The Best Laid Plans
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Hale Everson disliked silence and wasn’t bothered by visible distractions. A natural multitasker, he liked to keep D.C. Span, the 24-hour news channel devoted to Washington politics, on his office TV.
As the Human Resources director for the Southern operations of Fuego Motors, a leading European car maker, Hale had been working for years to create a state-of-the-art health care monitoring system for the automobile manufacturing plant’s employees.
On the computer monitor in front of him, there were no less than 10 open spreadsheets.
Hale loved data and along with the auto plant’s risk manager, he had compiled plenty of it.
Hale paused at his keyboard and shifted his attention to his TV set. The U.S. Senate was voting on the passage of the Patient Protection and Affordable Care Act.
“Come on boys, come on,” he said, as he watched the “yes” votes pile up. Hale wasn’t worried about the outcome of the vote. He’d been preparing for this day for years.
When it came to what he required to work well, Brady Heller, the CFO for Apex Care, a regional hospital, was a door-shut type, even though he had a corner office. Brady hated any sort of distraction.
It wasn’t until he got home late that night and watched the 11 o’clock news that Brady found out the Affordable Care Act had passed. Brady watched impassively as his wife sat next to him.
Always keeping his cards close to his vest, Brady quietly calculated what Apex Care had spent over the past four years to acquire numerous specialty practices to build a state-of-the art Accountable Care Organization.
Brady wasn’t worried about the outcome of the vote either. He’d also been preparing for this day for years.
Brady and Hale, friends since college, were walking down the fourth fairway at the local country club when the two community leaders, key members of the local chamber of commerce, put their well-disciplined heads together.
“Nice job picking up Neil Zane’s cardiac practice, buddy,” Hale said to his friend with a smile.
“Thanks,” Brady said, as he scanned the grassy rise for his golf ball.
“From what I can tell, you’ve got all the pieces in place,” Hale said.
“I sure hope I do. Cost us enough,” Brady said as he turned to set up a 2-iron shot.
“Brady, hold on just a second,” Hale said. Brady turned and looked soberly at Hale, alert to the business-like tone Hale had switched to.
“I think I’ve got all my pieces in place too, and I don’t want to wait ‘til the wind changes. I want to bring my entire workforce to Apex on a direct contract. I’ve got all the data…”
“I bet you do,” Brady said.
“And with my documentation we can get this done sooner rather than later,” Hale said.
“You got everybody ready?” Brady asked.
“I’ve got everybody on board, from Turin to where we’re standing right here,” Hale said, and Brady could tell that Hale meant every word.
Within three weeks, the local business weekly ran a story under the following headline and subhead.
“Fuego and Apex Ink Healthcare Pact”
“Savings and better quality of care in focus in multi-million-dollar arrangement”
The story featured a picture of Brady and Hale shaking hands over a conference table.
Under the direct contract with Apex, Fuego’s workers and their dependents would receive exclusive health care at the regional health giant for three years. The contract was set to renew as long as costs didn’t deviate more than five percent on an annual basis from projections.
Seven months after the direct contract deal was announced, Serge Bernstein, head of Apex’s high-profile bariatric medicine and weight loss clinic, requested a face-to-face meeting with Brady.
“I have to ask you, did you have access to Fuego’s health care data before you agreed to this deal?” Dr. Bernstein asked Brady.
“I know as a matter of fact that the company keeps excellent records,” Brady said as an opening defense.
“Well, I keep pretty good data on my end as well,” Dr. Bernstein said, as he expertly swiped his digital tablet to bring up some figures.
“The contract with Fuego says costs can’t deviate more than five percent from projections,” he said.
“That’s correct,” Brady said.
“What would you say if I told you that I am seeing instances of diabetes in that population at about 250 percent of projections?” Dr. Bernstein said.
“I’d be very concerned,” Brady said.
“Then you should be very concerned,” Dr. Bernstein said.
Two weeks later it was the hospital system’s head of orthopedics, Krishnan Gilani, who was sitting in Brady’s office.
“I’ve got a four-week waiting list for initial non-emergency evaluations,” Dr. Gilani said.
“Why?” Brady said.
“Have you heard of the Affordable Care Act? This autoworker population requires a lot of care. Many of them are overweight, which complicates treatment. I’ve also got a threefold increase in overall caseload due to all the previously uninsureds coming on board under the new law,” Dr. Gilani said.
“Wow,” Brady said.
“Wow indeed, Mr. Heller. These are substantially out-of-whack figures and of great concern,” Dr. Gilani said.
