Risk Insider: Eamonn Cunningham

Is Stand-Alone Drone Coverage Necessary?

By: | July 6, 2015 • 3 min read
Eamonn Cunningham is Chief Risk Officer for Scentre Group. He was chief risk officer of the Westfield Group, which was restructured in 2014, when he became CRO for Scentre. A member of the board of The Risk and Insurance Management Society Australasia Limited, he can be reached at [email protected]

You see an increasing amount of comment on the very topical subject of drone cover. Some skeptics might argue that there is an element of self-interest at play here on the part of those initiating or promoting the discussion on this subject.

However, let’s just assume that this is all driven by the very best of intentions with one purpose in mind, the common good, indeed a lofty ideal!

My real issue with this development is the concept of what I call the proliferation of insurance products. The example of the commentary around the so-called drone insurance cover, is a case in point.

If the pursuit of separate policies for everything new continues, the insurance industry runs the risk of been seen as simply the provider of narrowly defined risk capital commodities.

Why do we need to go through the time consuming and expensive process of developing this supposedly fit-for-purpose insurance product, when there can be equally effective options available at a far cheaper development cost?

If something falls from the sky and someone suffers a “loss” in the form of bodily injury and/or property damage, there are existing remedies available which invariably revolve around conventional insurance products.

Why should all of this not be available when the “something” just happens to be a drone? What makes this event so particularly special that the liability arising from it cannot be covered under existing insurance products, even if minor adaption of those solutions is required?

The real point here is to try to not make our current market risk-transfer mechanisms even more complex than they already are. The better practice might be to investigate, indeed stress-test current solutions wherever possible to see if they can be utilized as new risks arise, or existing ones evolve.

There are exceptions to this, those obvious examples when that new risk is so unique that conventional solutions will just not provide the comprehensive cover required, cyber risk being a case in point.

The real point here is to try to not make our current market risk-transfer mechanisms even more complex than they already are.

If the pursuit of separate policies for everything new continues, the insurance industry runs the risk of been seen as simply the provider of narrowly defined risk capital commodities.

We should, as an industry, take a good hard look at new risks and see whether the current insurance market solutions can (even with adaption) work. Let’s not pre-empt that process by hastily imposing exclusions on an existing product which only serve to increase the impetus to buy the new product.

Good risk management leadership in 2015 adds value to the organization it serves when its response to questions raised about risks associated with new ventures or opportunities is, “Why not?” as opposed to the traditional “NO.”

Surely carriers (in fact all participants in the insurance industry) should also adopt similar thinking. Why can’t the existing solutions be made to work?

This insight covered the prospect of drone insurance now coming our way. What next? Policies for risks arising from nano-technology, solar flares or even artificial intelligence?

Share this article:

Cyber Trolls

Cyber Trolls Menace Reputation and Revenue

You can't eliminate the cyber exposure. You can bolster business continuity and recovery plans.
By: | July 6, 2015 • 5 min read
CyberDragon_700x525

Cyber attacks aren’t always the immediately quantifiable attacks of old when hackers steal customer data, sites are harried by denial of service attacks and computer networks are compromised and hijacked.

A new breed of orchestrated campaigns dubbed “troll attacks” are now in the mix.

These attacks, which feature organized disinformation campaigns augmented by social media posts, create an atmosphere of chaos and economic disruption, and can have ripple effects on a company’s reputation and a downstream impact on revenue.

A recent New York Times story by Adrian Chen details one source for such attacks. A pro-Kremlin company called the Internet Research Agency in St. Petersburg, Russia, faked a story on Sept. 11, 2014, about a chemical plant explosion in St. Mary Parish, La., which is a center for numerous chemical companies.

When word of the bogus disaster spread, there was extensive concern online, enflamed by fictional eyewitness accounts on Twitter about the plant explosion and fire.

“If the Russians want to convince the Western world that something dreadful has happened, they could pretty much hoodwink the world.” — Simon Milner, broker, Miller Insurance

According to a whitepaper published in May 2015 by Hays Cos., cyber attacks were once mostly about individuals stealing money or data but now some attacks are about “brand terrorism” that can create an environment of chaos and economic disruption.

“Our clients have seen various types of malicious or mischievous activity, although not to the extent described in the New York Times article,” said Dave Wasson, cyber liability practice leader for Hays Cos., based in Chicago.

“The Internet has provided incredible transparency for sharing information on an anonymous basis and that can often be viewed as one of the best attributes of the Internet. But that transparency cuts both ways in that the Internet provides an equal transparency for sharing misinformation.”

Simon Milner, a broker with Miller Insurance in London, began working in the cyber space nearly 20 years ago and says troll attacks have relatively low frequency but are potentially damaging “blunt instruments.”

Former Soviet Republics — Russia, Estonia, and Latvia — are behind many of these orchestrated efforts, as detailed in the New York Times investigation, he said.

“If the Russians want to convince the Western world that something dreadful has happened, they could pretty much hoodwink the world.”

