Your System or Mine? A Coordinated Cyber Solution for a Fragmented Risk
A popular franchisor had a cyber program in place. But when a data breach hit, the limitations of that program became all too clear.
The crux of the problem: Traditionally structured cyber policies aren’t designed for the unique challenges of a franchise system.
The franchisor’s existing program encompassed its company-operated locations and systems. Independent franchisees, however, purchased cyber coverage according to their own needs. That left the franchise in a difficult position in any scenario where both franchisor and franchisee locations were impacted because of shared systems.
Explained the company’s broker, Sou Ford, Atlantic/SE cyber team leader with Willis Towers Watson: “If you have a slip and fall, you have a slip and fall in one location and that location’s policy takes care of it. With this, the data compromise can go across however many locations.”
With every independent franchisee buying its own cyber coverage, that could mean multiple cyber policies would be in place to respond to the incident, causing confusion, said Ford.
“Let’s say … Somebody has an AIG policy, somebody has a Beazley policy, somebody has a Chubb policy. Now everybody’s trying to respond to the same problem. Everybody’s got their own set of vendors. Everybody’s got their own retentions and limits, etc., and it’s a big mess.”
After the breach, said the company’s risk manager, there was a realization surrounding “what does this look like when we’re attempting to respond to something of this nature independently of one another, every entity for itself, according to its own interests or exposure? Can we make heads or tails of that? And is it inefficient and ineffective and maybe even harmful to each of the entities that should be aligned at this moment in time?”
The breach, the risk manager said, “brought to light the reality of our enterprise and the manner in which this risk presented or manifested itself to the brand.”
Building in Flexibility
Finding a solution was never going to be an easy process.
“You’re dealing with an entire franchisee system,” Ford explained. “Everybody has their own desire for limits and retentions and what they’re willing to spend. The fee is the big deal — all of these franchisees don’t want to spend another nickel unless they absolutely have to.
“So how do we meet the needs of the various-sized franchise owners from the kind that owns one location to the corporation that owns 300 locations? Their needs are very different, and their sophistication is different.”
The company and the WTW team put extensive effort into developing a program that would be effective and that franchisees would be willing to sign on to. The resulting structure is tiered for individual franchisees of varying sizes and can be triggered differently depending upon whether an incident impacts a single franchisee, a group of franchisees or the entire system at once.
“If you are going to be, as a franchisor, absolutely hands-on 100 percent in control of that incident response to protect the brand, then I would think that you would want to consider a program like this, because it takes the uncertainty out of what’s covered and what’s not covered,” said Ford.
Added the risk manager: “This answers a natural and inherent challenge with a collective, consistent and unified response. If I’ve got 100 different entities with 100 different insurance policies, then one can only imagine how difficult that becomes in terms of a collective response.”
Once the new program was fleshed out, finding carriers willing to understand it was the next hurdle. They did face push-back domestically, said Ford, prompting the decision to work with a London lead on the program.
“We ended up placing half of the capacity — the lower half — in London and the top [half] domestically, because at that point the domestic carriers were more comfortable with following the program at a much higher attachment point,” Ford explained.
“There’s a uniquely client-driven aspect to this,” said the risk manager. “While mostly it’s carriers designing the products and insureds accepting them, this is the insured saying, ‘This is what we want’ and Sou had to figure out how to translate that back to underwriters and then translate back to [us].”
Pushing It Forward
What Ford and her client have created has the potential to upend the insurance market for franchise clients far beyond cyber exposure. The team is now working on ways to flex the muscles of their new strategy and deploy it for other insurance lines.
“The great thing about working with a very bright, innovative client is that they don’t stop at one thing,” said Ford, who was named a 2019 Power Broker® in the Cyber category.
“We’re in the works on something that has nothing to do with cyber but is equally as exciting. I’m hoping that in 2020 we’ll have a very exciting program that, again, would be applicable to many, many franchisor models. It will be the first of its kind,” she said.
“It is unique with regard to each and every line of insurance and probably within each organization,” added the risk manager. “For us to attempt to think along these lines would be entirely different than any other [franchise in our industry] let alone somebody outside of our sector or industry.
“It becomes a unique proposition as it relates to each line of insurance. You have to start out back in left field where you were before, then go … what’s different? What considerations and interests and risks are unique to each entity, which might be shared within its collective? Where are the affinities and then where are the similarities?”
Engaging in this process has been an exercise in disruption, said the risk manager.
“This was and still is, in some ways, a bit of radical thinking — thinking over the horizon, thinking beyond us as an individual entity, really thinking in terms of the collective system … related parties who may hold or share a similar risk profile but who don’t necessarily share identical risk profiles and who are distinct in and of themselves.”
He offers some advice for other risk managers embarking on a challenging project that’s constructively disruptive.
“Think before you act and then go back and think 100 more times before you actually act. I say that not as a result of failure or a lesson learned from a negative perspective but because, in some ways, that would represent the way we ultimately came to approach what we did.
“We thought and then we thought again and then we iterated. Then we went all the way back to square one and thought about something slightly different and worked that all the way through the model.”