Coping with Cancellations
Airlines typically can offset revenue losses for cancellations due to bad weather either by saving on fuel and salary costs or rerouting passengers on other flights, but this year’s revenue losses from the worst winter storm season in years might be too much for traditional measures.
At least one broker said the time may be right for airlines to consider crafting custom insurance programs to account for such devastating seasons.
For a good part of the country, including many parts of the Southeast, snow and ice storms have wreaked havoc on flight cancellations, with a mid-February storm being the worst of all. On Feb. 13, a snowstorm from Virginia to Maine caused airlines to scrub 7,561 U.S. flights, more than the 7,400 cancelled flights due to Hurricane Sandy, according to MasFlight, industry data tracker based in Bethesda, Md.
Roughly 100,000 flights have been canceled since Dec. 1, MasFlight said.
Just United, alone, the world’s second-largest airline, reported that it had cancelled 22,500 flights in January and February, 2014, according to Bloomberg. The airline’s completed regional flights was 87.1 percent, which was “an extraordinarily low level,” and almost 9 percentage points below its mainline operations, it reported.
And another potentially heavy snowfall was forecast for last weekend, from California to New England.
The sheer amount of cancellations this winter are likely straining airlines’ bottom lines, said Katie Connell, a spokeswoman for Airlines for America, a trade group for major U.S. airline companies.
“The airline industry’s fixed costs are high, therefore the majority of operating costs will still be incurred by airlines, even for canceled flights,” Connell wrote in an email. “If a flight is canceled due to weather, the only significant cost that the airline avoids is fuel; otherwise, it must still pay ownership costs for aircraft and ground equipment, maintenance costs and overhead and most crew costs. Extended storms and other sources of irregular operations are clear reminders of the industry’s operational and financial vulnerability to factors outside its control.”
Bob Mann, an independent airline analyst and consultant who is principal of R.W. Mann & Co. Inc. in Port Washington, N.Y., said that two-thirds of costs — fuel and labor — are short-term variable costs, but that fixed charges are “unfortunately incurred.” Airlines just typically absorb those costs.
“I am not aware of any airline that has considered taking out business interruption insurance for weather-related disruptions; it is simply a part of the business,” Mann said.
Chuck Cederroth, managing director at Aon Risk Solutions’ aviation practice, said carriers would probably not want to insure airlines against cancellations because airlines have control over whether a flight will be canceled, particularly if they don’t want to risk being fined up to $27,500 for each passenger by the Federal Aviation Administration when passengers are stuck on a tarmac for hours.
“How could an insurance product work when the insured is the one who controls the trigger?” Cederroth asked. “I think it would be a product that insurance companies would probably have a hard time providing.”
But Brad Meinhardt, U.S. aviation practice leader, for Arthur J. Gallagher & Co., said now may be the best time for airlines — and insurance carriers — to think about crafting a specialized insurance program to cover fluke years like this one.
“I would be stunned if this subject hasn’t made its way up into the C-suites of major and mid-sized airlines,” Meinhardt said. “When these events happen, people tend to look over their shoulder and ask if there is a solution for such events.”
Airlines often hedge losses from unknown variables such as varying fuel costs or interest rate fluctuations using derivatives, but those tools may not be enough for severe winters such as this year’s, he said. While products like business interruption insurance may not be used for airlines, they could look at weather-related insurance products that have very specific triggers.
For example, airlines could designate a period of time for such a “tough winter policy,” say from the period of November to March, in which they can manage cancellations due to 10 days of heavy snowfall, Meinhardt said. That amount could be designated their retention in such a policy, and anything in excess of the designated snowfall days could be a defined benefit that a carrier could pay if the policy is triggered. Possibly, the trigger would be inches of snowfall. “Custom solutions are the idea,” he said.
“Airlines are not likely buying any of these types of products now, but I think there’s probably some thinking along those lines right now as many might have to take losses as write-downs on their quarterly earnings and hope this doesn’t happen again,” he said. “There probably needs to be one airline making a trailblazing action on an insurance or derivative product — something that gets people talking about how to hedge against those losses in the future.”
Cyber: The New CAT
Superstorm Sandy. The Joplin tornado. The Japanese earthquake and tsunami. California wildfires. 9/11. Catastrophes come in many forms. It is universally understood that despite our best efforts, disaster can strike due to forces beyond our control. Cyber threats are equally dangerous and diverse — and just as unstoppable.