“I don’t necessarily believe that reputation and revenue can be fully distinguished,” added Wasson.

“Consumers will choose companies they trust and part of that trust is the company’s security. The math underlying reputational harm is very difficult to measure.

“For public companies, we have stock prices, although that certainly doesn’t make valuation easy. It’s still more difficult to measure the financial impact of a diminished reputation for a privately held, nonprofit, or government entity.”

So what insurance solutions should risk managers look for? That depends on the potential exposure, according to James Murtaugh, managing director for BDO Consulting, based in New York City.

Coverage for any kind of cyber attack might fall under a wide variety of policies, including business interruption, GL, property, E&O, D&O and EPLI, depending on how the event affected the company’s revenue and reputation.

He noted that cyber-specific coverages have a shorter waiting period but the loss can be more substantial in a shorter period of time.

“With cyber attacks, the numbers could be too big, in the billions of exposure,” he said.

“Every cyber loss is a very complicated event.”

There are also challenges when trying to explain to the C-suite how troll attacks might impact a company financially, said Murtaugh, who specializes in calculating maximum foreseeable losses from business interruption claims, particularly related to supply chains.

“With cyber attacks, the numbers could be too big, in the billions of exposure.” —  James Murtaugh, managing director, BDO Consulting

He advises risk managers to use enterprise risk management (ERM) language to treat reputation risk the same as any property peril, and to get away from the notion that this is all IT-related, because it is not.

“We’re seeing the turning point where people are still definitely uncomfortable about their exposure but understand they have to get more comfortable about it instead of keeping their heads in the sand,” said Michael Born, vice president of global technology and privacy practice for Lockton Cos., based in Kansas City, Mo.

“They need to get their arms around it, and have discussions about what are the exposures [and] what they can do about it. It’s becoming more of a discussion because of the [overall] discomfort about the topic of cyber risks.”

Whether such attacks could harm an individual company’s reputation enough to impact revenue is the open question.

For Born, naming the perils in a troll attack could consist of a media attack (either planted stories on real media or all-out fake media sites), bogus social media posts and fake websites.

“The [cyber] exposures that we’re talking about are changing so fast that it’s hard to keep up with them even when you’re in the business 24/7,” said Born, who advises companies to look for consulting firms that provide constant vigilance over online reputation and business intelligence.

“For a company not in the business of cyber security, it’s very, very difficult to keep up with all that stuff.”

“In event that there was an attack by a Russian-backed troll organization,” Milner said, “our products would pay for a PR consultancy to rehab the image of the policyholder and should there be a significant BI loss, that would also be covered.”

Finally, how can risk managers protect against such attacks, aside from insurance?

Wasson advises high-profile companies — those that are involved in critical infrastructure or have controversial political, religious or ideological stances or activities — to plan for malicious troll attacks as they would for any business continuity, disaster recovery or incident response.

“It doesn’t currently seem that an entity can materially change their exposure to this risk, so the two main things an entity can do are prepare their response plan and, onerous as it may be, treat all information assets as mission-critical,” he said.

“There are certain tools a company can use to check if they are being mentioned on the dark web, but it’s not a given that dark web chatter will precede such an event.”

Maura Ciccarelli is a long-time freelance writer. She can be reached at [email protected]
Share this article:

Sponsored: Lexington Insurance

Pathogens, Allergens and Globalization – Oh My!

Allergens and global supply chain increases risk to food manufacturers. But new analytical approaches help quantify potential contamination exposure.
By: | June 1, 2015 • 6 min read
Lex_BrandedContent

In 2014, a particular brand of cumin was used by dozens of food manufacturers to produce everything from spice mixes, hummus and bread crumbs to seasoned beef, poultry and pork products.

Yet, unbeknownst to these manufacturers, a potentially deadly contaminant was lurking…

Peanuts.

What followed was the largest allergy-related recall since the U.S. Food Allergen Labeling and Consumer Protection Act became law in 2006. Retailers pulled 600,000 pounds of meat off the market, as well as hundreds of other products. As of May 2015, reports of peanut contaminated cumin were still being posted by FDA.

Food manufacturing executives have long known that a product contamination event is a looming risk to their business. While pathogens remain a threat, the dramatic increase in food allergen recalls coupled with distant, global supply chains creates an even more unpredictable and perilous exposure.

Recently peanut, an allergen in cumin, has joined the increasing list of unlikely contaminants, taking its place among a growing list that includes melamine, mineral oil, Sudan red and others.

Lex_BrandedContent“I have seen bacterial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant.”

— Nicky Alexandru, global head of Crisis Management at AIG

“An event such as the cumin contamination has a domino effect in the supply chain,” said Nicky Alexandru, global head of Crisis Management at AIG, which was the first company to provide contaminated product coverage almost 30 years ago. “With an ingredient like the cumin being used in hundreds of products, the third party damages add up quickly and may bankrupt the supplier. This leaves manufacturers with no ability to recoup their losses.”

