Assessing Third Party Risk
The financial services industry is in “high gear” to reassess third-party risk management practices in response to regulatory guidance.
Institutions are investing in technology to improve reporting and analytics, so that third-party risks are appropriately assessed and controls can be shown to be effective, according to the Third Party/Vendor Risk Management Survey, recently released by the Risk Management Association and sponsored by MetricStream.
It’s not just about assessing the risks from vendors and their subcontractors, but also affiliates, debt buyers, agents, channel partners, and correspondent banks, to name just a few third parties that banks and credit unions work with, said Edward DeMarco, RMA’s general counsel and director of operational risk/regulatory relations/communications.
Best practices are in “an evolutionary state,” DeMarco said.
“Multiple business lines and functional units within an institution might have their own special relationship with the same third party,” he said. “Prudent third-party risk management requires that the third party be risk-assessed in connection with the enterprise and not simply any one individual business line.”
Institutions are also increasingly putting pressure on third parties to assess the risks of their own subcontractors, DeMarco said.
“For example, a bank might hire XYZ appraisal company, and that company might sub out to appraisal companies 1, 2, 3 and 4,” he said. “While the bank won’t require a report because they are not in control of those relationships, the banking company does expect its third party to assess their risks.”
Other survey findings include:
• Nearly 50 percent of the respondents said their institution’s risk management functions were responsible for oversight of vendor risk.
• More than 50 percent said their institutions send questionnaires to vendors for risk management purposes.
• Roughly one-third said they have more than 25 “enterprise critical” suppliers that have the potential to affect their entire organization in the event of a failure.
• More than 75 percent have in place a supplier code of conduct that suppliers must acknowledge.
Peter Foster, executive vice president and one of the leaders of the cyber risk group at Willis, said that many of his financial institution clients require their vendors to obtain a Statement on Standards for Attestation Engagements (SSAE) No. 16 report. SSAE 16 is the American Institute of Certified Public Accountants attestation standard under which a service organization's controls are audited; the resulting SOC 1 report addresses controls relevant to the client's financial reporting, not information security, and the standard has since been superseded by SSAE No. 18.
“But this is the minimum of what a vendor should be doing to demonstrate how they are protecting their systems,” Foster said.
“That report really doesn’t get deep into the weeds whether or not the security around the data or around operational applications is really secure.
“Financial institutions should take a step further with a set of questions or a physical audit of a vendor, particularly if the application is more critical to operations or contains customers’ personally identifiable information.”
Institutions should also require third parties to carry a single technology errors and omissions policy with cyber coverage built in, he said.
An institution should require third parties to name it as an “additional insured” and provide it with certificates of insurance to cover any disruptions, including liability to cover unauthorized access or unauthorized use of data.
An institution should also have coverage for vicarious liability and direct liability under its own cyber policy, which would cover a data breach resulting from outsourcing, Foster said. That way, the institution will be covered if its third party doesn’t have a policy or its policy doesn’t provide such coverage.
Such is often the case with cloud computing firms, he said.
“We recommend [third parties provide coverage] because it should be the first line of defense — the vendor who causes the breach should be paying for the breach,” Foster said. “But we’re also cognizant of the fact that many vendors will not provide that coverage and that the bank needs to use that vendor.”
Negotiations with third parties and vendors can be time consuming — and cyber insurance coverage is “an integral part” of those conversations, said Michael O’Connell, managing director and financial Institutions practice leader at Aon Risk Solutions.
“Also, a critical part of these discussions centers around who is liable for what part and how much of the loss, especially when there is a breach of confidential data,” he said.
From a risk management perspective, he recommended that vendor risk assessments include answers to these questions:
• Does the insurance fully cover the liability of the insured due to an incident caused by third-party providers?
• Are regulatory investigations, fines and penalties addressed?
• Are first-party business interruption and crisis management included within the cyber policies and are there full limits or sublimits?
