Assessing Third Party Risk
The financial services industry is in “high gear” to reassess third-party risk management practices in response to regulatory guidance.
Institutions are investing in technology to improve reporting and analytics, so that third-party risks are appropriately assessed and that controls are effective, according to the Third Party/Vendor Risk Management Survey, recently released by the Risk Management Association and sponsored by MetricStream.
It’s not just about assessing the risks from vendors and their subcontractors, but also affiliates, debt buyers, agents, channel partners, and correspondent banks, to name just a few third parties that banks and credit unions work with, said Edward DeMarco, RMA’s general counsel and director of operational risk/regulatory relations/communications.
Best practices are in “an evolutionary state,” DeMarco said.
“Multiple business lines and functional units within an institution might have their own special relationship with the same third party,” he said. “Prudent third-party risk management requires that the third party be risk-assessed in connection with the enterprise and not simply any one individual business line.”
Institutions are also increasingly applying pressure to make sure third parties assess the risks of their own contractors, DeMarco said.
“For example, a bank might hire XYZ appraisal company, and that company might sub out to appraisal companies 1, 2, 3 and 4,” he said. “While the bank won’t require a report because they are not in control of those relationships, the banking company does expect its third party to assess their risks.”
Other survey findings include:
• Nearly 50 percent of the respondents said their institution’s risk management functions were responsible for oversight of vendor risk.
• More than 50 percent said their institutions send questionnaires to vendors for risk management purposes.
• Roughly one-third said they have more than 25 “enterprise critical” suppliers that have the potential to affect their entire organization in the event of a failure.
• More than 75 percent have in place a supplier code of conduct that suppliers must acknowledge.
Peter Foster, executive vice president and one of the leaders of the cyber risk group at Willis, said that many of his financial institution clients require their vendors to complete a Statement on Standards for Attestation Engagements (SSAE) No. 16, which is guidance from the American Institute of Certified Public Accountants.
“But this is the minimal of what a vendor should be doing to demonstrate how they are protecting their systems,” Foster said.
“That report really doesn’t get deep into the weeds whether or not the security around the data or around operational applications is really secure.
“Financial institutions should take a step further with a set of questions or a physical audit of a vendor, particularly if the application is more critical to operations or contains customers’ personally identifiable information.”
Institutions should also require third parties to have a technology errors and omissions policy with cyber insurance built into the one policy, he said.
An institution should require third parties to name it as an “additional insured” and provide it with certificates of insurance to cover any disruptions, including liability to cover unauthorized access or unauthorized use of data.
An institution should also have coverage for vicarious liability and direct liability under its own cyber policy, which would cover a data breach resulting from outsourcing, Foster said. That way, the institution will be covered if its third party doesn’t have a policy or its policy doesn’t provide such coverage.
Such is often the case with cloud computing firms, he said.
“We recommend [third parties provide coverage] because it should be the first line of defense — the vendor who causes the breach should be paying for the breach,” Foster said. “But we’re also cognizant of the fact that many vendors will not provide that coverage and that the bank needs to use that vendor.”
Negotiations with third parties and vendors can be time consuming — and cyber insurance coverage is “an integral part” of those conversations, said Michael O’Connell, managing director and financial institutions practice leader at Aon Risk Solutions.
“Also, a critical part of these discussions centers around who is liable for what part and how much of the loss, especially when there is a breach of confidential data,” he said.
From a risk management perspective, he recommended that vendor risk assessments include answers to these questions:
• Does the insurance fully cover the liability of the insured due to an incident caused by third-party providers?
• Are regulatory investigations, fines and penalties addressed?
• Are first-party business interruption and crisis management included within the cyber policies and are there full limits or sublimits?
“Additionally, the contingent business interruption component must include increased attention to the number and complexity of third-party relationships,” O’Connell said.
Firms must have a complete plan for loss mitigation, restitution, and a response to the potential reputational damage that may be caused, he said.
Remember when some Beanie Babies were fetching nearly $1 million a pop? Then they fizzled, and most are now selling for a quarter at yard sales.
Still, experts caution collectors not to ditch their seeming has-beens, as events or TV shows can propel items back into the limelight. CBS’ Big Bang Theory made comic book collecting cool again, and Star Wars memorabilia surged after Disney bought Lucasfilm last year.
Specialty insurance exists for many types of collections, backed by differing methods of authentication or “agreed value” coverage. Experts advise collectors on how to best protect items, when to restore damaged items — and when to just cut their losses.
And for those who have inherited a house full of knickknacks from their grandmother, experts recommend local experts over estate sales to spot — and sell — newly hot items.
Today’s valuables include vinyl records, rare books and pre- and post-WWII gun collections, said Orlando Morales, underwriting manager at American Collectors Insurance in Cherry Hill, N.J. Figurines, stamps, coins and sports memorabilia never go out of style.
The next hot items could be vintage Atari 2600, Nintendo and Sega consoles, but collectors should also hold on to their Christmas ornaments, Longaberger baskets and other faded items, Morales said.
