Cyber Directors: Greater Expertise, Greater Liabilities?
The World Economic Forum places cyber security ahead of terrorism as one of the top 10 economic threats to 140 countries. Cyber security risk in the corporate arena is the responsibility of the board.
As noted by the commissioner of the SEC, “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.”
Boards have taken up the charge. Cyber security has moved from 11th place to third place on board agendas according to the Lloyd’s of London “Biennial Risk Index” of 2011 and 2013. The increased spending on cyber security protection by companies further supports this trend.
Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?
According to Gartner Inc., companies spent $86 billion on protection efforts in 2015, which reflects an 18 percent increase from the prior year, and are expected to spend $94 billion in 2016.
The issue becomes, how can a board address cyber risk complexities and meet its duty of care?
Congress proposes mandating cyber experience on boards. The Cybersecurity Disclosure Act of 2015 requires that public companies disclose whether the company has a director with cyber security experience or expertise, or disclose what cyber security steps it has taken that mitigate against acquiring board expertise.
At the same time, boards today are addressing cyber risk in one of several different ways.
Some address cyber security as a plenary board, receiving reports, engaging in discussions and making critical decisions as a whole. This can prove challenging due to the paucity of time at a board meeting and lack of board level cyber expertise.
Alternatively, boards may delegate cyber risk management to established audit committees. A committee forum provides greater time for analysis and expert consultation. However, audit committees are more likely to have financial rather than cyber expertise, and are more attuned to financial rather than technology and innovation issues.
Other boards create a cyber security committee or seek to add a cyber expert to the board itself. Either way, the board is seeking greater cyber expertise and experience at the board level.
The issue becomes whether the cyber expert director has a higher risk of liability than fellow directors. Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?
All corporate directors owe a fiduciary duty of care to the company and its shareholders. In executing their duty of care, the director must act in a manner that a reasonably prudent person would act under the circumstances. A reasonable person means one with the expertise of the director in question. If a director has a particular expertise, skill or experience, they are expected to apply it.
Accordingly, the cyber expert-director could be held to a higher standard of care and diligence in reviewing cyber-related matters than a director without cyber expertise.
While no director can turn a blind eye to negligence, and while all directors must act with diligence and care in addressing cyber matters, the cyber expert-director will tenably be expected to act in a manner that a reasonably prudent cyber expert would act under the circumstances, conducting a diligent technical review and evaluation of cyber matters that a director without cyber expertise could not undertake.
$1 Million Theft Excluded from Coverage
In July 2012, John Moon, one of the owners of Alphacare Services Inc., which performed payroll services for Construction Contractors (Contractors), told Contractors that AlphaCare did not have enough assets to pay payroll, taxes or benefits expenses for Contractors’ subscribers.
Eventually, auditors informed Contractors that Moon (who was charged in May 2016 by the U.S. Attorney’s Office and is awaiting trial for wire fraud) had wire-transferred about $930,000 from Construction Contractors’ funds to use for personal and AlphaCare expenses, leaving the company with substantial unpaid tax liabilities, according to court documents.
On Jan. 10, 2013, Contractors purchased a crime insurance policy, which included coverage for employee theft, from Federal Insurance Co. It advised the insurer there was still about $1 million that was unaccounted for.
Contractors later discovered the missing $1 million was stolen by check, and it submitted a claim for that amount with the carrier, according to court documents.
Federal Insurance denied the claim, saying all of the losses were a single loss under the policy because the insured had already discovered there was a loss prior to taking on the policy.
After a hearing in the U.S. District Court for the Northern District of Ohio at Toledo, the court agreed.
On July 11, the U.S. 6th Circuit Court of Appeals upheld the decision.
“Because Construction Contractors discovered the wire fraud prior to the policy’s execution and the check theft and wire fraud constitute a single loss, the check-theft loss is excluded from coverage under the policy,” the court ruled.
Scorecard: The insurance company does not need to pay the $1 million theft claim.
