Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Jill Heald is a woman that loves to focus and hates distractions.
Heald paid close attention when an earthquake struck Japan in 2011 and a typhoon flooded Thailand that same year.
The press and the trade press laid out the gory details. Major companies; auto manufacturers, electronics companies and telecommunications companies were hit with supply chain losses they did not see coming. And the losses were big.
As the risk manager for Auto-Spire, an electronics manufacturer that makes integrated circuits used in the automotive industry, the Thailand and Japan losses made a deep impression on Heald. She vowed to herself that that sort of thing would never happen to her company.
Post-2011, shifts in Auto-Spire’s procurement process resulted in the company sourcing semi-conductors from an up and coming Malaysian manufacturer. Looking ahead to 2016, Heald in mid-2015 began thinking about and seeking approval for an ambitious contingent time element coverage insurance package.
“How big are we talking?” her broker asked her when she first sketched her plan in a phone call.
“Based on a brief meeting I had with Auto-Spire procurement folks, I believe a $25 million program should be sufficient, given the redundancy of our supply chain,” Heald told her broker.
“Well, we’re not going to get it all in one place,” the broker said. “Let me make some calls,” he said.
“How about we set up some face-to-face meetings with some of the underwriters?” Heald said.
“No need,” the broker said. “This is what you’re paying me for,” he said.
Unease gnawed at Heald after she hung up with the broker. It would make her feel a lot better to meet with the underwriters and some of their claims teams.
But the broker was who he was. Nobody had his contacts and he was a wizard with carrier relationships, or so everybody said.
Two days later the broker called her back.
“Okay I’ve got some ideas but we’ve got some work to do,” the broker said.
The nut was this: The CTE program that Heald was envisioning was going to require the participation of two, maybe three carriers. The way the broker presented the story, he’d been burning the midnight oil to connect with underwriters in the U.S. and Bermuda.
“So let me see if I’ve got this straight,” Heald said.
“We’ve got one U.S. carrier on the primary layer at $15 million.”
“Correct,” the broker said.
“And two carriers in the second layer at $5 million a pop. Both based in Bermuda,” Heald said.
“Again, correct,” the broker said.
They both agreed the premium prices were historically very good. The location of the semi-conductor maker was not a high flood risk. And the soft property market was another blessing.
Heald and her broker bound the coverage before Thanksgiving for the year 2016.
In April of 2016, Typhoon Lumba-Lumba, Malaysian for dolphin, strikes Malaysia as a CAT 4.
The morning after the typhoon strikes, Heald is online and on the phone trying to determine if the city where the Auto-Spire semi-conductor supplier is located was heavily damaged in the storm.
The good news is that it did not appear to be. The bad news comes within days when deliveries of semi-conductors from Malaysia to Auto-Spire’s U.S. factories slow to a crawl.
“Do we know what’s going on?” Heald said to an Auto-Spire executive in procurement at the end of the week.
“The communication there is horrible Jill,” the procurement executive said. “I wish I could tell you more, but right now I have next to nothing.”
“How could you have next to nothing?” Heald said to no one after she hung up with procurement. “It’s your job.”
Using her broker’s more robust international contacts, Heald pushes hard and gets some information. It’s just that the information she gets is not comforting.
The information is sketchy but it appears that several suppliers to the semi-conductor maker were knocked out by the typhoon.
Facing millions in lost sales, Heald and her broker file a claim on their CTE coverage for $20 million.
Heald is immediately descended upon by underwriters for the three carriers. The underwriters are demanding answers to a number of questions.
“We see there is no claims handling agreement associated with this program. Who’s the adjuster of record?” an underwriter for the U.S.-based carrier on the primary layer asked Heald.
“Adjuster of record? I’ve never heard of the phrase,” Jill Heald said.
With no claims handling agreement in place between Auto-Spire and the carriers on the CTE program, Heald spends weeks responding to the various carriers’ document requests.
Three weeks after the storm struck, Heald’s broker calls her with his version of good news.
“Hey, I talked to Ajax Ltd., they’re going to cut you a check for $1 million as an advance while these CTE claims get sorted out,” the broker said.
With semi-conductor shipments from Malaysia at a trickle, Heald takes little solace in this.
“Really? I guess I’ll take it,” Heald says. But the truth is that she’s worn down to a nub in all the back and forth between the carriers.
The lack of a claims handling agreement has translated into weeks of delays in getting claims information filed and adjusted. Each carrier has a different process for adjusting the claim.
All three carriers use the services of outside forensic accountants. Unfortunately, each carrier uses a different accounting firm.
There are also different terms and conditions between the different policies. Whether there could be coverage gaps created by those differing terms and conditions is an ongoing source of stress for Heald.
“There’s got to be a better way to do this,” she told her broker on the phone one day. “We should have had transparency into this ahead of time.”
“Look Jill, I’ve been doing this a long time,” the broker said.
“I don’t care how long you’ve been doing it. You and I could have done it better,” Heald shot back.
