Sub-Zero Sucker Punch
During the cold weeks that follow the winter holidays, a low-pressure warm front moves quickly into the New England region, along with a high-pressure Arctic cold front. The two masses collide, causing heavy rains that turn to ice by the time they reach the ground.
Layers of ice blanket an area from Maine to Maryland and as far west as Ohio, making it look like a world made of pure crystal.
Northeasterners shrug and hunker down for a few days of wild weather. A thinner layer of ice reaches west to St. Louis and south to Charlotte. Southeasterners grumble about the polar vortex interfering with their routine.
By the second day, trees fall and rooftops groan under the weight of nearly 3 inches of ice. Dozens of transmission towers buckle and collapse. Local power lines fall, pulling utility poles down across roadways.
Utility companies shift into crisis mode to assess the damage, which has plunged some homes and businesses into darkness. Utility crews from Georgia and Tennessee are dispatched to help get repair work underway, which is slowed by treacherous road conditions.
The worst, though, is yet to come.
Three days after the first storm hits, a second storm arrives, about 500 miles south. It wallops the Southeast and moves on up the Eastern seaboard, dropping another 2-plus inches of ice over two days. Heavy ice puts a death grip on everything from Memphis to Atlanta and on up through Washington, D.C.
The aging utility infrastructure can’t withstand the ice and winds. The fact that at least half of the Southeast’s utility workers had been deployed north makes matters worse — far worse. Four million customers in Georgia and Alabama alone are without power.
Hartsfield-Jackson International Airport in Atlanta is virtually paralyzed, stranding travelers and causing massive delays across the country. Gas stations shut down because pumps are inoperable.
Retailers with backup generators press on as long as they can, but shelves empty quickly of food and other essential goods. Some stores operate on a cash-only basis because payment systems are down.
On the East Coast, more than 50 million people and 3 million businesses are without power. More than 200 transmission towers are badly damaged. Water supply across the entire East Coast is at risk, as treatment plants and pumping stations begin to lose backup power. Cell network circuits become congested, causing delays and weak signals. Some networks fail altogether.
Despite icy roads, millions leave their homes, seeking warmth and shelter. Some die from carbon monoxide poisoning or from blazes caused by open fires in their homes, attempting to keep warm. Many fires burn unchecked, resulting in widespread property damage.
States of emergency are declared for affected major cities. The National Guard is brought in to help clear roads, escort people to emergency shelters, and help maintain civil order among the increasingly frightened and desperate public.
Trees continue to fall for weeks, making power recovery achingly slow. It takes three to four weeks to get to 90 percent recovery for urban centers. Some outlying areas go without power for as long as three months.
Businesses struggle to reopen due to damage and lack of workers, as many have not returned to the area from wherever they sought shelter, or can’t get through to certain areas due to safety hazards.
Hundreds die from hypothermia, starvation, fires, auto accidents and small, localized riots. Tens of thousands more suffer injuries or become seriously ill. The very young, elderly and the poor are hardest hit.
National Geographic’s harrowing docudrama American Blackout depicts the catastrophic repercussions of a 10-day blackout affecting the entire country.
No Escaping Loss
This scenario was created using the Blackout Risk Model, developed through a partnership of Hartford Steam Boiler and Verisk Climate, led by Robin Luo, vice president at HSB; Clifton Lancaster, senior risk analyst at HSB; and Kyle Beatty, president of Verisk Climate.
HSB and Verisk estimate that the frequency of each individual ice storm would be one in 150 years to 200 years. The two storms combined represent a frequency of one in 1,000 years or more.
This scenario loosely resembles a juxtaposition of two historic North American blackout events.
In January 1998, ice pummeled Ontario, Quebec and New Brunswick for six straight days, destroying 130 transmission towers and leaving more than 4 million people without power — some for up to a month.
The insured losses from that storm totaled $1.6 billion, according to the Insurance Bureau of Canada. The total economic costs were estimated between $5 billion and $7 billion.
The second event occurred in August 2013, when a simple circuit overload led to cascading blackouts throughout North America, leaving 50 million people in the United States and Canada without power for up to six days. The estimated total economic cost of the outage was between $6 billion and $8 billion.
