Buying Cyber – Consider Carefully
The threat arising from cyber security is real. If it is not already, I suspect this threat will shortly be one of the most significant risks that companies face.
Given its significance, the cyber threat needs a comprehensive integrated response with risk transfer being just one element.
As a risk manager I cringed when I heard another risk manager declare at a RIMS annual conference session, “Yep, I bought cyber risk insurance last year. I did so because everybody else is doing it and also because my director thought it was a good idea. To be honest, I must admit that I am not really sure exactly what I bought.”
That risk manager may have done the right thing but definitely for the wrong reasons.
When you purchase an insurance product you are, as we all know, actually engaged in the practice, or should I say, sometimes the art form of transferring risk to the marketplace. This seems pretty clear, or is it? You should only engage in the practice of risk transfer after you have:
1. Carried out a thorough investigation of your business in order to identify all relevant original or “raw” risk(s).
2. Identified the controls that exist within your business to mitigate the risks identified. In doing so, you also need to assess the effectiveness of the controls in place to treat the identified risks.
3. Considered what other new or augmented existing controls could be established to deal with the risks on a cost effective basis.
4. Assessed the residual risks arising after applying steps 1 – 3 above and determined whether they are within your risk appetite or not.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products. Cyber risk insurance is one such product that has been flavor of the month for quite some time.
The social/peer pressure to buy “cyber” is unrelenting. It is egged on by the myriad of studies that state, for example, that x percent of entities now buy cyber insurance and that this will grow to y percent within 12 months.
Do you want to be the brave insurance manager who bucks this trend? I am not suggesting that you be that person; what I do suggest is that you go about the process of evaluating whether or not this risk in your company needs to be insured against in a very disciplined, dispassionate manner.
The advantage of adopting the above is that you will end up with:
1) A very detailed description of the risks you face.
2) A comprehensive assessment of your suite of controls.
3) Absolute clarity as to which element of your risk you will seek to transfer to the insurance marketplace, so that if you do buy, you will end up with a product that precisely fits your needs.
When you make that decision to buy cyber you will feel better as a risk management professional for having done so after following the above.
Will the New European Data Protection Reform Affect Us?
The European Commission voted in March 2014 to strengthen the privacy rights promised by the European Union’s 1995 Data Protection Directive. The reform will change the law from a Directive to a Regulation, meaning it will be directly applicable in all of Europe without the need to wait for national implementing legislation.
The regulation will apply to any personal data handled abroad by companies that are working with the European Union (EU) market and/or offer their services to EU citizens. That means companies need to be aware of this new update, as well as the risk of non-compliance and harsher penalties potentially imposed under law.
U.S. companies that conduct business in Europe need to ensure that they have a legitimate reason for transferring personal information within or outside of the EU. Personal information is any data concerning a person’s private, professional or public life. It may be a name, a photo, an email address, bank details, posts on social networks, medical information or even a computer’s IP address.
Assuming your company has a legitimate basis for processing and using personal data, the EU Data Protection Reform regulation sets out three avenues to make your data transfers legal:
- Certify compliance through the U.S. Department of Commerce Safe Harbor registration. The European Union still recognizes that Safe Harbor registration is compliant with the EU law. For more information, consult: http://www.export.gov/safeharbor/
- Have appropriate safeguards in place to protect personal data within your company, including for example binding corporate rules approved by EU data protection authorities.
- Complete data transfers in clearly defined, specific situations which necessitate the transfer; for example, as part of a legal, tax or competition investigation.
To comply, companies will need to show that their data processing is legitimate, and that they consistently monitor, review and assess the data processing procedures in place. The aim is to minimize the retention of data and build in safeguards for processing activities.
Company leaders should ask themselves these questions:
- What information is to be collected and where?
- Why is the information being collected?
- What is the intended use of the information?
- With whom will the information be shared? Is it shared with Europe?
- Is there an IT system collecting information that affects people’s data in Europe?
- How will the information be secured? What security controls or auditing processes exist?
- Do individuals in the EU have an opportunity to decline to provide information or give consent?
And if that is not scary enough, penalties under the reform for data protection violations will rise significantly depending on the seriousness of the offense, whether it is a repeat offense, whether it is intentional, and whether the violator is a company whose primary activity is data processing. Sanctions may involve:
- A simple warning for a first non-intentional offense when only engaging in processing as an ancillary activity.
- Regular data protection audits.
- A fine of 5 percent of annual worldwide turnover for certain serious acts committed intentionally or negligently.
