Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Jill Heald is a woman who loves to focus and hates distractions.
Heald paid close attention when an earthquake struck Japan in 2011 and a typhoon flooded Thailand that same year.
The press and the trade press laid out the gory details. Major companies (auto manufacturers, electronics companies and telecommunications companies) were hit with supply chain losses they did not see coming. And the losses were big.
As the risk manager for Auto-Spire, an electronics manufacturer that makes integrated circuits used in the automotive industry, the Thailand and Japan losses made a deep impression on Heald. She vowed to herself that that sort of thing would never happen to her company.
Post-2011, shifts in Auto-Spire’s procurement process resulted in the company sourcing semi-conductors from an up-and-coming Malaysian manufacturer. In mid-2015, looking ahead to 2016, Heald began thinking about and seeking approval for an ambitious contingent time element coverage insurance package.
“How big are we talking?” her broker asked her when she first sketched her plan in a phone call.
“Based on a brief meeting I had with Auto-Spire procurement folks, I believe a $25 million program should be sufficient, given the redundancy of our supply chain,” Heald told her broker.
“Well, we’re not going to get it all in one place,” the broker said. “Let me make some calls,” he said.
“How about we set up some face-to-face meetings with some of the underwriters?” Heald said.
“No need,” the broker said. “This is what you’re paying me for,” he said.
Unease gnawed at Heald after she hung up with the broker. It would make her feel a lot better to meet with the underwriters and some of their claims teams.
But the broker was who he was. Nobody had his contacts and he was a wizard with carrier relationships, or so everybody said.
Two days later the broker called her back.
“Okay I’ve got some ideas but we’ve got some work to do,” the broker said.
The nut was this: The CTE program that Heald was envisioning was going to require the participation of two, maybe three carriers. The way the broker presented the story, he’d been burning the midnight oil to connect with underwriters in the U.S. and Bermuda.
“So let me see if I’ve got this straight,” Heald said.
“We’ve got one U.S. carrier on the primary layer at $15 million.”
“Correct,” the broker said.
“And two carriers in the second layer at $5 million a pop. Both based in Bermuda,” Heald said.
“Again, correct,” the broker said.
They both agreed the premium prices were historically very good. The location of the semi-conductor maker was not a high flood risk. And the soft property market was another blessing.
Heald and her broker bound the coverage before Thanksgiving for the year 2016.
In April of 2016, Typhoon Lumba-Lumba, Malaysian for dolphin, strikes Malaysia as a CAT 4.
The morning after the typhoon strikes, Heald is online and on the phone trying to determine if the city where the Auto-Spire semi-conductor supplier is located was heavily damaged in the storm.
The good news is that it did not appear to be. The bad news comes within days when deliveries of semi-conductors from Malaysia to Auto-Spire’s U.S. factories slow to a crawl.
“Do we know what’s going on?” Heald said to an Auto-Spire executive in procurement at the end of the week.
“The communication there is horrible, Jill,” the procurement executive said. “I wish I could tell you more, but right now I have next to nothing.”
“How could you have next to nothing?” Heald said to no one after she hung up with procurement. “It’s your job.”
Using her broker’s more robust international contacts, Heald pushes hard and gets some information. It’s just that the information she gets is not comforting.
The information is sketchy but it appears that several suppliers to the semi-conductor maker were knocked out by the typhoon.
Facing millions in lost sales, Heald and her broker file a claim on their CTE coverage for $20 million.
Heald is immediately descended upon by underwriters for the three carriers. The underwriters are demanding answers to a number of questions.
“We see there is no claims handling agreement associated with this program. Who’s the adjuster of record?” an underwriter for the U.S.-based carrier on the primary layer asked Heald.
“Adjuster of record? I’ve never heard of the phrase,” Jill Heald said.
With no claims handling agreement in place between Auto-Spire and the carriers on the CTE program, Heald spends weeks responding to the various carriers’ document requests.
Three weeks after the storm struck, Heald’s broker calls her with his version of good news.
“Hey, I talked to Ajax Ltd., they’re going to cut you a check for $1 million as an advance while these CTE claims get sorted out,” the broker said.
