Top Five Uninsurable Risks
Whether it’s a Sriracha hot sauce maker being threatened with closure by city council or General Motors fighting for its reputation after recalling more cars than it made in the past three years, companies face a world of complex risks.
And some of those risks cannot be transferred via insurance products.
How well are companies protected, for example, when new regulations get passed — such as the EPA’s proposed restrictions on coal burning plants that may drive some in the energy industry out of business, or the current political drumbeat against tax inversion practices?
What insurance covers a company whose rogue employee sells trade secrets to an outside company? How about when a pandemic shuts down operations?
Risk managers identify their organizational exposures as best they can and then work to manage or eliminate those risks. Sometimes, commercial insurance can be used to remove the bulk of that risk, but we’ve isolated five risks which many experts believe are uninsurable in many respects, for the time being anyway.
“For the most part, the insurance industry rises to the occasion and creates products for emerging risks that evolve over time,” said Carol Laufer, executive vice president, ACE Excess Casualty.
“For insureds, the purchase of products such as employment practices and cyber insurance eventually evolves from a discretionary spend to standard insurance coverage,” she said.
For sure there are other challenging risks — such as weak economic conditions or skilled talent shortages — that also are uninsurable, but we have selected those for which risk managers are able to play an effective role in mitigating the risk.
Part of the problem in transferring such risks is the complexity involved in the exposures. Look at tax inversion — where a U.S. company merges with a foreign company to change its tax jurisdiction and lower its tax burden.
Is that a political risk? A regulatory risk? A reputational risk? It could be any one of them, or all three of them.
“I think it’s almost uncountable the ways that a loss could occur where that loss could be tied back to reputational risk or regulatory risk,” said David White, a national actuarial leader at KPMG.
At the same time, calling a risk uninsurable has nuances to it. Criminal fines and penalties, for example, are truly uninsurable. The law forbids such coverage, said Patrick Donnelly, chief broking officer, Aon Risk Solutions.
But for other types of risks, there may be various products offered by brokers and underwriters to address some, but not all of the specific exposures faced by a company, he said. Such coverage, however, may be rare or expensive, or corporations may find risk transfer to be an ineffective way of hedging the risk.
“I’m very careful about branding something as truly uninsurable,” Donnelly said.
“It’s not black and white.”
General Motors might be the quintessential example of a company undergoing a reputational hit. It recalled nearly 30 million cars, and faces numerous lawsuits and investigations related to a delayed recall of 2.6 million cars — some manufactured more than a decade ago — with a faulty ignition switch that has been linked to 13 deaths and more than 50 accidents.
Video: As this report from the New York Times indicates, automakers have a long history of trying to maintain their reputations in the face of major recalls.
But every day brings another contender for the throne. One day, it’s American Apparel’s founder being suspended, and possibly eventually fired, for alleged sexual misconduct. Another day, it’s a viral video of a Comcast customer service representative who refuses to let a customer cancel his account.
Or it could be yet another cyber theft of customer information or a celebrity spokesman tweeting out an offensive comment.
While there are insurance products that provide coverage for crisis management/public relations costs and product recall expenses, only a limited market exists for loss of income or net profit for reputational harm, said Emily Freeman, global technology and privacy practice specialist at Lockton.
“You need to be able to wrap your arms around the risk and the value of risk before you can insure it,” said Tom Srail, senior vice president, Willis. “What a company name is worth has long been a risk to the industry.”
Freeman said Lockton has been involved in creating customized solutions for large clients that address specific threats of reputational harm. The client and underwriter negotiate the period of indemnity and loss adjustment, she said.
“The perils are not on an ‘all risk’ basis, but rather categories listed that are relevant to the client, such as disgrace of key persons or breach of sensitive data,” Freeman said.
“In my mind,” said KPMG’s White, “you can’t find policies that cover all types of reputational risk from whatever event that occurred.”
When it comes to regulatory risk, many risk managers keep an eye on the rules of the Health Information Portability and Accountability Act (HIPAA), the Dodd-Frank Act or a regulatory agency such as the Food & Drug Administration.
But the threat of regulation is immense and often unpredictable. In just one year, 2012, there were 17,763 changes to laws, rules and regulations affecting the banking and financial sectors alone, according to The Network, a training and compliance company.
Plus, risks can emanate from all sectors of government. One recent example is Huy Fong Foods, the manufacturer of Sriracha hot sauce, which was temporarily shut down by a judge following a lawsuit by the city council of Irwindale, Calif., after four families (one of which was related to a city councilman) complained about odors.
Eventually, the city dropped its lawsuit and its declaration that the factory was a “public nuisance,” but it took months for the situation to resolve itself.
“From a risk management or risk mitigation perspective, you can’t really predict regulations. You can prepare for them, but you can’t predict them or price them,” White said. “Regulatory risk is handled through risk mitigation, not risk transfer.”
“Even in the United States,” Srail said, “a government or state can put an industry or a company, if they want to, out of business or severely restrict their ability to operate.”
