Risk Insider: Kevin Kalinich

Lights Out! Can Insurance Help?

January 25, 2016 • 3 min read
Kevin Kalinich is the global cyberrisk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at riskletters@lrp.com.

In “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” author Ted Koppel suggests that a catastrophic cyber attack on America’s power grid is likely and that we’re unprepared.

Let’s examine his assertions from a risk management perspective.

• Power Grid Attack Likely?

Clients tell us that they are hacked more frequently than is reported. A Dec. 21, 2015 article, “Biggest U.S. Electric Company Battles Off Steady Cyberattacks,” reported that Duke Energy’s computer systems that manage dams, nuclear power plants and other types of generating plants are under constant attack. A reported cyber attack last month caused one-half of Western Ukraine to lose power.

• U.S. Unprepared?

Opinions differ on whether we have seen improved prevention, mitigation, response and resiliency since the Northeast power outage of 2003. Mr. Koppel described a bureaucracy that is moving slowly and with poor focus against a dynamic threat.

For example, the National Protection and Programs Directorate at the Department of Homeland Security, responsible for coordinating risk reduction to critical American infrastructure, is divided into two separate and distinct parts: one physical and one cyber-related.

We are, however, seeing certain governmental actions and changes. The Cybersecurity Information Sharing Act of 2015, signed into law in December 2015, provides immunity from liability to participating organizations that share certain cyber-threat information with the federal government and vice versa.

Federal and state agencies such as the Federal Energy Regulatory Commission may consider increased fines for grid failures that have ranged from $50,000 to $350,000. By way of example, Florida Power and Light Company was fined $25 million in 2009 for a February 2008 blackout.

However, most reported cases of cyber damage and regulatory action to date relate to protection of personally identifiable information, such as the Federal Communications Commission’s $25 million fine against AT&T and $100 million fine against Lifelock.

• Catastrophic?

According to search engine Shodan, the U.S. has more than 57,000 industrial control systems connected to the internet. But how do we quantify potential losses? Information on how companies and the government respond to hacks is often protected and sometimes classified, which can defeat transparency.

A 2015 Lloyd’s of London/University of Cambridge report, “Business Blackout,” sets forth the insurance implications of a cyber attack on the U.S. power grid. The report estimated a hypothetical worst-case scenario of $243 billion to $1,024 trillion in direct and indirect losses, with between $21.398 billion and $71.109 billion in estimated insurance industry losses.

Currently there are not enough stand-alone cyber limits to pay for such losses.

Many property and general liability insurers are inconsistent and/or hesitant to cover cyber exposures likely because there’s insufficient actuarial data. Since we don’t have sufficient actuarial data for cyber exposures, we should borrow from other complex modeling situations like typhoons, earthquakes and hurricanes — relatively rare events that could have catastrophic impacts.

We’ve come to the conclusion that we need to break down the silos between the insurance company property/GL groups and cyber groups, and develop a combined all-risk policy that pairs the actuarial data of property losses with cyber expertise to identify and quantify frequency and severity. To analogize, a similar approach is used to build terrorism insurance programs, with mixed success (see graphic).

By combining an objective risk management context based on data analytics, we can learn from natural weather incidents and terrorism threats to develop robust public-private partnerships to help improve our preparedness and reduce losses stemming from a cyber attack.

Risk Insider: Phil Norton

Twenty Four Towers Burning

January 4, 2016 • 2 min read
Phil Norton is President, Professional Liability for the retail brokerage division of Arthur J. Gallagher & Co., and is regarded as one of the world’s leading authorities in his field. He has been named a Risk and Insurance® Power Broker® seven times. He can be reached at phil_norton@ajg.com.

In the early 1990s, I had access to good D&O data for a while as the head of the D&O practice for a global consulting firm.

We developed benchmarking techniques for D&O based on a firm’s ownership structure, industry and size.  But problems quickly emerged.

Specifically, all the companies in certain market segments were under-insured. The reason was they were benchmarking against each other and buying inadequate limits.

I went to work on modeling D&O risk as an alternative to benchmarking.  Fast forward and D&O modeling is the rage.  But what is now equally important is the modeling of cyber risk.

When I visited the top cyber insurance carriers earlier in 2015, we discussed the marketplace as one of “24 Towers Burning.”   We were not referring to a sequel to the Lord of the Rings.

We were describing the number of cyber breaches where the company suffering the breach purchased a layered tower of cyber insurance and the claim was burning through every layer.

