The Curse of the Black Adder
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
One Fine Fall Day
Aaron Scott watched with pride as his German shorthaired pointer Sadie bulled her way through the switchgrass. Sadie was six, an age when most hunting dogs started to show signs of aging. But Sadie was as heavy in the chest and shoulders as some males, and just as tough.
Then suddenly Sadie was on point, her stub of a tail twitching frenetically. Seconds later, the male bird exploded out of the brush. Aaron swung his grandfather’s over and under Remington up and dropped the bird cleanly. Aaron smiled. It didn’t get any better than this.
Then his phone rang. He had to get it. As the CFO for Pinecrest Food Markets, which had 44 stores in four states, it was part of his job to take calls, all calls.
“This is Aaron,” he said.
“Aaron, it’s Christine.” Christine was Aaron’s older sister and the CEO of the company. Aaron knew that tone in her voice. The news wasn’t good.
“We just got a letter from Spendex that they’ve been hit by malware. It looks like we may have lost credit card numbers for about 600,000 customers.”
Aaron paused and again looked at the scenery and savored the diminishing scent of spent gunpowder. He wished he could turn back the clock to one minute ago, but all that was gone.
“You there?” Christine said.
“I’m here,” Aaron said.
“Can you please get those dogs in the truck and get back to the office? We got work to do.”
Christine preferred jumping horses to bird-hunting. On a fox hunt, she could ride with anyone in the state.
Aaron loved his sister, but he also bore a scar over his right eyebrow where she’d clocked him with a rock when they were preteens.
“I’m comin’. Be there in 30,” Aaron said.
Pinecrest had been founded by Aaron’s grandfather William in an 800-square-foot shop in Johnstown, Pa. It had grown to where it had stores in eastern Ohio, its native western Pennsylvania, West Virginia and the Maryland panhandle.
Aaron and Christine ran it now. The phrase “three generations — shirt sleeves to shirt sleeves,” was how old-timers described how quickly an inherited family business could fall apart. Aaron and Christine had vowed they would prove that old saying wrong.
Back at the office, Aaron read the letter from the credit card transaction processing vendor Spendex. Spendex was reporting that as many as 26 of its regional retail customers lost credit card numbers to The Black Adder, a malware that strips names, credit card numbers and expiration dates from the magnetic stripes of credit cards.
“Now what?” said Christine.
“Well, we’ve got to tell every affected customer what happened and we need to do it soon,” Aaron said.
“How much is that going to cost?” Christine said.
“Quite a bit, but we’ve got insurance for it,” Aaron said as calmly as he could as he looked down at his iPhone and started scrolling through his contacts.
Aaron was playing possum with his cool tone. He was the family peacekeeper and he knew that his role at times like these was to keep a lid on the much more volatile Christine.
Christine exhaled, and Aaron kept his eyes on his iPhone.
Part of the Pinecrest brand came from where it was based and who founded it.
Based as it was in a state that was home to almost a million military veterans, Pinecrest aligned itself with traditional values like patriotism, community, faith and family.
There was a picture of a local veteran who had given his life in armed conflict in every Pinecrest store.
So when it came to the data breach notification, Christine Scott — in what she felt was full alignment with the brand — didn’t shrink from responsibility.
In addition to letters and emails sent to Pinecrest’s 600,000 affected customers, Christine called local news stations to broadcast news of the breach and her promises to make good. She didn’t bother to ask Aaron whether he thought that was a good idea.
“Every one of our customers will be reimbursed for their time and trouble, including a year’s worth of multi-bureau credit monitoring services,” Christine said while the TV cameras recorded her.
“Well that’s what the policy says, doesn’t it?” Christine said when Aaron told her later that she probably shouldn’t have said that on television.
The very next day, a phone call from Pinecrest’s insurance broker was the second bad call Aaron got that month.
“Multi-bureau? No. The policy will cover services from a single credit monitoring bureau,” the broker, Robert Franz, told Aaron.