Hale and Brady were mostly silent as Hale lined up a putt and the two of them digested the information that the increased number of insureds coming in for treatment was threatening to broadside their direct contracting arrangement.
“It’s the first year of the program,” Hale said after his putt lipped out. “I’m sure the numbers will settle down in years two and three.”
“You’re probably right,” Brady said as he stood over his putt.
“You’re probably right.”
Hale’s view of his in-office television screen is obscured by the bulk of the autoworkers’ union vice president. To the vice president’s left is the union president. Neither of them looks healthy and neither of them looks especially pleased.
“Eighteen months ago you sold this hospital deal to us, saying it would be better for the workers and their families. You said we’d get better treatment, cheaper, and better access to treatment,” the union president said.
“I did say that, that’s true,” Hale said.
“None of that was true,” the vice president said.
“We got a guy on the line, he twists his back trying to keep an engine compartment bonnet in place. You know how long it takes him to see a back specialist?”
“I don’t…” Hale begins.
“How about five weeks?” the vice president said. “Five weeks!”
“And this is the only hospital we can go to,” the president said.
“I thought health care reform was about choice. You know what? We have no choice,” the union president said.
“Am I in Russia now? Because I feel like I’m in Russia,” the union vice president says to the union president.
The quarterly meetings between hospital management and the medical team leaders have become so fraught with tension for Brady Heller that they begin to feel like out-of-body experiences.
Dr. Bernstein, Dr. Gilani and Dr. Helen Beers, chair of the cardiac unit, have Brady in their cross-hairs.
“When you brought my practice into your system, I was assured that I could maintain my care standards, that my cost of risk would be reduced by 20 percent and that my revenues would increase by 30 percent,” Dr. Beers begins.
“None of that has happened,” she said, fixing formidable steel blue eyes on Brady through her titanium eyeglass frames.
“Instead I’m seeing delays in payment. I am seeing care standards that I never would have tolerated independently, and I am seeing this across a number of departments, not just my own,” she said.
“We want access to full financial documentation under the terms of our contracts or we are walking, I am not kidding you,” Dr. Bernstein said.
Brady looked from Dr. Bernstein to Dr. Gilani to Dr. Beers. Nowhere was there mercy or understanding.
Hale has a board meeting of his own to attend.
“If we pay them this $3 million that they’re asking for,” the CFO for North America says to Hale.
“On top of the contracted amount,” he says, looking around the table for emphasis, to make sure everyone is getting his point.
“On top of the contracted amount,” he says yet again, unmercifully.
“What assurances do we have that we’re not going to be shelling out another $3 million in six months to a year from now?” the CFO asks.
“I’m not sure that I can offer you any assurances,” Hale says.
“We’re seeing treatment delays and co-morbidities that are beyond the scope of our projections,” he adds.
“I thought this was the best health care money could buy,” the CFO says.
“It may be,” says the North American CEO, who has made a special point to be at this meeting.
“The issue is we didn’t know it would take this much money to buy it.”
The CEO fires Hale Everson that very evening.
A sizable regional employer and a large health care system come to grief when their directly contracted health care arrangement is blind-sided by health care reform implementation. The planners of the deal fail to take into account the delays in treatment that large numbers of previously uninsured patients coming into the system will create. Contrary to their promises, standards of health care deteriorate and key stakeholders become alienated.
1. The importance of good data: Data is only actionable if it is good data. Fuego Motors thought it had adequately measured the health care risks inherent in its employee population, but events proved it to be woefully wrong. The advent of the Affordable Care Act is going to affect medical treatment, and loss projections are going to have to be altered.
2. Assess your contract: Direct contracts to provide health care services to employers might make a lot of strategic sense, but they can turn into straitjackets if not written with enough flexibility to account for increasing health care costs and the unknowns of health care reform.
3. Medical practice acquisition is fraught with perils: Bigger is not necessarily better when it comes to health care business management. Conflicting work cultures and compensation and quality of care expectations can lead to disagreements, litigation or worse if contractual provisions aren’t spelled out adequately.
4. Health care regulation is in conflict: Federal health care reform is not the only wind sweeping the waters. There are numerous federal and state entities regulating health care and their missions and mandates are not in step with each other. Understanding the full lay of the land moving forward is a must.
5. Move with measured steps: There is so much going on in health care practice and regulation right now that the unknowns outnumber the knowns. Look at acquisition targets with more caution than ever before.
6. Be fully transparent: Both sides thought they had all the data they needed. But in the end, their failure to fully share their data with their respective teams created unpleasant surprises. Being fully candid about all risks is the best strategy in this unsure environment.
