An Electrifying Threat
Energy and the natural resources industry face especially grim cyber threats.
“If there is a cyber attack, you can’t see or touch that attacker so your ability to quickly respond may or may not be successful,” said Norma Krayem, a senior policy adviser at the Patton Boggs law firm and co-chair of the firm’s homeland security, defense and technology transfer practice group.
“I think the likelihood of such an attack absolutely exists,” she said. “I think the question becomes more about who, when and why.”
According to Symantec, a data security company, the energy sector “has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide.”
The threats may come from competitive spying, corporate espionage, cyber criminals, hacktivism, disgruntled employees and state-sponsored disruptions, it said.
A bad result doesn’t even necessarily have to begin with bad intent, said Cliff Lancaster, senior risk analyst at Hartford Steam Boiler Inspection and Insurance Co. (HSB).
At the Davis–Besse Nuclear Power Station in Ohio, for example, the network became infected with a worm that shut it down for five hours in 2003 because a software consultant had created a shortcut for his own convenience that bypassed the firewall, he said.
Possible Widespread Devastation
As security measures increase, employees and vendors may be ever more tempted to bypass procedures, just to more easily get their work done.
Between July 2012 and June 2013, 16 percent of all cyber attacks each day targeted companies in the energy sector, according to Symantec. Only the government or public sector had more targeted attacks.
And should the energy delivery system be disrupted, that threatens the country’s finance, transportation, health care, water supply and emergency services systems — all of which depend on reliable energy.
Electric grid vulnerabilities that lead to power disruptions are estimated to cost the U.S. economy between $119 billion and $188 billion each year, according to a 2013 report on grid vulnerability by Rep. Edward J. Markey, D-Mass., and Rep. Henry A. Waxman, D-Calif.
“Power disruptions today generally do not lead to insured losses,” said Robert Hartwig, president of the Insurance Information Institute.
“However, it seems only a matter of time before a major cyber attack leads to the type of damage covered by standard property and liability policies,” he said.
“As we look at what hackers have been able to do in terms of infiltrating presumed secure systems — even entities like the Department of Defense — it seems there must be vulnerabilities in the systems associated with major infrastructure in this country, whether it’s electric, water, transportation or communications.”
Complex Risk Management
The degree to which computer technology and networking are integral to the energy sector in an operational sense makes it a particularly complex risk-management challenge, said John Kerns, executive managing director of Beecher Carlson Financial Services.
“There was a question posed to us by a client earlier this year: What if there were a denial-of-service attack or virus that shut down the gas pipelines coming into Chicago in the middle of winter. Homes went cold and people went to the hospital or even died. There was no physical damage, but clearly there was a serious impact, and loss,” he said.
The challenges are not confined to traditional energy markets either, said Charles Long, vice president of renewable energy and green technology at William Gallagher Associates. “Many computers are covered under a basic commercial package, and wind farms have separate coverage. If there is a lightning strike, that is surely covered. If data just failed, that can be covered by E&O, but data corruption or a virus, that kind of thing is very much still under consideration.”
Fred Podolsky, executive vice president, executive risk, Alliant Insurance Services, said that “only a small fraction,” maybe 10 percent, of U.S.-based utility companies have bought cover, and most of the policies that have been purchased relate to data breach exposures.
Some companies, however, have “woken up and are looking for cover” to help them repair their power-generation network and computer systems should they be damaged, or to protect them from other service interruption or customer liability issues, he said.
But many utilities refuse to provide underwriters with sufficient information to get the coverage they need, he said.
The main reason? “It’s just a pure confidentiality concern. IT folks are just so fearful to release any information to anyone having to do with their security procedures, though pressure is building from risk management and others in the C-suite to address these exposures,” Podolsky said.
While protecting the actual control systems of energy companies is a high priority that is audited by the federal government, the smart grid, which measures and creates a more efficient distribution of electricity based on use, is vulnerable, said HSB’s Lancaster.
If false data were injected into that system, it could potentially cause turbine generators to speed up when they shouldn’t. “If you can get it spinning at the wrong speed,” he said, “it can just shake itself to death.”
