An Eye on the Chain
Supply chain risk had been steadily escalating for the last few decades, but it took natural disasters in Japan and Thailand in 2011 to bring the true extent of the risk to the surface.
In addition to the enormous financial and human losses suffered in those countries, businesses around the globe faced major disruption as key suppliers were wiped out and supply chains ground to a halt.
It was a harsh wake-up call.
“The events in Japan and Thailand really gave rise to a realization of how much greater the risk in people’s supply chains is today than 10 or 20 years ago,” said David Shillingford, senior vice president, supply chain solutions for Verisk Analytics.
“Supply chains have become more efficient — thinner, longer — but in many ways less resilient.”
Video: Supply chain risk management as discussed at the University of Bath.
In the automotive industry, for example, there are significant interdependencies regarding raw materials and parts. The Japanese tsunami wiped out essential component manufacturers and halted car production around the globe.
Meanwhile, added Shillingford: “Supply chain disruption in the pharmaceutical industry can be very costly because of the value of the ingredients, and in both pharmaceuticals and food there are evolving compliance risks to consider too.”
In fact, in today’s interconnected world, almost all industries are affected by supply chain risk. And as an increasing amount of production is farmed out to specialist manufacturers — often in emerging markets — risk is becoming more concentrated.
Sid Feagin, director, enterprise risk management, Aon Risk Solutions, noted that it is now common for firms across many industries to farm out 85 percent or more of their core product to a long chain of suppliers.
“In many cases the risks associated with this are uninsurable, which makes the management of supply chain risk paramount to the success of an organization,” he said.
A Lack of Visibility
However, gaining visibility into the risks of suppliers deep into a complex supply chain is extremely difficult, and many companies have turned to analytic software for help.
“A lot of businesses have a pretty good grip on their direct suppliers, but it’s the second, third, fourth tiers in their supply chains where there is a gap in knowledge and information and an accumulation of risk,” said Caroline Woolley, leader of Marsh’s global business interruption center of excellence.
Computer manufacturer Lenovo uses suppliers from all around the world. According to Mick Jones, the firm’s vice president of supply chain strategy worldwide, analytics have become an essential risk management tool in addition to improving business efficiency. So much so that the firm has created a role akin to a “chief analytics officer,” running analytics teams stationed around the world, he said.
“Analytics offers massive value to the business. We are at the start of the journey of using analytics to help us focus on risk. We are investing a lot of time in getting product visibility and order visibility along the entire supply chain, which is an area we can always improve on,” said Jones.
Jones explained that analytics have become essential given the volatile environment of the last five years characterized by natural disasters, socio-economic unrest and financial instability.
“The algorithms in the software are becoming more intuitive and intelligent, so you are able to do more with data and analytics,” he said.
“In four years, we’ve moved from a very ‘descriptive’ analytics approach — reporting, scorecards, dashboards — through to a more ‘prescriptive’ approach, using simulation and optimization tools to almost predict what is going to happen going forward.”
However, meaningful data on supply chain risk is patchy because a great deal of supply chain risk is not insured and companies typically don’t keep detailed records of their losses. Such risk historically fell between the cracks as far as insurers were concerned, but the last decade has seen a number of specialist products emerge to protect companies against these risks.
“These losses were treated almost as operational risk, which was something companies had to deal with on a daily basis, so they weren’t recorded,” said Woolley.
“As we are seeing more of these incidents and getting more data on the impact of supply chain risk, we are seeing a lot more interest in alternative supply chain policies.”
Shillingford said that analytics being developed by Verisk could make it easier for both companies and insurers to identify and calculate the impact of supplier risks more accurately.
“We want to encourage ‘risk-adjusted supply chain optimization.’ Often, supply chain optimization focuses only on efficiency, but we rarely hear people talk about risk and resiliency. In order to do that you have to put a value against the risk,” he said.
“The chasm between the amount of risk not insured at the present time and the amount of capital available to be deployed to insure supply chain risk [results from a] lack of visibility into the risk. If we are able to provide that visibility it could be the biggest risk transfer opportunity of the next 10 years.”