“All you need is for media to put a spotlight on it or one gets sold in an auction house for a ton of money, and boom, it becomes a hot item,” he said.
American Collectors has a collectibles policy for many items, including Barbie dolls, G.I. Joe and Star Wars action figures, Coca-Cola advertising memorabilia and collector quilts. Rates range from $4 per $1,000 for some collections such as books and stamps, to $7.50 per $1,000 on fragile items like Hummel dolls and porcelain. The minimum annual policy premium is $65.
The insurer doesn’t require appraisals or certificates of authenticity to secure coverage on most items, but the company might require a bill of sale for higher-end items. Upfront underwriting is really the key to protecting against fraud.
“We’ve been doing this for a long time, so we know the telltale signs of possible fraud, such as overvalued collections, applicants who are new to the hobby, or the lack of any documentation,” Morales said. “Fortunately, this particular product performs very well from a loss standpoint, and we don’t see a lot of fraud.”
American Collectors recommends that collectors inventory and photograph items, and store those documents offsite in a bank vault or a relative’s house, to be accessed in the event of a loss.
Baseball memorabilia is especially hot, said Keith McConnell, vice president, business development at MiniCo Insurance Agency LLC in Phoenix.
A Honus Wagner baseball card, for example, sold for $2.3 million and Mark McGwire’s 70th home run ball sold for $3 million.
MiniCo offers annual blanket coverage starting at $75 for a no-deductible, all-risk policy that also covers losses during transportation, accidental breakage and “mysterious disappearances,” McConnell said.
If there is a claim, the insurer works with the collector to determine the current value, typically relying on appraisers or purchase receipts. However, for older or unappraised collections, MiniCo may research recent transaction prices on the secondary market for similar items.
McConnell recommends appraisals for higher-priced items every three to five years, “as sometimes items such as fine art can double or triple in value within a year.”
Collectors should minimize handling of their items, as just touching with bare hands can lower their value, he said.
Put pictures or cards in hermetically sealed protective plastic cases to avoid creasing or wrinkling, and use tinted glass for display cases to keep direct sunlight from damaging items.
Storage room temperatures should not be too hot, cold or damp. Some collectors have alarms that indicate temperature changes.
Kenny Davis, co-owner of Worthridge Inc., an online auction and retail company in Kernersville, N.C., said that his company works with “well-respected companies” to authenticate sports memorabilia, as forgeries are on the rise — even after the 1999 Operation Bullpen sting operation by the Federal Bureau of Investigation and the Internal Revenue Service, which seized over $500,000 in cash and roughly $10 million in forged memorabilia, from 60 individuals and businesses across five states.
Worthridge hosted its first sports memorabilia online auction this summer. The offerings included San Antonio Spurs NBA Championship rings from 1999 and 2003, an unused ticket from Babe Ruth’s first World Series in 1915 and an oversized boxing glove signed by Muhammad Ali.
Some jewelry and stamp collections have appreciated more than 100 percent in the last several years, said Julie Sherlock, fine arts practice leader at ACE Private Risk Services in New York City. Certain genres of art, such as Chinese, Eastern and contemporary art, have significantly appreciated, and in those cases collectors should reappraise even more frequently, “as records are being broken in auction houses.”
Such appreciation might catch collectors off guard. ACE recently conducted research that found many wealthy homeowners are under-insured for their personal property by an average of $415,000. The carrier reported that wealthy individuals tend to have a “blind spot” in managing their valuable collections.
ACE will schedule items for full cover in an “all perils policy” that does not have a deductible, and also has blanket coverage, Sherlock said. The insurer provides coverage for market value appreciation, and will pay the market value of an item just prior to loss up to 150 percent of the scheduled amount. ACE also provides coverage for similar items that have been newly acquired but not yet scheduled.
The insurer also offers risk management consulting, and recommends that artwork not be placed over fireplaces close to soot, smoke and other damaging debris, she said.
Mid-century furniture is especially hot right now, said Laura Murphy, eastern territory fine art and collectibles specialist at Chubb Personal Insurance in New York City. Sofas or chairs bought for $1,000 in the 1950s might be selling for more than $100,000 today, if they are true design pieces by a mid-century modern designer, such as Arne Jacobsen or George Nakashima.
“A lot of museums are also now collecting mid-century design, which really validates these pieces as artwork,” Murphy said.
Chubb provides valuable articles coverage with agreed value, but the insurer requires appraisals for fine and decorative art items valued over $250,000 and for jewelry valued over $100,000.
For certain items, such as jewelry with three or more carats of diamonds, appraisals may be needed every two to three years to keep up with market fluctuations, she said. For many collections such as stamps, wine or porcelain, Chubb offers blanket coverage.
Rick Drewry, collector car claims specialist at American Modern Insurance Group in Cincinnati, said his unit specializes in insuring collector cars and motorcycles, especially those made before the 1980s.
Some car values are exploding: an early 1970s Camaro Z28 that sold for $5,000 or $10,000 a decade ago might be selling for more than $50,000 now.
