new to the Heinz account when the Kraft merger loomed. Pre-merger, Brito convinced Heinz to ditch its captive for global cargo exposures and transfer the risk to AIG. Even though Marsh wound up with both accounts, the rules of broker-client confidentiality meant that Brito couldn’t call his colleagues in Chicago — where Kraft is based — and check up on Kraft’s loss history.

Brito is a big fan of AIG’s multinational placements, calling them “best in class.” His challenge was to make sure that Kraft benefitted from the same aggressive terms he was getting for Heinz post-merger. As the cargo broker, Brito knew that the carriers had bigger concerns about things such as combined property exposures than what he was placing.

“Not only am I asking you to make it clear and concise for Heinz/Kraft, let’s make it easy on ourselves by implementing a mergers and acquisitions clause and a multi-year rate agreement,” Brito told the underwriters.

“It took a tremendous effort to change the structure that was in place in August 2014, and to obtain the coverages implemented in May 2015, but when claims occurred they started to see the benefits in certain coverages and why we pursued those,” Brito said.

The General Electric/Alstom merger was another kettle of fish.

“GE’s acquisition of Alstom was the hardest acquisition I have ever done,” Brito said.

The reason?

General Electric has a highly centralized risk management department, with four risk managers handling the entire global program. Alstom had up to 30 risk managers, many of them with local authority.

Another difference was that General Electric has a huge retention and Alstom had more of a “trading dollars” philosophy, spending so much on premium against so much in expected losses.

Brito needed to convince the carrier that when GE bought Alstom, the cargo risk management programs would become one. Initially, the insurer wasn’t buying it. But eventually Brito convinced the underwriters that once the companies were married, Alstom’s standards would come up to GE’s.

Part of Brito’s job was to make sure he was available at any hour of the day to answer questions from Alstom risk managers around the globe and help them buy into the GE program.

“If you demonstrate that you are willing to have conference calls at a time that is most convenient in India, people are more willing to do what you are asking them to do,” Brito said.

The GE/Alstom deal closed in November of 2015. Brito was still spending a lot of time on it when we spoke to him in January.

Odd Couples

Marrying risk management cultures in a merger is a must; having the tools and the drive to convince carriers to take on the combined risk is crucial; and so is conducting enough due diligence to manage risk and provide adequate employee benefits when two very different company cultures get together.

Consider the challenges faced by Eric Wittenmyer, a 2016 Power Broker® in the health care category.

Eric Wittenmyer, senior vice president, Aon

Wittenmyer, a senior vice president with Aon based in Chicago, was tasked with ironing out employee benefits for a large hospital system merger involving thousands of employees. One of the organizations classified hundreds of their employees as executives, eligible for a special category of benefits. The other organization counted slightly more than a dozen executives in a similar category.

“What we did was a tremendous amount of benchmarking, and an awful lot of cost modeling,” Wittenmyer said. That science determined that the hospital with the smaller group of employees classified as executives was closer to the norm.

Then came the art. That was figuring out how different employees perceived the value of certain ancillary benefits, such as life insurance and disability benefits.

Once that was determined, the in-house benefits team, with Wittenmyer’s guidance, offered one-time cash payments to employees who felt they were having a guaranteed benefit taken away, while still offering them access to an employer-supported program, just not one in which the employer paid for the whole nut.

“So once we had done all of the plan design work, we had to manage significant transitional coordination issues,” Wittenmyer said.

Because coverage of certain benefits for the merged entities was taking effect on a staggered schedule, with some benefits being in place Jan. 1, for example, and others March 1, Wittenmyer had to earn the trust of underwriters who were being asked to stay on certain programs for a few months — some of them involving high potential life insurance pay-outs — without the corresponding premium income.

In the end, Wittenmyer was able to convince the carriers to work with him, with no price increases, because of the attractive size of the merged accounts.

“I think everything was as transparent as it could be and the vendors understood that,” Wittenmyer said.

See the complete list of 2016 Power Broker® winners.

Dan Reynolds is editor-in-chief of Risk & Insurance.

Black Swan: Cloud Attack

Breaking Clouds

A combination of physical and cyber attacks on multiple data centers for cloud service providers causes economic havoc. Even the most well-prepared companies are thrown into paralyzing coverage confusion.
July 27, 2017 • 10 min read

Scenario

By month 16 of the new presidential administration, the Sunshine Brigade is more than ready to act.

Stoked by their anger over rampant economic inequality, the mostly college-educated group of what might best be called upper-middle-class anarchists — many of them from California, Oregon and Washington State — put in motion the gears of a plan more than two years in the making.

Their logic, to them at least, is unimpeachable. Continued consolidation of economic power into the hands of fewer and fewer corporations is creating a world where the rich increasingly exploit and shut out the poor.

