The Curse of the Black Adder
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
One Fine Fall Day
Aaron Scott watched with pride as his German shorthaired pointer Sadie bulled her way through the switchgrass. Sadie was six, an age when most hunting dogs started to show signs of aging. But Sadie was as heavy in the chest and shoulders as some males, and just as tough.
Then suddenly Sadie was on point, her stub of a tail twitching frenetically. Seconds later, the male bird exploded out of the brush. Aaron swung his grandfather’s over and under Remington up and dropped the bird cleanly. Aaron smiled. It didn’t get any better than this.
Then his phone rang. He had to get it. As the CFO for Pinecrest Food Markets, which had 44 stores in four states, it was part of his job to take calls, all calls.
“This is Aaron,” he said.
“Aaron, it’s Christine.” Christine was Aaron’s older sister and the CEO of the company. Aaron knew that tone in her voice. The news wasn’t good.
“We just got a letter from Spendex that they’ve been hit by malware. It looks like we may have lost credit card numbers for about 600,000 customers.”
Aaron paused and again looked at the scenery and savored the diminishing scent of spent gunpowder. He wished he could turn back the clock to one minute ago, but all that was gone.
“You there?” Christine said.
“I’m here,” Aaron said.
“Can you please get those dogs in the truck and get back to the office? We got work to do.”
Christine preferred jumping horses to bird-hunting. On a fox hunt, she could ride with anyone in the state.
Aaron loved his sister, but he also bore a scar over his right eyebrow where she’d clocked him with a rock when they were preteens.
“I’m comin’. Be there in 30,” Aaron said.
Pinecrest had been founded by Aaron’s grandfather William in an 800-square-foot shop in Johnstown, Pa. It had grown to where it had stores in eastern Ohio, its native western Pennsylvania, West Virginia and the Maryland panhandle.
Aaron and Christine ran it now. The phrase “three generations — shirt sleeves to shirt sleeves,” was how old-timers described how quickly an inherited family business could fall apart. Aaron and Christine had vowed they would prove that old saying wrong.
Back at the office, Aaron read the letter from the credit card transaction processing vendor Spendex. Spendex was reporting that as many as 26 of its regional retail customers lost credit card numbers to The Black Adder, a malware that strips names, credit card numbers and expiration dates from the magnetic stripes of credit cards.
“Now what?” said Christine.
“Well, we’ve got to tell every affected customer what happened and we need to do it soon,” Aaron said.
“How much is that going to cost?” Christine said.
“Quite a bit, but we’ve got insurance for it,” Aaron said as calmly as he could as he looked down at his iPhone and started scrolling through his contacts.
Aaron was playing possum with his cool tone. He was the family peacekeeper and he knew that his role at times like these was to keep a lid on the much more volatile Christine.
Christine exhaled, and Aaron kept his eyes on his iPhone.
Part of the Pinecrest brand came from where it was based and who founded it.
Based as it was in a state that was home to almost a million military veterans, Pinecrest aligned itself with traditional values like patriotism, community, faith and family.
There was a picture of a local veteran who had given his life in armed conflict in every Pinecrest store.
So when it came to the data breach notification, Christine Scott — in what she felt was full alignment with the brand — didn’t shrink from responsibility.
In addition to letters and emails sent to Pinecrest’s 600,000 affected customers, Christine called local news stations to broadcast news of the breach and her promises to make good. She didn’t bother to ask Aaron whether he thought that was a good idea.
“Every one of our customers will be reimbursed for their time and trouble, including a year’s worth of multi-bureau credit monitoring services,” Christine said while the TV cameras recorded her.
“Well that’s what the policy says, doesn’t it?” Christine said when Aaron told her later that she probably shouldn’t have said that on television.
The very next day, a phone call from Pinecrest’s insurance broker was the second bad call Aaron got that month.
“Multi-bureau? No. The policy will cover services from a single credit monitoring bureau,” the broker, Robert Franz, told Aaron.
As Aaron spoke with Robert, he was multitasking and monitoring his emails. He saw an email marked “urgent” from Spendex. It was about the data breach.
“Hey Robert, can I call you back in a few minutes? I’ve got something hopping here,” Aaron said.
“Sure,” Robert said, but in a tone that implied, “What could be more important than this?”
As it turned out, the email from Spendex was plenty important.
The notice from Spendex explained that although it was obligated to inform all of its customers that there had been a breach, in reality, only 14 of its 26 retail customers had been impacted. The clincher? Pinecrest wasn’t one of them.
Aaron pushed back from his desk and ran his hands through his hair.
“What the … ?” he said as loudly as he would say anything.
“What is it?” said Christine, popping her head into his office. She knew from the volume of Aaron’s voice that it was something big.
“We didn’t lose any data. We didn’t lose any data at all,” Aaron said.