And once a turbine or transformer is damaged, there is a limited amount of replacement equipment, he said. “If you are able to damage many pieces of equipment at once, it would take a lot of time to fix it because you have to build and rebuild lots of equipment,” Lancaster said.
Krayem said the connectivity of entities that distribute electric power, for example, means there could be “cascading failures” throughout the country.
“You have this patchwork of systems that are being cobbled together, a lot of them are legacy systems, and they are not necessarily all at the same level of security,” she said.
According to KPMG, which cited data from the U.S. Department of Homeland Security, the “constant barrage of cyber attacks” on water and energy companies “usually take the form of cyber espionage or denial-of-service attacks against industrial-control systems.”
Inadequate Security Controls
The consultancy also noted that a survey by The Centre for Strategic and International Studies in 2010 found that critical infrastructure, including power grids, industrial control networks and oil refineries, “are not adequately prepared to defend themselves.”
The most famous of all attacks on an energy system occurred in Iran when unknown forces — believed to be the United States and Israel — created the Stuxnet worm, specially designed to target Iran’s specific industrial control system and reprogram it so that the nuclear centrifuges spun out of control and damaged themselves while the displays indicated normal functioning.
Most notably, Stuxnet spread using a USB drive, infecting networks that were unreachable by the Internet.
Another disturbing attack occurred in 2012, when a cyber attack hit Saudi Aramco, one of the largest oil producers in the world. The disruption, which continued for two weeks, disabled more than 30,000 of the company’s workstations.
The virus, later named “Shamoon,” was the first significant cyber attack on a commercial target to cause real damage. It is also the most destructive attack the private sector has experienced to date, said Malcolm Marshall, global leader for information protection at KPMG, based in London.
Marshall said that “one senior oil-industry executive to whom I spoke shortly after the Shamoon incident told me, ‘Well, there goes our worst-case scenario.’ ”
That same month, Rasgas, in Qatar, was hit by the same virus and forced to bring its entire network off line.
In 2011, hackers were able to install malware and “evidence of a sophisticated threat actor” was found in the U.S. energy sector, according to the U.S. Government Accountability Office.
An Active Market
Marshall noted that, in the aggregate, the global oil and gas industry “is effectively self-insured, but cyber security is an active and growing commercial market, especially in the U.S. It seems likely that will become an economic necessity.”
Kerns at Beecher Carlson said, “We are seeing multiple policies responding to these threats. Those include dedicated cyber policies, D&O coverage, and in the energy sector, even general liability policies are responding.”
That said, he added that “the insurance market is looking aggressively at cyber risk, and is putting on new exemptions, restrictions, and limits. The gray areas are still some GL, bodily injury, and third-party injury. Mostly, we are seeing GL carriers not willing to pick up many risks. That leaves owners and brokers to see what the cyber market is willing to do.
“There is capacity to address business interruption, but we are having to press on bodily injury and property damage as they relate to cyber,” he said.
Closing the Property Gap
A complaint is filed against your organization’s board of directors. The board did nothing wrong — but they’ll still need to be defended against the claims. The good news: You have a D&O policy in place to protect them. The bad news: It may not be enough.
Nonprofit organizations and private companies whose business is in or related to property may, in certain circumstances, be faced with the unpleasant discovery that there’s a chink in their D&O armor. That chink comes in the form of the property exclusion included in all D&O policy forms.
The property exclusion seems an innocuous enough passage. And it’s there for a valid reason: Property policies — not D&O policies — should cover property damage. D&O underwriters don’t want to get stuck paying for things they never agreed to cover. So the language used in policy forms is intended to address every possible angle. But there are instances where policy language can inadvertently go a step too far, excluding exactly the type of claims that organizations use D&O policies to protect themselves from.
The primary sticking point, as it is with any exclusion, is a matter of language. Consider this sample wording from one D&O policy form:
“Insurer shall not be liable for loss … for actual or alleged bodily injury, sickness, disease or death of any person, or damage to or destruction of any tangible property including loss of use thereof; whether or not such property is physically injured … .”
The language is pretty straightforward, and does what it sets out to do — it excludes any claim that alleges the directors and officers’ actions caused damage to property. Got damage? Look to your property policy. Case closed.