With semi-conductor shipments from Malaysia at a trickle, Heald takes little solace in this.
“Really? I guess I’ll take it,” Heald says. But the truth is that she’s worn down to a nub in all the back and forth between the carriers.
The lack of a claims handling agreement has translated into weeks of delays in getting claims information filed and adjusted. Each carrier has a different process for adjusting the claim.
All three carriers use the services of outside forensic accountants. Unfortunately, each carrier uses a different accounting firm.
There are also different terms and conditions between the different policies. Whether there could be coverage gaps created by those differing terms and conditions is an ongoing source of stress for Heald.
“There’s got to be a better way to do this,” she told her broker on the phone one day. “We should have had transparency into this ahead of time.”
“Look Jill, I’ve been doing this a long time,” the broker said.
“I don’t care how long you’ve been doing it. You and I could have done it better,” Heald shot back.
And one million is looking like a drop in the bucket next to lost sales to the automakers that are starting to reach into the tens of millions.
It’s now six weeks after the storm hit and the Malaysian supplier is still not fully back up to speed.
A Hellish Grind
The typhoon that struck Malaysia and clipped Auto-Spire’s supply chain resulted in $45 million in lost sales.
Heald heaps the blame on herself, even though this is an organizational failure. Heald was led to believe that $25 million of CTE was sufficient, but Auto-Spire’s dependence on third-party suppliers had increased because of the recent shift in its procurement process.
It wasn’t that the carriers on the program didn’t pay the claim; they eventually did. But the delays caused by the lack of a claims handling agreement created serious tension between Heald and the Auto-Spire C-suites. Not to mention cash flow problems on top of the lost sales due to the crimp in Auto-Spire’s supply chain.
“A promise to pay is a promise to pay…. in a timely manner,” her CFO thundered at her when she broke the news to him that due to delays in adjusting the Malaysia claims the carriers still hadn’t cut Auto-Spire checks.
“They are going to pay Jim, it’s just that the claims process got extended more than we would like,” Heald told him.
“It’s not the carriers’ fault,” she added.
“How do you mean?” he said.
“It’s my fault actually,” Heald said.
“I should have had a pre-loss claims handling agreement in place. That would have streamlined the process much more and given all parties a clearer picture of the claims handling process.”
“But you didn’t do that,” the CFO said.
“No, I didn’t,” Heald said.
“What about your broker, shouldn’t he have put something like this in place?”
“I don’t want to blame him either. The fact is that we didn’t do it,” Heald said.
“So how much time do you think that cost us, in terms of getting paid?” the CFO said.
“Hard to say,” Heald said. “Six weeks minimum,” she added.
“Do you know what it costs to borrow $20 million for six weeks?” the CFO said.
“Not off of the top of my head,” Heald said.
“A lot,” the CFO said. “A lot.”
It is also clear to Heald that she needs to develop a better channel of communication with the procurement group so that she can be in a better position to procure adequate insurance for the needs created by Auto-Spire’s supply chain.
She thought she was doing the right thing in putting together a substantial CTE program. Now it all feels like a cruel joke.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
What to Do Before a Loss
In most cases, you’ll receive no warning before disaster strikes. If you experience a sizable loss, the loss itself may be your smallest issue. You might also be worried about injuries, deaths, lost market share, revenue stream, notifying shareholders or something else.
When a loss happens, it is similar to the start of a professional sports game. It is a culmination of all the practice leading up to the game, only the practice is the pre-loss planning. That’s why pre-loss planning is so important. Before a loss occurs, work with your broker and/or insurer(s) to develop a plan for loss management that is carefully tailored to meet your unique needs.
The following is a list of the key information your loss management plan should cover:
- procedures and guidelines for handling loss, including a clear delineation of who will report the loss to your insurance partner(s)
- a detailed list of names and contact information of members of your emergency response team
- key contacts at your subsidiaries and remote offices
- contingency arrangements with emergency services and critical suppliers
- tailored loss-handling and claims cooperation agreements with other program participants
- global coordination requirements
- assignment of emergency duties for local plant personnel, your corporate insurance department, your broker and others
- a designated liaison to work with the adjuster
Without pre-loss planning, there can be fear of the unknown. However, with pre-loss planning it can be reassuring to know that you just have to pick up the phone and make only one call when a loss occurs, know who is coming to your site and know how your insurer will respond.