Certainly, the energy industry has been facing that threat since 2008 when President Obama noted that coal-powered plants can still be built, but at a steep regulatory cost.
“It’s just that it will bankrupt them because they are going to be charged a huge sum for all that greenhouse gas that’s being emitted,” Obama said.
While a final rule has not yet been issued by the Environmental Protection Agency, the president has recently called on it to enact new emissions regulations. The U.S. Chamber of Commerce estimated the regulations will cost the economy about $50 billion annually.
“There are some creative products underwriters have tried over the years … but there is definitely nothing off the shelf or run of the mill,” Srail said of regulatory risk.
“There’s nothing easy to do.”
Trade Secret Risk
“I find trade secrets to be one of the most dangerous areas,” said attorney Rudy Telscher, a partner at Harness Dickey & Pierce, who recently won a patent infringement case at the U.S. Supreme Court.
“There are no boundaries. It’s such a nebulous area.”
It can include anything from a disgruntled employee taking customer lists or R&D information to his next job, a foreign government stealing trade secrets or a hacker burrowing into a computer system to steal a company’s version of its special sauce.
Globalization and the expanded use of supply chain partners increase the potential exposure. Plus, even when a company is able to pursue trade secret litigation, courts consider whether reasonable precautions had been taken to secure the proprietary information.
“The violation,” said Bob Fletcher, president, Intellectual Property Insurance Services Corp., which offers insurance to litigate intellectual property cases, “is not the use [of a trade secret]. The violation is, ‘How did you get the information?’ ”
In any event, said Aon’s Donnelly, “an organization would have a very difficult time obtaining an insurance policy that adequately protects them against the theft or wrongful disclosure of their trade secrets and the potential damage that could do to the company if that trade secret got out.”
More common than industrial espionage, however, are the run-of-the-mill business discussions that revolve around synergies and potential partnerships between enterprises. Often, the nondisclosure agreements (NDAs) covering such discussions are not specific enough to protect the parties, Telscher said.
It is the party receiving the information that is most at risk, he said. If the discussions dissolve, that party may find itself accused of acting upon trade secrets because the NDA did not specify the information that was to be disclosed and held confidential.
“The more information you receive, the greater the risk there will be a lawsuit if you don’t end up doing a deal and you move forward on your own,” Telscher said.
In this era of globalization, companies establish operations all over the world, and the world is not a stable place.
Upheaval — or the increasing threat of it — is prevalent on just about every continent of the globe. Certainly, the possibilities in the Middle East, Eastern Europe, Asia and Latin America are concerning to risk managers.
While political violence and trade credit coverage is available in the majority of cases, companies continue to face uninsurable exposures.
“It’s definitely tricky,” said Mark Garbowski, a shareholder at Anderson Kill.
“Based on the policies I have seen, there will always be some aspects of it that will be fully outside the scope of what can be covered.”
And only “a minority” of companies actually buy the cover, said John Hegeman, AIG senior vice president, specialty lines-political risk.
“I think the principal reason is most risk managers view it as a self-insured business risk,” he said.
“Pretty much anything an insured thinks is really essential to their operations can be covered, but you have to identify it and understand what it is.”
Often, said Richard Maxwell, chief underwriting officer and global head of political risk and trade credit insurance for XL Group, corporations wait too long in the face of deteriorating conditions and insurers will not accept the risk.
“Buy the cover before the barn is on fire,” he said.
Generally, policies cover a host of risks, including government expropriation of an asset, destruction of an asset due to war or political violence, credit default of trade receivables, and when foreign governments block transfer and convertibility of currency.
Some countries, such as Iran, Iraq, Afghanistan and the like, are not insurable, said Jochen Duemler, CEO and head of Euler Hermes Americas Region, which offers risk coverage in nearly 200 countries.
Argentina is a recurring problem, and as for Venezuela, it’s not uninsurable, he said, “but we would say we pretty much have no exposure there and are very, very reluctant” to offer coverage.
Overall, policies exclude losses that occur when currency is devalued, losses that occur as a result of a nuclear incident and non-payment of premium, or any losses to suppliers or partners as a result of political violence, except for trade receivables.
Policies also require insureds to make certain warranties and representations that are included in the insurance contract.
Policy disputes can arise when property is expropriated or licenses are cancelled due to what a foreign government says are reasonable or legally justified regulatory actions, according to an article on political risk coverage by Robert C. Leventhal, an attorney with Foley and Lardner.
Another area of dispute emerges when assets are jeopardized by “creeping expropriations,” such as a series of actions by the government as opposed to a single act, he said.
Many risk managers aren’t too worried about the Ebola pandemic in West Africa that has already killed more than 900 people. And they probably aren’t all that worried — if they even know — about the four cases of pneumonic plague in Colorado that are life-threatening.
But who among them can forget the H1N1 pandemic influenza virus known as the swine flu, which in 2009 killed more than 250,000 people worldwide, including more than 3,600 in North America?
At one point, the U.S. Centers for Disease Control and Prevention estimated that as many as two in five workers might become infected or have to stay home to care for an ill family member.