Tracking Insolvency Risk
While data on weather or catastrophe-related supply chain losses is increasingly abundant, it is far more difficult to track the risk of insolvency within a supply chain in real time. The financial data of companies is released sporadically and can be incomplete. Given the precarious nature of the economy since 2008, the risk of suppliers going bust is very real.
“Insolvency is a significant risk but it may be near impossible to fully understand,” said Feagin. “The key to understanding whether a supplier is solvent or not comes down to access to information.
“I see companies relying on various sources of information which may be too old or inaccurate to draw relevant conclusions from.”
According to Shillingford, while there are a variety of companies that offer services to assess financial strength, “each has a different methodology, usually expressed as a score, and all face similar challenges obtaining financial data for suppliers to their client’s suppliers.”
Indeed, the software industry has yet to develop an approach that can map solvency risk in real time.
Jones said that analytics play virtually no role in mitigating insolvency risk in Lenovo’s supply chain. “We deal with global suppliers who are based in many parts of the world and the data is difficult to get, but we do have a very sound supplier management approach that allows us to identify issues earlier and more collaboratively.”
Feagin said it’s crucial for companies to focus on their relationships with their suppliers, rather than just crunching numbers.
“In order to get these numbers you need to build up a relationship and trust with the suppliers. Without a strong relationship, you don’t have much power to gain information.
“There is not a piece of software out there that can tell you whether or not to do business with a particular vendor — it comes down to taking a strategic and focused approach to managing supply chain risk.”
He also noted that companies add uncertainty to their supply chains by failing to pay their suppliers promptly.
“The greatest insurance [against insolvency risk in the supply chain] is being a prompt payer and having a good relationship with suppliers,” he said.
Keeping the Water Flowing
It has been described as one of the most challenging tunneling projects in the world. As if the technical demands weren’t tough enough, a major city is waiting on its completion in order to avert a potential water supply crisis.
Lake Mead is the largest reservoir in the United States, fed primarily from snowfall from the Rocky Mountains. The lake is the primary water source for Las Vegas (providing 90 percent of its drinking water), but due to increasing droughts, water levels are gradually declining, putting the city’s and surrounding areas’ water supply at risk.
The lake currently feeds the valley through two intake pipes, but with water levels dropping year-on-year, it is projected that one of the existing pipes will soon find itself above the water and obsolete.
If successful, an $817 million project to build a third intake pipe under Lake Mead, sponsored by the Southern Nevada Water Authority (SNWA), will vastly improve the efficiency of water flow to Las Vegas. At present, almost half of the water piped through the existing intake routes is lost through leakage.
Video: This CBS Evening News report on the drought in Nevada and California highlights the Lake Mead construction.
However, Lake Mead Intake No. 3 has been beset with problems and delays. The ground beneath the lake has proved hazardous and unpredictable. Since construction began, the tunnel has suffered collapse, flooding and even a fatality.
SNWA declined to speak to Risk & Insurance® about the project as it was in the midst of negotiating insurance renewals. However, it did confirm that the latest setbacks — worse than expected ground conditions and damage to a major digging machine — have pushed the projected completion date back to “summer 2015.”
Mark Reagan, leader of Marsh’s Global Construction Practice, assembled the project’s insurance program on behalf of SNWA and lead contractor SA Healy (parent of Las Vegas Tunnel Constructors). It is an insurance program that has already been put to the test.
According to Reagan, the program — which is underwritten jointly by numerous leading insurers from around the world, including the major European reinsurance markets — has so far taken the various losses in its stride.
“Builders risk coverage is designed to deal with issues arising from collapses and other unforeseen events, and is responding appropriately. There is still some work to do, but a substantial portion [of the claims activity] has been agreed to,” he said.
The safety and working conditions of the contractors, who toil in high temperatures and unpredictable conditions, are covered by a workers’ compensation policy. Sadly, one contractor was killed in 2011 when a pressure build-up behind a wall he was working on led to a lethal explosion.
“It is always tragic when there is a fatality. In this case, the workers’ compensation was effective and kicked in immediately,” said Reagan.
In addition, the program includes professional liability policies, while the various contractors and subcontractors on the project may also arrange separate property insurance for certain machines and equipment.
On revenue-generating projects, delays like those experienced at Lake Mead could cause billions of dollars of business interruption losses, which would often be insured under a delayed start-up policy. However, said Reagan, public entities with large balance sheets typically choose to absorb this risk rather than buy insurance.
