The Curse of the Black Adder
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
One Fine Fall Day
Aaron Scott watched with pride as his German shorthaired pointer Sadie bulled her way through the switchgrass. Sadie was six, an age when most hunting dogs started to show signs of aging. But Sadie was as heavy in the chest and shoulders as some males, and just as tough.
Then suddenly Sadie was on point, her stub of a tail twitching frenetically. Seconds later, the male bird exploded out of the brush. Aaron swung his grandfather’s over and under Remington up and dropped the bird cleanly. Aaron smiled. It didn’t get any better than this.
Then his phone rang. He had to get it. As the CFO for Pinecrest Food Markets, which had 44 stores in four states, it was part of his job to take calls, all calls.
“This is Aaron,” he said.
“Aaron, it’s Christine.” Christine was Aaron’s older sister and the CEO of the company. Aaron knew that tone in her voice. The news wasn’t good.
“We just got a letter from Spendex that they’ve been hit by malware. It looks like we may have lost credit card numbers for about 600,000 customers.”
Aaron paused and again looked at the scenery and savored the diminishing scent of spent gunpowder. He wished he could turn back the clock to one minute ago, but all that was gone.
“You there?” Christine said.
“I’m here,” Aaron said.
“Can you please get those dogs in the truck and get back to the office? We got work to do.”
Christine preferred jumping horses to bird-hunting. On a fox hunt, she could ride with anyone in the state.
Aaron loved his sister, but he also bore a scar over his right eyebrow where she’d clocked him with a rock when they were preteens.
“I’m comin’. Be there in 30,” Aaron said.
Pinecrest had been founded by Aaron’s grandfather William in an 800-square-foot shop in Johnstown, Pa. It had grown to where it had stores in eastern Ohio, its native western Pennsylvania, West Virginia and the Maryland panhandle.
Aaron and Christine ran it now. The phrase “three generations — shirt sleeves to shirt sleeves,” was how old-timers described how quickly an inherited family business could fall apart. Aaron and Christine had vowed they would prove that old saying wrong.
Back at the office, Aaron read the letter from the credit card transaction processing vendor Spendex. Spendex was reporting that as many as 26 of its regional retail customers lost credit card numbers to The Black Adder, a malware that strips names, credit card numbers and expiration dates from the magnetic stripes of credit cards.
“Now what?” said Christine.
“Well, we’ve got to tell every affected customer what happened and we need to do it soon,” Aaron said.
“How much is that going to cost?” Christine said.
“Quite a bit, but we’ve got insurance for it,” Aaron said as calmly as he could as he looked down at his iPhone and started scrolling through his contacts.
Aaron was playing possum with his cool tone. He was the family peacekeeper and he knew that his role at times like these was to keep a lid on the much more volatile Christine.
Christine exhaled, and Aaron kept his eyes on his iPhone.
Part of the Pinecrest brand came from where it was based and who founded it.
Based as it was in a state that was home to almost a million military veterans, Pinecrest aligned itself with traditional values like patriotism, community, faith and family.
There was a picture of a local veteran who had given his life in armed conflict in every Pinecrest store.
So when it came to the data breach notification, Christine Scott — in what she felt was full alignment with the brand — didn’t shrink from responsibility.
In addition to letters and emails sent to Pinecrest’s 600,000 affected customers, Christine called local news stations to broadcast news of the breach and her promises to make good. She didn’t bother to ask Aaron whether he thought that was a good idea.
“Every one of our customers will be reimbursed for their time and trouble, including a year’s worth of multi-bureau credit monitoring services,” Christine said while the TV cameras recorded her.
“Well that’s what the policy says, doesn’t it?” Christine said when Aaron told her later that she probably shouldn’t have said that on television.
The very next day, a phone call from Pinecrest’s insurance broker was the second bad call Aaron got that month.
“Multi-bureau? No. The policy will cover services from a single credit monitoring bureau,” the broker, Robert Franz, told Aaron.
As Aaron spoke with Robert, he was multitasking and monitoring his emails. He saw an email marked “urgent” from Spendex. It was about the data breach.
“Hey Robert, can I call you back in a few minutes? I’ve got something hopping here,” Aaron said.
“Sure,“ Robert said, but in a tone that implied, “What could be more important than this?”
As it turned out, the email from Spendex was plenty important.
The notice from Spendex explained that although it was obligated to inform all of its customers that there had been a breach, in reality, only 14 of its 26 retail customers had been impacted. The clincher? Pinecrest wasn’t one of them.
Aaron pushed back from his desk and ran his hands through his hair.
“What the … ?” he said as loudly as he would say anything.
