Keeping the Water Flowing
It has been described as one of the most challenging tunneling projects in the world. As if the technical demands weren’t tough enough, a major city is waiting on its completion in order to avert a potential water supply crisis.
Lake Mead is the largest reservoir in the United States, fed primarily from snowfall from the Rocky Mountains. The lake is the primary water source for Las Vegas (providing 90 percent of its drinking water), but due to increasing droughts, water levels are gradually declining, putting the city’s and surrounding areas’ water supply at risk.
The lake currently feeds the valley through two intake pipes, but with water levels dropping year-on-year, it is projected that one of the existing pipes will soon find itself above the water and obsolete.
If successful, an $817 million project to build a third intake pipe under Lake Mead, sponsored by the Southern Nevada Water Authority (SNWA), will vastly improve the efficiency of water flow to Las Vegas. At present, almost half of the water piped through the existing intake routes is lost through leakage.
Video: This CBS Evening News report on the drought in Nevada and California highlights the Lake Mead construction.
However, Lake Mead Intake No. 3 has been beset with problems and delays. The ground beneath the lake has proved hazardous and unpredictable. Since construction began, the tunnel has suffered collapse, flooding and even a fatality.
SNWA declined to speak to Risk & Insurance® about the project as it was in the midst of negotiating insurance renewals. However, it did confirm that the latest setbacks — worse than expected ground conditions and damage to a major digging machine — have pushed the projected completion date back to “summer 2015.”
Mark Reagan, leader of Marsh’s Global Construction Practice, assembled the project’s insurance program on behalf of SNWA and lead contractor SA Healy (parent of Las Vegas Tunnel Constructors). It is an insurance program that has already been put to the test.
According to Reagan, the program — which is underwritten jointly by numerous leading insurers from around the world, including the major European reinsurance markets — has so far taken the various losses in its stride.
“Builders risk coverage is designed to deal with issues arising from collapses and other unforeseen events, and is responding appropriately. There is still some work to do, but a substantial portion [of the claims activity] has been agreed to,” he said.
While the Lake Mead project may be challenging, engineering underwriters suggest that collapse, flooding and even fatalities are nothing new when it comes to projects of this nature.
The safety and working conditions of the contractors, who toil in high temperatures and unpredictable conditions, are covered by a workers’ compensation policy. Sadly, one contractor was killed in 2011 when a pressure build-up behind a wall he was working on led to a lethal explosion.
“It is always tragic when there is a fatality. In this case, the workers’ compensation was effective and kicked in immediately,” said Reagan.
In addition, the program includes professional liability policies, while the various contractors and subcontractors on the project may also arrange separate property insurance for certain machines and equipment.
On revenue-generating projects, delays like those experienced at Lake Mead could cause billions of dollars of business interruption losses, which would often be insured under a delayed start-up policy. However, said Reagan, public entities with large balance sheets typically choose to absorb this risk rather than buy insurance.
Regardless, there is no potential income from the Lake Mead intake tunnel to insure; its entire purpose is to improve the water supply to Las Vegas. Yet, while the delays may not have catastrophic financial implications, they could be a disaster for the city if the project is not completed soon. One working intake pipe is simply not enough.
While the Lake Mead project may be challenging, engineering underwriters suggest that collapse, flooding and even fatalities are nothing new when it comes to projects of this nature.
“Tunneling projects all over the world have encountered problems, and it is not unusual for a tunnel project to face a delay,” said Manfred Schneider, head of engineering, North America, for Allianz.
The biggest challenge when tunneling, he said, is that it is almost impossible to predict how the ground beneath the surface will perform.
“Any tunnel project, to a degree, faces uncertainty. The problem is that you can only be 100 percent sure what you are facing when you start digging,” Schneider said.
“There are always imponderables when you start digging hundreds of meters under the earth.”
According to Marsh’s Reagan, even the most well prepared tunnel engineers can face setbacks.
“You could go to a site and drop 100 test bores, but until you put your 5- to 6-foot diameter pipe or 20-foot tunnel in the ground you just don’t know.”
“It is vital,” said Patrick Bravery, an underwriter at Lloyd’s syndicate Talbot Underwriters, “to have a system in place enabling you to react to what you find and adjust your design and processes to meet the challenges the ground throws at you.
“The challenge is to weigh the technical requirements the ground imposes upon you against the commercial realities of trying to deliver the project on time and on budget — that’s where tension can arise.”
According to Bravery, a major concern for tunneling underwriters is that the cost to repair a tunnel problem is often more than the original construction cost.
“This gearing effect has caught insurers out in the past,” he said.
He added that problems and costs can be further exacerbated when tunneling under a body of water.