And one million is looking like a drop in the bucket next to lost sales to the automakers that are starting to reach into the tens of millions.
It’s now six weeks after the storm hit and the Malaysian supplier is still not fully back up to speed.
A Hellish Grind
The typhoon that struck Malaysia and clipped Auto-Spire’s supply chain resulted in $45 million in lost sales.
Heald heaps the blame on herself, even though this is an organizational failure. Heald was led to believe that $25 million of CTE was sufficient but Auto-Spire’s dependence on third party suppliers was increased due to the recent shift in its procurement process.
It wasn’t that the carriers on the program didn’t pay the claim, they eventually did. But the delays caused by the lack of a claims handling agreement created serious tension between Heald and the Auto-Spire C-suites. Not to mention cash flow problems on top of the lost sales due to the crimp in Auto-Spire’s supply chain.
“A promise to pay is a promise to pay…. in a timely manner,” her CFO thundered at her when she broke the news to him that due to delays in adjusting the Malaysia claims the carriers still hadn’t cut Auto-Spire checks.
“They are going to pay Jim, it’s just that the claims process got extended more than we would like,” Heald told him.
“It’s not the carriers’ fault,” she added.
“How do you mean?” he said.
“It’s my fault actually,” Heald said.
“I should have had a pre-loss claims handling agreement in place. That would have streamlined the process much more and given all parties a clearer picture of the claims handling process.
“But you didn’t do that,” the CFO said.
“No, I didn’t,” Heald said.
“What about your broker, shouldn’t he have put something like this in place?”
“I don’t want to blame him either. The fact is that we didn’t do it,” Heald said.
“So how much time do you think that cost us, in terms of getting paid,” the CFO said.
“Hard to say,” Heald said. “Six weeks minimum,” she added.
“Do you know what it costs to borrow $20 million for six weeks?” the CFO said.
“Not off of the top of my head,” Heald said.
“A lot,” the CFO said. “A lot.”
It is also clear to Heald that she needs to develop a better channel of communication with the procurement group so that she can be in a better position to procure adequate insurance for the needs created by Auto-Spire’s supply chain.
She thought she was doing the right thing in putting together a substantial CTE program. Now it all feels like a cruel joke.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
What to Do Before a Loss
In most cases, you’ll receive no warning before disaster strikes. If you experience a sizable loss, the loss itself may be your smallest issue. You might also be worried about injuries, deaths, lost market share, revenue stream, notifying shareholders or something else.
When a loss happens, it is similar to the start of a professional sports game. It is a culmination of all the practice leading up to the game, only the practice is the pre-loss planning. That’s why pre-loss planning is so important. Before a loss occurs, work with your broker and/or insurer(s) to develop a plan for loss management that is carefully tailored to meet your unique needs.
The following is a list of the key information your loss management plan should cover:
- procedures and guidelines for handling loss, including a clear delineation of who will report the loss to your insurance partner(s).
- a detailed list of names and contact information of members of your emergency response team
- key contacts at your subsidiaries and remote offices
- contingency arrangements with emergency services and critical suppliers
- tailored loss-handling and claims cooperation agreements with other program participants
- global coordination requirements
- assignment of emergency duties for local plant personnel, your corporate insurance department, your broker and others
- a designated liaison to work with the adjuster
Without pre-loss planning, there can be fear of the unknown. However, with pre-loss planning it can be reassuring to know that you just have to pick up the phone and make only one call when a loss occurs, know who is coming to your site and know how your insurer will respond.
Many emotions come with an actual loss. Pre-loss planning can provide you that much needed level of confidence when you need it most in your job.
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.
A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.
“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”
“I’m not authorized to give that out,” the national hospital system operator said.
“OK,” the hacker said and hung up before the operator could ask him why he was calling.
It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.
The hacker’s next call was to that office.
“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.
“Who may I say is calling please?” Duvall’s assistant said.
“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.
The ruse was working so far. The assistant got flustered.
“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.
“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.
“Give me the username and password now or face obstruction of justice charges!” the hacker said.
“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.
The flustered assistant then gave the phony FBI agent a super administrator password and username.
And SPOK was in the hen house.
Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.
At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.
Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.
There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, was causing him great concern.
“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.
The good news for Reed was that it appeared his job was safe.
The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.
The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.
“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”
In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.
In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not use a two-factor authorization system to gain access to the hospital’s IT system.
If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.
Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.
Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.
The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.
The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.
The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.
“The Atlas Health System network was breached back in July,” the examiner said.
“What?” was all Reed could say.
“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”
“You’ve got to be kidding me,” Reed said.
“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted,” the examiner said.
The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.
When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.
Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.
Pain. No Gain.
The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.
“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.
“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.
The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.
SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.
Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.
“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.
“Saw it,” was Reed’s only response.
A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.
The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.
Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.
Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.
In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.
Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.
Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.
Managing Construction’s True Risk Exposure
When it comes to the construction industry, the path to success is never easy.