“What is it?” said Christine, popping her head into his office. She knew from the volume of Aaron’s voice that it was something big.
“We didn’t lose any data. We didn’t lose any data at all,” Aaron said.
“Great,” Christine said.
“No, not great,” Aaron said. “We just told about a million people that we did.”
“Now what do we do?” Christine asked.
Aaron felt that Christine had burned him before by going on television without seeking his counsel. That experience caused him to dig in his heels with Christine over what to do next.
“Slow down, just slow down,” Aaron said when the siblings met to go over strategy.
“I don’t know that we need to come out with an announcement just yet.”
Aaron’s reaction to his sister’s outspokenness had caused him to miscalculate. A full week went by until Pinecrest announced on its website and with another email blast that its customers had, after all, not been impacted by the Black Adder strike.
The company’s pause in making that announcement was as toxic as a rattlesnake bite.
The local media reacted negatively to the company’s week-long silence. News that the company sat on the knowledge that customers hadn’t lost data made the front pages of the Johnstown Tribune-Democrat and the Wheeling News-Register.
For the first time in its history, Pinecrest was dealing with the full brunt of a hit to its reputation.
The traditional print media was one thing, and no small thing in the markets Pinecrest served. But online commentary, ungoverned by journalistic ethics, pulled no punches. Commentators ridiculed the company for banking on the military sacrifices of previous generations, when it “didn’t have the guts,” in one poster’s vernacular, to tell people the truth.
The company’s broker, Robert Franz, phoned Aaron with even more bad news.
“You’re not covered for any of your breach notification expenses, or for any credit monitoring services,” Robert told Aaron.
“Please tell me why,” Aaron said, keeping his voice low because he was just not in the mood for any spontaneous crisis communications with his older sister.
“Under your policy, you’re only covered for notification and credit monitoring if there was an actual breach,” Robert said.
“No breach, no coverage,” he said.
“So we’re out about a million dollars,” Aaron said flatly. In the regional grocery business, where margins could sometimes be measured in the low single digits, a million dollars was a very big hit.
“I’m afraid so,” Robert said.
Sales at Pinecrest Food Markets were down around 10 percent in all four states that it operated in.
“Might as well shop at Supermart,”a grizzled Korean War veteran told Channel 11 in Charles Town, West Virginia.
With the company down a million out of pocket and with revenue hamstrung, Christine Scott and the rest of the Pinecrest team had some very difficult and expensive decisions to make.
Should they sue Spendex for its shoddy forensics? And what coverage did they have for the costs of that?
Rumors began to circulate in several state capitals that class action lawsuits were being prepared on behalf of the tens of thousands of Pinecrest customers who felt they were caused needless expense and worry because of the bad information Pinecrest put out to begin with.
Grandstanding attorneys general were probably not far behind. Pinecrest was possibly facing legal action on several fronts and it was unclear whether it had the coverage to pay for its defense.
With the world seemingly against them, Christine and Aaron took a day in late November and went to their grandfather’s hunting cabin in Somerset County.
The grouse were out there, but the two of them just sat staring at the fire in the cabin’s stone fireplace, with Aaron’s two bird dogs stretched out in front of the fireplace.
Sadie looked up hopefully as Aaron got up to throw another log on the fire.
“No huntin’ today, Sadie girl. Daddy is not in the mood,” Aaron said as Christine nursed a bottle of local craft-distilled rye.
“May I have some of that, please?” Aaron asked.
“Get your own bottle,” said Christine.
A regional grocery chain gets into hot water after it loses customer financial data. Making matters worse is that the company does not have a good grasp on the language in its cyber coverage policy. The company also suffers reputational damage when it notifies customers based on bad information.
1. Know your partners: Pinecrest sees its problems go from bad to worse because the company it uses to process credit card transactions has shoddy forensics and reports data breaches for customers that in the end had no data breach.
2. Know your coverage: Pinecrest suffers needless losses because key executives don’t understand its insurance policy when it comes to services available under the coverage for data breach notification and credit monitoring.
3. Be as transparent as possible: When it comes to notifying customers of substantial issues that could impact their expenditures, getting out quickly with the best information is extremely important. Pinecrest actually has good news to report midway through this story, but sits on it due to internal friction. The good of the team must clearly win out here.
4. Create realistic expectations: Coverage existed for Pinecrest officials to put together a reasonable response when customer data was lost. But a key executive broadcast inflated statements about what Pinecrest would be able to do, creating equally inflated expectations.
5. Hold vendors accountable: Given the volatile expansion of cyber risk, it makes good sense to require vendors contractually to indemnify you if they lose your crucial customer data.
