Excess Follow Form? The Problem
Imagine a $100 million D&O (or E&O, EPL, Cyber) program made up of 10 insurance companies each providing a $10 million limit. The market standard dictates that each insurer use its own “excess follow form.”
Shortly after the CEO is briefed that his company has secured a $100 million “state of the art” D&O program, a securities class action is filed, followed by parallel derivative litigation. The litigation progresses and ultimately the Insured resolves the litigation at a cost of $70 million (defense and settlement).
During the litigation process, the insurance companies on the program reserved their rights, each referencing provisions of their excess policies. Now that the insured seeks to collect on the insurance, one by one each Insurer cites a provision that is different than the primary and underlying Insurers. It may be the definition of Insureds, or different Reporting Provisions, or even differences in the Insuring Clauses.
Reality sets in and the CEO finds out that the “state of the art” $100 million D&O program is not state of the art and has inherited numerous obstacles.
This scenario is not imagined. Despite the name, “excess follow form” policies do not completely follow the primary policy’s wording. Although the differences might seem small at the time of binding, they can have significant consequences at the time of a claim.
Qualcomm, Inc. v. Certain Underwriters at Lloyd’s London, 161 Cal. App. 4th 184, 73 Cal. Rptr. 3d 770 (Ct. App. 4th Dist. 2008) is a clear example of why it is necessary to have true follow form excess wording.
AIG wrote Qualcomm’s primary D&O policy with a $20 million limit, followed by a Lloyd’s excess “follow form” policy. After incurring $28 million in defense and indemnity, Qualcomm sought insurance recovery for the loss.
Qualcomm settled a coverage dispute with AIG for $16 million (AIG’s policy has a $20 million limit). Lloyd’s refused to pay anything towards the $28 million because Lloyd’s “excess follow form” policy included a provision stating: “underwriter shall be liable only after Insurer(s) under each Underlying Policies have paid or been held liable to pay the full amount of the Underlying Limit of Liability”. Qualcomm sued and the court held in favor of Lloyd’s.
This is a clear example of how “excess follow form” policies are not. Or as some would say, “Excess Policies Matter.”
Another example of an “excess follow form” myth is the arbitration provision that is in each policy.
Most D&O (E&O, EPL, and Cyber) policies require coverage disputes to be resolved by arbitration. Remember our $100 million D&O program with 10 insurers? The primary policy requires AAA arbitration under the laws of New York, the first excess may require that resolution be in London under the Arbitration Act of 1996, the next layer may require arbitration under the laws of Bermuda, and so on.
Not only do these inconsistencies require different venues for resolution, but it is also likely that each arbitration location could have different results, thus compounding an already serious problem.
Hopefully, we can all agree that “excess follow form” policies are not excess follow form policies. Insureds need to recognize that not all excess programs are the same and there is a need to place significant importance on all the contractual wordings, not simply the primary.
I’ve now presented you with the problem. In my next post I’ll discuss the solution.
The New World of Global D&O Insurance – Part 2
Note: This is the second of a two-part Risk Insider look at D&O.
As indicated in my previous Risk Insider post on Aug. 16, it’s been 10 years since the advent of the first local foreign D&O policies. Since then, many carriers have fine-tuned their process for underwriting and issuing local policies in foreign countries.
So, how should companies determine what countries have significant risk for them, and what are the key factors that should be examined in assessing the local exposure to D&O risk – whether from claims or from regulatory or tax concerns?
Not surprisingly, many multinationals have no interest in acquiring foreign local D&O coverage in countries where they believe their D&O exposure is negligible. After all, no exposure should translate into no premium allocation from the carrier, and thus no taxes or other compliance issues.
Therefore, when determining which countries are candidates for a foreign local D&O policy, it is critical to at least consider the following:
- Local exposures based on size, stock ownership, and brand.
- Types of local operations or business activities and status of the local management.
- Local regulations, including whether local non-admitted D&O coverage is permitted and recognized in country, and any potential taxes or penalties.
