Top Five Uninsurable Risks
Whether it’s a Sriracha hot sauce maker being threatened with closure by city council or General Motors fighting for its reputation after recalling more cars than it made in the past three years, companies face a world of complex risks.
And some of those risks cannot be transferred via insurance products.
How well are companies protected, for example, when new regulations get passed — such as the EPA’s proposed restrictions on coal burning plants that may drive some in the energy industry out of business, or the current political drumbeat against tax inversion practices?
What insurance covers a company whose rogue employee sells trade secrets to an outside company? How about when a pandemic shuts down operations?
Risk managers identify their organizational exposures as best they can and then work to manage or eliminate those risks. Sometimes, commercial insurance can be used to remove the bulk of that risk, but we’ve isolated five risks that many experts believe are uninsurable in many respects, for the time being anyway.
“For the most part, the insurance industry rises to the occasion and creates products for emerging risks that evolve over time,” said Carol Laufer, executive vice president, ACE Excess Casualty.
“For insureds, the purchase of products such as employment practices and cyber insurance eventually evolves from a discretionary spend to standard insurance coverage,” she said.
For sure there are other challenging risks — such as weak economic conditions or skilled talent shortages — that also are uninsurable, but we have selected those for which risk managers are able to play an effective role in mitigating the risk.
Part of the problem in transferring such risks is the complexity involved in the exposures. Look at tax inversion — where a U.S. company merges with a foreign company to change its tax jurisdiction and lower its tax burden.
Is that a political risk? A regulatory risk? A reputational risk? It could be any one of them, or all three of them.
“I think it’s almost uncountable the ways that a loss could occur where that loss could be tied back to reputational risk or regulatory risk,” said David White, a national actuarial leader at KPMG.
At the same time, calling a risk uninsurable has nuances to it. Criminal fines and penalties, for example, are truly uninsurable. The law forbids such coverage, said Patrick Donnelly, chief broking officer, Aon Risk Solutions.
But for other types of risks, there may be various products offered by brokers and underwriters to address some, but not all, of the specific exposures faced by a company, he said. Such coverage, however, may be rare or expensive, or corporations may find risk transfer to be an ineffective way of hedging the risk.
“I’m very careful about branding something as truly uninsurable,” Donnelly said.
“It’s not black and white.”
General Motors might be the quintessential example of a company undergoing a reputational hit. It recalled nearly 30 million cars, and faces numerous lawsuits and investigations related to a delayed recall of 2.6 million cars — some manufactured more than a decade ago — with a faulty ignition switch that has been linked to 13 deaths and more than 50 accidents.
Video: As this report from the New York Times indicates, automakers have a long history of trying to maintain their reputations in the face of major recalls.
But every day brings another contender for the throne. One day, it’s American Apparel’s founder being suspended, and possibly eventually fired, for alleged sexual misconduct. Another day, it’s a viral video of a Comcast customer service representative who refuses to let a customer cancel his account.
Or it could be yet another cyber theft of customer information or a celebrity spokesman tweeting out an offensive comment.
While there are insurance products that provide coverage for crisis management/public relations costs and product recall expenses, only a limited market exists for loss of income or net profit for reputational harm, said Emily Freeman, global technology and privacy practice specialist at Lockton.
“You need to be able to wrap your arms around the risk and the value of risk before you can insure it,” said Tom Srail, senior vice president, Willis. “What a company name is worth has long been a risk to the industry.”
Freeman said Lockton has been involved in creating customized solutions for large clients that address specific threats of reputational harm. The client and underwriter negotiate the period of indemnity and loss adjustment, she said.
“The perils are not on an ‘all risk’ basis, but rather categories listed that are relevant to the client, such as disgrace of key persons or breach of sensitive data,” Freeman said.
“In my mind,” said KPMG’s White, “you can’t find policies that cover all types of reputational risk from whatever event that occurred.”
When it comes to regulatory risk, many risk managers keep an eye on the rules of the Health Information Portability and Accountability Act (HIPAA), the Dodd-Frank Act or a regulatory agency such as the Food & Drug Administration.
But the threat of regulation is immense and often unpredictable. In just one year, 2012, there were 17,763 changes to laws, rules and regulations affecting the banking and financial sectors alone, according to The Network, a training and compliance company.
Plus, risks can emanate from all sectors of government. One recent example is Huy Fong Foods, the manufacturer of Sriracha hot sauce, which was temporarily shut down by a judge following a lawsuit by the city council of Irwindale, Calif., after four families (one of which was related to a city councilman) complained about odors.
