Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Not a Know-It-All
Table stakes among Power Brokers is an authoritative, if not encyclopedic, knowledge of the industry.
How refreshing, then, to hear from clients that Tom Draper has no pretense to mastery in cyber risk.
In sharp contrast, they credit him with listening and learning, working collegially through his contacts, and putting his greatest efforts into keeping current in the fast-moving field.
“Tom really came to the fore for us this year,” said one risk manager. “We completely revamped our program, bought additional limits, and broadened our coverage. All of that was happening while the news was full of massive breaches at major retail operators and even government agencies.”
It would have been easy for Draper to encourage an already eager client to go as big as it could. Instead, Draper worked his industry sources and contacts, learned what was realistic and practical, and helped secure broader and deeper coverage, but not more than was necessary.
Draper placed a single policy with a $100 million limit, which is among the larger, if not the largest, cyber limits placed to date. It was done on a manuscripted wording that created a global breach-response team, among other features.
Again under the aegis of learning and growing, Draper is credited with helping to craft an admitted policy through Lloyd’s syndicates that taps into broad support in the underwriter community but also risk-mitigation expertise that can flow back to the insured.
A Great Partner
Eric Long presented a broader business case for one of his clients to its incumbent carrier, enabling the client to realize over $100,000 in annual savings.
For another client that was effectively forced into moving its 1,000 employees under a co-employer arrangement, Long advised the client on contract terms and pricing that resulted in more than $200,000 in annual savings — even though this meant a number of policies would be transitioned away from ABD Insurance & Financial Services.
“I work in a challenging industry, which is not always easy to understand,” said Chris Lowe, chief financial officer at Hansen Medical.
“Eric is an outstanding advocate to ensure underwriters are making an informed decision about our coverage. His ability to educate and facilitate the underwriting process has been by far my best experience in 20-plus years in the industry. Eric has successfully supported our risk management programs, ensuring adequate coverage from high quality underwriters, while also ensuring cost effectiveness as well.”
“We’ve worked with a number of brokers over the years and Eric Long is the best risk management partner we’ve ever had,” said Doug Farrell, senior vice president, investment relations, corporate communications and treasury at Affymetrix. “He’s helped us to strengthen our coverage every year and he has done this in a consistently cost-effective manner.”
“With the problems I try to solve, I don’t have time for insurance, so Eric looks out for me — like turning around a 500-page document,” said a client at a flash storage solutions company. “He also understands my risks.”
Just the Right Touch
Sometimes there is nothing fancy to being a Power Broker®. Nothing more than getting down and grappling with a complex claim.
“Phil has worked on several claims for us in the past,” said one corporate insurance manager of a major technology firm.
“It had been a while, but we recently had a claim that was going nowhere fast. And there was no light at the end of the tunnel. We asked Phil to step in, to see what he could do.”
Norton spent time with the people he determined could help resolve the stalemate.
“Among the people he met with were the person who was in charge of all claims, the team who was directly managing our claim, the person the team reported to, other senior claims professionals providing input, and finally the outside counsel to determine common legal ground where the two sides could meet.”
The client concluded, “When you have argued all of the valid legal aspects of the policy and there doesn’t seem to be a way out, a broker’s personal touch is and can be critical to ensure the best possible outcome.”
That said, Norton is not afraid to be gentle. Several clients are large consumer operations, but not technology driven.
As those firms expand their presence online, they encounter new exposures, and laud Norton for providing tech-savvy insight without being condescending to their legacy operations.
Quick and Effective
Many Power Brokers have handled a big acquisition or divestiture for a client. Often, large acquisitions involve expanding the acquirer’s program to accommodate new, larger exposures.
In contrast, Aon’s Jason Peery had to tackle the more ticklish task of integrating two programs, the extant one for an existing client, and one that came with a nearly half-billion-dollar acquisition.
The client said that the answer was a combined approach that integrated much of the existing two programs, supplemented by independent run-offs.
The plan saved the combined company a third of a million dollars over the pro-forma programs.