Many emotions come with an actual loss. Pre-loss planning can provide you that much needed level of confidence when you need it most in your job.
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.
A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.
“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”
“I’m not authorized to give that out,” the national hospital system operator said.
“OK,” the hacker said and hung up before the operator could ask him why he was calling.
It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.
The hacker’s next call was to that office.
“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.
“Who may I say is calling please?” Duvall’s assistant said.
“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.
The ruse was working so far. The assistant got flustered.
“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.
“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.
“Give me the username and password now or face obstruction of justice charges!” the hacker said.
“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.
The flustered assistant then gave the phony FBI agent a super administrator password and username.
And SPOK was in the hen house.
Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.
At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.
Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.
There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, were causing him great concern.
“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.
The good news for Reed was that it appeared his job was safe.
The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.
The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.
“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”
In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.
In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not require two-factor authentication for access to the hospital’s IT system.
If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.
Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.
Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.
The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.
The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.
The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.
“The Atlas Health System network was breached back in July,” the examiner said.
“What?” was all Reed could say.
“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”
“You’ve got to be kidding me,” Reed said.
“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted,” the examiner said.
The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.
When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.
Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.
Pain. No Gain.
The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.
“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.
“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.
The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.
SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.
Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.
“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.
“Saw it,” was Reed’s only response.
A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.
The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.
Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.
Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.
In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.
Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.
Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.
7 Questions to Answer before Choosing a Captive Insurance Domicile
Risk managers: Do your due diligence!
It seems as if every state in America, as well as many offshore locations, believes that they can pass captive legislation and declare, “We are open for business!”
In fact, nearly 40 states and dozens of offshore locations have enabling captive insurance legislation to do just that.
With so many choices, how do you decide who is experienced enough to support the myriad of fiscal and regulatory requirements needed to ensure the long-term success of your captive insurance company?
“There are certainly a lot of choices,” said Mike Meehan, a consultant with Milliman, an actuarial firm based out of Boston, Massachusetts, “but not all domiciles are created equal.”
Among the crowd, there are several long-standing domiciles that offer the legislative, regulatory and infrastructure support that makes captive ownership not only a successful risk management tool but also an efficient entity to manage and operate.
Selecting a domicile depends on many factors, but answering these seven questions will help focus your selection process on the domiciles that best fit your needs.
1. Is the domicile stable, proven and committed to the industry for the long term?
The more economic impact that the captive industry has on the domicile, the more likely it is that captives will receive ongoing regulatory and legislative support. The insurance industry moves very quickly and a domicile needs to be constantly adapting to stay up to date. How long has the domicile been operating and have they been consistent in their activity over the long term?
The number of active captive licenses, amount of gross premium written in a domicile and the tax revenue and fees collected can indicate how important the industry is to the jurisdiction’s bottom line. The strength of the infrastructure and the number of jobs created by the captive industry are also very relevant to a domicile’s commitment.
“It needs to be a win-win situation between the captives and the jurisdiction because if not, the domicile is often not committed for the long term,” said Dan Kusalia, Partner with Crowe Horwath LLP focused on insurance company tax.
Vermont, for example, has been licensing captives since 1981 and had 589 active captives at the end of 2015, making it the largest domestic domicile and third largest in the world. Its captive insurance companies wrote over $25 billion in gross written premiums. The Vermont State Legislature actively supports an industry that creates significant tax revenue, jobs and tourist activity.
2. Are the domicile’s captives made up of your peer group?
The demographics of a domicile’s captive companies also indicate how well-suited the location may be for a business in a particular industry sector. Making sure that the jurisdiction has experience in the type and form of captive you are looking to establish is critical.
“Be among your peer group. Look around and ask, ‘Who else is like me?’” said Meehan. “Does the jurisdiction have experience licensing and regulating the lines of coverage for other businesses in your industry sector?”