“It is essential to keep the tunnel bore dry and open — if you lose that position and the bore becomes inundated, the cost to recover the situation is going to climb very rapidly.”
Reagan said that, while the issues experienced at Lake Mead have caused lengthy delays, the cost could have been worse.
“It wasn’t as bad economically as some collapses have been, relative to the cost of the project,” he said, estimating that the most recent collapse equated to about 4 percent to 5 percent of the value of the tunnel.
Reagan added that only underwriters able to absorb potential catastrophic losses involve themselves in these projects.
“This is a beefy business; you don’t get hobbyists in this space,” he said.
“Tunneling is a high hazard, catastrophic loss business. Insurers need strong balance sheets, engineering expertise and appetite.”
Reagan — whose employer, Marsh, brokers the majority of the world’s major tunnels — estimated there is typically capacity of about $500 million for large tunneling projects. But according to Schneider, insurers were “scratching their heads” back in the early 2000s over whether to even continue insuring tunnels due to the high levels of uncertainty and frequency of expensive losses.
Since then, the insurance and tunneling industries jointly produced a code of practice for contractors designed to mitigate risk.
“The code of practice didn’t solve all the issues, but it did make tunneling more insurable,” Schneider said, explaining that, while not all insurers insist on contractors meeting code of practice standards as a condition of coverage, it is common practice — particularly in Europe.
“We expect contractors to demonstrate they are following a rigorous risk management program,” said Bravery, noting that Talbot benchmarks potential clients against the code. And according to Bravery, risk management standards have improved dramatically over the last 10 to 15 years.
“Insurers can take some credit, but most of the credit has to go to the contractors and client bodies who recognized that the best way to get secure funding and approvals was to demonstrate they could work underground more predictably, on time and on budget,” he said.
“Regular collapses were not helping them.”
With loss experience improving, competition to insure tunnel projects is increasing.
“The number of insurers prepared to consider tunneling projects has grown massively in the last five or six years,” said Bravery.
“The appetite for tunneling projects is sufficient and quite competitive now, compared to 10 or 12 years ago.”
Events at Lake Mead have done little to dispel the perception of tunneling as one of the riskiest construction endeavors. But there is no time to dwell on that.
Insurance is doing its job to keep the project going, and the future of Las Vegas depends on it.
Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of the just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers who it said have been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of if, and not when, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.
The Gap in the Clouds
Cloud computing is integral to modern business. According to market research firm Gartner, the global cloud service industry will be worth $180 billion by 2015, while cloudhypermarket.com estimated a third of all IT expenditures in 2013 would be on cloud computing.
The cloud network is maintained by nearly 35,000 data centers (cloud service facilities containing physical servers), about 25,000 of which are located in the United States. These facilities are extremely well protected, employing the very best physical and cyber security systems, and are usually located in secretive locations away from obvious natural perils.
However, these facilities still require traditional property coverage to insure against risks including flood, fire, storm, earthquake, sabotage, civil commotion and terrorism. If one or more major cloud service facilities were damaged, service could be disrupted and data lost, with far-reaching economic implications for businesses that rely on the service.
Last year, Superstorm Sandy shut down data centers in Manhattan, while Amazon suffered two separate power outages at its Northern Virginia cloud facility forcing many popular websites including Netflix, Instagram and Pinterest offline. But it’s not just media outlets that suffer — thousands of businesses are now actively using the cloud for business purposes, with basic data storage only accounting for 13 percent of cloud usage, according to research firm IDC.
Despite growing reliance on the cloud, Florence Levy, senior vice president and head of Lockton’s Global Technology and Privacy Practice, believes there is a gap in the insurance market that could leave cloud users uninsured for lost data or business interruption in the event of a physical event damaging a cloud facility.
“Traditionally, property policies address physical triggers and harm, while cyber and even errors and omissions policies are intended to address non-physical triggers and economic damage,” she said. “In the event of a physical trigger causing non-physical harm, property underwriters and cyber underwriters will be left pointing fingers at each other.”
According to Jim Charron, Technology Practice leader for Zurich, it is possible to insure data under a property policy, although coverage language often doesn’t capture the entire exposure. “Some [policies] are very clear that they cover computing resources and will specifically state that the coverage includes voice, data and even video, while others are not,” he said. “There are requests for this exposure to be covered and underwriters are responding, but the wording isn’t always reflective of the exposures.”
Charron added that underwriting becomes even more complicated when data is being held by a third-party on behalf of potentially millions of clients.
“Traditional property and business interruption risks already existed for insureds who maintained their computing resources within their own buildings, but with the use of the cloud those risks are subject to equipment not owned by the insured. Once the risk has been transferred to another party the insurance needs to change along with that,” he said. “I think there is an opportunity for insurers to refresh their approach.”