As Aaron spoke with Robert, he was multitasking and monitoring his emails. He saw an email marked “urgent” from Spendex. It was about the data breach.
“Hey Robert, can I call you back in a few minutes? I’ve got something hopping here,” Aaron said.
“Sure,” Robert said, but in a tone that implied, “What could be more important than this?”
As it turned out, the email from Spendex was plenty important.
The notice from Spendex explained that although it was obligated to inform all of its customers that there had been a breach, in reality, only 14 of its 26 retail customers had been impacted. The clincher? Pinecrest wasn’t one of them.
Aaron pushed back from his desk and ran his hands through his hair.
“What the … ?” he said as loudly as he would say anything.
“What is it?” said Christine, popping her head into his office. She knew from the volume of Aaron’s voice that it was something big.
“We didn’t lose any data. We didn’t lose any data at all,” Aaron said.
“Great,” Christine said.
“No, not great,” Aaron said. “We just told about a million people that we did.”
“Now what do we do?” Christine asked.
Aaron felt that Christine had burned him before by going on television without seeking his counsel. That experience caused him to dig in his heels with Christine over what to do next.
“Slow down, just slow down,” Aaron said when the siblings met to go over strategy.
“I don’t know that we need to come out with an announcement just yet.”
Aaron’s reaction to his sister’s outspokenness had caused him to miscalculate. A full week went by until Pinecrest announced on its website and with another email blast that its customers had, after all, not been impacted by the Black Adder strike.
The company’s pause in making that announcement was as toxic as a rattlesnake bite.
The local media reacted negatively to the company’s week-long silence. News that the company sat on the knowledge that customers hadn’t lost data made the front pages of the Johnstown Tribune-Democrat and the Wheeling News-Register.
For the first time in its history, Pinecrest was dealing with the full brunt of a hit to its reputation.
The traditional print media was one thing, and no small thing in the markets Pinecrest served. But online commentary, ungoverned by journalistic ethics, pulled no punches. Commentators ridiculed the company for banking on the military sacrifices of previous generations, when it “didn’t have the guts,” in one poster’s vernacular, to tell people the truth.
The company’s broker, Robert Franz, phoned Aaron with even more bad news.
“You’re not covered for any of your breach notification expenses, or for any credit monitoring services,” Robert told Aaron.
“Please tell me why,” Aaron said, keeping his voice low because he was just not in the mood for any spontaneous crisis communications with his older sister.
“Under your policy, you’re only covered for notification and credit monitoring if there was an actual breach,” Robert said.
“No breach, no coverage,” he said.
“So we’re out about a million dollars,” Aaron said flatly. In the regional grocery business, where margins could sometimes be measured in the low single digits, a million dollars was a very big hit.
“I’m afraid so,” Robert said.
Sales at Pinecrest Food Markets were down around 10 percent in all four states that it operated in.
“Might as well shop at Supermart,” a grizzled Korean War veteran told Channel 11 in Charles Town, West Virginia.
With the company down a million out of pocket and with revenue hamstrung, Christine Scott and the rest of the Pinecrest team had some very difficult and expensive decisions to make.
Should they sue Spendex for its shoddy forensics? And what coverage did they have for the costs of that?
Rumors began to circulate in several state capitals that class action lawsuits were being prepared on behalf of the tens of thousands of Pinecrest customers who felt they were caused needless expense and worry because of the bad information Pinecrest put out to begin with.
Grandstanding attorneys general were probably not far behind. Pinecrest was possibly facing legal action on several fronts and it was unclear whether it had the coverage to pay for its defense.
With the world seemingly against them, Christine and Aaron took a day in late November and went to their grandfather’s hunting cabin in Somerset County.
The grouse were out there, but the two of them just sat staring at the fire in the cabin’s stone fireplace, with Aaron’s two bird dogs stretched out in front of the fireplace.
Sadie looked up hopefully as Aaron got up to throw another log on the fire.
“No huntin’ today, Sadie girl. Daddy is not in the mood,” Aaron said as Christine nursed a bottle of local craft-distilled rye.