Yet even as catastrophe risk management matures and scores of executives join the catastrophe conversation, the dragon known as cyber risk still sits in the middle of the board room, quietly smoldering.
In every industry and at every company size, cyber risk is a foundation-level exposure that every business must confront — one that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.
As recent as a decade ago, that might have been an overstatement. But not now. Technology and business are fundamentally linked. Computers and the Internet are the primary platform for communicating with customers and vendors, managing profits and expenses, paying employees, operating the machines that produce goods and provide services, and making sure that the end product gets into customers’ hands on schedule. Mobile technology and the Internet of Things are opening new channels, making technology a physical extension of ourselves, both personally and commercially.
“The entire economy is so reliant, in ways that we don’t even see, on technology and the storage, transmission and usage of data, both personal and for analytical purposes, that it’s fundamental to almost every sector,” said Oliver Brew, vice president for professional, privacy, and technology liability at LIU Liberty International Underwriters, the specialty line division of Liberty Mutual in New York.
Video: Computer security expert Mikko Hyppönen explains how he tracked down the creators of the first PC virus, which hit the net 25 years ago, and how to stop the new viruses of today.
That reliance is only going to grow. A January report by Forrester Research described software assets as more critical to business success than financial assets over the next 20 years.
“If you take a look at the public companies’ 10-Ks and publicly disclosed statements, what are they emphasizing that’s going to differentiate them from their competitors, increase sales, decrease costs and maximize efficiency? They focus on the use of technology and the use of information assets,” said Kevin Kalinich, global practice leader for cyber and network risk at Aon Risk Solutions.
With increased technology comes increased opportunity for attack. However, that reality didn’t get a lot of traction in the C-suite until the recent Target breach splashed it across world headlines. Even now, there are still some resting easy, confident that their IT teams have everything under control. Others assume cyber attacks are a threat largely confined to industries such as retail, health care and financial services — sectors with the most data to lose.
Small businesses, in particular, downplay the risk, said Jesse Bessler, an account executive at Lacher & Associates, of Souderton, Pa. “I think it’s that they just don’t understand the risk, and they think that [a cyber policy] is an add-on item they don’t need.”
Security experts, however, are trying to break through the wall of denial. Cyber attacks, they argue, are akin to massive storms or similar to the focused destruction of a tornado — something you can prepare for, but not something you can prevent. Despite firewalls and antivirus programs, experts say, cyber punches will eventually land inside every company.
To grasp the magnitude of the threat, it’s important to recognize that the driving forces behind cyber crime are vast, varied and as uncontrollable as any atmospheric or geologic force. The threat is now ubiquitous, and experts agree that while making an effort to reduce the risk of a breach is important, it is no longer possible to completely prevent cyber attacks.
“It’s like two identical cars in a mall parking lot,” explained Kurtis Suhs, vice president and national technology and privacy product manager for Ironshore. “If one’s locked and one’s unlocked, the bad guy’s going to go to the unlocked car. But if the bad guy really wants to get into the locked car, he will — it’ll just take longer.”
And yet, organizations keep brushing off the threat. That may be because “cyber risk” has become synonymous with data theft. If an entity does not have a significant aggregation of customer financial data, executives assume they won’t be targeted. The reality is that the true exposure is no longer just about credit card or Social Security data. Hackers have expanded their target list, adopted a more patient approach and found deep-pocketed sponsors, whether private-sector or state-sponsored, security experts said.
Sophisticated hackers are conducting long-term surveillance and probing for weaknesses they can exploit for financial gain, said David Remnitz, global and Americas leader of Ernst & Young’s forensic technology and discovery services business. “The end result here is the theft of highly valuable, internal information for significant financial gain,” he said.
While that could mean outright theft of trade secrets or confidential M&A data, it could also mean corporate sabotage, as in corrupting a decade of research and development results or putting competitors out of business. Imagine a market where most of the players used one primary vendor as a source for a key ingredient. An organization could contract with a lesser-used source for that ingredient, then disrupt the operations of the primary vendor via a denial-of-service attack or other type of malware, leaving the rest of the market scrambling for suppliers.
The potential for lost business and liability claims could be devastating for the affected companies. Even those with solid business continuity plans in place could still take heavy hits from the reputational fallout.