“People are starting to realize this may be a bigger issue than we had previously allotted for in the last couple of years. Savvy clients are asking a lot of questions,” said Levy, adding that brokers are trying to encourage insurers to develop enhanced coverage to ensure cloud users’ data is properly insured.
“The market is trying to figure out a way to address this, whether it is some sort of ‘difference in conditions’ policy that sits above the property and cyber policies, or more collaboration between the property and cyber underwriters and brokers to come up with a more effective solution,” she said.
Levy admitted, however, that creating some kind of hybrid product would be very challenging for insurers. “Cyber and property are two very different coverages with different profitability standards and historical data sets. The most likely solution is an umbrella or difference in conditions policy rather than stretching either set of underwriters beyond their comfort zone,” she said.
Another major challenge is aggregation of risk, with tens of thousands of businesses potentially facing disruption if any of the leading cloud providers went down.
“What is the aggregated business interruption and property damage exposure of one or several of these facilities if they were attacked all at once or there was a large weather event?” asked Charron. “If a major facility is taken down it could have a dramatic impact on the insurance industry.”
When in Doubt, Sue
Cloud users may have another form of protection. Robert Parisi, Network Security and Privacy Practice leader at Marsh, who places E&O and professional liability (PL) risks for cloud service providers, believes providers are vulnerable to PL claims, even if interruption or loss of data was caused by a physical risk rather than negligence.
“I don’t think there are gaps in coverage. If a cloud provider is unable to provide their service, it is going to come back at them as a PL claim. The end user is not going to care one whit why the cloud provider wasn’t there when they needed them — they just know they have a contract and the provider didn’t honor it,” he said.
Accordingly, cloud providers have to ensure their E&O and PL policy wordings are airtight in their response to ‘act of God’ type risks or even deliberate physical sabotage and terrorism risks.
“From an end user’s perspective, the principal recovery vehicle is going to be that PL policy, so the cloud providers and their brokers need to look under the hood of their policies,” said Parisi. “The market has evolved and is getting better at providing solutions, and the coverage is fairly broad. It is up to the broker to be aware those solutions exist and stitch them together for [the cloud provider].”
Parisi said PL claims against cloud providers are common, particularly in the litigious United States where cloud users also have very high expectations — anything less than 24-hour service at optimal speed could result in a PL claim, particularly from users whose businesses rely on real-time data feeds, he said.
“Tech companies are regularly sued for failing to provide service or failing to render the service non-negligently. Tech is not perfect, and when it goes wrong, usually the first thing a client of a tech company is going to do is assume the tech provider must have done something wrong,” he said.
“Not only is the cloud provider going to be held to rendering the service and having the service functioning as intended, there is also an element of latency risk; clients want their service working now, on demand, and without any delays.”
In order for the cloud providers to ensure they get adequate coverage against such claims, they must demonstrate high levels of risk management including building redundancies into their systems so that if one facility is damaged, the data can be switched rapidly to another network or facility without being lost.
“One of the large tech companies runs an entirely parallel network right next to their production network so if anything happens they can switch their customers from the day-to-day network to the parallel redundant network in the blink of an eye,” said Parisi.
“That’s an extreme example – most providers don’t have a parallel network. But if they are going to guarantee 100 percent up-time they need to make sure they have the facilities that can do that — and if that means geographically separating their data centers then that is what must be done.”
When it comes to liability for data loss or service downtime, much hinges on the service level agreement between the two parties.
“This agreement defines what level of liability the provider assumes. In that contracting process the provider can say they will deliver their service but there are things outside of their control, and if those things prevent the service the user will have to live with that,” said Parisi. “That won’t always necessarily fly in the negotiation process — in which case the provider may put liquidated damages or limitations of liability clauses with pre-agreed settlements or caps on liability into the contract.”
Parisi added that one of the best things a cloud provider can do to limit their liability is to manage the expectations of the cloud user.
“The quickest way for someone to think the provider did something wrong is for the provider to overpromise,” he said, noting that startup cloud providers are most susceptible to this as they aggressively compete for business.
Ultimately, though, cloud users must take responsibility for their own data — particularly if it is critical to their business. “Cloud users should take it as incumbent upon them as part of their risk management policy to ensure they have their data backed up, and most of them probably do,” said Zurich’s Charron. “The rub is if they are creating new data all the time and there is value in the creation of this new data being generated. Identifying whether data is confidential or mission-critical can help the user understand how often they should back up their data.”
Parisi said cloud use should be treated with the same common sense as any other enterprise risk.
“If you’re relying solely on a third party for the sanctity and security of your data, you are probably making a lot of other mistakes in your business,” he said.