“Additionally, the contingent business interruption component must include increased attention to the number and complexity of third-party relationships,” O’Connell said.
Firms must have a complete plan for loss mitigation, restitution, and a response to the potential reputational damage that may be caused, he said.
Firms Given More Control Over Independent Counsel
Signal Products Inc. manufactured handbags and luggage using a design known as the “Quattro G Pattern executive in brown/beige colorways,” in accordance with its license from Guess? Inc.
In 2009, Gucci America Inc. filed suit against Guess?, Signal and others, claiming the design “infringed on a distinctive Gucci trade dress known as the ‘Diamond Motif Trade Dress.’ ” Signal’s share of the infringement claim was $1.8 million.
Signal filed suit in U.S. District Court in California after its insurers — American Zurich Insurance Co., which had issued a primary commercial general liability policy, and American Guarantee and Liability Insurance Co., which had issued an umbrella liability policy — refused to pay $1.9 million in defense costs.
Zurich countersued, seeking a summary judgment that it was not required to reimburse Signal for a $750,000 interim legal payment to the primary legal firm retained by Guess? (of a total $1.9 million in fees for Signal) or for $1.2 million in legal fees for a second law firm that represented Signal in the action.
The insurers argued they were not required to pay fees to the second law firm because Signal had already retained another law firm to represent it, and that the fees were not incurred in connection with Signal’s defense.
U.S. Judge Christina Snyder in August rejected requests from both sides for summary judgment, ruling more information was needed to determine reasonableness of legal fees and other “genuine issues of disputed material fact.”
However, she did rule, in this case of first impression, that Signal could use more than one law firm as independent counsel when there is a potential conflict of interest in insurance cases.
“Having accepted that multiple attorneys may serve as … counsel, there does not appear to be any principled grounds for requiring as a matter of law that all of those attorneys need to be employed at the same law firm,” she wrote.
Scorecard: The insurers may have to pay up to $1.2 million to the second of two law firms, in addition to possibly having to pay up to $1.9 million in litigation costs to the primary firm.
Takeaway: California law allows an insured to retain more than one law firm as independent counsel in an insurance dispute.
Attorneys’ Fees Not Included in Damages Exclusion
PNC settled both overdraft-fee class actions: one in 2010 for $12 million — which included $3 million in attorneys’ fees, $77,857 in costs and expenses, and $15,000 toward incentive fees for the representative plaintiffs — and one in 2012 for $90 million, including $27 million for attorneys’ fees, $183,302 for reimbursement of costs, and $30,000 in plaintiffs’ incentive awards.
On May 21, a U.S. judge in the Western District of Pennsylvania recommended that the insurers cover the settlement costs. Both Houston Casualty Co. and Axis Insurance Co. had issued policies with a $25 million liability limit, subject to a $25 million retention.
In June, U.S. Judge Cathy Bissoon in that district disagreed. She ruled that the insurers were not responsible for the part of the settlements that returned overdraft fees to customers — since fees were excluded from the definition of “damages” in the policy.
Attorneys’ fees and costs totaling $30.3 million, she ruled, were not excluded. She ordered more proceedings on the claims expenses and damages.
Scorecard: Two insurers are responsible to cover up to $30.3 million for attorneys’ fees and costs that were included in settlements of two class-action lawsuits.
Takeaway: The fee exception to damages does not extend to the entirety of settlement costs, particularly attorneys’ fees, costs and incentive awards.
Underwriters Must Pay Recall Costs
When Abbott Laboratories agreed in December 2000 to acquire the global operations of Knoll Pharmaceutical Co., it notified its Lloyd’s of London carriers, in accordance with its product recall insurance coverage. That coverage stated the new entity would automatically be covered, but additional premiums would have to be negotiated.
As part of the negotiation with a group of underwriters led by Beazley and American Specialty Underwriters, Abbott indicated there was no “current situation, fact or circumstance” that would lead to a claim under the Accidental Contamination policy (which would include any government drug recalls).
