Risk Scenario


Lack of pre-loss planning leaves a manufacturer and its supply chain vulnerable in the face of disaster.
November 2, 2015 • 9 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical yet realistic stories showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Big Waters

Jill Heald is a woman who loves to focus and hates distractions.


Heald paid close attention when an earthquake struck Japan in 2011 and a typhoon flooded Thailand that same year.

The press and the trade press laid out the gory details. Major companies (auto manufacturers, electronics companies and telecommunications companies) were hit with supply chain losses they did not see coming. And the losses were big.

As the risk manager for Auto-Spire, an electronics manufacturer that makes integrated circuits used in the automotive industry, the Thailand and Japan losses made a deep impression on Heald. She vowed to herself that that sort of thing would never happen to her company.

Post-2011, shifts in Auto-Spire’s procurement process resulted in the company sourcing semi-conductors from an up-and-coming Malaysian manufacturer. Looking ahead to 2016, Heald in mid-2015 began thinking about and seeking approval for an ambitious contingent time element coverage insurance package.

“How big are we talking?” her broker asked her when she first sketched her plan in a phone call.

“Based on a brief meeting I had with Auto-Spire procurement folks, I believe a $25 million program should be sufficient, given the redundancy of our supply chain,” Heald told her broker.



“Well, we’re not going to get it all in one place,” the broker said. “Let me make some calls.”

“How about we set up some face-to-face meetings with some of the underwriters?” Heald said.

“No need,” the broker said. “This is what you’re paying me for.”

Unease gnawed at Heald after she hung up with the broker. It would make her feel a lot better to meet with the underwriters and some of their claims teams.

But the broker was who he was. Nobody had his contacts and he was a wizard with carrier relationships, or so everybody said.

Two days later the broker called her back.

“Okay I’ve got some ideas but we’ve got some work to do,” the broker said.

The nut was this: The CTE program that Heald was envisioning was going to require the participation of two, maybe three carriers. The way the broker presented the story, he’d been burning the midnight oil to connect with underwriters in the U.S. and Bermuda.

“So let me see if I’ve got this straight,” Heald said.

“We’ve got one U.S. carrier on the primary layer at $15 million.”

“Correct,” the broker said.

“And two carriers in the second layer at $5 million a pop. Both based in Bermuda,” Heald said.

“Again, correct,” the broker said.

They both agreed the premium prices were historically very good. The location of the semi-conductor maker was not a high flood risk. And the soft property market was another blessing.

Heald and her broker bound the coverage before Thanksgiving for the year 2016.

In April of 2016, Typhoon Lumba-Lumba, Malaysian for dolphin, strikes Malaysia as a CAT 4.

Do you meet face to face with underwriters and members of their claims teams before binding coverage?



The morning after the typhoon strikes, Heald is online and on the phone trying to determine if the city where the Auto-Spire semi-conductor supplier is located was heavily damaged in the storm.


The good news is that it did not appear to be. The bad news comes within days when deliveries of semi-conductors from Malaysia to Auto-Spire’s U.S. factories slow to a crawl.

“Do we know what’s going on?” Heald said to an Auto-Spire executive in procurement at the end of the week.

“The communication there is horrible Jill,” the procurement executive said. “I wish I could tell you more, but right now I have next to nothing.”

“How could you have next to nothing?” Heald said to no one after she hung up with procurement. “It’s your job.”

Using her broker’s more robust international contacts, Heald pushes hard and gets some information. It’s just that the information she gets is not comforting.

The information is sketchy but it appears that several suppliers to the semi-conductor maker were knocked out by the typhoon.

Facing millions in lost sales, Heald and her broker file a claim on their CTE coverage for $20 million.

Heald is immediately descended upon by underwriters for the three carriers. The underwriters are demanding answers to a number of questions.

“We see there is no claims handling agreement associated with this program. Who’s the adjuster of record?” an underwriter for the U.S.-based carrier on the primary layer asked Heald.

“Adjuster of record? I’ve never heard of the phrase,” Jill Heald said.


With no claims handling agreement in place between Auto-Spire and the carriers on the CTE program, Heald spends weeks responding to the various carriers’ document requests.

Three weeks after the storm struck, Heald’s broker calls her with his version of good news.

“Hey, I talked to Ajax Ltd., they’re going to cut you a check for $1 million as an advance while these CTE claims get sorted out,” the broker said.

With semi-conductor shipments from Malaysia at a trickle, Heald takes little solace in this.

“Really? I guess I’ll take it,” Heald says. But the truth is that she’s worn down to a nub in all the back and forth between the carriers.

The lack of a claims handling agreement has translated into weeks of delays in getting claims information filed and adjusted. Each carrier has a different process for adjusting the claim.

All three carriers use the services of outside forensic accountants. Unfortunately, each carrier uses a different accounting firm.

There are also different terms and conditions between the different policies. Whether there could be coverage gaps created by those differing terms and conditions is an ongoing source of stress for Heald.

“There’s got to be a better way to do this,” she told her broker on the phone one day. “We should have had transparency into this ahead of time.”