Video: Researchers at the Massachusetts Institute of Technology studied the role airports play in spreading disease and pandemics, according to this report by Voice of America.
A pandemic flu is something all risk managers should worry about. And there’s no coverage for it.
“A pandemic is a very difficult exposure to insure in any meaningful way. You can do some work around it, but it’s a very, very difficult risk to insure and no one really insures it,” said John McLaughlin, managing director of the higher education practice at Arthur J. Gallagher & Co.
For schools or universities, his specialty, there may be some loss of tuition coverage available, but “it’s not very cost effective.”
For business, supply-chain insurance may offer some protection, but that coverage still has a limited take-up.
Companies may also be able to craft special wording for property or D&O policies, he said.
“You never say never. There’s always some solution that you can work up,” he said.
But, McLaughlin said, a healthier perspective for a risk manager is to analyze how the risk would impact the organization and to devise solutions that are not insurance-related.
Hot Hacks That Leave You Cold
Thousands of dollars lost in the blink of an eye, and systems shut down for weeks. It might sound like something out of a movie, but it’s becoming more and more of a reality thanks to modern hackers. As technology evolves and becomes more sophisticated, so does the occurrence of cyber breaches.
“The more we rely on technology, the more everything becomes interconnected,” said Jackie Lee, associate vice president, Cyber Liability at Nationwide. “We are in an age where our car is a giant computer, and we can turn on our air conditioners with our phones. Everyone holds data. It’s everywhere.”
Phishing Out Fraud
According to Lee, phishing is on the rise as one of the most common forms of cyber attacks. What used to be easy to identify as fraudulent has become harder to distinguish. Gone are the days of the emails from the Nigerian prince, which have been replaced with much more sophisticated—and tricky—techniques that could extort millions.
“A typical phishing email is much more legitimate and plausible,” Lee said. “It could be an email appearing to be from human resources at annual benefits enrollment or it could be a seemingly authentic message from the CFO asking to release an invoice.”
According to Lee, the root of phishing is behavior and analytics. “Hackers can pick out so much from a person’s behavior, whether it’s a key word in an engagement survey or certain times when they are logging onto VPN.”
On the flip side, behavior also helps determine the best course of action to prevent phishing.
“When we send an exercise email to test how associates respond to phishing, we monitor who has clicked the first round, then a second round,” she said. “We look at repeat offenders and also determine if there is one exercise that is more susceptible. Once we understand that, we can take the right steps to make sure employees are trained to be more aware and recognize a potentially fraudulent email.”
Lee stressed that phishing can affect employees at all levels.
“When the exercise is sent out, we find that 20 percent of the opens are from employees at the executive level,” she said. “It’s just as important they are taking the right steps to ensure they are practicing what they are preaching.”
Locking Down Ransomware
Another hot hacking ploy is ransomware, a type of property-related cyber attack that prevents or limits users from accessing their system unless a ransom is paid. The average ransom request for a business is around $10,000. According to the FBI, there were 2,400 ransomware complaints in 2015, resulting in total estimated losses of more than $24 million. These threats are expected to increase by 300% this year alone.
“These events are happening, and businesses aren’t reporting them,” Lee said.
In the last five years, government entities saw the largest amount of ransomware attacks. Lee added that another popular target is hospitals.
After a recent cyber attack, a hospital in Los Angeles was without its crucial computer programs until it paid the hackers $17,000 to restore its systems.
Lee said there is beginning to be more industry-wide awareness around ransomware, and many healthcare organizations are starting to buy cyber insurance and are taking steps to safeguard their electronic files.
“A hospital holds an enormous amount of data, but there is so much more at stake than just the computer systems,” Lee said. “All their medical systems are technology-based. To lose those would be catastrophic.”
And though not all situations are life-or-death, Lee does emphasize that any kind of property loss could be crippling. “On a granular scale, you look at everything from your car to your security system. All data storage points could be controlled and compromised at some point.”
The Future of Cyber Liability
According to Lee, the Cyber product, which is still in its infancy, is poised to affect every line of business. She foresees underwriting offering more expertise in crime and becoming more segmented into areas of engineering, property, and automotive to address ongoing growing concerns.
“Cyber coverage will become more than a one-dimensional product,” she said. “I see a large gap in coverage. Consistency is evolving, and as technology evolves, we are beginning to touch other lines. It’s no longer about if a breach will happen. It’s when.”
About Nationwide’s Cyber Solutions
Nationwide’s cyber liability coverage includes a service-based solution that helps mitigate losses. Whether it’s loss prevention resources, breach response and remediation expertise, or an experienced claim team, Nationwide’s comprehensive package of services will complement and enhance an organization’s cyber risk profile.
Nationwide currently offers up to $15 million in limits for Network Security, Data Privacy, Technology E&O, and First Party Business Interruption.
Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Subject to underwriting guidelines, review, and approval. Products and discounts not available to all persons in all states. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed. © 2016 Nationwide Mutual Insurance Company.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.