“May I have some of that, please?” Aaron asked.
“Get your own bottle,” said Christine.
A regional grocery chain gets into hot water after it loses customer financial data. Making matters worse is that the company does not have a good grasp on the language in its cyber coverage policy. The company also suffers reputational damage when it notifies customers based on bad information.
1. Know your partners: Pinecrest sees its problems go from bad to worse because the company it uses to process credit card transactions has shoddy forensics and reports data breaches for customers that in the end had no data breach.
2. Know your coverage: Pinecrest suffers needless losses because key executives don’t understand its insurance policy when it comes to services available under the coverage for data breach notification and credit monitoring.
3. Be as transparent as possible: When it comes to notifying customers of substantial issues that could impact their expenditures, getting out quickly with the best information is extremely important. Pinecrest actually has good news to report midway through this story, but sits on it due to internal friction. The good of the team must clearly win out here.
4. Create realistic expectations: Coverage existed for Pinecrest officials to put together a reasonable response when customer data was lost. But a key executive broadcast inflated statements about what Pinecrest would be able to do, creating equally inflated expectations.
5. Hold vendors accountable: Given the volatile expansion of cyber risk, it makes good sense to require vendors contractually to indemnify you if they lose your crucial customer data.
The issues covered in this scenario center around crisis management and insurance pitfalls associated with loss from a cyber breach. This follow-up webinar focused on specific loss trends and cyber exposures, as well as presented steps to take to strengthen your crisis risk management program.
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Jill Heald is a woman who loves to focus and hates distractions.
Heald paid close attention when an earthquake struck Japan in 2011 and a typhoon flooded Thailand that same year.
The press and the trade press laid out the gory details. Major companies, including auto manufacturers, electronics companies and telecommunications companies, were hit with supply chain losses they did not see coming. And the losses were big.
As the risk manager for Auto-Spire, an electronics manufacturer that makes integrated circuits used in the automotive industry, the Thailand and Japan losses made a deep impression on Heald. She vowed to herself that that sort of thing would never happen to her company.
Post-2011, shifts in Auto-Spire’s procurement process resulted in the company sourcing semi-conductors from an up and coming Malaysian manufacturer. Looking ahead to 2016, Heald in mid-2015 began thinking about and seeking approval for an ambitious contingent time element coverage insurance package.
“How big are we talking?” her broker asked her when she first sketched her plan in a phone call.
“Based on a brief meeting I had with Auto-Spire procurement folks, I believe a $25 million program should be sufficient, given the redundancy of our supply chain,” Heald told her broker.
“Well, we’re not going to get it all in one place,” the broker said. “Let me make some calls,” he said.
“How about we set up some face-to-face meetings with some of the underwriters?” Heald said.
“No need,” the broker said. “This is what you’re paying me for,” he said.
Unease gnawed at Heald after she hung up with the broker. It would make her feel a lot better to meet with the underwriters and some of their claims teams.
But the broker was who he was. Nobody had his contacts and he was a wizard with carrier relationships, or so everybody said.
Two days later the broker called her back.
“Okay I’ve got some ideas but we’ve got some work to do,” the broker said.
The nut was this: The CTE program that Heald was envisioning was going to require the participation of two, maybe three carriers. The way the broker presented the story, he’d been burning the midnight oil to connect with underwriters in the U.S. and Bermuda.
“So let me see if I’ve got this straight,” Heald said.
“We’ve got one U.S. carrier on the primary layer at $15 million.”
“Correct,” the broker said.
“And two carriers in the second layer at $5 million a pop. Both based in Bermuda,” Heald said.
“Again, correct,” the broker said.
They both agreed the premium prices were historically very good. The location of the semi-conductor maker was not a high flood risk. And the soft property market was another blessing.
Heald and her broker bound the coverage before Thanksgiving for the year 2016.
In April of 2016, Typhoon Lumba-Lumba, Malaysian for dolphin, strikes Malaysia as a CAT 4.
The morning after the typhoon strikes, Heald is online and on the phone trying to determine if the city where the Auto-Spire semi-conductor supplier is located was heavily damaged in the storm.
