Environmental Liability

Tight Rules and Low Funding Challenge Tank Operators

Operators of underground storage tanks favor broad pollution liability and tank-only coverage over surety.
By: | February 20, 2017 • 7 min read

Late last year, Massachusetts Gov. Charlie Baker made almost $100 million in mid-year budget cuts to fill an anticipated shortfall. Of that, he cut $3 million from the program that maintains and inspects underground storage tanks (USTs) for hydrocarbons. The cut was just 3 percent above the overall budget reduction, but as the UST program was only $10 million to start, the cut is a substantial 30 percent of the funding.

Moreover, the timing could hardly be worse: The state mandated that all single-wall tanks be removed by Aug. 7. The actual removal process is only a matter of a few days for most tanks, but contractors must be booked in advance and digging is difficult in frozen ground, so the window for work is only four or five months. Also, double-walled regulatory-compliant replacement tanks must be ordered well in advance from fabricators.

And so it goes around the country. Many states are tightening rules on USTs, and some have reduced the pools of money set aside for remediation. That has thrown operators of all sizes back into the risk-transfer market. Some can put up surety bonds, but more and more are buying insurance-like limited tank-only coverage, or adding tank endorsements to their pollution legal liability (PLL) covers.

UST Coverage Trends

There are about a half-million USTs registered with the Environmental Protection Agency. That translates to an insurance market estimated to be $50 million to 60 million in annual premium, according to underwriters and brokers.

Chubb is one of the major carriers, having increased its share through its merger with ACE. Liberty and AIG are also said to have a presence, among others. Brokers report some turnover among carriers, with Zurich having left the segment in 2012.

“There are three ways to certify financial responsibility,” said Gerry Rojewski, senior vice president and chief underwriting officer for Chubb Environmental. “You can self insure. Or you can rely on state funds. Or you can purchase risk transfer.”

“Not surprisingly, the older tanks had higher rates of failure, but there are lots of variables. Larger operations have more assets to cover, but may be a better risk because they have more resources.”    — Gerry Rojewski, senior vice president, chief underwriting officer, Chubb Environmental

The decision varies with the size of the owner’s operation and the number and age of tanks. “Some owners go through agents and some go direct to the market,” said Chris Smy, environmental practice leader at Marsh. “Our clients run the gamut from a hotel that has a backup generator and a small UST for diesel fuel, to large energy companies with many tanks. The business is not just what you might think of, like a retail gas station. It could be anyone.”

Advertisement




Even in states that have funds, there are complications.

“State funds have dried up or faced delays in reimbursement,” said Jeffrey Hanneman, managing director at Aon Risk Services Southwest. “Texas and Florida, for example, no longer have state funds. Even in California, which does have a fund, there is a priority for reimbursing in order inverse to size. It is impossible to know if or when an operator will recoup UST expenses or how much. We have some clients who do not ever anticipate recouping.”

As a result of that smallest-first preference, Hanneman said, Aon’s customers tend to be larger operators in contrast to the mom-and-pop retail service centers.

The biggest challenge for USTs is age, said Rojewski.

Gerry Rojewski, senior vice president, chief underwriting officer, Chubb Environmental

“In some cases, the owner/operator may try to keep a UST in service beyond its designed lifecycle of 30 years. Replacing a UST can be a significant investment. Not all owner/operators feel the need to replace the tank at this line of demarcation especially if tightness testing results are positive.”

Rojewski added that Chubb conducted a predictive modeling study on tank exposures. The results showed that the older tanks had a higher probability of leaking, he said, but the study also revealed a host of other variables.

“Large operations with higher exposures versus small operations with less complex risk present a different set of characteristics for an insurance carrier,” he said.

“Larger risks may have more assets and may develop more comprehensive risk management programs as opposed to a smaller company, which may not have those types of resources available.”

Rojewski said that Chubb “has the ability to write tank insurance through an online portal called Tanksafe, or through our underwriting team based in Philadelphia, which can work with clients and brokers.”

Smy at Marsh suggested that the current trend within UST coverage is to broaden pollution policies with tank endorsements.