Combining the duration, ice load and frigid temperatures of the 1998 event with the coverage footprint of the 2013 event would result in a catastrophe exponentially more devastating than any blackout in North American history.
Some experts downplay the amount of property damage typical for an ice storm, but others say the level of property damage wouldn’t be far behind Hurricane Katrina or Superstorm Sandy.
Because of the duration of the power outage and the extreme volume of ice involved, homes and businesses left abandoned would likely succumb to frozen and bursting pipes. Collapsing roofs would lead to additional damage.
Overtaxed emergency responders likely wouldn’t be able to prevent damage caused by the inevitable looting and civil unrest. Fires started by those desperate for warmth could easily burn out of control, consuming neighboring properties in the process, especially in urban centers.
Contaminated water supplies would cause lasting problems that would take months to remedy. Lack of running water would create sanitation hazards.
Industries needing refrigeration, such as restaurants, supermarkets and pharmaceutical companies would suffer heavy losses. Manufacturing would also suffer due to a dependence on power and the difficulty and expense of temporarily relocating equipment.
Of course, that only scratches the surface of business income losses for companies up and down the East Coast, as well as key suppliers and customers across the country.
“Whether you’re impacted directly from the weather or indirectly, I don’t know how anyone escapes some sort of tragedy or economic loss from this,” said Wes Dupont, executive vice president and general counsel of Allied World Assurance Co. Holdings.
Even with power mostly restored in three to four weeks, there would be several more months of clean-up before normal operations resume. Some companies would have difficulty luring back clients that had switched suppliers in the interim.
Small businesses would no doubt be hard hit.
“Small to midsize companies, those that are not able to invest [in a standby power system] … they’re going to struggle,” said Mark Madar, director of risk management and regulatory compliance at CBIZ Risk & Advisory Services. “The companies that do not have a multi-location presence, especially your mom-and-pop types of businesses, they’re the ones who are going to take the hit here.”
But Lou Gritzo, FM Global’s vice president and research manager, said it would be a mistake to downplay the vulnerability of larger companies in this scenario.
“It’s the weakest link scenario,” said Gritzo. “The bigger effects are going to be these cascading failures where one or two pieces of the operation can’t recover and then the entire company experiences the consequences.
“That in turn affects other companies all over the country and all over the world. I think that’s where the biggest impact is going to be,” he said.
Mind the Gaps
For many companies, having a solid business interruption plan will make the difference in whether they make it through such a crisis. More than two in five (43 percent) businesses that experience a disaster and have no emergency plan don’t reopen, according to The Hartford. Of those that do reopen, only 29 percent are still operating two years later.
Even the most sophisticated disaster plan, however, will not shield companies from some degree of loss in an event of this magnitude. Unfortunately for some, the claims process is unlikely to be straightforward.
“The bigger effects are going to be these cascading failures where one or two pieces of the operation can’t recover and then the entire company experiences the consequences. That in turn affects other companies all over the country and all over the world.” —Lou Gritzo, vice president and research manager, FM Global
Blackouts can be a monkey wrench in the works. Companies may assume they’re covered for business losses in the event of a power outage because they have business interruption (BI) coverage — or time element coverage — on their property policies.
But in most cases, BI must be tied to physical damage to an insured’s assets. Several commercial property policies specifically exclude coverage resulting from a utility service interruption that originates away from the insured’s premises.
Standard BI coverage won’t be triggered for businesses that don’t suffer direct physical damage but were forced to close or relocate because of lack of employees or power, or orders from civil authorities to stay away due to safety hazards.
Some larger, sophisticated insurance buyers will have policies that include the necessary extensions needed to trigger the cover, but smaller firms may be left unprotected.
“I think [utility service interruption coverage] is spotty when it comes to small commercial businesses, who would need to ask for those extensions, as well as clients who are on standard boilerplate preprinted forms as opposed to a manuscripted form,” said Duncan Ellis, U.S. property practice leader for Marsh.