“A large company might be able to absorb that risk. A small company can’t,” said Elissa Doroff, a vice president and senior advisory specialist in Marsh’s network security and privacy practice in New York.
To date, breaches have largely been limited to individual companies, but the potential for larger events looms. One concern centers on cloud companies, which could host data for hundreds of businesses. A data breach or network interruption, or the physical destruction of a cloud-service data center could wreak larger havoc on the economy.
“That’s a potentially catastrophic loss,” said Doroff.
The sky’s the limit at this point. Criminals are capable of disrupting a multinational corporation, a transportation or logistics network, a health care system, an entire industry or even an entire region, creating havoc and leading to economic losses in the millions or billions — in many situations even putting lives at risk.
Keep in mind that those with ill intent don’t even need to have an IT background — the proliferation of hackers-for-hire means that anyone intent on doing damage can do so if their pockets are deep enough.
That said, it probably wouldn’t take a well-funded ring of genius-level hackers and a sophisticated attack plan to paralyze the average organization. Three years ago, the U.S. subsidiary of Shionogi, a Japanese pharmaceutical firm, suffered a devastating cyber attack that deleted the contents of 88 computer servers, crippling the company’s operations for several days, disabling its email, BlackBerry servers, order-tracking system, and financial management software. The attacker? A former mid-level employee, working from a public
Wi-Fi network at a nearby McDonalds, calmly sipping coffee while bringing Shionogi to its knees.
An Enterprise Approach
Even organizations that have never been affected by a catastrophe generally do not question the need for CAT planning. At the very least, most probably have a written evacuation plan in place and enough insurance to cover the potential physical damage of a storm. The smartest also address the whole picture from a supply chain and business continuity standpoint, and may have even considered questions about how to manage any reputational damage related to interruption of service to customers.
Cyber exposure should be approached in much the same way. It starts with engineering out the risk to whatever extent possible. If your roof is old, for instance, replacing it may be a way to ensure the building is more likely to stay intact if it’s battered by a storm. The cyber equivalent might be replacing old servers or upgrading any existing automated intrusion detection system. Security experts stress, however, that cyber risk is not an IT exposure, it’s an enterprisewide exposure. Therefore vulnerabilities need to be identified across an entire organization, with policies and procedures modified accordingly.
A comprehensive, enterprisewide disaster plan can also go a long way toward helping companies minimize the damage sustained in the event of a cyber attack. For every function of an organization, management needs to ask hard questions about how a cyber attack could disrupt that function, and what kind of back-up plan each department would need. Do you have a way to contact customers and suppliers if your email goes down? Do you have a crisis communication plan for alerting the public about how you’re handling the situation? Are your records backed up and accessible through a secure third-party?
Increasingly, organizations will rely on insurance to ensure their survival after a cyber event. In a February survey by BAE Systems, nearly 30 percent of companies said they expected the cost of a cyber attack to exceed $75 million. Another 20 percent expected the cost to fall between $15 million and $75 million.
“There’s an expectation that this could have an extremely material effect on business performance, and that’s a risk they look to hedge,” said Paul Henninger, global product director for BAE Systems Applied Intelligence, a business unit of BAE Systems.
Taking a realistic approach to cyber attacks could improve underwriting of the risk, he said. Just as carriers evaluate whether clients are prepared for a CAT-5 hurricane, knowing some damage is likely, they could determine whether clients are ready for a cyber storm.
“You can’t make it go away, but you can minimize the impact on the bottom line and customers and reputation,” he said.
Complete coverage on the inevitable cyber threat:
Risk managers are waking up to the reality that the cyber risk landscape has changed. Every sector must prepare to withstand the storm.
Critical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.
Disabled Autos. It’s alarmingly easy for a hacker to take control of a driverless vehicle, tampering with braking systems or scrambling the GPS.
Unmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.
An Electrifying Threat. There is a very real possibility hackers could devastate the nation’s power grids — for a potentially extended period of time.
Minimize the Risks of Client Lawsuits
When a top litigator prepares a case for a trial, part of the process is mapping out a clear, written story to put in front of a jury. Professionals looking to avoid or minimize the impact of client lawsuits would be smart to follow that lead, according to Christopher Piety, underwriting counsel, Professional Lines Risk Management, Aspen Insurance.