This led to higher prices in 2015, especially in the excess layers.   Modeling cyber has thus become exceptionally important in evaluating both limits and viable excess pricing.

One big contrast between modeling D&O and cyber is the consideration of industry.   For D&O modeling, industry is fairly insignificant. It does not correlate with severity.

For cyber modeling, industry is hugely important.  Studies show certain industries to be higher risk than others.  Carriers apparently agree, as they very carefully underwrite health care, retail, financial institutions and higher education.

Once we combine industry with the number of employees and revenues, we can model cyber risk quite accurately. Regardless of industry, cyber risk needs to be diligently reviewed.

The goals are simple:  get the right amount of cyber protection via risk management practices and procedures, buy appropriate limits of insurance (for the right price) and take all other steps to ensure against the possibility of a D&O derivative action.

Modeling can help you determine what cyber limits to buy, but for a successful renewal, your IT department must operate with tough security measures, end-to-end encryption of sensitive data, incident response preparedness and Payment Card Industry (PCI) compliance as applicable.

The D&O policy is a proven tool for reducing risk, and is designed to cover many types of claims, including derivative actions.  Derivative actions are considered especially dangerous.

Settlements of derivative actions are generally covered only by the Side-A insuring clause of a D&O policy, as indemnification for such settlements is not permitted.

A typical derivative action is brought by shareholders on behalf of the corporation against the individual directors and officers.   It would be against public policy to indemnify individuals with corporate monies when the settlement is for individuals to pay back the corporation.

Thus, derivative actions have dramatic significance because they threaten personal assets. Insurance becomes the first line of defense.

There have been two recent trends pertaining to this subject:  1) the increase in the cost or severity of derivative actions; and 2) the increase in frequency of derivative actions that allege the mismanagement of corporate cyber protections.

The best defense against this dangerous subset of D&O claims is to employ effective cyber security practices and to purchase adequate cyber insurance limits.

Sponsored: State of Vermont

7 Questions to Answer before Choosing a Captive Insurance Domicile

Ask the right questions and choose a domicile for your immediate and long-term needs.
February 5, 2016 • 7 min read

Risk managers: Do your due diligence!

It seems as if every state in America, as well as many offshore locations, believes that they can pass captive legislation and declare, “We are open for business!”

In fact, nearly 40 states and dozens of offshore locations have enabling captive insurance legislation to do just that.

With so many choices, how do you decide who is experienced enough to support the myriad fiscal and regulatory requirements needed to ensure the long-term success of your captive insurance company?

“There are certainly a lot of choices,” said Mike Meehan, a consultant with Milliman, an actuarial firm based out of Boston, Massachusetts, “but not all domiciles are created equal.”

Among the crowd, there are several long-standing domiciles that offer the legislative, regulatory and infrastructure support that makes captive ownership not only a successful risk management tool but also an efficient entity to manage and operate.

Selecting a domicile depends on many factors, but answering these seven questions will help focus your selection process on the domiciles that best fit your needs.

 

1. Is the domicile stable, proven and committed to the industry for the long term?

The more economic impact that the captive industry has on the domicile, the more likely it is that captives will receive ongoing regulatory and legislative support. The insurance industry moves very quickly and a domicile needs to be constantly adapting to stay up to date. How long has the domicile been operating and have they been consistent in their activity over the long term?

The number of active captive licenses, amount of gross premium written in a domicile and the tax revenue and fees collected can indicate how important the industry is to the jurisdiction’s bottom line. The strength of the infrastructure and the number of jobs created by the captive industry are also very relevant to a domicile’s commitment.

“It needs to be a win-win situation between the captives and the jurisdiction because if not, the domicile is often not committed for the long term,” said Dan Kusalia, Partner with Crowe Horwath LLP focused on insurance company tax.

Vermont, for example, has been licensing captives since 1981 and had 589 active captives at the end of 2015, making it the largest domestic domicile and third largest in the world. Its captive insurance companies wrote over $25 billion in gross written premiums. The Vermont State Legislature actively supports an industry that creates significant tax revenue, jobs and tourist activity.

 

2. Are the domicile’s captives made up of your peer group?

The demographics of a domicile’s captive companies also indicate how well-suited the location may be for a business in a particular industry sector. Making sure that the jurisdiction has experience in the type and form of captive you are looking to establish is critical.

“Be among your peer group. Look around and ask, ‘Who else is like me?’” said Meehan. “Does the jurisdiction have experience licensing and regulating the lines of coverage for other businesses in your industry sector?”