“Other clients are electing to go with above-ground tanks when they replace USTs,” he added. “And still others that have pollution liability feel comfortable retaining the risk for their tanks. In such cases where regulations mandate a demonstrated financial assurance, most owners make the choice to go with risk transfer by insurance.”

To that point, Smy stressed that broad pollution covers “are not a catch-all for USTs. They have to be scheduled. The only tanks covered without a schedule are so-called phantom tanks, ones that are not known until found.”

Challenges with Aging Tanks

Chris Smy, environmental practice leader, Marsh

Brokers say that while the sector is stable, and even has some growth potential as state funding dwindles, there are challenges.

“The longer you go insuring, the more likely you are to have to pay out,” says Smy.

“Carriers are pushing back on covering tanks of a certain age regardless of whether or not they have passed tests. There is just less and less appetite for aging tanks. Operators are going to have to start replacing them.”

Testing is part of all state regulatory requirements.

“Even self-insureds have to pass their tank tests,” said Hanneman at Aon.

He added that there are tanks that can pass the structural test, but small operators that struggle to demonstrate financial responsibility, and also the reverse.

“Because there is a strong correlation between age and loss, owners have to test every year. And most underwriters want to see those integrity test results. The age and condition of tanks, or anticipated replacement costs, are often figured into the price of any sale of assets.”

It bears mentioning that while most retail fuel operations have national brand names, only about 3 percent of the gas stations are actually owned by the big oil companies.

The other 97 percent are owned either by the operator, or are franchises of a regional or national chain. There is a slow but steady cycle of stations being sold both to and from larger and smaller owners.

“Most policies have a $1 million limit with $2 million aggregate,” said Hanneman. “A simple leak cleanup will run in that range, $1 million to $2 million. If the leak gets into the ground water it can be more.”

Given that oil floats on water, the water table in the region and the permeability of soil are big factors. That is why southern states tend to see more spill migration than do northern states, even with their freeze-thaw cycles.

Research from the EPA also implicates metal corrosion as a growing problem with USTs. A 2016 study of 42 operational diesel tanks concluded that 35 of them, or 83 percent, exhibited moderate or severe corrosion.

Advertisement




While this can lead to vapors escaping into the surrounding soil, corrosion can also lead to equipment failure, including the failure of release and detection systems. While the issue is not widespread among non-diesel tanks, the likelihood of corrosion increases with age and presents another factor to consider.

Brokers also note that larger clients tend to keep tanks on their policies even after sites have been sold. For them the incremental costs of a few more tanks on the schedule is not daunting.

And even though buyers become owners with full responsibility, with indemnification for sellers, that does not stop lawsuits from being filed if current owners go bankrupt and lawyers follow the deed back. &

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Cyber Liability

Fresh Worries for Boards of Directors

New cyber security regulations increase exposure for directors and officers at financial institutions.
By: | June 1, 2017 • 6 min read

Boards of directors could face a fresh wave of directors and officers (D&O) claims following the introduction of tough new cybersecurity rules for financial institutions by The New York State Department of Financial Services (DFS).

Advertisement




Prompted by recent high profile cyber attacks on JPMorgan Chase, Sony, Target, and others, the state regulations are the first of their kind and went into effect on March 1.

The new rules require banks, insurers and other financial institutions to establish an enterprise-wide cybersecurity program and adopt a written policy that must be reviewed by the board and approved by a senior officer annually.

The regulation also requires the more than 3,000 financial services firms operating in the state to appoint a chief information security officer to oversee the program, to report possible breaches within 72 hours, and to ensure that third-party vendors meet the new standards.

Companies will have until September 1 to comply with most of the new requirements, and beginning February 15, 2018, they will have to submit an annual certification of compliance.

The responsibility for cybersecurity will now fall squarely on the board and senior management actively overseeing the entity’s overall program. Some experts fear that the D&O insurance market is far from prepared to absorb this risk.

“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters,” warned Fitch Ratings in a statement. “If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”

D&O Challenge

Judy Selby, managing director in BDO Consulting’s technology advisory services practice, said that while many directors and officers rely on a CISO to deal with cybersecurity, under the new rules the buck stops with the board.