Eventually, the city dropped its lawsuit and its declaration that the factory was a “public nuisance,” but it took months for the situation to resolve itself.
“From a risk management or risk mitigation perspective, you can’t really predict regulations. You can prepare for them, but you can’t predict them or price them,” White said. “Regulatory risk is handled through risk mitigation, not risk transfer.”
“Even in the United States,” Srail said, “a government or state can put an industry or a company, if they want to, out of business or severely restrict their ability to operate.”
Certainly, the energy industry has been facing that threat since 2008 when President Obama noted that coal-powered plants can still be built, but at a steep regulatory cost.
“It’s just that it will bankrupt them because they are going to be charged a huge sum for all that greenhouse gas that’s being emitted,” Obama said.
While a final rule has not yet been issued by the Environmental Protection Agency, the president has recently called on it to enact new emissions regulations. The U.S. Chamber of Commerce estimated the regulations will cost the economy about $50 billion annually.
“There are some creative products underwriters have tried over the years … but there is definitely nothing off the shelf or run of the mill,” Srail said of regulatory risk.
“There’s nothing easy to do.”
Trade Secret Risk
“I find trade secrets to be one of the most dangerous areas,” said attorney Rudy Telscher, a partner at Harness Dickey & Pierce, who recently won a patent infringement case at the U.S. Supreme Court.
“There are no boundaries. It’s such a nebulous area.”
It can include anything from a disgruntled employee taking customer lists or R&D information to his next job, a foreign government stealing trade secrets or a hacker burrowing into a computer system to steal a company’s version of its special sauce.
Globalization and the expanded use of supply chain partners increase the potential exposure. Plus, even when a company is able to pursue trade secret litigation, courts consider whether reasonable precautions had been taken to secure the proprietary information.
“The violation,” said Bob Fletcher, president, Intellectual Property Insurance Services Corp., which offers insurance to litigate intellectual property cases, “is not the use [of a trade secret]. The violation is, ‘How did you get the information?’ ”
In any event, said Aon’s Donnelly, “an organization would have a very difficult time obtaining an insurance policy that adequately protects them against the theft or wrongful disclosure of their trade secrets and the potential damage that could do to the company if that trade secret got out.”
More common than industrial espionage, however, are the run-of-the-mill business discussions that revolve around synergies and potential partnerships between enterprises. Often, the nondisclosure agreements (NDAs) covering such discussions are not specific enough to protect the parties, Telscher said.
It is the party receiving the information that is most at risk, he said. If the discussions dissolve, that party may find itself accused of acting upon trade secrets because the NDA did not specify the information that was to be disclosed and held confidential.
“The more information you receive, the greater the risk there will be a lawsuit if you don’t end up doing a deal and you move forward on your own,” Telscher said.
In this era of globalization, companies establish operations all over the world, and the world is not a stable place.
Upheaval — or the increasing threat of it — is prevalent on just about every continent of the globe. Certainly, the possibilities in the Middle East, Eastern Europe, Asia and Latin America are concerning to risk managers.
While political violence and trade credit coverage is available in the majority of cases, companies continue to face uninsurable exposures.
“It’s definitely tricky,” said Mark Garbowski, a shareholder at Anderson Kill.
“Based on the policies I have seen, there will always be some aspects of it that will be fully outside the scope of what can be covered.”
And only “a minority” of companies actually buy the cover, said John Hegeman, AIG senior vice president, specialty lines-political risk.
“I think the principal reason is most risk managers view it as a self-insured business risk,” he said.
“Pretty much anything an insured thinks is really essential to their operations can be covered, but you have to identify it and understand what it is.”
Often, said Richard Maxwell, chief underwriting officer and global head of political risk and trade credit insurance for XL Group, corporations wait too long in the face of deteriorating conditions and insurers will not accept the risk.
“Buy the cover before the barn is on fire,” he said.
Generally, policies cover a host of risks, including government expropriation of an asset, destruction of an asset due to war or political violence, credit default of trade receivables, and when foreign governments block transfer and convertibility of currency.
Some countries, such as Iran, Iraq, Afghanistan and the like, are not insurable, said Jochen Duemler, CEO and head of Euler Hermes Americas Region, which offers risk coverage in nearly 200 countries.