A premium was eventually paid and accepted in July 2001, even after the company advised the underwriters that the U.S. Food and Drug Administration may pull Knoll’s popular thyroid drug Synthroid from the market.
The company and its underwriters did execute in October 2001 a “tolling agreement … that would allow the parties to preserve their rights with respect to any Synthroid-related claims.”
On March 6, 2002, the Italian Ministry of Health suspended all sales and marketing of sibutramine (manufactured by Knoll as Meridia).
Abbott filed a claim under the policy, and on May 16, 2003, the underwriters informed Abbott the tolling agreement was cancelled because Abbott “had not fully responded to their document and information request.” When it asked what information was needed, Abbott received no response.
On June 2, 2003, the underwriters filed suit to rescind the policy, while Abbott countersued for a declaratory judgment for coverage, breach of contract and “vexatious delay damages.”
A judge rejected the underwriters’ claim for rescission, noting that the insurers had accepted the additional premium and that the Synthroid situation had been disclosed in a timely manner.
For damages, the court put the company’s losses at $155.2 million. Minus a deductible and 10 percent coinsurance, the underwriters were told to pay $84.5 million, plus about $2.8 million in costs and interest.
A three-judge panel on the Appellate Court of Illinois, First Judicial District, upheld that decision on appeal on July 28.
Scorecard: The underwriters have to pay $84.5 million plus $2.8 million in costs and interest.
Takeaway: By accepting the premium and failing to pursue issues of due diligence, the underwriters undercut their argument for a “material misrepresentation” by the company.
The Promise of Technology
The field of workers’ compensation claims management seems ideally suited as a proving place for the power of technology.
Predictive analytics in the hands of pharmacy and medical management experts can give claims managers the data they need to intervene in troublesome claims. Wearables and other mobile technologies have the potential to give healthcare providers “real-time” reports on the medical condition of injured workers.
Never before have the goals of quick turnaround and transparency in managing claims appeared so tantalizingly achievable.
In the effort to learn more about technology’s potential, in September, Risk & Insurance® partnered with Duluth, Ga.-based Healthcare Solutions to convene an information technology executive roundtable in Philadelphia.
The goal of the roundtable was to explore technology’s promise and to gauge how advancements are serving the industry’s ultimate purpose, getting injured workers safely back to work.
Big Data, Transparency and the Economies of Scale
Integration is a word often heard in connection with workers’ compensation claims management. On one hand, it refers to industry consolidation, as investors and larger service providers seek to combine a host of services through mergers and acquisitions.
In another way, integration applies to workers’ compensation data management. As companies merge, technology is allowing previously siloed stores of data to be combined. Access to these new supersets of data, which technology professionals like to call “Big Data,” presents a host of opportunities for payers and service providers.
Through accessible exchange systems that give both providers and payers better access to the internal processes of vendors, a service provider can show the payer the status of the claim across a much broader spectrum of services.
“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes,” said roundtable participant Chuck Cavaness, chief information officer for Healthcare Solutions.
Integration across multiple product lines also produces economies of scale for the payer, he said.
Big Data, according to the roundtable participants, also provides claims managers an unparalleled perspective on the cases they manage.
“One of the things that excites us as more data is exchanged is the ability to use analytics to predict outcomes, and to implement workflows to intervene,” said roundtable participant Matthew Landon, vice president of analytics with Lakeland, Fla.-based Bunch CareSolutions, A Xerox Company.
Philadelphia roundtable participant Mike Cwynar, vice president of Irvine, Calif.-based Mitchell International, agreed with Landon.
“We are utilizing technology to consolidate all of the data, to automate as many tasks as we can, and to provide exception-based processing to flag unusual activity where claims professionals can add value,” Cwynar said.
Technology is also enabling the claims management industry to have more productive interactions with medical providers, long considered one of the Holy Grails of better case management.