The good news is that it did not appear to be. The bad news comes within days when deliveries of semi-conductors from Malaysia to Auto-Spire’s U.S. factories slow to a crawl.
“Do we know what’s going on?” Heald said to an Auto-Spire executive in procurement at the end of the week.
“The communication there is horrible, Jill,” the procurement executive said. “I wish I could tell you more, but right now I have next to nothing.”
“How could you have next to nothing?” Heald said to no one after she hung up with procurement. “It’s your job.”
Using her broker’s more robust international contacts, Heald pushes hard and gets some information. It’s just that the information she gets is not comforting.
The information is sketchy but it appears that several suppliers to the semi-conductor maker were knocked out by the typhoon.
Facing millions in lost sales, Heald and her broker file a claim on their CTE coverage for $20 million.
Heald is immediately descended upon by underwriters for the three carriers. The underwriters are demanding answers to a number of questions.
“We see there is no claims handling agreement associated with this program. Who’s the adjuster of record?” an underwriter for the U.S.-based carrier on the primary layer asked Heald.
“Adjuster of record? I’ve never heard of the phrase,” Jill Heald said.
With no claims handling agreement in place between Auto-Spire and the carriers on the CTE program, Heald spends weeks responding to the various carriers’ document requests.
Three weeks after the storm struck, Heald’s broker calls her with his version of good news.
“Hey, I talked to Ajax Ltd., they’re going to cut you a check for $1 million as an advance while these CTE claims get sorted out,” the broker said.
With semi-conductor shipments from Malaysia at a trickle, Heald takes little solace in this.
“Really? I guess I’ll take it,” Heald says. But the truth is that she’s worn down to a nub in all the back and forth between the carriers.
The lack of a claims handling agreement has translated into weeks of delays in getting claims information filed and adjusted. Each carrier has a different process for adjusting the claim.
All three carriers use the services of outside forensic accountants. Unfortunately, each carrier uses a different accounting firm.
There are also different terms and conditions between the different policies. Whether there could be coverage gaps created by those differing terms and conditions is an ongoing source of stress for Heald.
“There’s got to be a better way to do this,” she told her broker on the phone one day. “We should have had transparency into this ahead of time.”
“Look Jill, I’ve been doing this a long time,” the broker said.
“I don’t care how long you’ve been doing it. You and I could have done it better,” Heald shot back.
And one million is looking like a drop in the bucket next to lost sales to the automakers that are starting to reach into the tens of millions.
It’s now six weeks after the storm hit and the Malaysian supplier is still not fully back up to speed.
A Hellish Grind
The typhoon that struck Malaysia and clipped Auto-Spire’s supply chain resulted in $45 million in lost sales.
Heald heaps the blame on herself, even though this is an organizational failure. Heald was led to believe that $25 million of CTE was sufficient but Auto-Spire’s dependence on third party suppliers was increased due to the recent shift in its procurement process.
It wasn’t that the carriers on the program didn’t pay the claim, they eventually did. But the delays caused by the lack of a claims handling agreement created serious tension between Heald and the Auto-Spire C-suites. Not to mention cash flow problems on top of the lost sales due to the crimp in Auto-Spire’s supply chain.
“A promise to pay is a promise to pay … in a timely manner,” her CFO thundered at her when she broke the news to him that, due to delays in adjusting the Malaysia claims, the carriers still hadn’t cut Auto-Spire checks.
“They are going to pay Jim, it’s just that the claims process got extended more than we would like,” Heald told him.
“It’s not the carriers’ fault,” she added.
“How do you mean?” he said.
“It’s my fault actually,” Heald said.
“I should have had a pre-loss claims handling agreement in place. That would have streamlined the process much more and given all parties a clearer picture of the claims handling process.”
“But you didn’t do that,” the CFO said.
“No, I didn’t,” Heald said.
“What about your broker, shouldn’t he have put something like this in place?”
“I don’t want to blame him either. The fact is that we didn’t do it,” Heald said.