- Potential indemnification constraints for each country of concern.
- An assessment of local market conditions, purchasing patterns and claims activity.
Ultimately, each multinational client company [in the U.S., for example] should prioritize its international D&O risks from both a claims and compliance perspective. By assessing “regulatory risks,” such as compulsory requirements, admitted paper, indemnification constraints, tax, regulatory, local market viability, enforcement and local D&O claims history, we have built a “Regulatory Score” for each country.
Against that very substantial analysis, we have also created a simple “Business Trends” score for each country by measuring how often multinationals do business in these countries, and the extent of such business in each country in terms of the size (revenues or assets) and complexity of their operations.
By substituting your own data on country by country exposures, a customized heat map can be drawn that will help you prioritize the countries which require the most attention from a D&O insurance perspective. A sample graphic for some of the more popular countries follows:
Implementing International D&O coverage through the use of locally issued D&O policies is both important and challenging. Brexit does not help. Although “Freedom of Services” (FOS) policies were never very popular, it was helpful in some cases to place a single U.K. policy to obtain coverage for all European Union countries. And while innovative responses to Brexit have already emerged, we continue to favor local policies in each of your countries of interest.
Finally, we recognize that implementing a strong International D&O strategy puts a large administrative burden on the corporate risk manager and corporate offices in general. A large amount of information is required, which may include the collection of application materials from local operations.
However, the trade-offs are worth the trouble in high-risk countries. Sound advice, patience and persistence are critical to a successful process.
See Part I here.
To Keep Cool in a Crisis, Companies Need a Comprehensive Solution
Threats against corporate security come in many forms, from intentional acts of violence to civil unrest to cyber-attacks. The perpetrators don’t discriminate by company size or sector, and the consequences can range from several thousand dollars lost to several lives lost.
The recent shooting in an Orlando nightclub that killed 49, for example, or last year’s San Bernardino shooting that killed 14, are somber reminders that terrorism and violence can erupt anywhere and in any type of business. In addition to loss of life, violence can translate into business interruption and property damage. In Ferguson, Mo., riots led to over $4 million in property damage.
Cyber-attacks have also become commonplace, with hackers infiltrating private networks to steal data or hold it ransom.
Is your organization prepared for these risks?
“A lot of companies have a crisis response plan on paper, but they don’t have outside resources to come to their aid if there is an incident,” said Reggie Gibbs, Underwriter and Product Manager, Starr Companies.
Mid-size companies especially tend to lack comprehensive insurance coverage and crisis management services for a variety of security events due either to limited resources or an underestimation of their exposure.
Starr Companies’ Cyber and Terror Response (CTR) solution provides three coverages as well as crisis response services tailored to meet the needs of these companies. Each of its components addresses a common security threat.
Terror and Political Violence
“Political violence can be defined as a strike, riot, protest, or any type of unrest that gets out of hand and turns violent,” said Gibbs, who specializes in terrorism and political violence, workplace violence, and crisis management.
In the case of the Ferguson protests, any first party property damage or third party liability incurred by the disruption would be covered under the terrorism and political violence segment of the CTR solution.
In the case of a terror attack, organizations cannot necessarily rely on TRIA to pick up property losses. In the case of the Orlando shooting, for example, the likelihood of TRIA being invoked is low because property damage will not meet the threshold for coverage to kick in.
TRIA, reauthorized in 2015, provides a federal insurance backstop in the event of a terror attack. The U.S. Secretary of the Treasury, U.S. Attorney General, and U.S. Secretary of Homeland Security must declare an attack to be an act of terrorism, and property damage must exceed $5 million to trigger TRIA.
“We would still view the Orlando shooting as an act of terror, however, because of who the shooter claimed he was working for regardless if the ties to terror groups are clear or not. Therefore, our coverage would apply,” Gibbs said. Even if TRIA was enacted, however, companies would still have a lot of pieces to pick up following an attack. They may have injured or deceased employees, or face legal action from third parties.