The issues covered in this scenario center around crisis management and insurance pitfalls associated with loss from a cyber breach. This follow-up webinar focused on specific loss trends and cyber exposures, as well as presented steps to take to strengthen your crisis risk management program.
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Jill Heald is a woman that loves to focus and hates distractions.
Heald paid close attention when an earthquake struck Japan in 2011 and a typhoon flooded Thailand that same year.
The press and the trade press laid out the gory details. Major companies; auto manufacturers, electronics companies and telecommunications companies were hit with supply chain losses they did not see coming. And the losses were big.
As the risk manager for Auto-Spire, an electronics manufacturer that makes integrated circuits used in the automotive industry, the Thailand and Japan losses made a deep impression on Heald. She vowed to herself that that sort of thing would never happen to her company.
Post-2011, shifts in Auto-Spire’s procurement process resulted in the company sourcing semi-conductors from an up and coming Malaysian manufacturer. Looking ahead to 2016, Heald in mid-2015 began thinking about and seeking approval for an ambitious contingent time element coverage insurance package.
“How big are we talking?” her broker asked her when she first sketched her plan in a phone call.
“Based on a brief meeting I had with Auto-Spire procurement folks, I believe a $25 million program should be sufficient, given the redundancy of our supply chain,” Heald told her broker.
“Well, we’re not going to get it all in one place,” the broker said. “Let me make some calls,” he said.
“How about we set up some face-to-face meetings with some of the underwriters?” Heald said.
“No need,” the broker said. “This is what you’re paying me for,” he said.
Unease gnawed at Heald after she hung up with the broker. It would make her feel a lot better to meet with the underwriters and some of their claims teams.
But the broker was who he was. Nobody had his contacts and he was a wizard with carrier relationships, or so everybody said.
Two days later the broker called her back.
“Okay I’ve got some ideas but we’ve got some work to do,” the broker said.
The nut was this: The CTE program that Heald was envisioning was going to require the participation of two, maybe three carriers. The way the broker presented the story, he’d been burning the midnight oil to connect with underwriters in the U.S. and Bermuda.
“So let me see if I’ve got this straight,” Heald said.
“We’ve got one U.S. carrier on the primary layer at $15 million.”
“Correct,” the broker said.
“And two carriers in the second layer at $5 million a pop. Both based in Bermuda,” Heald said.
“Again, correct,” the broker said.
They both agreed the premium prices were historically very good. The location of the semi-conductor maker was not a high flood risk. And the soft property market was another blessing.
Heald and her broker bound the coverage before Thanksgiving for the year 2016.
In April of 2016, Typhoon Lumba-Lumba, Malaysian for dolphin, strikes Malaysia as a CAT 4.
The morning after the typhoon strikes, Heald is online and on the phone trying to determine if the city where the Auto-Spire semi-conductor supplier is located was heavily damaged in the storm.
The good news is that it did not appear to be. The bad news comes within days when deliveries of semi-conductors from Malaysia to Auto-Spire’s U.S. factories slow to a crawl.
“Do we know what’s going on?” Heald said to an Auto-Spire executive in procurement at the end of the week.
“The communication there is horrible Jill,” the procurement executive said. “I wish I could tell you more, but right now I have next to nothing.”
“How could you have next to nothing?” Heald said to no one after she hung up with procurement. “It’s your job.”
Using her broker’s more robust international contacts, Heald pushes hard and gets some information. It’s just that the information she gets is not comforting.
The information is sketchy but it appears that several suppliers to the semi-conductor maker were knocked out by the typhoon.
Facing millions in lost sales, Heald and her broker file a claim on their CTE coverage for $20 million.
Heald is immediately descended upon by underwriters for the three carriers. The underwriters are demanding answers to a number of questions.
“We see there is no claims handling agreement associated with this program. Who’s the adjuster of record?” an underwriter for the U.S.-based carrier on the primary layer asked Heald.
“Adjuster of record? I’ve never heard of the phrase,” Jill Heald said.
With no claims handling agreement in place between Auto-Spire and the carriers on the CTE program, Heald spends weeks responding to the various carriers’ document requests.
Three weeks after the storm struck, Heald’s broker calls her with his version of good news.
“Hey, I talked to Ajax Ltd., they’re going to cut you a check for $1 million as an advance while these CTE claims get sorted out,” the broker said.
With semi-conductor shipments from Malaysia at a trickle, Heald takes little solace in this.
“Really? I guess I’ll take it,” Heald says. But the truth is that she’s worn down to a nub in all the back and forth between the carriers.
The lack of a claims handling agreement has translated into weeks of delays in getting claims information filed and adjusted. Each carrier has a different process for adjusting the claim.