Argentina is a recurring problem, and as for Venezuela, it’s not uninsurable, he said, “but we would say we pretty much have no exposure there and are very, very reluctant” to offer coverage.
Overall, policies exclude losses that occur when currency is devalued, losses that occur as a result of a nuclear incident and non-payment of premium, or any losses to suppliers or partners as a result of political violence, except for trade receivables.
Policies also require insureds to make certain warranties and representations that are included in the insurance contract.
Policy disputes can arise when property is expropriated or licenses are cancelled due to what a foreign government says are reasonable or legally justified regulatory actions, according to an article on political risk coverage by Robert C. Leventhal, an attorney with Foley and Lardner.
Another area of dispute emerges when assets are jeopardized by “creeping expropriations,” such as a series of actions by the government as opposed to a single act, he said.
Many risk managers aren’t too worried about the Ebola pandemic in West Africa that has already killed more than 900 people. And they probably aren’t all that worried — if they even know — about the four cases of pneumonic plague in Colorado that are life-threatening.
But who among them can forget the H1N1 pandemic influenza virus known as the swine flu, which in 2009 killed more than 250,000 people worldwide, including more than 3,600 in North America?
At one point, the U.S. Centers for Disease Control and Prevention estimated that as many as two in five workers might become infected or have to stay home to care for an ill family member.
Video: Researchers at the Massachusetts Institute of Technology studied the role airports play in spreading disease and pandemics, according to this report by Voice of America.
A pandemic flu is something all risk managers should worry about. And there’s no coverage for it.
“A pandemic is a very difficult exposure to insure in any meaningful way. You can do some work around it, but it’s a very, very difficult risk to insure and no one really insures it,” said John McLaughlin, managing director of the higher education practice at Arthur J. Gallagher & Co.
For schools or universities, his specialty, there may be some loss of tuition coverage available, but “it’s not very cost effective.”
For business, supply-chain insurance may offer some protection, but that coverage still has a limited take-up.
Companies may also be able to craft special wording for property or D&O policies, he said.
“You never say never. There’s always some solution that you can work up,” he said.
But, McLaughlin said, a healthier perspective for a risk manager is to analyze how the risk would impact the organization and to devise solutions that are not insurance-related.
To Keep Cool in a Crisis, Companies Need a Comprehensive Solution
Threats against corporate security come in many forms, from intentional acts of violence to civil unrest to cyber-attacks. The perpetrators don’t discriminate by company size or sector, and the consequences can range from several thousand dollars lost to several lives lost.
The recent shooting in an Orlando nightclub that killed 49, for example, or last year’s San Bernardino shooting that killed 14, are somber reminders that terrorism and violence can erupt anywhere and in any type of business. In addition to loss of life, violence can translate into business interruption and property damage. In Ferguson, Mo., riots led to over $4 million in property damage.
Cyber-attacks have also become commonplace, with hackers infiltrating private networks to steal data or hold it ransom.
Is your organization prepared for these risks?
“A lot of companies have a crisis response plan on paper, but they don’t have outside resources to come to their aid if there is an incident,” said Reggie Gibbs, Underwriter and Product Manager, Starr Companies.
Mid-size companies especially tend to lack comprehensive insurance coverage and crisis management services for a variety of security events due either to limited resources or an underestimation of their exposure.
Starr Companies’ Cyber and Terror Response (CTR) solution provides three coverages as well as crisis response services tailored to meet the needs of these companies. Each of its components addresses a common security threat.
Terror and Political Violence
“Political violence can be defined as a strike, riot, protest, or any type of unrest that gets out of hand and turns violent,” said Gibbs, who specializes in terrorism and political violence, workplace violence, and crisis management.
In the case of the Ferguson protests, any first party property damage or third party liability incurred by the disruption would be covered under the terrorism and political violence segment of the CTR solution.
In the case of a terror attack, organizations cannot necessarily rely on TRIA to pick up property losses. In the case of the Orlando shooting, for example, the likelihood of TRIA being invoked is low because property damage will not meet the threshold for coverage to kick in.
TRIA, reauthorized in 2015, provides a federal insurance backstop in the event of a terror attack. The U.S. Secretary of the Treasury, U.S. Attorney General, and U.S. Secretary of Homeland Security must declare an attack to be an act of terrorism, and property damage must exceed $5 million to trigger TRIA.