For these situations, and any other incident of violence not driven by terrorism, the workplace violence component of Starr’s CTR solution would act as an umbrella to cover other liabilities such as legal liability, loss of life benefits, psychiatric care, and other crisis response services.
One such incident struck a Boston-area Bertucci’s in early May. An attacker wielding a knife drove his car into a Boston shopping mall before making his way into the nearby restaurant. He killed five, including restaurant workers and patrons.
“There was no ideological or political motivation behind it. He was just deranged,” Gibbs said. “Our workplace violence coverage can handle the loss of life benefits for both the employees and patrons killed in situations like this one.”
In the best cases, though, violence can be prevented altogether.
“If an employee reports a stalking threat, the policy would cover the expense of security guards,” Gibbs said. “In this case, it’s more of a pre-workplace violence coverage. It would de-escalate the situation.”
Attacks can also be non-physical.
Cyber extortion in particular is on the rise. Phishing scams lead employees to click on malicious links, unknowingly downloading ransomware onto their internal networks. The cyber criminals then hold companies’ networks ransom, asking for a sum of money in return for the release of data or to prevent a business interruption. The ransoms can be low — amounts that organizations can afford to pay.
“The hackers don’t want to attract the attention of law enforcement or regulatory agencies,” said Annamaria Landaverde, National Cyber Practice Leader & Professional Liability Underwriting Manager, Starr Companies. Landaverde specializes in the cyber component of the CTR coverage. “The FBI may not get involved if someone asks for $5,000. They are more likely to get involved if someone asks for $5 million.”
Since companies are not required by law to report cyber extortion — like they are for data breaches — many choose simply to pay the ransom and move on without generating any negative news headlines.
“A California medical center recently had an incident like this where the hackers asked for $17,000 in ransom,” Landaverde said, “but the amounts can vary.”
While the ransom itself may seem manageable, many companies fail to recognize other costs associated with the identification and removal of the malware from their system. There may also be costs associated with forensics investigations, legal experts, public relations firms, third party lawsuits, and notification and credit monitoring.
“The cyber arm of the CTR coverage extends to liability that an organization would suffer as a result of a breach, or failure of security of the insured’s network,” Landaverde said. That includes not just cyber extortion, but outright data theft or denial-of-service attacks.
Crisis Management Services
“We don’t just want to indemnify the security risks our clients face; we want to help them actively manage them,” Gibbs said.
The fourth component of Starr’s CTR solution – crisis response – provides two outside consultants to insureds, with one specializing in “hard” security services like guards or instances of cyber extortion, and another focusing on crisis communications.
Without these outside services, there is only so much insurance can do in the aftermath of a crisis. Experienced consultants provide a range of security preparedness and response services to complement coverage and help insureds recover from an episode of violence or cyber event.
“From a communications perspective, our consultants can manage the public relations front to create clear and consistent messaging, but they can also stay in touch with families after a terror or other violent attack to make sure everyone stays informed,” Gibbs said.
They also serve as a first point of contact for insureds immediately after an event. If they need guidance quickly, consultants await at the ready.
“When a client purchases the product, they get a 24-hour hotline set up with one of our consultancies,” he said. “They can report an incident at any time, and our consultant will help either resolve a situation or deal with the aftermath in whatever way they can.”
While the Cyber and Terror Response package provides a comprehensive solution tailored for mid-size companies, Starr also offers standalone cyber liability and crisis management coverage on a primary and excess basis.
“For companies with greater exposure to a particular type of risk, or who simply want higher limits or greater customization, we have those standalone policies,” Landaverde said.
For more information on Starr Companies’ Cyber and Terror Response solution, visit https://www.starrcompanies.com/Insurance/CyberAndTerrorResponse.
Starr Companies is the worldwide marketing name for the operating insurance and travel assistance companies and subsidiaries of Starr International Company, Inc. and for the investment business of C. V. Starr & Co., Inc. and its subsidiaries.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.