Takeaway: The insured was aware of the loss “even if ‘the exact amount or details … are unknown.’ ”
Ruling Modifies ‘Care, Custody and Control’
In January 2013, Texas Trailer Corp., under the direction of the American Bureau of Shipping (ABS), tested a container designed by EPMP Ltd. and SandCan LLC to store and deliver sand from a mine to a well site.
Applying excess weight to the container deformed the corner castings and subsequent tests deformed the container, eventually causing a crack in the corner casting weld. The crack constituted a failure of the certification test.
EPMP and SandCan sued both Texas Trailer and ABS for damages. Texas Trailer (TTC) sought a defense from National Union Fire Insurance Co., but the insurer said the policy did not cover the damage.
After a jury found that only ABS had been negligent, not Texas Trailer, TTC sued National Union for reimbursement of litigation costs in excess of its $100,000 per occurrence retained limit, and breach of contract. The carrier sought a summary judgment on the trailer company’s claims.
On June 28, the U.S. District Court in the Northern District of Texas ruled in favor of National Union.
At issue was whether an exclusion for damage of property in the “care, custody or control” of the insured excluded coverage of the claim. The insured argued the container was only within its “physical control,” and not its “care, custody or control.”
The insurer “need only show that the property was ‘under the immediate supervision of the insured and [was] a necessary element of the work involved,’ ” the court ruled. “ABS may have designed the tests, but TTC actually performed them.”
Scorecard: National Union was not required to pay Texas Trailer’s litigation costs.
Takeaway: TTC’s argument that it acted under ABS’ guidelines was not sufficient to prevent the court from ruling that TTC had “care, custody or control” of the container.
The Meaning of ‘Collapse’
In 2014, renovations at the Masters Apartments revealed “substantial structural impairment” due to decayed rim joists.
CHL LLC, owner of the Seattle apartment complex, submitted a claim to American Economy Insurance Co., which had issued commercial property insurance from 1999 to 2005. An engineer hired by the insurer said the structural damage occurred between 1999 and 2002, and that a building inspector would classify it as a “dangerous” building.
American Economy denied CHL’s claim, saying the damage did not trigger coverage, as “collapse,” as defined by the policy from 2002 to 2005, required the building to fall down or be in imminent danger of falling down for a claim to be paid. (Prior to 2002, the term “collapse” was undefined.)
The insurance company filed a lawsuit in the U.S. District Court for the Western District of Washington at Seattle seeking a judgment that it did not need to indemnify the claim.
On July 7, the court ruled in favor of the insurance company and dismissed the case.
Given that Masters Apartments remained upright for 12 years after the apparent decay occurred, the court ruled, the building did not reach a state of collapse between 1999 and 2002, when American Economy provided coverage.
Scorecard: The insurance company did not need to pay for renovations to the apartment complex.
Takeaway: Depending on the state, interpretation of “collapse” can range from a building that has a non-imminent substantial impairment of structural integrity to a building that has actually fallen down.
Why Marine Underwriters Should Master Modeling
Better understanding risk requires better exposure data and rigorous application of science and engineering. In addition, catastrophe models have grown in sophistication and become widely utilized by property insurers to assess the potential losses after a major event. Location level modeling also plays a role in helping both underwriters and buyers gain a better understanding of their exposure and sense of preparedness for the worst-case scenario. Yet, many underwriters in the marine sector don’t employ effective models.
“To improve underwriting and better serve customers, we have to ask ourselves if the knowledge around location level modeling is where it needs to be in the marine market space. We as an industry have progress to make,” said John Evans, Head of U.S. Marine, Berkshire Hathaway Specialty Insurance.
CAT Modeling Limitations
The primary reason marine underwriters forgo location level models is because marine risk often fluctuates, making it difficult to develop models that most accurately reflect a project or a location’s true exposure.
Take for example builder’s risk, an inland marine static risk whose value changes throughout the life of the project. The value of a building will increase as it nears completion, so its risk profile will evolve as work progresses. In property underwriting, sophisticated models are developed more easily because the values are fixed.