After a long, deep recession of historic proportions, the sector is finally on the mend. But as opportunities to win new projects grow, experience shows that more contractors go out of business during a recovery than during a recession.
Skilled labor shortages, legal rulings in various states that push construction defects onto general liability policies, and New York state’s labor laws that assign full liability to project owners and contractors for falls from elevations that injure workers are just some of the established issues that are making it ever harder for firms to succeed.
And now, there are new emerging risks, such as the potential for more expensive capital, should the Federal Reserve increase its rates. This would tighten already stressed margins, perhaps making it harder for contractors and project owners to invest in safety and quality assurance, and raising the cost of treating injured workers.
Liberty Mutual’s Doug Cauti reviews the top three risks facing contractors and project owners.
“Our customers are very clear about the challenges they are facing in the market,” said Doug Cauti, the Boston-based chief underwriting officer for Liberty Mutual’s construction practice.
“Now more than ever, construction risk buyers – and the brokers who serve them – are leveraging our team’s deep expertise to find solutions for complicated risks. This goes way beyond what many consider the traditional role of an insurance carrier.”
Other leading risks facing contractors and project owners.
Given the current risk environment, firms that simply seek out the cheapest coverage could leave themselves exposed to these emerging risks. And that could result in them becoming just another failed statistic.
So what is the best way to approach your risk management program?
Understanding the Emerging Picture
Construction firms have been dealing with multiple challenges over the last several years. Now, several new emerging risks could further complicate the business.
After an extended period of historically low interest rates, the Federal Reserve is indicating that rates could rise in late 2015 or sometime in 2016. That would surely impact construction firms’ cost of capital.
“At the end of the day, an increased cost of capital is going to impact many construction firm’s margins, which are already thin,” Cauti said.
“The trickle-down effect is that less money may be available for other operational activities, including safety and quality programs. Firms may need to underbid and/or place low bids just to get jobs and keep the cash flow going,” Cauti said.
“Now more than ever, construction risk buyers – and the brokers who serve them – are leveraging our team’s deep expertise to find solutions for complicated risks.”
— Doug Cauti, Chief Underwriting Officer, Liberty Mutual National Insurance Specialty Construction
“Experience shows us that shortcuts in safety and quality often lead to more construction defect claims, general liability claims and workers’ compensation claims,” Cauti said.
Currently, the frequency of worker injuries is down on a national basis but the severity of injuries is on the rise. If those frequencies start creeping up due to less robust safety programs, the costs could grow fast.
And if this possible trend is not cause enough for concern, the growing costs associated with medical care should have the attention of all risk managers.
“Five years ago medical costs represented 56 percent of a claim,” said Jack Probolus, a Boston-based manager of construction risk financing programs for Liberty Mutual.
“By 2020, that medical cost will likely grow to 76 percent of an injured worker’s claim, according to industry experts,” Probolus said.
Rising interest rates and rising medical costs could form a perfect storm.
Focusing on the Total Cost of Risk
For risk managers, the approach they utilize to mitigate the myriad of existing and emerging risks is more important than ever. The ideal insurance partner will be one that can integrate claims management, quality assurance and loss control solutions to better manage the total cost of construction risk, and do it for the long term.
Liberty Mutual’s Doug Cauti reviews the partnership between buyers, brokers and insureds that helps better manage the total cost of insurance.
In the case of rising medical costs, that means using claims management tools and workflows that help eliminate the runaway expense of things such as duplicate billings, inappropriate prescriptions for powerful painkillers, and over-utilization of costly medical procedures.
“We’re committed to making sure that the client isn’t burdened in unnecessary costs, while working to ensure that injured employees return to productive lives in the best possible health,” Probolus said.
The right partner will also have the construction industry expertise and the willingness to work with a project owner or contractor from the very beginning of a project. That enables them to analyze risk on the front end and devise the best risk management program for the project or contractor, thereby protecting the policyholder’s vulnerable margins.
“We want to be there from the very beginning,” Liberty Mutual’s Cauti said.
“This isn’t merely a transaction with us,” he added. “It’s a partnership that extends for years, from binding coverage, through the life of the project and deeper as claims come in and are resolved over time,” he said.
In other words, it’s a relationship focused on value.
Today’s construction insurance market – with an abundance of capacity – can lead to new carriers entering the market and/or insurers seeking to gain market share by underpricing policies.
“We see it all the time,” Liberty Mutual’s Cauti said.
Where does this leave insureds? Frustrated at pricing instability, or by the need to find a new carrier. And wiser, having learned the wisdom of focusing on value, that is the ability to better control the total cost of risk.
“Premium is always important,” notes Liberty Mutual’s Cauti. “But smart buyers also understand the importance of value, the ability of an insurer to partner with a buyer and their broker to develop a custom blend of coverages and services that better protect a project’s or contractor’s bottom line and reputation. This is the approach our dedicated construction practice takes.
Why Liberty Mutual?
For more information on how Liberty Mutual Insurance can help assess your construction risk exposure, contact your broker or Doug Cauti at [email protected].
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.