The issues covered in this scenario were in part based on the impact of health care reform. This follow-up webinar focused on specific changes to the health care market in the wake of Affordable Care Act implementation and presented actions insureds can take to prepare themselves moving forward.
An Insatiable Beast
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Part One: Who Kicked the Door In?
Executives with Sweet Life are in a self-congratulatory mode.
Having just plunked down $15 million for a new, just-in-time processing and shipping system, the company leadership feels poised for even greater success.
Starting with a then-unknown Kombucha product, the company grew, selling Kombucha, coconut water and a menu of flavored sparkling water sourced from unquestionably pure springs.
Walk into almost any tony yoga studio along the Atlantic seaboard and you would see some bottle or can with the Sweet Life label on it.
“I want to congratulate everyone involved in this effort,” Saltwood tells his assembled leadership team during a celebratory, well-lubricated meal at one of the best vino-centric restaurants in the Finger Lakes.
Smiles all around, except for Anne Margate, the company’s chief risk officer. Saltwood notices her mood and lifts a wine bottle in her direction as if to offer her more.
She waves the bottle off, and bends her head back down to her BlackBerry, typing feverishly.
Saltwood just shakes his head.
“She worries too much,” he says to himself.
Two days later comes a jolt of reality for Saltwood in the form of a phone call from his CIO.
“We’ve got a breach. Doesn’t look too extensive but we’re moving to identify any lost data and isolate the problem,” the CIO says.
“Alright, keep me posted if you think it’s going to get uglier. I especially want to know if any customer data gets compromised,” Saltwood says.
“Roger, Wilco,” says the CIO.
It’s uglier than either Saltwood or his CIO could possibly know.
What’s hit Sweet Life is a cyber worm that goes by the name of “Purple Moray.” The name of the worm reveals its intent.
The worm carries a payload that is designed to search out and destroy — just like its ravenous sea eel namesake — the programmable logic controllers (PLCs) that control machine processes, the very thing that Sweet Life just purchased as part of its $15 million manufacturing upgrade.
Purple Moray is also equipped with a rootkit component, making its passage through Sweet Life’s information technology systems virtually impossible to detect. Try as they might, Sweet Life’s IT team feels like it is not seeing the whole picture.
Sweet Life’s CIO picks up the phone and calls a forensics team he knows in Rochester.
“Yep,” says the CEO of the forensics team when he picks up the phone. He’s eating potato chips as he talks.
“Yeah, hi Mark,” says the CIO, who has known the forensics CEO since high school.
“Whatcha’ got?” Mark says, crunching a chip.
“Are you eating?” the CIO says agitatedly.
“I’m hungry. What is it?” Mark says.
The CIO shakes off his irritation.
“We need you to come down here. We’ve had a breach and we’re not sure of the extent of it,” the CIO says.
“We’ll be there this afternoon.”
Part Two: Gut-Wrenching Pain
The CIO initially fails to tell Anne Margate what’s going on. Sweet Life is a bit of an old boy’s club — though all the top brass is under 40 — and Anne is not a member of the club.
But she makes a point of finding out what’s going on within the company regardless. It’s when the Rochester forensics team shows up that she gets wind of what’s happened.
“When were you going to tell me about this?” she asks the CIO.
“I … ,” he manages to get out before she cuts him off.
“We need to tell our insurance broker,” she says. “I’ll send you an invite.”
“Which is more than you did for me,” she says to herself under her breath as she walks away.
“OK to summarize,” the broker says on the call, “we need a full list of any customers affected, then move to notify those customers. And keep the forensic work going.”
“I’ll let the cyber policy carrier and the crime policy carrier know that we might have a claim coming,” the broker says.
The next day the chief of operations comes into work to find that Sweet Life’s spanking new manufacturing system is down, all the way down.
“All the computers are dead, boss,” says one of the line foremen.
Anne Margate, who is now fully engaged in the recovery attempt, barges into the company lunch room.
There she finds Mark, the forensics guy, and two of his teammates settling down to a lunch of pepperoni pizza and a very large meatball sub.
“What’s going on?” she says.
“We’re having lunch,” Mark says.
“I know that, I mean with our manufacturing process,” she says.
Mark pauses to wipe some red sauce off of his chin.
“You’re, who again?” he says.
“I’m the risk manager,” she says, trying to control her anger.
“Oh,” he says. “What’s happened is that your operations have been attacked by a cyber worm. It’s called Purple Moray. It’s disabled the programmable logic computers that control your machine processes,” he says.