By contrast, consider the exact same exclusion as written on another D&O policy form:
“This insurance does not apply to any ‘loss’ or ‘defense costs’ in connection with any claim made against an insured, arising out of, directly or indirectly resulting from, or in consequence of, or in any way involving any actual or alleged bodily injury, sickness … damage to or destruction of any tangible property including any loss of use or slander of title … .”
On its face, that wording could be used to exclude just about anything related to property damage in any way, including common complaints that should trigger coverage, such as failure to set adequate reserves or failure to have adequate insurance. If those acts can be tied to property damage in any peripheral way, the carrier can refuse to defend the board.
Explained Mark Weintraub, insurance and claims counsel for Lockton’s southeast region: “If the board makes a decision — ‘OK, an elevator broke and we’re going to repair it’ — they know that’s part of the property damage exclusion. They’re not worried about that. But if it’s ‘we’re going to make a global decision about reserving funds … or a decision based on disclosures or assessments,’ that’s something that the property damage exclusion shouldn’t reach.
“There’s that danger for anyone who deals with property on a regular basis that the property exclusion could reach out and steal away coverage for basic fiduciary acts,” said Weintraub. “It’s not something that I think anyone intends, but it can happen, especially as claims get larger. Carriers will look at their policies to try and see what they can do to restrict coverage — that’s just human nature.”
Court Rulings Clash
A handful of cases brought the property exclusion debate to the courts in 2013, with mixed results.
In a Florida case, Commodore Plaza Condominium Association vs. QBE Insurance Corp., a building suffered damage during Hurricane Wilma. The property managers allegedly made multiple missteps after the fact, causing additional damage to the property.
The court held that all claims related to that damage were subject to the property damage exclusion — not a surprise. But the court also held that the exclusion applied to other alleged acts such as failing to provide security; breaching the duty to not interfere with peaceful possession of property; failing to follow all valid laws, zoning ordinances, and regulations; hiring unlicensed and unqualified workers; and failing to perform repairs in accordance with the Florida Building Code.
The court determined that the damage from the hurricane was the underlying cause of all of these alleged breaches and, therefore, they all fell under the property exclusion. And while there’s arguably some gray area, the court’s decision amounts to this: Not only are breaches of duty that result in property damage excluded, but so are breaches of duty caused by property damage.
The following month, an Illinois court offered a particularly troublesome decision in Hess vs. Travelers Casualty and Surety Co. The court, as might be expected, upheld an exclusion of coverage for an alleged breach of a duty to make repairs related to a construction defect. However, the court also excluded coverage for the failure to establish a reserve fund for repairs — an occurrence that took place years before the issue of property damage would even be raised.
The decision whether or not to establish a reserve fund is clearly and wholly a fiduciary matter, and one related to economic harm independent from property damage. Put another way — the lack of a reserve fund cannot cause property damage. As such, it might seem that it should be cut and dried that a carrier would have a duty to defend an insured against a complaint that its negligent reserving decision led to economic harm. That is, after all, one of the points of having a D&O policy.
However, the court in Hess didn’t see it that way. It reasoned that the claim for breach of fiduciary duty arose out of, or originated from, the construction defect. Therefore, it fell under the policy’s exclusion language. The board, in this case, was left squarely between a rock and hard place. The complaint didn’t fall under the organization’s D&O policy — but it didn’t fall under the property policy either. Board members were left to their own devices.
A later case, Pulliam vs. Travelers Indemnity Co., also involved multiple complaints including failure to establish a reserve fund and failure to disclose conflicts of interest in a developer-controlled property owner’s association. In this case, however, the court diverged from the Illinois court’s interpretation in Hess, making a clear distinction between property and economic damage:
“The duty to establish a reserve fund, while related to the property damage, did not result in physical damage to tangible property as required by the policy. The failure to establish a reserve fund resulted in respondents having to expend more from their own pockets to make the repairs than they might have otherwise had to expend — economic damage. Likewise, allegations that [the board] breached its fiduciary duty … do not allege a physical injury to tangible property constituting property damage.”