Global Program Premium Allocation: Why It Matters More Than You Think
Ten years after starting her medium-sized Greek yogurt manufacturing and distribution business in Chicago, Nancy is looking to open new facilities in Frankfurt, Germany, and Seoul, South Korea. She has determined the company needs to have separate insurance policies for each location. Enter “premium allocation,” the process through which insurance premiums, fees and other charges are properly allocated among participants and geographies.
Experts say that the ideal premium allocation strategy is about balance. On one hand, it needs to appropriately reflect the risk being insured. On the other, it must satisfy the client’s objectives, as well as those of regulators, local subsidiaries, insurers and brokers. Ensuring that premium allocation is done appropriately and on a timely basis can make a multinational program run much more smoothly for everyone.
At first blush, premium allocation for a global insurance program is hardly buzzworthy. But as with our expanding hypothetical company, accurate, equitable premium allocation is a critical starting point. All parties have a vested interest in seeing that the allocation is done correctly and efficiently.
Basic goals of key players include:
- Buyer – corporate office: Wants to ensure that the organization is adequately covered while engineering an optimal financial structure. The optimized structure is dependent on balancing local regulatory, tax and market conditions while providing for the appropriate premium to cover the risk.
- Buyer – local offices: Needs to have justification that the internal allocations of the premium expense fairly represent the local office’s risk exposure.
- Broker: The resources that are assigned to manage the program in a local country need to be appropriately compensated. Their compensation is often determined by the premium allocated to their country. A premium allocation that does not effectively correlate to the needs of the local office has the potential to under- or over-compensate these resources.
- Insurer: Needs to satisfy regulators that oversee the insurer’s local insurance operations that the premiums are fair, reasonable and commensurate with the risks being covered.
According to Marty Scherzer, President of Global Risk Solutions at AIG, as globalization continues to drive U.S. companies of varying sizes to expand their markets beyond domestic borders, premium allocation “needs to be done appropriately and timely; delay or get it wrong and it could prove costly.”
“This rather prosaic topic affects everyone … brokers, clients and carriers,” Scherzer says. “Many risk managers with global experience understand how critical it is to get the premium allocation right. But for those new to foreign markets, they may not understand the intricacies of why it matters.”
There are four critical challenges that need to be balanced if an allocation is to satisfy all parties, he says:
Across the globe, tax rates for insurance premiums vary widely. While a company will want to structure allocations to attain its financial objectives, the methodology employed needs to be reasonable and appropriate in the eyes of the carrier, broker, insured and regulator. Similarly, and in conjunction with tax and transfer pricing considerations, companies need to make sure that their premiums properly reflect the risk in each country. Even companies with the best intentions to allocate premiums appropriately are facing greater scrutiny. To properly address this issue, Scherzer recommends that companies maintain a well-documented and justifiable rationale for their premium allocation in the event of a regulatory inquiry.
Insurance regulators worldwide seek to ensure that the carriers in their countries have both the capital and the ability to pay losses. Accordingly, they don’t want a premium being allocated to their country to be too low relative to the corresponding level of risk.
Without accurate data, premium allocation can be difficult, at best. Choosing to allocate premium based on sales in a given country or in a given time period, for example, can work. But if you don’t have that data for every subsidiary in a given country, the allocation will not be accurate. The key to appropriately allocating premium is to gather the required data well in advance of the program’s inception and scrub it for accuracy.
When creating an optimal multinational insurance program, premium allocation needs to be done quickly, but accurately. Without careful attention and planning, the process can easily become derailed.
Scherzer compares it to getting a little bit off course at the beginning of a long journey. A small deviation at the outset will have a magnified effect later on, landing you even farther away from your intended destination.
Figuring it all out
AIG has created the award-winning Multinational Program Design Tool to help companies decide whether (and where) to place local policies. The tool uses information covering more than 200 countries, and provides results after the user answers a few basic questions.
This interactive tool — iPad and PC-ready — requires just 10-15 minutes to complete in one of four languages (English, Spanish, Chinese and Japanese). The tool evaluates user feedback on exposures, geographies, risk sensitivities, preferences and needs against AIG’s knowledge of local regulatory, business and market factors and trends to produce a detailed report that can be used in the next level of discussion with brokers and AIG on a global insurance strategy, including premium allocation.
“The hope is that decision-makers partner with their broker and carrier to get premium allocation done early, accurately and right the first time,” Scherzer says.
For more information about AIG and its award-winning application, visit aig.com/multinational.