“Are they merely disabled or destroyed?” she says.
“We’re getting to that,” says Mark. “As soon as we finish lunch.”
Sweet Life’s broker, exercising an abundance of caution, contacts the company’s property carrier to notify it that Sweet Life may have a claim against this policy as well.
“It looks like the damages are far more extensive than we thought,” Anne Margate says on a call with Saltwood and the company’s property underwriters.
After she gets off the phone with her property underwriters, Anne Margate has the sickening feeling that, for damages caused by a computer worm of this nature, her cyber, crime and property policies might not be all that well aligned.
Part Three: All Gone
“Can anybody in this company tell me what’s going on with this Purple Moray worm?” Josh Saltwood thunders into the phone from his vacation home in the Hamptons.
“All we’ve been able to do is identify it, we can’t stop it,” says the exhausted CIO.
Sweet Life’s situation is weakening day by day.
In addition to disabling or damaging key pieces of manufacturing equipment, the worm, through a second payload, did access and steal customer data; much more data than the company’s IT department initially understood to be taken.
The company has to inform customers, including the largest natural foods retailer in the country, that although it thought it hadn’t lost their data, it turns out it had.
“We know we told you a week ago that your information was OK, but it’s not OK,” the CIO and Margate tell the retailer on yet another painful call.
“This thing is like some kind of insatiable beast,” says Mark, the forensics guy, as he sits at an in-house Sweet Life computer, an open bag of peppermint bark on the desk.
“You want some bark?” he says to Margate, who is sitting beside him trying to learn as much as she can about cyber hack forensics.
“No thanks,” she says.
“I’ve never seen anything like this,” says Mark.
Over time, the forensics team, working in concert with Sweet Life’s IT team, is able to isolate the Purple Moray malware and remediate some of the damage done to the company’s computer-controlled manufacturing system.
Anne Margate, who worries about everything, finds that her concerns about her insurance policies were somewhat unfounded.
The cyber, crime and property policies all respond, although not to the degree that every loss is covered.
The company’s property coverage was inadequate to cover all of the damage done to the company’s new manufacturing system. The uninsured loss there is more than $5 million.
Sweet Life is facing a daunting task as it deals with a bruised image in the marketplace and strained relationships with its once loyal customers.
Now it also has to improve its cyber security and convince its insurers that it is a good risk going forward. When Josh Saltwood founded Sweet Life, he was one of three licensed retailers selling Kombucha. When Purple Moray struck, there were more than two dozen U.S.-based producers. The burgeoning coconut water market reflects a similar reality.
As Sweet Life tries to claw back to some semblance of success, it faces an initial market share loss of some $10 million annually, and there is no policy that can insure that.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
While one could argue whether cyber risk is still “emerging,” it’s the new reality, and should be dealt with like any other hazard. So, let’s examine this scenario using a traditional risk management approach. Although cyber is a relatively new exposure, traditional risk management concepts apply: risk identification, assessment and mitigation.
Essentially, any organization is subject to a cyber attack, and it’s not a matter of if, but when it happens. In this case, Sweet Life had just upgraded its processing and shipping system when a data breach occurred. How the breach actually occurred is not clear, but we do know that it did cause some major damage to the industrial control system computers. Serious business interruption ensued, which had a deleterious effect on the company’s supply chain and market share.
Just how aware was Sweet Life that its IT systems were at risk? Did Anne Margate, the chief risk officer, fully understand the potential exposure? Had she and the chief information officer had any discussions about business risk impact if the systems were compromised? Today’s risk manager has to think well beyond insurance procurement. In this new digital era, the CIO becomes a new and important ally in managing risk.
Potential questions to ask:
- To what extent are your business operations tied to computers, and how reliant are you on these systems to keep your operations running? Do you have a backup plan?
- How secure is your network? How resilient are your email spam filters and malware protection devices?
- Have employees received proper network security training?
- Are measures in place to keep potential intruders from gaining access to your network—internally and externally?
Some pre-emptive actions to consider:
- Determine what information security standard applies to your industry and base your cybersecurity framework on standardized practices.
- Identify and classify data based on business criticality, as well as sensitivity/confidentiality of data.
- Identify critical assets and physical/logical network access points at your facility and determine how access is controlled. Prioritize improvement activities.
- Create and maintain a documented incident response plan and team to respond to cyber events. The plan should be part of a holistic risk management program.
- Test the plan. Tabletop simulation exercises can test the plan and identify restoration timeframes.