3. Are the regulators experienced and consistent?
It takes captive-specific expertise and broad experience to be an effective regulator.
A domicile with a stable and long-term, top-tier regulator is able to create a regulatory environment that is consistent and predictable. Simply put, quality regulation and longevity matter a lot.
“If domicile regulators are inexperienced, turnaround time will be slower with more hurdles. More experience means it is much easier operating your business, especially as your captive grows over time,” said Kusalia.
For example, over the past 35 years, only three leaders have helmed Vermont’s captive regulatory team. Current Deputy Commissioner David Provost is one of the longest tenured chief regulators and is a 25-year veteran in the captive insurance industry. That experienced and consistent leadership enables the domicile to not only attract quality companies, but also to provide expert guidance on the formation process and keep the daily operations running smoothly.
4. Are there world-class support services available to help manage your captive?
The quality of advisors and managers available to assist you will have a large impact on the success of your captive as well as the ease of managing the ongoing operations.
“Most companies don’t have the expertise to operate an insurance company when you form a captive, so you need to help build them a team,” said Jeffrey Kenneson, a Senior Vice President with R&Q Quest Management Services Limited.
Vermont boasts arguably the most stable and experienced captive infrastructure in the world. Many of the leading captive management companies have their headquarters for their Global, North America and U.S. operations based in Vermont. Experienced options for captive managers, accountants, auditors, actuaries, bankers, lawyers, and investment professionals are abundant in Vermont.
5. Can the domicile both efficiently license and provide on-going support to your captive as it grows to cover new lines of coverage and risks?
Licensing a new captive is just the beginning. Find out how long it takes for the application to get approved and how long it takes for an approval of a plan change of your captive’s operations.
A company’s risks will inevitably change over time. The captive will need to make plan changes which can include adding new lines of business. The speed with which your domicile’s regulatory branch reviews and approves these plan changes can make a critical difference in your captive’s growth and success.
The size of a captive division’s staff plays a big role in its speed and efficiency. Complex feasibility studies and actuarial analyses required for an application can take a lot of expertise and resources. A larger regulatory team will handle those examinations more efficiently. A 35-person staff like Vermont’s, for example, typically licenses a completed application within 30 days and reviews plan changes in a matter of days.
6. What are the real costs to establishing and managing your captive?
It is important to factor in travel costs, the local costs of service providers, operating fees, and examination fees. Some states that do not impose a premium tax make up for it in high exam fees, which captives must be prepared for. Though Vermont does charge a premium tax, its examination fees are considered some of the least expensive options in the marketplace.
It is also important to consider the ease and professionalism of doing business with a domicile in the ongoing operations of your captive insurance company.
“The cost of doing business in a domicile goes far beyond simply the fixed cost required. If you can’t efficiently operate due to slow turn-around time or added obstacles, chances are you have made the wrong choice,” said Kenneson.
7. What is the domicile’s reputation?
Make sure to ask around and see what industry experts with experience in multiple domiciles have to say about the jurisdiction. Make sure the domicile isn’t known for only licensing certain types of captives that don’t fit your profile. Will it matter to your board of directors if your local newspaper decides to print a story announcing your new insurance subsidiary licensed in some far away location?
Are companies leaving the jurisdiction in high numbers and if so, why? Is the domicile actively licensing redomestications — when an existing captive moves from one domicile to another? This type of movement can often be a positive indicator to trends in a domicile. If companies of a particular size or sector are consistently moving to one state, it may indicate that the domicile has expertise particularly suited to that sector.
Redomestications made up 11 of the 33 new captives in Vermont in 2015. This trend is a positive one as it speaks to the strength of Vermont. It reinforces why Vermont is known throughout the world as the ‘Gold Standard’ of domiciles.
Asking the right questions and choosing a domicile that meets your needs both today and for the long term is vital to your overall success. As a risk manager you do not want surprises or headaches because you did not ask the right questions. Do the due diligence today so that you can ensure your peace of mind by choosing the right domicile to meet your needs.
For more information about the State of Vermont’s Captive Insurance, visit their website: VermontCaptive.com.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with the State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.