“We would still view the Orlando shooting as an act of terror, however, because of who the shooter claimed he was working for regardless if the ties to terror groups are clear or not. Therefore, our coverage would apply,” Gibbs said. Even if TRIA was enacted, however, companies would still have a lot of pieces to pick up following an attack. They may have injured or deceased employees, or face legal action from third parties.
For these situations, and any other incident of violence not driven by terrorism, the workplace violence component of Starr’s CTR solution would act as an umbrella to cover other liabilities such as legal liability, loss of life benefits, psychiatric care, and other crisis response services.
One such incident struck a Boston-area Bertucci’s in early May. An attacker wielding a knife drove his car into a Boston shopping mall before making his way into the nearby restaurant. He killed five, including restaurant workers and patrons.
“There was no ideological or political motivation behind it. He was just deranged,” Gibbs said. “Our workplace violence coverage can handle the loss of life benefits for both the employees and patrons killed in situations like this one.”
In the best cases, though, violence can be prevented altogether.
“If an employee reports a stalking threat, the policy would cover the expense of security guards,” Gibbs said. “In this case, it’s more of a pre-workplace violence coverage. It would de-escalate the situation.”
Attacks can also be non-physical.
Cyber extortion in particular is on the rise. Phishing scams lead employees to click on malicious links, unknowingly downloading ransomware onto their internal networks. The cyber criminals then hold companies’ networks ransom, asking for a sum of money in return for the release of data or to prevent a business interruption. The ransoms can be low — amounts that organizations can afford to pay.
“The hackers don’t want to attract the attention of law enforcement or regulatory agencies,” said Annamaria Landaverde, National Cyber Practice Leader & Professional Liability Underwriting Manager, Starr Companies. Landaverde specializes in the cyber component of the CTR coverage. “The FBI may not get involved if someone asks for $5,000. They are more likely to get involved if someone asks for $5 million.”
Since companies are not required by law to report cyber extortion — like they are for data breaches — many choose simply to pay the ransom and move on without generating any negative news headlines.
“The hackers don’t want to attract the attention of any law enforcement or regulatory agencies. The F.B.I. won’t get involved if someone asks for $5,000. They will get involved if someone asks for $5 million.”
— Annamaria Landaverde, National Cyber Practice Leader & Underwriting Manager, Professional Liability Division, Starr Companies
“A California medical center recently had an incident like this where the hackers asked for $17,000 in ransom,” Landaverde said, “but the amounts can vary.”
While the ransom itself may seem manageable, many companies fail to recognize other costs associated with the identification and removal of the malware from their system. There may also be costs associated with forensics investigations, legal experts, public relations firms, third party lawsuits, and notification and credit monitoring.
“The cyber arm of the CTR coverage extends to liability that an organization would suffer as a result of a breach, or failure of security of the insured’s network,” Landaverde said. That includes not just cyber extortion, but outright data theft or denial-of-service attacks.
Crisis Management Services
“We don’t just want to indemnify the security risks our clients face; we want to help them actively manage them,” Gibbs said.
The fourth component of Starr’s CTR solution — crisis response — provides two outside consultants to insureds, with one specializing in “hard” security services like guards or instances of cyber extortion, and another focusing on crisis communications.
Without these outside services, there is only so much insurance can do in the aftermath of a crisis. Experienced consultants provide a range of security preparedness and response services to complement coverage and help insureds recover from an episode of violence or cyber event.
“From a communications perspective, our consultants can manage the public relations front to create clear and consistent messaging, but they can also stay in touch with families after a terror or other violent attack to make sure everyone stays informed,” Gibbs said.
They also serve as a first point of contact for insureds immediately after an event. If insureds need guidance quickly, consultants are at the ready.
“When a client purchases the product, they get a 24-hour hotline set up with one of our consultancies,” he said. “They can report an incident at any time, and our consultant will help either resolve a situation or deal with the aftermath in whatever way they can.”
While the Cyber and Terror Response package provides a comprehensive solution tailored for mid-size companies, Starr also offers standalone cyber liability and crisis management coverage on a primary and excess basis.
“For companies with greater exposure to a particular type of risk, or who simply want higher limits or greater customization, we have those standalone policies,” Landaverde said.
For more information on Starr Companies’ Cyber and Terror Response solution, visit https://www.starrcompanies.com/Insurance/CyberAndTerrorResponse.
Starr Companies is the worldwide marketing name for the operating insurance and travel assistance companies and subsidiaries of Starr International Company, Inc. and for the investment business of C. V. Starr & Co., Inc. and its subsidiaries.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.