Another wording nuance to be aware of, he said, is that some language may provide for damage caused by a power outage, as in the case of a critical manufacturing load destroyed by loss of power in the middle of the process. But the BI side of the policy still may not have an extension for loss of income incurred after the outage.
Even for companies with the right coverage extensions, time durations vary. Some policies may not cover losses related to a service interruption that goes beyond a week or two. In general, many companies could find that their BI losses far exceed limits.
Insurers would see a high volume of contingent business interruption claims from those whose key customers or suppliers were compromised by the event. But the wording of CBI policies is similar to BI policies, and many insureds will find their coverage declaimed.
Companies with a regional base also may face push back from carriers on business income claims, said Mike LoGiudice, managing director of insurance and litigation support for CBIZ Valuation Group. “I might say, ‘I should have done [this amount of business] but for the property loss.’ ”
But the carriers may argue that regardless of damage, your customers would still be out of business themselves, so you wouldn’t have had any income. “They would take into effect the negative impact on your customers,” he said. “It would be a battle.”
Additional 2014 black swan stories:
When the 8.5 magnitude earthquake hits, sea water will devastate much of Los Angeles and San Francisco, and a million destroyed homes will create a failed mortgage and public sector revenue tsunami.
When a nuclear reactor melts down due to a powerful tornado, deadly contamination rains down on a metropolitan area.
7 Emerging Technology Risks
The Risk List is presented by:
To Keep Cool in a Crisis, Companies Need a Comprehensive Solution
Threats against corporate security come in many forms, from intentional acts of violence to civil unrest to cyber-attacks. The perpetrators don’t discriminate by company size or sector, and the consequences can range from several thousand dollars lost to several lives lost.
The recent shooting in an Orlando nightclub that killed 49, for example, or last year’s San Bernardino shooting that killed 14, are somber reminders that terrorism and violence can erupt anywhere and in any type of business. In addition to loss of life, violence can translate into business interruption and property damage. In Ferguson, Mo., riots lead to over $4 million in property damage.
Cyber-attacks have also become commonplace, with hackers infiltrating private networks to steal data or hold it ransom.
Is your organization prepared for these risks?
“A lot of companies have a crisis response plan on paper, but they don’t have outside resources to come to their aid if there is an incident,” said Reggie Gibbs, Underwriter and Product Manager, Starr Companies.
Mid-size companies especially tend to lack comprehensive insurance coverage and crisis management services for a variety of security events due either to limited resources or an underestimation of their exposure.
Starr Companies’ Cyber and Terror Response (CTR) solution provides three coverages as well as crisis response services tailored to meet the needs of these companies. Each of its components addresses a common security threat.
“We don’t just want to indemnify the security risks our clients face; we want to help them actively manage them.”
— Reggie Gibbs, Underwriter & Product Manager, Starr Companies
Terror and Political Violence
“Political violence can be defined as a strike, riot, protest, or any type of unrest that gets out of hand and turns violent,” said Gibbs, who specializes in terrorism and political violence, workplace violence, and crisis management.
In the case of the Ferguson protests, any first party property damage or third party liability incurred by the disruption would be covered under the terrorism and political violence segment of the CTR solution.
In the case of a terror attack, organizations cannot necessarily rely on TRIA to pick up property losses. In the case of the Orlando shooting, for example, the likelihood of TRIA being invoked is low because property damage will not meet the threshold for coverage to kick in.
TRIA, reauthorized in 2015, provides a federal insurance backstop in the event of a terror attack. The U.S. Secretary of the Treasury, U.S. Attorney General, and U.S. Secretary of Homeland Security must declare an attack to be an act of terrorism, and property damage must exceed $5 million to trigger TRIA.
“We would still view the Orlando shooting as an act of terror, however, because of who the shooter claimed he was working for regardless if the ties to terror groups are clear or not. Therefore, our coverage would apply,” Gibbs said. Even if TRIA was enacted, however, companies would still have a lot of pieces to pick up following an attack. They may have injured or deceased employees, or face legal action from third parties.
For these situations, and any other incident of violence not driven by terrorism, the workplace violence component of Starr’s CTR solution would act as an umbrella to cover other liabilities such as legal liability, loss of life benefits, psychiatric care, and other crisis response services.