“Look Jill, I’ve been doing this a long time,” the broker said.

“I don’t care how long you’ve been doing it. You and I could have done it better,” Heald shot back.

And one million is looking like a drop in the bucket next to lost sales to the automakers that are starting to reach into the tens of millions.

It’s now six weeks after the storm hit and the Malaysian supplier is still not fully back up to speed.

Do you make sure to establish a pre-loss claims handling agreement with the carriers on your program to minimize confusion and foster cooperation in the event of a loss?


A Hellish Grind

The typhoon that struck Malaysia and clipped Auto-Spire’s supply chain resulted in $45 million in lost sales.


Heald heaps the blame on herself, even though this is an organizational failure. Heald was led to believe that $25 million of CTE was sufficient, but Auto-Spire’s dependence on third-party suppliers had increased due to the recent shift in its procurement process.

It wasn’t that the carriers on the program didn’t pay the claim; they eventually did. But the delays caused by the lack of a claims handling agreement created serious tension between Heald and the Auto-Spire C-suites. Not to mention cash flow problems on top of the lost sales due to the crimp in Auto-Spire’s supply chain.

“A promise to pay is a promise to pay…. in a timely manner,” her CFO thundered at her when she broke the news to him that due to delays in adjusting the Malaysia claims the carriers still hadn’t cut Auto-Spire checks.

“They are going to pay Jim, it’s just that the claims process got extended more than we would like,” Heald told him.

“It’s not the carriers’ fault,” she added.

“How do you mean?” he said.

“It’s my fault actually,” Heald said.

“I should have had a pre-loss claims handling agreement in place. That would have streamlined the process much more and given all parties a clearer picture of the claims handling process.”

“But you didn’t do that,” the CFO said.

“No, I didn’t,” Heald said.

“What about your broker, shouldn’t he have put something like this in place?”

“I don’t want to blame him either. The fact is that we didn’t do it,” Heald said.

“So how much time do you think that cost us, in terms of getting paid?” the CFO said.

“Hard to say,” Heald said. “Six weeks minimum,” she added.

“Do you know what it costs to borrow $20 million for six weeks?” the CFO said.

“Not off of the top of my head,” Heald said.

“A lot,” the CFO said. “A lot.”

It is also clear to Heald that she needs to develop a better channel of communication with the procurement group so that she can be in a better position to procure adequate insurance for the needs created by Auto-Spire’s supply chain.

She thought she was doing the right thing in putting together a substantial CTE program. Now it all feels like a cruel joke.

In crafting contingent time element coverage, how confident are you that you have the necessary transparency into your supply chains to gauge any possible losses?


Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

What to Do Before a Loss

In most cases, you’ll receive no warning before disaster strikes. If you experience a sizable loss, the loss itself may be your smallest issue. You might also be worried about injuries, deaths, lost market share, revenue stream, notifying shareholders or something else.

When a loss happens, it is similar to the start of a professional sports game. It is a culmination of all the practice leading up to the game, only the practice is the pre-loss planning. That’s why pre-loss planning is so important. Before a loss occurs, work with your broker and/or insurer(s) to develop a plan for loss management that is carefully tailored to meet your unique needs.

The following is a list of the key information your loss management plan should cover:

  • procedures and guidelines for handling loss, including a clear delineation of who will report the loss to your insurance partner(s)
  • a detailed list of names and contact information of members of your emergency response team
  • key contacts at your subsidiaries and remote offices
  • contingency arrangements with emergency services and critical suppliers
  • tailored loss-handling and claims cooperation agreements with other program participants
  • global coordination requirements
  • assignment of emergency duties for local plant personnel, your corporate insurance department, your broker and others
  • a designated liaison to work with the adjuster

Without pre-loss planning, there can be fear of the unknown. However, with pre-loss planning it can be reassuring to know that you just have to pick up the phone and make only one call when a loss occurs, know who is coming to your site and know how your insurer will respond.

Many emotions come with an actual loss. Pre-loss planning can provide you that much needed level of confidence when you need it most in your job.


Dan Reynolds is editor-in-chief of Risk & Insurance.

Risk Scenario


A social engineering cyber attack results in a massive loss of medical records, a reputational hit and a merger gone bad.
October 20, 2015 • 7 min read

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.


A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.



“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Does your company have a two-factor authentication system in place to block unauthorized access to your IT system?


Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.


There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, were causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.


In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not require two-factor authentication for access to the hospital’s IT system.

If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted.”

The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Does your company have a cyber-breach incident response plan?


Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.


“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Are you comfortable that you have adequate insurance policies in place to cover not only the notification expenses but the legal and crisis response expenses that would stem from a cyber breach?



Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.

Dan Reynolds is editor-in-chief of Risk & Insurance.

Sponsored Content by CorVel

Telehealth: The Wait is Over

Telehealth delivers access to the work comp industry.
November 2, 2015 • 5 min read


From Early Intervention To Immediate Intervention

Reducing medical lag times and initiating early intervention are some of the cornerstones to a successful claims management program. A key element in refining those metrics is improving access to appropriate care.