Weintraub said he’s seeing a slight uptick in this type of friction with D&O policies. “I’m not saying this is some growing, dangerous trend, but I have seen it coming up more, and I see that these cases could give it additional steam because they have case law to rely on.”
Closing the Gap
In these cases, as with any related cases, the underlying truth is that none of the insureds ever expected to find themselves battling their policy coverage in court. They assumed they could rest easy knowing they had protected their directors and officers with a D&O policy if a complaint arose.
But sometimes just a few key words can get in the way. And that can have deeper implications for those whose lifeblood depends upon property. Consider this scenario: A property management group fails to maintain a roof on one of its buildings. The roof begins to leak and massive property losses follow. There’s no occurrence, so the property policy isn’t triggered. So the occupants turn to the board for relief and discover there are inadequate reserves set aside for repairs.
“That’s exactly what happens in the gap,” said Steve Shappell, managing director of Aon Risk Solutions’ financial services group. “We didn’t have an occurrence so we can’t go to our CGL, we can’t go to our property insurer because we didn’t trigger the cover, but [the claim] is clearly related to and arising out of property damage.”
It’s not all that hard to see how the lines could blur further.
“If you take this out to the extreme, let’s say … a decision in the assessment world; that’s always unpopular in a condominium,” said Weintraub. “If an assessment is levied, usually your residents are going to be up in arms because it’s going to cost them money, so that usually leads to claims. And if a board is going to be second-guessed by its carrier for claims saying the board breached its fiduciary duty by levying an assessment, really — what are they paying for? What is going to be covered in the end?”
It’s How You Write It
On the surface, the solution is in the language.
“If you want to trigger defense, what you need to do with that policy language is strike the ‘alleged, arising from’ language and use the words ‘for,’ ‘from’ or other soft words that don’t have that kind of restrictive component to them,” said Monica Minkel, senior vice president of executive protection at Poms & Associates Insurance Brokers Inc.
But Minkel and others acknowledged that may be easier said than done.
“The quick answer is to say get rid of that language,” said Weintraub. “But sometimes that can simply be impossible.”
“The devil’s in the details,” said Shappell. “Can you get rid of it completely? If you buy an A side only policy — which is not very popular with the nonprofits and the private companies — you probably can get rid of the property exclusion, but it doesn’t make a whole lot of sense because it only covers non-indemnifiable scenarios and you’ve got to have a lot of cash to operate that way.”
Whether or not the language can be negotiated — deciding which elements of the policy are make-or-break — is a judgment call that brokers and insureds need to work out together.
“You could check 100 components, but are you going to move the business if eight of those components don’t match what you had before or they’re not the best you can get? Some carriers will negotiate and some won’t,” said Minkel.
That said, there are other considerations that will help ensure that a D&O policy responds, Minkel said. The first is whether a duty to defend policy form is used and the other is the cost allocation language.
“We’re looking for 100 percent predetermined defense cost allocation. What that means is if you get a claim in the door that has five causes of action and two of them are in a gray area or clearly shouldn’t be covered under the policy … they’re going to defend you for 100 percent of the claim, they’re not going to allocate the defense expenses based on covered and uncovered loss.”
Weintraub said it’s up to brokers to make sure that insureds understand what the property exclusion is and how it can lead carriers to deny defense.
“Awareness is half the battle. If they know a property damage exclusion could leap up and bite them when they’re not expecting it, then the key is to just keep that in mind when they’re making their decisions — especially with clients who are property managers,” he said.
That also means documenting decisions to make it clear that they’re not property related, he added.
“Directors and officers should be free to make fiduciary decisions and they should know what’s on the table and what isn’t as far as coverage goes ahead of time,” said Weintraub. “You don’t want it to be something of a gotcha.”
Passionate About Technology
If you overheard the passion and enthusiasm that Brit Waters uses to describe his most important business technology, you would immediately assume it was the latest smartphone or tablet. But it’s not Apple or Google that generates so much enthusiasm, it’s the Riskonnect risk management platform.
“Riskonnect revolutionized how our department does business. This system changed the way we gather, analyze and communicate information. It’s made us more efficient, effective and reliable,” said Waters, Manager, Risk Management at Avery Dennison Corporation. “These are not bandages, but complete solutions.”