One such incident struck a Boston-area Bertucci’s in early May. An attacker wielding a knife drove his car into a Boston shopping mall before making his way into the nearby restaurant. He killed five, including restaurant workers and patrons.
“There was no ideological or political motivation behind it. He was just deranged.” Gibbs said. “Our workplace violence coverage can handle the loss of life benefits for both the employees and patrons killed in situations like this one.”
In the best cases, though, violence can be prevented altogether.
“If an employee reports a stalking threat, the policy would cover the expense of security guards,” Gibbs said. “In this case, it’s more of a pre-workplace violence coverage. It would de-escalate the situation.”
Attacks can also be non-physical.
Cyber extortion in particular is on the rise. Phishing scams lead employees to click on malicious links, unknowingly downloading ransomware onto their internal networks. The cyber criminals then hold companies’ networks ransom, asking for a sum of money in return for the release of data or to prevent a business interruption. The ransoms can be low — amounts that organizations can afford to pay.
“The hackers don’t want to attract the attention of law enforcement or regulatory agencies,” said Annamaria Landaverde, National Cyber Practice Leader & Professional Liability Underwriting Manager, Starr Companies. Landaverde specializes in the cyber component of the CTR coverage. “The FBI may not get involved if someone asks for $5,000. They are more likely to get involved if someone asks for $5 million.”
Since companies are not required by law to report cyber extortion —like they are for data breaches — many choose simply to pay the ransom and move on without generating any negative news headlines.
“The hackers don’t want to attract the attention of any law enforcement or regulatory agencies. The F.B.I. won’t get involved if someone asks for $5,000. They will get involved if someone asks for $5 million.”
— Annamaria Landaverde, National Cyber Practice Leader & Underwriting Manager, Professional Liability Division, Starr Companies
“A California medical center recently had an incident like this where the hackers asked for $17,000 in ransom,” Landaverde said,” but the amounts can vary.”
While the ransom itself may seem manageable, many companies fail to recognize other costs associated with the identification and removal of the malware from their system. There may also be costs associated with forensics investigations, legal experts, public relations firms, third party lawsuits, and notification and credit monitoring.
“The cyber arm of the CTR coverage extends to liability that an organization would suffer as a result of a breach, or failure of security of the insured’s network,” Landaverde said. That includes not just cyber extortion, but outright data theft or denial-of-service attacks.
Crisis Management Services
“We don’t just want to indemnify the security risks our clients face; we want to help them actively manage them,” Gibbs said.
The fourth component of Starr’s CTR solution – crisis response — provides two outside consultants to insureds, with one specializing in “hard” security services like guards or instances of cyber extortion, and another focusing on crisis communications.
Without these outside services, there is only so much insurance can do in the aftermath of a crisis. Experienced consultants provide a range of security preparedness and response services to complement coverage and help insureds recover from an episode of violence or cyber event.
“From a communications perspective, our consultants can manage the public relations front to create clear and consistent messaging, but they can also stay in touch with families after a terror or other violent attack to make sure everyone stays informed,” Gibbs said.
They also serve as a first point of contact for insureds immediately after an event. If they need guidance quickly, consultants await at the ready.
“When a client purchases the product, they get a 24-hour hotline set up with one of our consultancies,” he said. “They can report an incident at any time, and our consultant will help either resolve a situation or deal with the aftermath in whatever way they can.”
While the Cyber and Terror Response package provides a comprehensive solution tailored for mid-size companies, Starr also offers standalone cyber liability and crisis management coverage on a primary and excess basis.
“For companies with greater exposure to a particular type of risk, or who simply want higher limits or greater customization, we have those standalone polices.” Landaverde said.
For more information on Starr Companies’ Cyber and Terror Response solution, visit https://www.starrcompanies.com/Insurance/CyberAndTerrorResponse.
Starr Companies is the worldwide marketing name for the operating insurance and travel assistance companies and subsidiaries of Starr International Company, Inc. and for the investment business of C. V. Starr & Co., Inc. and its subsidiaries.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.