 

3. Are the regulators experienced and consistent?

It takes captive-specific expertise and broad experience to be an effective regulator.

A domicile with a stable and long-term, top-tier regulator is able to create a regulatory environment that is consistent and predictable. Simply put, quality regulation and longevity matter a lot.

“If domicile regulators are inexperienced, turnaround time will be slower with more hurdles. More experience means it is much easier operating your business, especially as your captive grows over time,” said Kusalia.

For example, over the past 35 years, only three leaders have helmed Vermont’s captive regulatory team. Current Deputy Commissioner David Provost is one of the longest tenured chief regulators and is a 25-year veteran in the captive insurance industry. That experienced and consistent leadership enables the domicile to not only attract quality companies, but also to provide expert guidance on the formation process and keep the daily operations running smoothly.

 

4. Are there world-class support services available to help manage your captive?

The quality of advisors and managers available to assist you will have a large impact on the success of your captive as well as the ease of managing the ongoing operations.

“Most companies don’t have the expertise to operate an insurance company when you form a captive, so you need to help build them a team,” said Jeffrey Kenneson, a Senior Vice President with R&Q Quest Management Services Limited.

Vermont boasts arguably the most stable and experienced captive infrastructure in the world. Many of the leading captive management companies have their headquarters for their Global, North America and U.S. operations based in Vermont. Experienced options for captive managers, accountants, auditors, actuaries, bankers, lawyers, and investment professionals are abundant in Vermont.

 

5. Can the domicile both efficiently license and provide on-going support to your captive as it grows to cover new lines of coverage and risks?

Licensing a new captive is just the beginning. Find out how long it takes for the application to get approved and how long it takes for an approval of a plan change of your captive’s operations.

A company’s risks will inevitably change over time. The captive will need to make plan changes which can include adding new lines of business. The speed with which your domicile’s regulatory branch reviews and approves these plan changes can make a critical difference in your captive’s growth and success.

The size of a captive division’s staff plays a big role in its speed and efficiency. Complex feasibility studies and actuarial analyses required for an application can take a lot of expertise and resources. A larger regulatory team will handle those examinations more efficiently. A 35-person staff like Vermont’s, for example, typically licenses a completed application within 30 days and reviews plan changes in a matter of days.

 

6. What are the real costs to establishing and managing your captive?

It is important to factor in travel costs, the local costs of service providers, operating fees, and examination fees. Some states that do not impose a premium tax make up for it in high exam fees, which captives must be prepared for. Though Vermont does charge a premium tax, its examination fees are considered some of the least expensive options in the marketplace.

It is also important to consider the ease and professionalism of doing business with a domicile in the ongoing operations of your captive insurance company.

“The cost of doing business in a domicile goes far beyond simply the fixed cost required. If you can’t efficiently operate due to slow turn-around time or added obstacles, chances are you have made the wrong choice,” said Kenneson.

 

7. What is the domicile’s reputation?

Make sure to ask around and see what industry experts with experience in multiple domiciles have to say about the jurisdiction. Make sure the domicile isn’t known for only licensing certain types of captives that don’t fit your profile. Will it matter to your board of directors if your local newspaper decides to print a story announcing your new insurance subsidiary licensed in some far away location?

Are companies leaving the jurisdiction in high numbers and if so, why? Is the domicile actively licensing redomestications — when an existing captive moves from one domicile to another? This type of movement can often be a positive indicator to trends in a domicile. If companies of a particular size or sector are consistently moving to one state, it may indicate that the domicile has expertise particularly suited to that sector.

Redomestications made up 11 of the 33 new captives in Vermont in 2015. This trend is a positive one as it speaks to the strength of Vermont. It reinforces why Vermont is known throughout the world as the ‘Gold Standard’ of domiciles.

Asking the right questions and choosing a domicile that meets your needs both today and for the long term is vital to your overall success. As a risk manager you do not want surprises or headaches because you did not ask the right questions. Do the due diligence today so that you can ensure your peace of mind by choosing the right domicile to meet your needs.

For more information about the State of Vermont’s Captive Insurance, visit their website: VermontCaptive.com.

 

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with the State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.




The State of Vermont, known as the “Gold Standard” of captive domiciles, is the leading onshore captive insurance domicile, with over 1,000 licensed captive insurance companies, including 48 of the Fortune 100 and 18 of the companies that make up the Dow 30.