All three carriers use the services of outside forensic accountants. Unfortunately, each carrier uses a different accounting firm.
There are also different terms and conditions between the different policies. Whether there could be coverage gaps created by those differing terms and conditions is an ongoing source of stress for Heald.
“There’s got to be a better way to do this,” she told her broker on the phone one day. “We should have had transparency into this ahead of time.”
“Look Jill, I’ve been doing this a long time,” the broker said.
“I don’t care how long you’ve been doing it. You and I could have done it better,” Heald shot back.
And one million is looking like a drop in the bucket next to lost sales to the automakers that are starting to reach into the tens of millions.
It’s now six weeks after the storm hit and the Malaysian supplier is still not fully back up to speed.
A Hellish Grind
The typhoon that struck Malaysia and clipped Auto-Spire’s supply chain resulted in $45 million in lost sales.
Heald heaps the blame on herself, even though this is an organizational failure. Heald was led to believe that $25 million of CTE was sufficient but Auto-Spire’s dependence on third party suppliers was increased due to the recent shift in its procurement process.
It wasn’t that the carriers on the program didn’t pay the claim, they eventually did. But the delays caused by the lack of a claims handling agreement created serious tension between Heald and the Auto-Spire C-suites. Not to mention cash flow problems on top of the lost sales due to the crimp in Auto-Spire’s supply chain.
“A promise to pay is a promise to pay…. in a timely manner,” her CFO thundered at her when she broke the news to him that due to delays in adjusting the Malaysia claims the carriers still hadn’t cut Auto-Spire checks.
“They are going to pay Jim, it’s just that the claims process got extended more than we would like,” Heald told him.
“It’s not the carriers’ fault,” she added.
“How do you mean?” he said.
“It’s my fault actually,” Heald said.
“I should have had a pre-loss claims handling agreement in place. That would have streamlined the process much more and given all parties a clearer picture of the claims handling process.
“But you didn’t do that,” the CFO said.
“No, I didn’t,” Heald said.
“What about your broker, shouldn’t he have put something like this in place?”
“I don’t want to blame him either. The fact is that we didn’t do it,” Heald said.
“So how much time do you think that cost us, in terms of getting paid,” the CFO said.
“Hard to say,” Heald said. “Six weeks minimum,” she added.
“Do you know what it costs to borrow $20 million for six weeks?” the CFO said.
“Not off of the top of my head,” Heald said.
“A lot,” the CFO said. “A lot.”
It is also clear to Heald that she needs to develop a better channel of communication with the procurement group so that she can be in a better position to procure adequate insurance for the needs created by Auto-Spire’s supply chain.
She thought she was doing the right thing in putting together a substantial CTE program. Now it all feels like a cruel joke.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
What to Do Before a Loss
In most cases, you’ll receive no warning before disaster strikes. If you experience a sizable loss, the loss itself may be your smallest issue. You might also be worried about injuries, deaths, lost market share, revenue stream, notifying shareholders or something else.
When a loss happens, it is similar to the start of a professional sports game. It is a culmination of all the practice leading up to the game, only the practice is the pre-loss planning. That’s why pre-loss planning is so important. Before a loss occurs, work with your broker and/or insurer(s) to develop a plan for loss management that is carefully tailored to meet your unique needs.
The following is a list of the key information your loss management plan should cover:
- procedures and guidelines for handling loss, including a clear delineation of who will report the loss to your insurance partner(s).
- a detailed list of names and contact information of members of your emergency response team
- key contacts at your subsidiaries and remote offices
- contingency arrangements with emergency services and critical suppliers
- tailored loss-handling and claims cooperation agreements with other program participants
- global coordination requirements
- assignment of emergency duties for local plant personnel, your corporate insurance department, your broker and others
- a designated liaison to work with the adjuster
Without pre-loss planning, there can be fear of the unknown. However, with pre-loss planning it can be reassuring to know that you just have to pick up the phone and make only one call when a loss occurs, know who is coming to your site and know how your insurer will respond.
Many emotions come with an actual loss. Pre-loss planning can provide you that much needed level of confidence when you need it most in your job.
Managing Construction’s True Risk Exposure
When it comes to the construction industry, the path to success is never easy.
After a long, deep recession of historic proportions, the sector is finally on the mend. But as opportunities to win new projects grow, experience shows that more contractors go out of business during a recovery than during a recession.
Skilled labor shortages, legal rulings in various states that push construction defects onto general liability policies, and New York state’s labor laws that assign full liability to project owners and contractors for falls from elevations that injure workers are just some of the established issues that are making it ever harder for firms to succeed.