“Just like when a talented lawyer faces a jury, the better prepared you are, the stronger your case will be and the more likely you will prevail,” Piety said. “That means being very clear when writing an email or a letter to a client. Approach these communications as if you were writing directly to a future jury.”
Piety explained that in the wake of several recent sizeable professional liability claims, lawyers and other professionals (i.e., accountants, architects and engineers) must deliver clear, concise written communications, to create a record of what happened along the way. “On some of the larger claims that I’ve been involved in, whether it is with lawyers, accountants, architects or engineers, it really boils down to managing client expectations. And to do that requires effective written documentation,” he said.
For example, Piety said that in a recent professional liability claim, a lawyer did nothing wrong other than failing to put into writing advice that the circumstances of the client’s case changed, which typically translates to an added risk that the desired outcome may not be achieved.
“When you write an email or letter, it’s critical to include specifics. It will go a long way to avoid potential trouble, especially if the situation ends up in court,” Piety said. “A good defense is a strong offense.”
– Christopher Piety, underwriting counsel, Professional Lines Risk Management, Aspen Insurance
“The attorney didn’t spell out in writing that the evidence no longer supported the client’s seven-figure expected outcome,” Piety said. The client eventually dropped the case and then sued the lawyer for malpractice, claiming that the attorney’s failures cost them a positive result. Without written documentation advising the client about the risks, the attorney could not prove the client had been advised.
Screen for Bad Apples
“Professionals need the courage to ‘fire’ a potential problem client should any serious red flags emerge,” Piety said. “Not every piece of business is a good one.” Along those lines, he offered a few bits of advice to avoid potential problems when choosing clients:
- Obvious Red Flag: A potential client that “burned through” multiple professional services firms. Worse, have they sued any of them?
- Reputation Check: After completing a credit check and/or litigation search, research the potential client’s reputation in the local business community.
- Financial Stability: Check to see if the client is financially sound. Sometimes, problem clients manage to transfer their financial problems to their professionals in the form of unpaid fees and/or malpractice claims.
- Available Staff: Make sure your firm is prepared and staffed to properly do the work requested.
Clarity is Critical
“When you write an email or letter, it’s critical to include specifics. It will go a long way to avoid potential trouble, especially if the situation ends up in court,” Piety said. “A good defense is a strong offense.”
Professionals need to carefully detail the scope of work when starting a new project or case, particularly if the client is also new. From a risk management perspective, it’s most critical to completely outline limitations and risks.
In addition, specific risks to various types of professionals may include:
- Law Firms: Never offer guarantees for specific results, and understand that silence can be interpreted by a jury as agreeing with a client’s unrealistic expectations.
- Architects and Engineers: Specify what you will and will not be responsible for. Never agree to indemnify anyone outside the firm.
- Accountants: Advise clients and others using your work that attest engagements only provide limited assurance of no material misstatement in the financials, but do not guarantee the absence of fraud or financial problems with the attest client’s business.
“Throughout the entire business relationship, it’s a good idea to document any ongoing changed circumstances, no matter how seemingly small, and advise clients of any new related risks and/or performance limitations,” Piety said. He outlined these examples:
- Accountants: Quickly advise clients in writing when the client’s own poor record-keeping is causing the audit work to be more expensive and/or creating risk of material misstatement requiring additional client action.
- Lawyers: Advise clients in writing when discovering evidence that may potentially change the value of the case.
- Architects and Engineers: Communicate in writing when change orders on a project require expensive design changes that may negatively impact the overall project budget.
“Just like when a talented lawyer faces a jury, the better prepared you are, the stronger your case will be and the more likely you will prevail. That means being very clear when writing an email or a letter to a client. Approach these communications as if you were writing directly to a future jury.”
Piety said the failure to act quickly often causes confusion, which can in turn lead to unnecessary and unforeseen problems. To stop that from occurring, he offered these insights:
- Communicate immediately, via writing, any emerging issues that affect a client’s expectations and your ability to meet them.
- Clients who fail to pay in a timely manner or seem unhappy early on in the relationship probably have an issue that should be addressed immediately.
In the end, only by having a clear written record of what actually occurred can professionals ensure they will reduce, or even prevent, the threat of a claim. Do not give your future opponent an opportunity to fill in the gaps with their own version of reality designed to sway a jury against you.
“Always focus on the fundamentals because fundamentals are what will really help a defense,” Piety concluded. “In so many cases, written communication will prove to be the critical factor between winning and losing.”