“So how much time do you think that cost us, in terms of getting paid,” the CFO said.
“Hard to say,” Heald said. “Six weeks minimum,” she added.
“Do you know what it costs to borrow $20 million for six weeks?” the CFO said.
“Not off of the top of my head,” Heald said.
“A lot,” the CFO said. “A lot.”
It is also clear to Heald that she needs to develop a better channel of communication with the procurement group so that she can be in a better position to procure adequate insurance for the needs created by Auto-Spire’s supply chain.
She thought she was doing the right thing in putting together a substantial CTE program. Now it all feels like a cruel joke.
Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
What to Do Before a Loss
In most cases, you’ll receive no warning before disaster strikes. If you experience a sizable loss, the loss itself may be your smallest issue. You might also be worried about injuries, deaths, lost market share, revenue stream, notifying shareholders or something else.
When a loss happens, it is similar to the start of a professional sports game. It is a culmination of all the practice leading up to the game, only the practice is the pre-loss planning. That’s why pre-loss planning is so important. Before a loss occurs, work with your broker and/or insurer(s) to develop a plan for loss management that is carefully tailored to meet your unique needs.
The following is a list of the key information your loss management plan should cover:
- procedures and guidelines for handling loss, including a clear delineation of who will report the loss to your insurance partner(s)
- a detailed list of names and contact information of members of your emergency response team
- key contacts at your subsidiaries and remote offices
- contingency arrangements with emergency services and critical suppliers
- tailored loss-handling and claims cooperation agreements with other program participants
- global coordination requirements
- assignment of emergency duties for local plant personnel, your corporate insurance department, your broker and others
- a designated liaison to work with the adjuster
Without pre-loss planning, there can be fear of the unknown. However, with pre-loss planning it can be reassuring to know that you just have to pick up the phone and make only one call when a loss occurs, know who is coming to your site and know how your insurer will respond.
Many emotions come with an actual loss. Pre-loss planning can provide you that much needed level of confidence when you need it most in your job.
The Doctor as Partner
Professionals helping employees return to work after being on disability or a leave of absence face many challenges. After all, there is a personal story behind each case and each case is unique.
In the end, the best outcome is an employee who returns to the job healthy and feeling well taken care of, while at the same time managing the associated claim costs.
While many carriers and claims managers work toward these goals, in the end they often tend to focus on minimizing costs by aggressively managing claims to get the worker back on the job, or they “fast track” claims, approving everything and paying little attention to case management.
Aggressively managed claims can leave many employees and their doctors feeling defensive and ill-at-ease, creating an adversarial relationship that ultimately hinders return to work and results in higher direct and indirect employee benefit costs for the employer. Fast track or non-managed claims can lead to increased durations, costs and workforce productivity issues for employers.
Is it possible to provide a positive employee benefit experience while at the same time effectively managing disability and lowering an employer’s overall benefit costs?
A Unique Approach
Liberty Mutual Insurance’s approach to managing disability and absence management focuses on building consensus among all stakeholders – the disabled employee, treating physician, employer and insurer. And a key component of this process is a large team of consulting physician specialists, leading practitioners from a variety of specialties, highly regarded experts affiliated with leading medical universities across the country.
“About 16 years ago, our national medical director, Dr. Ed Crouch, proposed that if we worked with a core group of external consulting medical specialists – rather than sending most claims for Independent Medical Evaluations – we could do a better job making disabled employees and their attending physicians comfortable, and therefore true partners in producing better disability management outcomes and employee benefit experiences,” said Tim Kastrinelis, senior vice president, Distribution Partnerships at Liberty Mutual Benefits.
“In this way, our consulting physician and the attending physician are able to work with the disability case manager, the employee and the employer to deliver a coordinated, collaborative approach that facilitates a productive lifestyle and return to work.”
Dr. Crouch’s initiative has produced positive results for the clients of Liberty Mutual Insurance. This consensus building approach to managing disability with consulting physician expertise has helped achieve industry leading client retention results over the past decade. In fact, 96 percent of Liberty Mutual’s group disability and group life clients renew their programs.