In another situation, a client’s perils extended beyond cyber threats to physical threats to employees in another country. The incident involved a complex claim, issues of physical security of people and property, and litigation in addition to the claims process for a loss that ran close to a million dollars.
“Jason is a true extension of our risk management department — which otherwise is just me,” said one client with a laugh.
That risk manager detailed how Peery won a large portion of the client’s business, but not casualty. The broker trying to place that business got two extensions, but could not find coverage that included electromagnetic frequency.
Peery’s team stepped in. Given just a month to place the casualty coverage, they did so, including the frequency cover on better terms than had originally been sought.
Wise Beyond His Years
Stepping in as a new broker on an existing account can be daunting, but Brent Rieth’s fresh eye yielded big benefits.
“It was my first time working with Brent this year as he took over for a colleague who left the firm,” said one risk manager.
“We were able to increase our limits significantly this year working with new markets in an accelerated timeline and staying within budget. Also being new on our account, Brent performed a detailed review of our policy wording in collaboration with coverage counsel and achieved various coverage enhancements.”
Rieth is credited with being “wise beyond his years,” by a client for whom he handled a simultaneous claim and renewal.
“He went over and beyond for us this year, placing an existing coverage with an incumbent while in the midst of a possible high-dollar claim. I placed this line of coverage with him for the first time this year, and he hit the ground running. This was one of the smoothest renewals with a nominal increase due to possible claims activity.”
Another client is a cloud-based firm that handles customers’ confidential information.
“E&O is an important coverage for us as it is our primary source of cyber risk coverage particularly as it relates to data breaches,” said the company’s director of enterprise risk management.
“We hear from Brent frequently outside the renewal cycle. Only a few weeks ago, Brent took the initiative to reach out with some industry cost and remediation data.”
Setting the Pace in Cyber
“Robert was instrumental in helping us assess the correct coverage for our growing technology firm which acts as a pass-through for client revenue,” said a vice president for business affairs.
“We needed a consultative approach, and he was able to give this to us, which prompted us to leave our prior broker. Robert is especially knowledgeable in the area of errors and omissions — a coverage area in which we had minimal understanding, especially given the recent data breaches in multiple industries.
“I am impressed that he understood our business without a lot of explanation. Our relationship is still new, and I expect that we will receive excellent direction from now on. I finally feel that we’re in good hands.”
Expanding on that theme, other clients recognized Rosenzweig for his ability to customize and manuscript coverage to keep pace with the rapidly changing exposures in the high-tech sector. Clients said that responses that they get from the market are often different from what they believe their risks to be, especially in E&O, cyber liability, and professional services.
“Up to this year,” said one client, “we relied upon our media clients to provide wrap insurance [for completion of a show or film].
“Clients would have to provide us with proof of that coverage, but we would have to pay for it, and we would have to take their word that it was sufficient. Sometimes it was, sometimes not. Robert was able to secure wrap insurance for us directly, increasing our security and cutting our costs.”
A Modern Claims Philosophy: Proactive and Integrated
According to some experts, “The best claim is the one that never happens.”
But is that even remotely realistic?
Experienced risk professionals know that in the real world, claims and losses are inevitable. After all, it’s called Risk Management, not Risk Avoidance.
And while no one likes losses, there are rich lessons to be gleaned from the claims management process. Through careful tracking and analysis of losses, risk professionals spot gaps in their risk control programs and identify new or emerging risks.
Aspen Insurance embraces this philosophy by viewing the data and expertise of their claims operation as a valuable asset. Unlike more traditional carriers, Aspen Insurance integrates their claims professionals into all of their client work – from the initial risk assessment and underwriting process through ongoing risk management consulting and loss control.
This proactive and integrated approach results in meaningful reductions to the frequency and severity of client losses. But when the inevitable does happen, Aspen Insurance claims professionals utilize their established understanding of client risks and operations to produce some truly amazing solutions.
“I worked at several of the most well known and respected insurance companies in my many years as a claims executive. But few of them utilize an approach that is as innovative as Aspen Insurance,” said Stephen Perrella, senior vice president, casualty claims, at Aspen Insurance.