The rise of the techno giants is accelerating this trend, according to the Sunshine Brigade’s de facto leader Emily Brookes, an All-American rugby player and a graduate of Reed College in Oregon.

With a new presidential administration seemingly bent on increasing the economic advantages of the rich with no end in sight, nothing to do then but break things up; and in so doing break the hold of this technology oligarchy.

As Emily Brookes so forcefully put in her instant messages to the other members of the brigade: Break the Cloud.

With more than 500 members, many of them with ample financial and technical resources, the Sunshine Brigade is very capable of delivering on its plan for a two-pronged attack.

It is also radicalized enough to justify the loss of some human life, even its own countrymen, to “save” — in its collective logic — the tens of millions of global citizens that are living as virtual slaves in this callous, exploitative global economy.

The first wave in the attack is an attempt to infect and shut down the data centers for the top three cloud service providers. It takes months to set up this offensive.

Rather than rely on a phishing scam from outside the firewalls of the service providers, the Sunshine Brigade uses its social and business connections to place three members on each of the cloud providers’ payrolls. An infected link from someone you know, someone in the cubicle right next to you, seems like an unstoppable play.

It only partially works. Only one of the cloud service providers is harmed when an unsuspecting employee clicks on a link from their traitorous co-worker. The released malware manages to cripple a major cloud service provider for 12 hours.

With millions of users affected, the act creates substantial disruption and garners global headlines. Insured losses are around $1.5 billion. But this is just the beginning.

The morning after, the Sunshine Brigade unleashes a far more devastating and far more ruthless Round Two.

Using self-driving trucks, the Sunshine Brigade smashes into five data centers: three on the West Coast, and two in the Midwest. Fourteen employees of those cloud servers are killed and another 23 injured, some of them critically.

This time the Brigade gets what it wanted. The physical damage to the data centers is substantial enough that it significantly affects three of the top four cloud service providers for five days.

With websites and digitally connected services large and small down for days, irritation turns to fear.

Small and mid-sized banks, which host their applications on clouds, are shut down. Small business owners and consumer banking customers immediately feel the brunt. Retailers that depend on clouds to host their inventory and transaction information are also hit hard.

But really, the blow falls everywhere.

In the U.S., transportation, financial, health, government and other crucial services grind to a halt in many cases.

Not everyone is disrupted. The larger corporations that are sophisticated enough in their risk management, those that used back-up clouds and had steadfast business resiliency plans, suffer minimal disruption.

Many small to mid-size companies, though, cannot operate. Their employees can’t get to work and when they can, they sit idly in front of blank computer screens connected to useless servers.

For the man on the street, this is hell.

Long lines blossom at the likes of gas stations, banks and grocery stores. A population already on edge from a steady diet of social media provocation becomes even more inflamed.

By nightfall of Day Five, the three major cloud service providers are recovered, and digital “normalcy” begins to creep back. But for many small and medium-sized businesses, the recovery comes way too late.

Economic losses promise to register in the tens of billions. It’s not being too imaginative to think that losses could hit the $100 billion mark.

Two multinational insurers based in the U.S., three Lloyd’s syndicates and a Bermuda insurer signal to regulators that their aggregate cyber-related losses are so great that they will most likely become insolvent.

Emily Brookes and her cohorts were willing to kill more than a dozen people to promote their worldview. In their youthful naiveté, they could not know just how much suffering they would cause.

Observations

For some commercial insurance carriers, the aggregated losses from a prolonged disruption of cloud computing services could be catastrophic, or close to it.

“It’s on a par with any earthquake or hurricane or tornado,” said Scott Stransky, an associate vice president and principal scientist with the modeling firm AIR Worldwide.

AIR modeled the insured losses for the Fortune 1000 if Amazon’s cloud service were to go down for one day. It came up with a figure of $3 billion.

Now consider that most businesses in this country are small businesses, with not nearly the risk management sophistication of the Fortune 1000. Then consider a cloud interruption of five days or more.

“Almost any company you talk about today would rely to some extent on the cloud, either to host their website, to do invoicing, inventory, you name it — the cloud is being used across the board,” Stransky said.

“It’s a significant issue for insurers and one we think about a lot,” said Nick Economidis, an underwriter with specialty carrier Beazley.

“Should a cloud service provider go down, everybody who is working with that cloud service provider is impacted by that,” he said.

“Now, pretty much every software maker is on the cloud,” said Mark Greisiger, president of NetDiligence.

“In the old days, someone would come in and install software on your servers and come in annually for maintenance. That’s all gone bye-bye. Everybody who makes software is forcing you onto their private cloud,” Greisiger said.

The aggregation risk for carriers is complicated by the degree of transparency they have into which insureds’ applications are hosted on which cloud provider.