A Collaborative Approach
In the case of complex disability medical health situations, Liberty Mutual’s disability case managers play a vital role in seeking additional expertise—an area where the industry’s standard has been to outsource the claimant for independent medical examinations.
However, Liberty Mutual empowers its disability case managers with the ultimate responsibility for the outcome of each claim. The claimant and the case manager stay together throughout the life of the claim. This relationship is the foundation for a collaborative approach that delivers a better employee benefit experience and enables the claimant to return to work sooner, which more effectively controls total disability claim and absence costs.
Sending a disabled employee with complex medical needs to an external specialist may sound like a cost-effective path, but it often comes at the cost of sacrificing the relationship and trust built between the employee and case manager. The disabled employee must explain their medical history to a new clinician, which he or she is often reluctant to do. The attending physician may be uncooperative as this move can appear to question his or her treatment plan for the employee.
As a result, the entire claims process takes on an adversarial atmosphere, building major roadblocks to the ultimate goal of helping the claimant return to a productive lifestyle.
Liberty Mutual takes a different approach. Nearly 100 physicians representing more than 30 medical specialties are available to consult with its medical and claims professionals, working side-by-side with case managers.
More than 95 percent of these consulting physicians are in active practice, and therefore up-to-date on the latest clinical best practices, treatment guidelines, therapies, medications, and programs. Most of these physicians are affiliated with leading medical universities across the country. “We recruit specialists from around the country, getting the best from such prestigious institutions as Harvard, Yale, and Duke,” said Kastrinelis.
These highly-credentialed physicians help case managers focus on providing the support needed for the disabled employee to successfully return to work as quickly as appropriate. Their collaborative work with the attending physicians provides the behind-the-scenes foundation that leads to a positive claimant experience, results in a better outcome for the claimant, and more effectively reduces total claim costs.
Coordinated Care Plan
When one of these consulting physicians reaches out to an attending physician, there’s an immediate degree of respect and high regard for his or her opinion. This helps pave the way to working together in the best interest of the employee, improving treatment plans and return to work results.
In this process, the claimant is not sent to yet another doctor; instead, the consulting specialist works with the attending physician to help fill in the gaps of knowledge or provide information that only a specialist would have. Although not an opportunity to direct care, these peer-to-peer discussions can help optimize care with the goal of helping the employee return to work.
The attending physician may have no knowledge of the challenges the employee faces in order to return to work. A return to work plan created in concert with the specialist, disability case manager, employer, and attending physician can set expectations and provide the framework for a proactive and effective return to a productive lifestyle.
“Our consulting physicians bring sophisticated medical expertise to the discussion, and help build consensus around a return-to-work plan, helping us more effectively impact a claim’s outcome and costs, and at the same time provide a better claimant experience,” said Kastrinelis.
“We can work more collaboratively with the attending physician, manage expectations, and shepherd the employee through the process much more effectively and in a much more high-touch, caring, and compassionate manner. Overall, we’re able to produce better outcomes as a result of this consensus building approach.”
“Our approach – including the use of consulting medical experts – helped us significantly reduce disability costs over two years for one large health service company,” notes Kastrinelis. “We cut average short-term disability claim durations by 4.2 days in that time, while increasing employee satisfaction with our unique disability management model and collaborative, partnership approach.”
“By getting all stakeholders on the same page and investing heavily in consulting physician specialists, we have been able to lower claim costs and shortened claim duration for our group disability policyholders,” said Kastrinelis.
“Plus, we, the employee, and the employer also get the bonus of creating a better employee benefit experience. This model has shaped our disability and absence management program to more aptly reflect our core mission of helping people live safer, more secure lives. In the end, it’s a win-win for all.”
Tim Kastrinelis can be reached at email@example.com. More information on Liberty Mutual’s group disability and absence management offerings can be seen at https://www.libertymutualgroup.com/business-insurance/business-insurance-coverages/employee-benefits.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.