Utilizing claims expertise to improve underwriting
Acting as adviser and advocate, Aspen integrates the entire process under a coverage coordinator who ensures that the underwriters, claims and insureds agree on consistent, clear definitions and protocols. With claims professionals involved in the initial account review and the development of form language, Aspen’s underwriters have a full sense of risks so they can provide more specific and meaningful coverage, and identify risks and exclusions that the underwriter might not consider during a routine underwriting process.
“Most insurers don’t ever want to talk about claims and underwriting in the same sentence,” said Perrella. “That archaic view can potentially hurt the insurance company as well as their business partners.”
Aspen Insurance considered a company working on a large bridge refurbishment project on the West Coast as a potential insured, posing the array of generally anticipated construction-related risks. During underwriting, its claims managers discovered there was a large oil storage facility underneath the bridge. If a worker didn’t properly tether his or her tools, or a piece of steel fell onto a tank and fractured it, the consequences would be severe. Shutting down a widely used waterway channel for an oil cleanup would be devastating. The business interruption claims alone would be astronomical.
“We narrowed the opportunity for possible claims that the underwriter was unaware existed at the outset,” said Perrella.
Risk management improved
Claims professionals help Aspen Insurance’s clients with their risk management programs. When data analysis reveals high numbers of claims in a particular area, Aspen readily shares that information with the client. The Aspen team then works with the client to determine if there are better ways to handle certain processes.
“We do a lot of trending and data analysis to provide as much information as possible to our clients,” said Perrella. “Our analytics can help clients improve upon their own risk management procedures.”
For a large restaurant-and-entertainment group with locations in New York and Las Vegas, Aspen’s consultative approach has been critical. After meeting with risk managers and using analytics to study trends in the client’s portfolio, Aspen learned that the sheer size and volume of customers at each location led to disparate profiles of patron injuries.
Specifically, the organization had a high number of glass-related incidents across its multiple venues. So Aspen’s claims and underwriting professionals helped the organization implement new reporting protocols and risk-prevention strategies that led to a significant drop in glass-related claims over the following two years. Where one location would experience a disproportionate level of security assault or slip & fall claims, the possible genesis for those claims was discussed with the insured and corrective steps explored in response. Aspen’s proactive management of the account and working relationship with its principals led the organization to make changes that not only lowered the company’s exposures, but also kept patrons safer.
World-class claims management
Despite expert planning and careful prevention, losses and claims are inevitable. With Aspen’s claims department involved from the earliest stages of risk assessment, the department has developed world-class claims-processing capability.
“When a claim does arrive, everyone knows exactly how to operate,” said Perrella. “By understanding the perspectives of both the underwriters and the actuaries, our claims folks have grown to be better business people.
“We have dramatically reduced the potential for any problematic communication breakdown between our claims team, broker and the client,” said Perrella.
A fire ripped through an office building rendering it unusable by its seven tenants. An investigation revealed that an employee of the client intentionally set the fire. The client had not purchased business interruption insurance, and instead only had coverage for the physical damage to the building.
The Aspen claims team researched a way to assist the client in filing a third-party claim through secondary insurance that covered the business interruption portion of the loss. The attention, knowledge and creativity of the claims team saved the client from possible insurmountable losses.
Modernize your carrier relationship
Aspen Insurance’s claims philosophy is a great example of how this carrier’s innovative perspective is redefining the underwriter-client relationship. Learn more about how Aspen Insurance can benefit your risk management program at http://www.aspen.co/insurance/.
Stephen Perrella, Senior Vice President, Casualty, can be reached at Stephen.email@example.com.
This article is provided for news and information purposes only and does not necessarily represent Aspen’s views and does not constitute legal advice. This article reflects the opinion of the author at the time it was written taking into account market, regulatory and other conditions at the time of writing which may change over time. Aspen does not undertake a duty to update the article.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Aspen Insurance. The editorial staff of Risk & Insurance had no role in its preparation.