Telehealth is the use of electronic communications to facilitate interaction between a patient and a physician. With today’s technology and mass presence of mobile devices, injured workers can be connected to providers instantaneously via virtual visits. Early intervention offers time and cost saving benefits, and emerging technology presents the capability for immediate intervention.

Telehealth creates an opportunity to reduce overall claim duration by putting an injured worker in touch with a doctor, including a prescription or referral to physical therapy when needed. On-demand, secure and cost-efficient, telehealth offers significant benefits to both payors and patients.

The Doctor Will See You Now

Major healthcare players like Aetna and Blue Cross Blue Shield are adding telehealth as part of their program standards. This comes as no surprise as multiple studies have found a correlation between improved outcomes and patients taking responsibility for their treatment with communications outside of the doctor’s office. CorVel has launched the new technology within the workers’ compensation industry as part of their service offering.

“Telehealth is an exciting enhancement for the Workers’ Compensation industry and our program. By piloting this new technology with CorVel, we hope to impact our program by streamlining communication and facilitating injured worker care more efficiently,” said one of CorVel’s clients.

“We expect to add convenience for the injured worker while significantly reducing lag times from the injury to initiating treatment. The goal is to continue to merge the ecosystems of providers, injured workers and payors.”

— David Lupinsky, Vice President, Medical Review Services, CorVel Corporation

As with all new solutions, there are some questions about telehealth. Regarding privacy concerns, telehealth is held to the same standards of HIPAA and all similar rules and regulations regarding health information technology and patients’ personal information. Telehealth offers secure, one on one interactions between the doctor and the injured worker, maintaining patient confidentiality.

The integrity of the patient-physician relationship often fuels debates against technology in healthcare. Conversely, telehealth may facilitate the undivided attention patients seek. In-office physicians’ actual face time with patients is continually decreasing, averaging eight minutes per patient, according to a 2013 New York Times article. Telehealth may offer an alternative.

Virtual visits last about 10 to 15 minutes, offering more one on one time with physicians than a standard visit. Patients also can physically participate in the physician examination. When consulting with a telehealth physician, the patient can enter their vital signs like heart rate, blood pressure, and temperature and follow physical cues from the doctor to help determine the diagnosis. This gives patients an active role in their treatment.

Additionally, a 2010 BioMed Central Health Services Research Report is helping to dispel any questions regarding telehealth quality of care, stating “91% of health outcomes were as good or better via telehealth.”

Care: On Demand

By leveraging technology, claims professionals can enhance an already proactive claims model. Mobile phones and tablets provide access anywhere an injured worker may be and break previous barriers set by after-hours injuries, incidents occurring in rural areas, or being out of a familiar place (e.g., employees in the transportation industry).

With telehealth, CorVel eliminates travel and wait times. The injured worker meets virtually with an in-network physician via his or her computer, smart phone or tablet device.

As most injuries reported in workers’ compensation are musculoskeletal injuries – soft tissue injuries that may not need escalation – the industry can benefit from telehealth since many times the initial physician visit ends with either a pharmacy or physical therapy script.

In CorVel’s model, because all communication is conducted electronically, the physician receives the patient’s information transmitted from the triage nurse via email and/or electronic data feeds. This saves time and eliminates the patient having to sit in a crowded waiting room trying to fill out a form with information they may not know.

Through electronic correspondence, the physician will also be alerted that the injured worker is a workers’ compensation patient with the goal of returning to work, helping to dictate treatment just as it would for an in office doctor.

In the scope of workers’ compensation, active participation in telehealth examinations, accompanied by convenience, is beneficial for payors. As the physician understands return to work goals, they can ensure follow up care like physical therapy is channeled within the network and can also help determine modified duty and other means to assist the patient to return to work quickly.


Convenience Costs Less

Today, convenience can often be synonymous with costly. While it may be believed that an on-demand physician’s visit would cost more than seeing your regular physician, perceptions can be deceiving. One of the goals of telehealth is to provide quality care with convenience and a fair cost.

Telehealth virtual visits cost on average 30% less than brick-and-mortar doctor’s office visits, according to the California state fee schedule. In addition, “health plans and employers see telehealth as a significant cost savings since as many as 10% of virtual visits replace emergency room visits which cost hundreds, if not thousands, of dollars for relatively minor complaints,” according to a study by American Well.

Benefits For All

Substantial evidence supports that better outcomes are produced the sooner an injured worker seeks care. Layered into CorVel’s proactive claims and medical management model, telehealth can upgrade early intervention to immediate intervention and is crucial for program success.

“We expect to add convenience for the injured worker while significantly reducing lag times from the injury to initiating treatment,” said David Lupinsky, Vice President, Medical Review Services.

“The goal is to continue to merge the ecosystems of providers, injured workers and payors.”

With a people first philosophy and an emphasis on immediacy, CorVel’s telehealth services reduce lag time and connect patients to convenient, quality care. It’s a win-win.

This article was produced by CorVel Corporation and not the Risk & Insurance® editorial team.

CorVel is a national provider of risk management solutions for employers, third party administrators, insurance companies and government agencies seeking to control costs and promote positive outcomes.