Now here’s the even trickier part. Clouds outsource to other clouds.

“It’s almost becoming a spider’s web of interdependencies on who has access to what in terms of upstream and downstream providers,” Greisiger said.

Determining which of their insureds is hosted on which cloud, and in turn where that cloud is outsourcing to other clouds, can be very difficult for carriers.

Even if a company is careful to diversify the risks it is taking, it might not realize that a high percentage of insureds are with the same cloud provider. It could be hit with devastating losses across its entire portfolio of business, said an executive with BDO Consulting.

AIR’s Stransky said his company launched a product in April, ARC, which stands for Analytics of Risk from Cyber, which is designed to help carriers gain that much needed transparency.

Among insureds, surviving an event of this magnitude will depend not only on the sophistication of their risk management department, but on the company’s overall ability to negotiate contracts with vendors and suppliers that will indemnify the company in the case of a cloud outage of this duration.

It will also depend on an organization’s understanding that there is no off-the-shelf solution that will prevent an event like this or make a company whole after it.

Experts say contracts with cloud service providers, customers and suppliers must be structured so that a company is defended should it lose cloud access for as much as five days or more.

Best practices also include modeling just what your losses would look like in this area, and vetting your full portfolio of insurance policies to understand how each would respond.

One broker said buyers can’t be blamed if the complexities of the coverage issues at stake here are initially hard to grasp.

“I think it’s the broker’s job to inform the client of this exposure,” said Doug Friel, a vice president with JKJ Commercial Insurance, based in Newtown, Pa.

“You may have business interruption coverage for direct physical damage to your building. But have you ever thought about your business income if your IT structure goes down?” Friel said.

He said many buyers might not realize there is a difference.

Large businesses should have the resources to demand from their cloud service providers that they be indemnified for the entirety of a cloud failure event. There will be a fee for that, but it will be well worth paying, Friel said.

“You have to push,” Friel said. “They are going to say, ‘Here is our standard contract, sign it.’ ”

Don’t settle for that, he said, although many do in ignorance.

“Where possible, we would look for clients to negotiate their contracts. These business relationships should be mutually beneficial, even if one of these events occurs,” said Shiraz Saeed, national practice leader, cyber, for the Starr Companies.

It’s a partnership, he said.

“It shouldn’t be a zero sum game on either side. I think there should be an understanding of what the potential loss might be and then designing a contract around that,” he said.

While cloud service providers are known for having high grade security systems, most average organizations don’t have the means for that. But no matter what a company’s resources, the first step is modeling where your digital assets are, and what you and your customers stand to lose if you lose access to them.

“Most insureds don’t seem to understand the amount of individual loss that you could be subject to,” said Jim Evans, leader of insurance advisory services at BDO Consulting. “Usually this stuff is measured in hours,” he said. “But what if a cloud provider is out for three or four days?”

“Trying to quantify what you did lose in an event is hard enough. Trying to do a modeling exercise about what you could lose? It’s something that just doesn’t get done enough,” he said.

Once you have an understanding of what you own and what you stand to lose, the next step is prioritizing the protection of the assets you have. That means drilling into your contract with your cloud service providers to get the maximum indemnification.

It also means spreading your risk so that if at all possible, not all of your assets or your customers’ assets are housed by one cloud service provider. Cloud platforms can be public, private, or a hybrid of the two.

Understanding where your assets are in that architecture is crucial. Spending the money to ensure that they are protected behind a diverse menu of firewalls is highly advisable.

Navigating the different iterations of business interruption coverage in property, cyber and kidnap and ransom policies is also important.

Make sure your broker can provide clarity on the different types of coverages and tailor them to your needs, experts said.

The concept of design thinking is really what’s in play here. Organizations have to work with vendors in every aspect of their operations to design a risk management system that can sustain this kind of hit.

“Build a better mousetrap to protect yourself,” said JKJ’s Friel.

“Depending on your service, you need to have the best and the brightest designing this stuff. Spread the risk.”

“Don’t be afraid to ask for more,” he said.

Postscript

In engineering an attack on the cloud, Emily Brookes and her cohorts accomplished the opposite of what they set out to do.

Only the largest corporations with the most sophisticated risk management programs were able to survive the attempt to break the cloud with manageable losses.

Small businesses, the true backbone of the U.S. economy, suffered terribly. Entrepreneurs who put their life’s work into their business lost it in many cases.

Those on the lowest part of the economic scale, the working poor, lost their jobs and their ability to cover their rent and grocery bills. They joined the ranks of those subsidized by the government by the millions. The attempt to break the cloud resulted in an even more polarized society.

Dan Reynolds is editor-in-chief of Risk & Insurance.