Video: The original Batmobile from the 1960s TV show sold for $4.62 million in January 2013.
“We have weekend warriors who have one or two cars, mainly for fun, and many of their cars are not that high in value because of their condition or because they lack originality,” Drewry said. “Then we have investors who are collecting and maintaining cars as an investment. In fact, a lot of people started investing in cars when the stock market crashed.”
American Modern gives discounts for collections valued at over $250,000, as well as mileage discounts for driving less than 3,000 miles a year, and a larger discount for driving less than 1,000 miles.
When acquiring a collector vehicle, buyers should document that the car is either in its original state or has been restored back to its original specs, he said. Some older cars have build sheets under the rear seat that list the options that came with the car when it was built.
American Modern provides agreed value coverage, and when claims arise, determines book value using numerous sources, including auction houses and private sales. “Having the original engine, transmission and rear end, and having documentation like the build sheet makes a car a lot more valuable,” Drewry said. “If a person doesn’t have the original drivetrain, then that’s probably a 40-percent hit.”
The insurer recommends climate-controlled garages and for vehicles to be driven periodically.
If collections are damaged, insurers may pay third parties to restore items at a lesser value, said Tracy Bachtell, senior vice president, business development at Paul Davis Restoration Inc. in Jacksonville, Fla. Policyholders either keep the restored items and receive a check making up for the lesser value, or insurers pay them full value and then take ownership of the items for salvage. For items that may not be restorable, such as baseball cards recovered from a flood, insurers typically pay policyholders full value and salvage the items.
“The challenge to the property owner is proving what they had and their condition at the time of loss,” Bachtell said. “Appraisals, photographs, purchase receipts and videos are always a good idea.”
Terry Kovel of Kovels.com, a publisher of collection price guides and other collector information, said that people who inherit older furnishings may want to think twice about having an estate sale. They might have a hot item like mid-century furniture on their hands and not know it.
Other household items that are trendy include Hot Wheels and reverse-painted glass advertising signs, as the average sign is currently fetching $3,000 to $4,000.
“It’s better to get an expert who knows about specific items to advise on the value or sell themselves,” she said. “Find a local dealer who has been in business for a long time, rather than someone who sets up a show in a hotel, so you can find them six months later if there is a problem.”
Brokers think they are offering clients the types of value-added services they want, but many employers apparently don’t agree.
Slightly more than half (53 percent) of 3,275 employers surveyed earlier this year by Zywave, a Milwaukee-based software vendor, said they are not satisfied with the information their broker provides them on regulatory and legislative updates.
Nearly all (92 percent) of employers said they wanted those updates, according to the Zywave 2014 Broker Services Survey.
Additionally, 88 percent said they wanted assistance with workplace wellness programs, but 56 percent said their broker was “not delivering to their expectations.” And, while 65 percent of employers want brokers to help them develop employee handbooks, 85 percent said their broker is not doing a satisfactory job.
There is a disconnect between how the brokers believe service distinguishes them and the way that employers feel they are being serviced, said Dave O’Brien, Zywave’s chief executive officer.
“That speaks to the discovery process many brokers have when they are courting prospective clients,” O’Brien said. “They tell them about the history of the firm and about their people, but in reality, they should be asking employers about their own histories, problems, and what they may need from the broker.”
The brokers that ask these kinds of questions up-front, and then periodically check with clients to see if they are meeting their needs, stand to beat out competitors as employers increasingly seek greater guidance, he said.
Smaller brokers may not be able to provide these additional services on their own, but they can leverage technology to offer services similar to those of larger brokers, he said.
Kelly Hagan, director of operations, employee benefits at Assured Neace Lukens in Louisville, Ky., said that brokers “should be making a concerted effort to get information” to employers.
“For smaller employers, the person handling benefits is often wearing multiple hats and has limited time to work on benefits on a day-to-day basis,” Hagan said. “So I do think it’s incumbent upon us to make sure that clients understand that we can provide resources to them, though sometimes with time constraints or business priorities, they may not always avail themselves of those services.”
Some clients don’t know how to ask for what they need, said Denise Ashford, vice president at Sweet & Baker Insurance Brokers in San Francisco.
“Sometimes brokers have the best intentions, but in fact, we don’t take the time to actually speak with the clients to diagnose what they are lacking, and that can send us down that rabbit hole of offering services they don’t need or care about,” said Ashford, who has surveyed clients to better target their needs.
Other survey results include:
• Nearly six in 10 (59 percent) employers are unsatisfied with the information they receive that could help reduce the frequency and expense of claims.
• Nearly two-thirds (63 percent) of employers are unsatisfied with their current broker’s assistance in creating benefit statements.
According to the survey, employers listed their top three risk management challenges as keeping up-to-date on regulatory changes, controlling workers’ compensation costs and educating employees about safety.
They ranked their top three employee benefit challenges as managing health care costs; keeping in compliance and up-to-date on changing legislation, including health care reform; and benefits administration and employee benefits education.