“The common refrain I hear from directors and officers is ‘we have a great IT guy or CIO,’ and while it’s important to have them in place, as the board, they are ultimately responsible for cybersecurity oversight,” she said.

William Kelly, senior vice president, underwriting, Argo Pro

William Kelly, senior vice president, underwriting at Argo Pro, said that unknown cyber threats, untested policy language and developing case laws would all make it more difficult for the D&O market to respond accurately to any such new claims.

“Insurers will need to account for the increased exposures presented by these new regulations and charge appropriately for such added exposure,” he said.

Going forward, said Larry Hamilton, partner at Mayer Brown, D&O underwriters also need to scrutinize a company’s compliance with the regulations.

“To the extent that this risk was not adequately taken into account in the first place in the underwriting of in-force D&O policies, there could be unanticipated additional exposure for the D&O insurers,” he said.

Michelle Lopilato, Hub International’s director of cyber and technology solutions, added that some carriers may offer more coverage, while others may pull back.

“How the markets react will evolve as we see how involved the department becomes in investigating and fining financial institutions for noncompliance and its result on the balance sheet and dividends,” she said.

Christopher Keegan, senior managing director at Beecher Carlson, said that by setting a benchmark, the new rules would make it easier for claimants to make a case that the company had been negligent.

“If stock prices drop, then this makes it easier for class action lawyers to make their cases in D&O situations,” he said. “As a result, D&O carriers may see an uptick in cases against their insureds and an easier path for plaintiffs to show that the company did not meet its duty of care.”

Advertisement




One area that regulators and plaintiffs might seize upon is the certification compliance requirement, according to Rob Yellen, executive vice president, D&O and fiduciary liability product leader, FINEX at Willis Towers Watson.

“A mere inaccuracy in a certification could result in criminal enforcement, in which case it would then become a boardroom issue,” he said.

A big grey area, however, said Shiraz Saeed, national practice leader for cyber risk at Starr Companies, is determining if a violation is a cyber or management liability issue in the first place.

“The complication arises when a company only has D&O coverage, but it doesn’t have a cyber policy and then they have to try and push all the claims down the D&O route, irrespective of their nature,” he said.

“Insurers, on their part, will need to account for the increased exposures presented by these new regulations and charge appropriately for such added exposure.” — William Kelly, senior vice president, underwriting, Argo Pro

Jim McCue, managing director at Aon’s financial services group, said many small and mid-size businesses may struggle to comply with the new rules in time.

“It’s going to be a steep learning curve and a lot of work in terms of preparedness and the implementation of a highly detailed cyber security program, risk assessment and response plan, all by September 2017,” he said.

The new regulation also has the potential to impact third parties including accounting, law, IT and even maintenance and repair firms who have access to a company’s information systems and personal data, said Keegan.

“That can include everyone from IT vendors to the people who maintain the building’s air conditioning,” he said.

New Models

Others have followed New York’s lead, with similar regulations being considered across federal, state and non-governmental regulators.

The National Association of Insurance Commissioners’ Cyber-security Taskforce has proposed an insurance data security model law that establishes exclusive standards for data security and investigation, and notification of a breach of data security for insurance providers.

Once enacted, each state would be free to adopt the new law, however, “our main concern is if regulators in different states start to adopt different standards from each other,” said Alex Hageli, director, personal lines policy at the Property Casualty Insurers Association of America.

“It would only serve to make compliance harder, increase the cost of burden on companies, and at the end of the day it doesn’t really help anybody.”

Advertisement




Richard Morris, partner at law firm Herrick, Feinstein LLP, said companies need to review their current cybersecurity program with their chief technology officer or IT provider.

“Companies should assess whether their current technology budget is adequate and consider what investments will be required in 2017 to keep up with regulatory and market expectations,” he said. “They should also review and assess the adequacy of insurance policies with respect to coverages, deductibles and other limitations.”

Adam Hamm, former NAIC chair and MD of Protiviti’s risk and compliance practice, added: “With New York’s new cyber regulation, this is a sea change from where we were a couple of years ago and it’s soon going to become the new norm for regulating cyber security.” &

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at [email protected]