“If you know your building is worth $10 million today, you have a firm baseline to work with,” Evans said. The best way to effectively model builder’s risk, on the other hand, may be to take the worst-case scenario — or when the project is about 99 percent complete and at peak value (although this can overstate the catastrophe exposure early in the project’s lifecycle).
Warehouse storage also poses modeling challenges for similar reasons. For example, the value of stored goods can fluctuate substantially depending on the time of year. Toys and electronics shipped into the U.S. during August and September in preparation for the holiday season, for example, will decrease drastically in value come February and March. So do you model based on the average value or peak value?
“In order to produce useful models of these risks, underwriters need to ask additional questions and gather as much detail about the insured’s location and operations as possible,” Evans said. “That is necessary to determine when exposure is greatest and how large the impact of a catastrophe could be. Improved exposure data is critical.”
To assess warehouse legal liability exposure, this means finding out not only the fluctuations in the values, but what type of goods are being stored, how they’re being stored, whether the warehouse is built to local standards for wind, earthquake and flood, and whether or not the warehouse owner has implemented any other risk mitigation measures, such as alarm or sprinkler systems.
“Since most models treat all warehouses equally, even if a location doesn’t model well initially, specific measures taken to protect stored goods from damage could yield a substantially different expected loss, which then translates into a very different premium,” Evans said.
That extra information gathering requires additional time but the effort is worth it in the long run.
“Better understanding of an exposure is key to strong underwriting — and strong underwriting is key to longevity and stability in the marketplace,” Evans said.
“If a risk is not properly understood and priced, a customer can find themselves non-renewed after a catastrophe results in major losses — or be paying two or three times their original premium,” he said. Brokers have the job of educating clients about the long-term viability of their relationship with their carrier, and the value of thorough underwriting assessment.
The Model to Follow
So the question becomes: How can insurers begin to elevate location level modeling in the marine space? By taking a cue from their property counterparts and better understanding the exposure using better data, science and engineering.
For stored goods coverage, the process starts with an overview of each site’s risk based on location, the construction of the warehouse, and the type of contents stored. After analyzing a location, underwriters ascertain its average values and maximum values, which can be used to create a preliminary model. That model’s output may indicate where additional location specific information could fill in the blanks and produce a more site-specific model.
“We look at factors like the existence of a catastrophe plan, and the damage-ability of both the warehouse and the contents stored inside it,” Evans said. “This is where the expertise of our engineering team comes into play. They can get a much clearer idea of how certain structures and products will stand up to different forces.”
From there, engineers may develop a proprietary model that fits those specific details. The results may determine the exposure to be lower than originally believed — or buyers could potentially end up with higher pricing if the new model shows their risk to be greater. On the other hand, it may also alert the insured that higher limits may be required to better suit their true exposure to catastrophe losses.
Then when the worst does happen, insureds can rest assured that their carrier not only has the capacity to cover the loss, but the ability to both manage the volatility caused by the event and be in a position to offer reasonable terms when renewal rolls around.
For more information about Berkshire Hathaway Specialty Insurance’s Marine services, visit https://bhspecialty.com/us-products/us-marine/.
Berkshire Hathaway Specialty Insurance (www.bhspecialty.com) provides commercial property, casualty, healthcare professional liability, executive and professional lines, surety, travel, programs, medical stop loss and homeowners insurance. The actual and final terms of coverage for all product lines may vary. It underwrites on the paper of Berkshire Hathaway’s National Indemnity group of insurance companies, which hold financial strength ratings of A++ from AM Best and AA+ from Standard & Poor’s. Based in Boston, Berkshire Hathaway Specialty Insurance has offices in Atlanta, Boston, Chicago, Houston, Los Angeles, New York, San Francisco, San Ramon, Stevens Point, Auckland, Brisbane, Hong Kong, Melbourne, Singapore, Sydney and Toronto. For more information, contact [email protected].
The information contained herein is for general informational purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product or service. Any description set forth herein does not include all policy terms, conditions and exclusions. Please refer to the actual policy for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Berkshire Hathaway Specialty Insurance. The editorial staff of Risk & Insurance had no role in its preparation.