Avery Dennison is a multinational company offering labeling and packaging materials and solutions whose applications and technologies are an integral part of products used in every major market and industry. The company operates in more than 50 countries with over 26,000 employees and $6 billion in revenues in 2013.
The company partnered with Riskonnect, the provider of premier, enterprise-class technology platforms. In just 18 months, the system not only revolutionized the department but also delivered wide-ranging value for plenty of other parts of the organization. Those departments utilize the system to manage financial assets, keep track of vehicles and will soon oversee facilities requests.
‘The Simplicity is Unreal’
For global property insurance renewals, Riskonnect changed the way Avery Dennison collects data on its 300 manufacturing facilities, warehouses and other properties around the world. Gone are the days of sorting through hundreds of separate emails with information about the properties and merging hundreds of separate spreadsheets into one.
Not only was the old process cumbersome, it left lots of room for error.
With Riskonnect, the process is automated. It sends emails to the more than 100 individual contacts and the users insert the information into the Riskonnect portal themselves — something that makes Waters’ life a whole lot easier.
“I hit a button once and it runs the report for me. The simplicity is unreal,” he said. “Plus, it gives us better information that we can communicate to our insurance carriers, and gives them increased confidence about the risks they’re insuring.”
Waters said it’s a big time-saver. “Before, the process could take up to three months, and now we get it done in less than a month.”
One thing he’s particularly excited about is the configurability of the portal. If he wants to customize it, he can easily do so without going through a computer programmer or contacting an account executive.
“It gives you the power to set up the system as you need it, not as someone else envisions you need it,” said Waters.
The Riskonnect portal is also the primary source for reporting workers’ compensation claims. Again, the Riskonnect system simplified the process. Before, employees had to call a 1-800 number or fill out a long form and fax it to the Third Party Claims Administrator (TPA). Now they just log on and use the claims reporting portal, which is equipped with drop-down menus and other efficiencies that help expedite the process.
“We take the guessing game out of their hands,” said Waters. “In a matter of minutes, they get a confirmation email that the claim has been submitted to the TPA.”
Through the Riskonnect dashboard tools, Waters and his department can learn a lot about trends in workers’ comp claims. The system tracks claims year-to-date, costs, causes of injury and even the top body parts that are hurt. Then risk management communicates that information to local managers to make sure that safety-and-prevention programs are appropriate and will help reduce the amount of claims and their costs.
“The Riskonnect dashboards lay out all this valuable information in easy-to-use tables and charts, making it simple for us to study the data and implement necessary safety changes,” said Waters.
ROI on a Values Collection Module
At the start of the process, Waters never imagined just how many other departments would use the tool. The finance department uses the system for asset management. The fleet administrator uses it to have drivers sign off on its manuals. Even the facilities department is jumping on board, using the Riskonnect system to identify when properties need repairs to big-ticket items like roofs or windows.
The company is also looking to report global property claims, transit claims and employers’ liability claims through the platform. It’s even evaluating if it can use it on the shop floor with health-and-safety team members having easy access to the system via iPads.
“The Riskonnect platform can help many different departments with a wide variety of tasks,” said Waters. “It’s really making risk management a much more strategic contributor to the company.”
Waters’ enthusiasm for the product is clear, but he’s not alone. End-users are raving about how easy, intuitive and customizable it is. For example, training end-users used to consist of holding approximately 15 different webinars to walk everyone through the process. Now, it’s accomplished in one easy-to-understand mass communication through the Riskonnect portal.
The end users even helped Waters and the Avery Dennison team add efficiencies that improve the entire process. On the property reporting side, they suggested adding an attachment tool for adding spreadsheets – so the information is easy to find the following year.
“It’s amazing when you give the end users a product and you see how they come back to you with advice that you never even thought of,” said Waters. “That speaks volumes for the system.”
In just 18 months, Riskonnect changed the way Avery Dennison does business — something Waters can’t hide his enthusiasm about.
“I don’t consider them just a vendor,” said Waters. “I consider them a long-term strategic partner.”