And now, there are new emerging risks, such as the potential for more expensive capital, should the Federal Reserve increase its rates. This would tighten already stressed margins, perhaps making it harder for contractors and project owners to invest in safety and quality assurance, and raising the cost of treating injured workers.
Liberty Mutual’s Doug Cauti reviews the top three risks facing contractors and project owners.
“Our customers are very clear about the challenges they are facing in the market,” said Doug Cauti, the Boston-based chief underwriting officer for Liberty Mutual’s construction practice.
“Now more than ever, construction risk buyers – and the brokers who serve them – are leveraging our team’s deep expertise to find solutions for complicated risks. This goes way beyond what many consider the traditional role of an insurance carrier.”
Other leading risks facing contractors and project owners.
Given the current risk environment, firms that simply seek out the cheapest coverage could leave themselves exposed to these emerging risks. And that could result in them becoming just another failed statistic.
So what is the best way to approach your risk management program?
Understanding the Emerging Picture
Construction firms have been dealing with multiple challenges over the last several years. Now, several new emerging risks could further complicate the business.
After an extended period of historically low interest rates, the Federal Reserve is indicating that rates could rise in late 2015 or sometime in 2016. That would surely impact construction firms’ cost of capital.
“At the end of the day, an increased cost of capital is going to impact many construction firm’s margins, which are already thin,” Cauti said.
“The trickle-down effect is that less money may be available for other operational activities, including safety and quality programs. Firms may need to underbid and/or place low bids just to get jobs and keep the cash flow going,” Cauti said.
“Now more than ever, construction risk buyers – and the brokers who serve them – are leveraging our team’s deep expertise to find solutions for complicated risks.”
— Doug Cauti, Chief Underwriting Officer, Liberty Mutual National Insurance Specialty Construction
“Experience shows us that shortcuts in safety and quality often lead to more construction defect claims, general liability claims and workers’ compensation claims,” Cauti said.
Currently, the frequency of worker injuries is down on a national basis but the severity of injuries is on the rise. If those frequencies start creeping up due to less robust safety programs, the costs could grow fast.
And if this possible trend is not cause enough for concern, the growing costs associated with medical care should have the attention of all risk managers.
“Five years ago medical costs represented 56 percent of a claim,” said Jack Probolus, a Boston-based manager of construction risk financing programs for Liberty Mutual.
“By 2020, that medical cost will likely grow to 76 percent of an injured worker’s claim, according to industry experts,” Probolus said.
Rising interest rates and rising medical costs could form a perfect storm.
Focusing on the Total Cost of Risk
For risk managers, the approach they utilize to mitigate the myriad of existing and emerging risks is more important than ever. The ideal insurance partner will be one that can integrate claims management, quality assurance and loss control solutions to better manage the total cost of construction risk, and do it for the long term.
Liberty Mutual’s Doug Cauti reviews the partnership between buyers, brokers and insureds that helps better manage the total cost of insurance.
In the case of rising medical costs, that means using claims management tools and workflows that help eliminate the runaway expense of things such as duplicate billings, inappropriate prescriptions for powerful painkillers, and over-utilization of costly medical procedures.
“We’re committed to making sure that the client isn’t burdened in unnecessary costs, while working to ensure that injured employees return to productive lives in the best possible health,” Probolus said.
The right partner will also have the construction industry expertise and the willingness to work with a project owner or contractor from the very beginning of a project. That enables them to analyze risk on the front end and devise the best risk management program for the project or contractor, thereby protecting the policyholder’s vulnerable margins.
“We want to be there from the very beginning,” Liberty Mutual’s Cauti said.
“This isn’t merely a transaction with us,” he added. “It’s a partnership that extends for years, from binding coverage, through the life of the project and deeper as claims come in and are resolved over time,” he said.
In other words, it’s a relationship focused on value.
Today’s construction insurance market – with an abundance of capacity – can lead to new carriers entering the market and/or insurers seeking to gain market share by underpricing policies.
“We see it all the time,” Liberty Mutual’s Cauti said.
Where does this leave insureds? Frustrated at pricing instability, or by the need to find a new carrier. And wiser, having learned the wisdom of focusing on value, that is the ability to better control the total cost of risk.
“Premium is always important,” notes Liberty Mutual’s Cauti. “But smart buyers also understand the importance of value, the ability of an insurer to partner with a buyer and their broker to develop a custom blend of coverages and services that better protect a project’s or contractor’s bottom line and reputation. This is the approach our dedicated construction practice takes.
Why Liberty Mutual?
For more information on how Liberty Mutual Insurance can help assess your construction risk exposure, contact your broker or Doug Cauti at [email protected].
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.