Philadelphia roundtable participant Jerry Poole, president and CEO of Malvern, Pa.-based claims management company Acrometis, said more uniform and accessible information exchange systems are giving medical providers the ability to see how bills are moving through the claims manager’s process.
“The technology is enabling providers to call in or to visit a portal to figure out what’s happening in the process,” Poole said.
Another area where technology is moving the industry forward, according to the Philadelphia technology roundtable participants, is mobile technology. It is being used to support adjusters and case managers, and it is also contributing to quicker return to work and lower costs for payers.
The ability to take a digital tablet to a meeting with an injured worker or a health care provider is allowing case managers to enter data and give feedback on a patient’s condition in real time.
“Our field-based case managers have mobile connectivity to our claims systems that they use while they’re out of the office attending doctor’s appointments, and can enter the data right there into the system, so they’re not having to wait until they are back at the office to enter critical clinical documentation,” said Landon.
Injured workers who use social media, e-mail and texting on their mobile phones stay in better touch with those charged with ensuring that they comply with their treatment plans.
Wearable devices that provide in-the-moment information about an injured worker’s condition have the potential to recreate what is known in aviation as the “black box,” a device that records and stores the precise physical state of an employee at the moment of injury. Such a device could also monitor the recovery process.
But as with many technologies, worker and patient privacy must also be protected; the data such devices collect is health information about an identifiable person and needs to be handled as such.
“At the end of the day, we need to make sure that we approach technology enhancement that demonstrates value to the client, while ensuring patient advocacy,” Landon said.
As payers and claims managers set out to harness the power of computing in assessing an injured worker’s condition and response to treatment, the cycle of investment in companies that serve the workers’ compensation space is currently playing a significant role.
The trend of private equity investing in companies that can establish one-stop shopping for such services as medical case management, bill review, pharmacy benefit management and fraud forensics has huge potential.
The challenge now facing the industry, one the information technology roundtable participants are confident it can meet, is integrating those systems. But doing so won’t happen overnight.
“There’s a lot of specialization in the industry today,” said Jerry Poole of Acrometis.
Years ago there was a PT network. Now there’s a surgical implant guy, there’s specialized negotiations, there’s special investigations, said Poole.
These various data sets need to be integrated into an overall data set that carriers can use to help lower the cost of risk.
Securing Sensitive Information
Long before hackers turned the cyber defenses of major national retailers inside out, claims management professionals had been focusing increased attention on the protection of data shared across multiple partners.
Information security safeguards are changing, and they apply both to what technology professionals refer to as “data at rest,” data stored on a particular company’s servers or disks, and to “data in flight” (also called data in transit), data being transferred from one party to another over a network. Encryption at rest protects against theft or loss of the storage media but not against an application or vendor that legitimately holds the decryption key; encryption in flight protects the data on the wire but says nothing about how the recipient stores it. A vendor assessment therefore has to ask about both.
Mitchell’s Cwynar said carriers want certification that every company their data is being sent to actually needs that information, and that the data is encrypted both at rest and in flight.
The roundtable participants agreed that the industry is in a conundrum. Carriers want more help in predictive analytics but are less willing to share the data needed to make those predictions.
And as crucial as avoiding cyber exposures and the corresponding reputational damage is for large, multinational corporations, it is even more acute for smaller companies in the workers’ compensation industry.
Healthcare Solutions’ Cavaness said the millions in loss notification and credit monitoring costs that impact a Target or a Home Depot in the case of a large data theft would devastate many a workers’ compensation service vendor.
“They’d be done in a minute,” Cavaness said.
The barriers to entry in this space are higher now than ever before, continued Cavaness, and companies wishing to do business with large carriers have the burden of proving that their security standards are uncompromising.
Workers’ compensation risk management in the United States is by its very nature, complex and demanding. But keep in mind that those charged with managing that risk get better results year after year.
Technology has a proven capability to iron out the system’s inherent complications and take its more mundane tasks off the shoulders of case adjusters.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.