Regardless, there is no potential income from the Lake Mead intake tunnel to insure; its entire purpose is to improve the water supply to Las Vegas. Yet, while the delays may not have catastrophic financial implications, they could be a disaster for the city if the project is not completed soon. One working intake pipe is simply not enough.
While the Lake Mead project may be challenging, engineering underwriters suggest that collapse, flooding and even fatalities are nothing new when it comes to projects of this nature.
“Tunneling projects all over the world have encountered problems, and it is not unusual for a tunnel project to face a delay,” said Manfred Schneider, head of engineering, North America, for Allianz.
The biggest challenge when tunneling, he said, is that it is almost impossible to predict how the ground beneath the surface will perform.
“Any tunnel project, to a degree, faces uncertainty. The problem is that you can only be 100 percent sure what you are facing when you start digging,” Schneider said.
“There are always imponderables when you start digging hundreds of meters under the earth.”
According to Marsh’s Reagan, even the most well prepared tunnel engineers can face setbacks.
“You could go to a site and drop 100 test bores, but until you put your 5- to 6-foot diameter pipe or 20-foot tunnel in the ground you just don’t know.”
“It is vital,” said Patrick Bravery, an underwriter at Lloyd’s syndicate Talbot Underwriters, “to have a system in place enabling you to react to what you find and adjust your design and processes to meet the challenges the ground throws at you.
“The challenge is to weigh the technical requirements the ground imposes upon you against the commercial realities of trying to deliver the project on time and on budget — that’s where tension can arise.”
According to Bravery, a major concern for tunneling underwriters is that the cost to repair a tunnel problem is often more than the original construction cost.
“This gearing effect has caught insurers out in the past,” he said.
He added that problems and costs can be further exacerbated when tunneling under a body of water.
“It is essential to keep the tunnel bore dry and open — if you lose that position and the bore becomes inundated, the cost to recover the situation is going to climb very rapidly.”
Reagan said that, while the issues experienced at Lake Mead have caused lengthy delays, the cost could have been worse.
“It wasn’t as bad economically as some collapses have been, relative to the cost of the project,” he said, estimating that the most recent collapse equated to about 4 percent to 5 percent of the value of the tunnel.
Reagan added that only underwriters able to absorb potential catastrophic losses involve themselves in these projects.
“This is a beefy business; you don’t get hobbyists in this space,” he said.
“Tunneling is a high hazard, catastrophic loss business. Insurers need strong balance sheets, engineering expertise and appetite.”
Reagan — whose employer, Marsh, brokers the majority of the world’s major tunnels — estimated there is typically capacity of about $500 million for large tunneling projects. But according to Schneider, insurers were “scratching their heads” back in the early 2000s over whether to even continue insuring tunnels due to the high levels of uncertainty and frequency of expensive losses.
Since then, the insurance and tunneling industries jointly produced a code of practice for contractors designed to mitigate risk.
“The code of practice didn’t solve all the issues, but it did make tunneling more insurable,” Schneider said, explaining that, while not all insurers insist on contractors meeting code of practice standards as a condition of coverage, it is common practice — particularly in Europe.
“We expect contractors to demonstrate they are following a rigorous risk management program,” said Bravery, noting that Talbot benchmarks potential clients against the code. And according to Bravery, risk management standards have improved dramatically over the last 10 to 15 years.
“Insurers can take some credit, but most of the credit has to go to the contractors and client bodies who recognized that the best way to get secure funding and approvals was to demonstrate they could work underground more predictably, on time and on budget,” he said.
“Regular collapses were not helping them.”
With loss experience improving, competition to insure tunnel projects is increasing.
“The number of insurers prepared to consider tunneling projects has grown massively in the last five or six years,” said Bravery.
“The appetite for tunneling projects is sufficient and quite competitive now, compared to 10 or 12 years ago.”
Events at Lake Mead have done little to dispel the perception of tunneling as one of the riskiest construction endeavors. But there is no time to dwell on that.
Insurance is doing its job to keep the project going, and the future of Las Vegas depends on it.
Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers who it said have been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of if, and not when, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.