“The result is that a single contaminated ingredient may cause damage on a global scale,” added Robert Nevin, vice president at Lexington Insurance Company, an AIG company.

Quality and food safety professionals are able to drive product safety in their own manufacturing operations utilizing processes like kill steps and foreign material detection. But such measures are ineffective against an unexpected contaminant. “Food and beverage manufacturers are constantly challenged to anticipate and foresee unlikely sources of potential contamination leading to product recall,” said Alexandru. “They understandably have more control over their own manufacturing environment but can’t always predict a distant supply chain failure.”

And while companies of various sizes are impacted by a contamination, small to medium size manufacturers are at particular risk. With less of a capital cushion, many of these companies could be forced out of business.

Historically, manufacturing executives were hindered in their risk mitigation efforts by a perceived inability to quantify the exposure. After all, one can’t manage what one can’t measure. But AIG has developed a new approach to calculate the monetary exposure for the individual analysis of the three major elements of a product contamination event: product recall and replacement, restoring a safe manufacturing environment and loss of market. With this more precise cost calculation in hand, risk managers and brokers can pursue more successful risk mitigation and management strategies.


Product Recall and Replacement

Lex_BrandedContentWhether the contamination is a microorganism or an allergen, the immediate steps are always the same. The affected products are identified, recalled and destroyed. New product has to be manufactured and shipped to fill the void created by the recall.

The recall and replacement element can be estimated using company data or models, such as NOVI. Most companies can estimate the maximum amount of product available in the stream of commerce at any point in time. NOVI, a free online tool provided by AIG, estimates the recall exposures associated with a contamination event.


Restore a Safe Manufacturing Environment

Once the recall is underway, concurrent resources are focused on removing the contamination from the manufacturing process, and restarting production.

“Unfortunately, this phase often results in shell-shocked managers,” said Nevin. “Most contingency planning focuses on the costs associated with the recall but fail to adequately plan for cleanup and downtime.”

“The losses associated with this phase can be similar to a fire or other property loss that causes the operation to shut down. The consequential financial loss is the same whether the plant is shut down due to a fire or a pathogen contamination.” added Alexandru. “And then you have to factor in the clean-up costs.”

Lex_BrandedContentLocating the source of pathogen contamination can make disinfecting a plant after a contamination event more difficult. A single microorganism living in a pipe or in a crevice can create an ongoing contamination.

“I have seen microbial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant,” observed Alexandru.

Handling an allergen contamination can be more straightforward because it may be restricted to a single batch. That is, unless there is ingredient used across multiple batches and products that contains an unknown allergen, like peanut residual in cumin.

Supply chain investigation and testing associated with identifying a cross-contaminated ingredient is complicated, costly and time consuming. Again, the supplier can be rendered bankrupt leaving them unable to provide financial reimbursement to client manufacturers.

Lex_BrandedContent“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet. Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”

— Robert Nevin, vice president at Lexington Insurance, an AIG company


Loss of Market

Lex_BrandedContent

While the manufacturer is focused on recall and cleanup, the world of commerce continues without them. Customers shift to new suppliers or brands, often resulting in permanent damage to the manufacturer’s market share.

For manufacturers providing private label products to large retailers or grocers, the loss of a single client can be catastrophic.

“Often the customer will deem continuing the relationship as too risky and will switch to another supplier, or redistribute the business to existing suppliers” said Alexandru. “The manufacturer simply cannot find a replacement client; after all, there are a limited number of national retailers.”

On the consumer front, buyers may decide to switch brands based on the negative publicity or simply shift allegiance to another product. Given the competitiveness of the food business, it’s very difficult and costly to get consumers to come back.

“It’s a sad fact that by the time a manufacturer completes a recall, cleans up the plant and gets the product back on the shelf, some people may be hesitant to buy it.” said Nevin.

A complicating factor not always planned for by small and mid-sized companies, is publicity.

The recent incident surrounding a serious ice cream contamination forced both regulatory agencies and the manufacturer to be aggressive in remedial actions. The details of this incident and other contamination events were swiftly and highly publicized. This can be as damaging as the contamination itself and may exacerbate any or all of the three elements discussed above.


Estimating the Financial Risk May Save Your Company

“In our experience, most companies retain product contamination losses within their own balance sheet.” Nevin said. “But in reality, they rarely do a thorough evaluation of the financial risk and sometimes the company simply cannot absorb the financial consequences of a contamination. Potential for loss is much greater when factoring in all three components of a contamination event.”

This brief video provides a concise overview of the three elements of the product contamination event and the NOVI tool and benefits:

Lex_BrandedContent

“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet,” he said. “Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”

SponsoredContent
BrandStudioLogo
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Lexington Insurance. The editorial staff of Risk & Insurance had no role in its preparation.




Lexington Insurance Company, an AIG Company, is the leading U.S.-based surplus lines insurer.
Share this article: