Corporations Unite to Lower Health Care Costs
A new agreement to share health care coverage information among some of the largest U.S. corporations – a sweeping effort to reduce surging medical costs – may potentially alter how administration service providers, such as brokers and pharmacy benefit managers, operate.
Known as the Health Transformation Alliance (HTA), the collective seeks to improve how companies provide health coverage and make the current multilayered supply chain more efficient.
The 20 companies involved include Macy’s Inc., American Express Co., and The Coca-Cola Co. Between them, they spend more than $14 billion annually on combined health care for 4 million people, including employees, their dependents and retirees, according to the HTA website.
The HTA’s first pilot projects are expected to launch in 2017 and will help employees obtain more affordable prescription medications. The rest of the major initiatives are planned for 2018 or later. The alliance has not yet indicated how they expect to reduce costs for prescriptions.
“This isn’t necessarily a totally new concept; it’s one that is timely and probably pretty smart,” said Chris Duncan, chief growth officer at EPIC Insurance Brokers and Consultants.
Duncan was a casualty analyst at Ford Motor Co. in the mid-1980s when the automotive company formed an alliance with dozens of other large corporations to help solve the U.S. liability insurance crisis. The companies in the alliance eventually formed XL Group plc. and ACE to provide product liability and D&O coverage.
“This is a continuation of what large employers have been doing for some time; consolidating purchasing powers and business driver insights,” Duncan said.
“I think it’s doable to bind together 20 companies and probably get a better deal than having the PBM in the middle.”
Since the inititative is still in preliminary stages, it is uncertain what changes the collaboration may bring to the corporations or the administration companies serving them.
“We are looking for innovators in the supply chain, the pioneers who want to break from the status quo and work with the group of pioneering employers who want to build a better way.” — The Health Transformation Alliance
“We hope to hear from the supply chain about how it can work with us to recast a system that everyone agrees needs to be improved,” the HTA said.
“We are looking for innovators in the supply chain, the pioneers who want to break from the status quo and work with the group of pioneering employers who want to build a better way.”
Suppliers are also trying to understand how the alliance may change their roles.
“This could be a revenue generating opportunity for Aon, but it will likely take revenue out of the market for smaller brokerage firms,” said Alex Michon, senior vice president with Aon Risk Solutions.
If corporations decide to cut out insurance buying, they may save broker commissions and that could reduce fees, Michon said. But large brokers usually play a dual role in helping obtain insurance plans as well as offering risk and compliance consulting services.
“With the right data and right analysis you could do some interesting things,” said EPIC’s Duncan.
For example, the companies could negotiate a national disease management program for diabetes or cardiac care.
“Literally 20 percent of your employee population will drive 70 percent of your costs so you can concentrate that intervention in a fewer number of partner or vendor intervention points,” Duncan said.
According to its website htahealth.com, the HTA plans to “facilitate contracting opportunities between members of the Alliance and service providers.”
Members will then contract directly with the service provider. The Alliance said it will not receive funds from these contracts or bear legal responsibility for the service provider’s performance under the contract.
“We have considerable work to do, and we expect this will take years to fully implement,” said
Bill Allen, the CHRO of Macy’s Inc. said, in announcing the Alliance.
“This is a major undertaking for each of us, but if we don’t do it now, the growth in health care costs will overwhelm all of us. We are proud to be pioneers who seek to transform and improve the way health care benefits are provided for millions of working Americans.”
“There’s a crisis in medical care and the biggest companies are bringing together their purchasing power to find solutions,” Duncan said.
“I wish them a whole lot of luck because what we’re doing now just isn’t working. We should all watch them carefully.”
The members of the Alliance are:
American Express Co.
BNSF Railway Co.
The Coca-Cola Co.
E.I. du Pont de Nemours & Co.
The Hartford Financial Services Group Inc.
IBM Corp. Ingersoll Rand
International Paper Co.
Lincoln Financial Group
Marriott International Inc.
NextEra Energy Inc.
Pitney Bowes Inc.
Shell Oil Co.
Verizon Communications Inc.
Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and that there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better funded and supported security, and they have heavy government regulation. That both keeps them on their toes, and also means greater external surveillance. Several panel members noted that firms became aware of breaches when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.” — John F. Mullen, managing partner, Lewis Brisbois Bisgaard & Smith
The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do, “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing e-mail by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense.” — Austin Berglas, senior managing director, K2 Intelligence
He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.
Electronic Waste Risks Piling Up
The latest electronic devices today may be obsolete by tomorrow. Outdated electronics pose a rapidly growing problem for risk managers. Telecommunications equipment, computers, printers, copiers, mobile devices and other electronics often contain toxic metals such as mercury and lead. Improper disposal of this electronic waste not only harms the environment, it can lead to heavy fines and reputation-damaging publicity.
Federal and state regulators are increasingly concerned about e-waste. Settlements in improper disposal cases have reached into the millions of dollars. Fines aren’t the only risk. Sensitive data inadvertently left on discarded equipment can lead to data breaches.
To avoid potentially serious claims and legal action, risk managers need to understand the risks of e-waste and to develop a strategy for recycling and disposal that complies with local, state and federal regulations.
The Risks Are Rising
E-waste has been piling up at a rate that’s two to three times faster than any other waste stream, according to U.S Environmental Protection Agency estimates. Any product that contains electronic circuitry can eventually become e-waste, and the range of products with embedded electronics grows every day. Because of the toxic materials involved, special care must be taken in disposing of unwanted equipment. Broken devices can leach hazardous materials into the ground and water, creating health risks on the site and neighboring properties.
Despite the environmental dangers, much of our outdated electronics still end up in landfills. Only about 40 percent of consumer electronics were recycled in 2013, according to the EPA. Yet for every million cellphones that are recycled, the EPA estimates that about 35,000 pounds of copper, 772 pounds of silver, 75 pounds of gold and 33 pounds of palladium can be recovered.
While consumers may bring unwanted electronics to local collection sites, corporations must comply with stringent guidelines. The waste must be disposed of properly using vendors with the requisite expertise, certifications and permits. The risk doesn’t end when e-waste is turned over to a disposal vendor. Liabilities for contamination can extend back from the disposal site to the company that discarded the equipment.
Reuse and Recycle
To cut down on e-waste, more companies are seeking to adapt older equipment for reuse. New products feature designs that make it easier to recycle materials and to remove heavy metals for reuse. These strategies conserve valuable resources, reduce the amount of waste and lessen the amount of new equipment that must be purchased.
Effective risk management should focus on minimizing waste, reusing and recycling electronics, managing disposal and complying with regulations at all levels.
For equipment that cannot be reused, companies should work with a disposal vendor that can make sure that their data is protected and that all the applicable environmental regulations are met. Vendors should present evidence of the required permits and certifications. Companies seeking disposal vendors may want to look for two voluntary certifications: the Responsible Recycling (R2) Standard, and the e-Stewards certification.
The U.S. EPA also provides guidance and technical support for firms seeking to implement best practices for e-waste. Under EPA rules for the disposal of items such as batteries, mercury-containing equipment and lamps, e-waste waste typically falls under the category of “universal waste.”
About half the states have enacted their own e-waste laws, and companies that do business in multiple states may have to comply with varying regulations that cover a wider list of materials. Some materials may require handling as hazardous waste according to federal, state and local requirements. U.S. businesses may also be subject to international treaties.
Developing E-Waste Strategies
Companies of all sizes and in all industries should implement e-waste strategies. Effective risk management should focus on minimizing waste, reusing and recycling electronics, managing disposal and complying with regulations at all levels. That’s a complex task that requires understanding which laws and treaties apply to a particular type of waste, keeping proper records and meeting permitting requirements. As part of their insurance program, companies may want to work with an insurer that offers auditing, training and other risk management services tailored for e-waste.
Insurance is an essential part of e-waste risk management. Premises pollution liability policies can provide coverage for environmental risks on a particular site, including remediation when necessary, as well as for exposures arising from transportation of e-waste and disposal at third-party sites. Companies may want to consider policies that provide coverage for their entire business operations, whether on their own premises or at third-party locations. Firms involved in e-waste management may want to consider contractor’s pollution liability coverage for environmental risks at project sites owned by other entities.
The growing challenges of managing e-waste are not only financial but also reputational. Companies that operate in a sustainable manner lower the risks of pollution and associated liabilities, avoid negative publicity stemming from missteps, while building reputations as responsible environmental stewards. Effective electronic waste management strategies help to protect the environment and the company.
This article is an annotated version of the new Chubb advisory, “Electronic Waste: Managing the Environmental and Regulatory Challenges.” To learn more about how to manage and prioritize e-waste risks, download the full advisory on the Chubb website.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Chubb. The editorial staff of Risk & Insurance had no role in its preparation.