Multiple policies, various coverage: In terms of insurance coverage, cyber losses tend to involve multiple carriers. In this case, Sweet Life had three separate policies for cyber, crime and property. Unfortunately, how these policies would respond in the event of a cyber attack had never been fully vetted. As is the case with any insurance coverage, the time to learn about what is covered is an exercise best conducted before the loss actually occurs. If you have multiple carriers, be sure that you and your broker meet with them in advance to understand how the policies will respond and iron out any discrepancies.
Hot Hacks That Leave You Cold
Thousands of dollars lost in the blink of an eye, and systems shut down for weeks. It might sound like something out of a movie, but it’s becoming more and more of a reality thanks to modern hackers. As technology evolves and becomes more sophisticated, so does the occurrence of cyber breaches.
“The more we rely on technology, the more everything becomes interconnected,” said Jackie Lee, associate vice president, Cyber Liability at Nationwide. “We are in an age where our car is a giant computer, and we can turn on our air conditioners with our phones. Everyone holds data. It’s everywhere.”
Phishing Out Fraud
According to Lee, phishing is on the rise as one of the most common forms of cyber attacks. What used to be easy to identify as fraudulent has become harder to distinguish. Gone are the days of the emails from the Nigerian prince, which have been replaced with much more sophisticated—and tricky—techniques that could extort millions.
“A typical phishing email is much more legitimate and plausible,” Lee said. “It could be an email appearing to be from human resources at annual benefits enrollment or it could be a seemingly authentic message from the CFO asking to release an invoice.”
According to Lee, the root of phishing is behavior and analytics. “Hackers can pick out so much from a person’s behavior, whether it’s a key word in an engagement survey or certain times when they are logging onto VPN.”
On the flip side, behavior also helps determine the best course of action to prevent phishing.
“When we send an exercise email to test how associates respond to phishing, we monitor who has clicked the first round, then a second round,” she said. “We look at repeat offenders and also determine if there is one exercise that is more susceptible. Once we understand that, we can take the right steps to make sure employees are trained to be more aware and recognize a potentially fraudulent email.”
Lee stressed that phishing can affect employees at all levels.
“When the exercise is sent out, we find that 20 percent of the opens are from employees at the executive level,” she said. “It’s just as important they are taking the right steps to ensure they are practicing what they are preaching.”
Locking Down Ransomware
Another hot hacking ploy is ransomware, a type of property-related cyber attack that prevents or limits users from accessing their system unless a ransom is paid. The average ransom request for a business is around $10,000. According to the FBI, there were 2,400 ransomware complaints in 2015, resulting in total estimated losses of more than $24 million. These threats are expected to increase by 300% this year alone.
“These events are happening, and businesses aren’t reporting them,” Lee said.
In the last five years, government entities saw the largest amount of ransomware attacks. Lee added that another popular target is hospitals.
After a recent cyber attack, a hospital in Los Angeles was without its crucial computer programs until it paid the hackers $17,000 to restore its systems.
Lee said there is beginning to be more industry-wide awareness around ransomware, and many healthcare organizations are starting to buy cyber insurance and are taking steps to safeguard their electronic files.
“A hospital holds an enormous amount of data, but there is so much more at stake than just the computer systems,” Lee said. “All their medical systems are technology-based. To lose those would be catastrophic.”
And though not all situations are life-or-death, Lee does emphasize that any kind of property loss could be crippling. “On a granular scale, you look at everything from your car to your security system. All data storage points could be controlled and compromised at some point.”
The Future of Cyber Liability
According to Lee, the Cyber product, which is still in its infancy, is poised to affect every line of business. She foresees underwriting offering more expertise in crime and becoming more segmented into areas of engineering, property, and automotive to address ongoing growing concerns.
“Cyber coverage will become more than a one-dimensional product,” she said. “I see a large gap in coverage. Consistency is evolving, and as technology evolves, we are beginning to touch other lines. It’s no longer about if a breach will happen. It’s when.”
About Nationwide’s Cyber Solutions
Nationwide’s cyber liability coverage includes a service-based solution that helps mitigate losses. Whether it’s loss prevention resources, breach response and remediation expertise, or an experienced claim team, Nationwide’s comprehensive package of services will complement and enhance an organization’s cyber risk profile.
Nationwide currently offers up to $15 million in limits for Network Security, Data Privacy, Technology E&O, and First Party Business Interruption.
Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Subject to underwriting guidelines, review, and approval. Products and discounts not available to all persons in all states. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed. © 2016 Nationwide Mutual Insurance Company.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.