“Great,” Christine said.
“No, not great,” Aaron said. “We just told about a million people that we did.”
“Now what do we do?” Christine asked.
Aaron felt that Christine had burned him before by going on television without seeking his counsel. That experience caused him to dig in his heels with Christine over what to do next.
“Slow down, just slow down,” Aaron said when the siblings met to go over strategy.
“I don’t know that we need to come out with an announcement just yet.”
Aaron’s reaction to his sister’s outspokenness had caused him to miscalculate. A full week went by until Pinecrest announced on its website and with another email blast that its customers had, after all, not been impacted by the Black Adder strike.
The company’s pause in making that announcement was as toxic as a rattlesnake bite.
The local media reacted negatively to the company’s week-long silence. News that the company sat on the knowledge that customers hadn’t lost data made the front pages of the Johnstown Tribune-Democrat and the Wheeling News-Register.
For the first time in its history, Pinecrest was dealing with the full brunt of a hit to its reputation.
The traditional print media was one thing, and no small thing in the markets Pinecrest served. But online commentary, ungoverned by journalistic ethics, pulled no punches. Commentators ridiculed the company for banking on the military sacrifices of previous generations, when it “didn’t have the guts,” in one poster’s vernacular, to tell people the truth.
The company’s broker, Robert Franz, phoned Aaron with even more bad news.
“You’re not covered for any of your breach notification expenses, or for any credit monitoring services,” Robert told Aaron.
“Please tell me why,” Aaron said, keeping his voice low because he was just not in the mood for any spontaneous crisis communications with his older sister.
“Under your policy, you’re only covered for notification and credit monitoring if there was an actual breach,” Robert said.
“No breach, no coverage,” he said.
“So we’re out about a million dollars,” Aaron said flatly. In the regional grocery business, where margins could sometimes be measured in the low single digits, a million dollars was a very big hit.
“I’m afraid so,” Robert said.
Sales at Pinecrest Food Markets were down around 10 percent in all four states that it operated in.
“Might as well shop at Supermart,” a grizzled Korean War veteran told Channel 11 in Charles Town, West Virginia.
With the company down a million out of pocket and with revenue hamstrung, Christine Scott and the rest of the Pinecrest team had some very difficult and expensive decisions to make.
Should they sue Spendex for its shoddy forensics? And what coverage did they have for the costs of that?
Rumors began to circulate in several state capitals that class action lawsuits were being prepared on behalf of the tens of thousands of Pinecrest customers who felt they were caused needless expense and worry because of the bad information Pinecrest put out to begin with.
Grandstanding attorneys general were probably not far behind. Pinecrest was possibly facing legal action on several fronts and it was unclear whether it had the coverage to pay for its defense.
With the world seemingly against them, Christine and Aaron took a day in late November and went to their grandfather’s hunting cabin in Somerset County.
The grouse were out there, but the two of them just sat staring at the fire in the cabin’s stone fireplace, with Aaron’s two bird dogs stretched out in front of the fireplace.
Sadie looked up hopefully as Aaron got up to throw another log on the fire.
“No huntin’ today, Sadie girl. Daddy is not in the mood,” Aaron said as Christine nursed a bottle of local craft-distilled rye.
“May I have some of that, please?” Aaron asked.
“Get your own bottle,” said Christine.
A regional grocery chain gets into hot water after it loses customer financial data. Making matters worse is that the company does not have a good grasp on the language in its cyber coverage policy. The company also suffers reputational damage when it notifies customers based on bad information.
1. Know your partners: Pinecrest sees its problems go from bad to worse because the company it uses to process credit card transactions has shoddy forensics and reports data breaches for customers that in the end had no data breach.
2. Know your coverage: Pinecrest suffers needless losses because key executives don’t understand its insurance policy when it comes to services available under the coverage for data breach notification and credit monitoring.
3. Be as transparent as possible: When it comes to notifying customers of substantial issues that could impact their expenditures, getting out quickly with the best information is extremely important. Pinecrest actually has good news to report midway through this story, but sits on it due to internal friction. The good of the team must clearly win out here.
4. Create realistic expectations: Coverage existed for Pinecrest officials to put together a reasonable response when customer data was lost. But a key executive broadcast inflated statements about what Pinecrest would be able to do, creating equally inflated expectations.
5. Hold vendors accountable: Given the volatile expansion of cyber risk, it makes good sense to require vendors contractually to indemnify you if they lose your crucial customer data.
The issues covered in this scenario center around crisis management and insurance pitfalls associated with loss from a cyber breach. This follow-up webinar focused on specific loss trends and cyber exposures, and presented steps to take to strengthen your crisis risk management program.
The Fury of Anais
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
Buddy Welch, an analyst with the National Hurricane Center at Florida International University in Miami, is finishing his second cup of coffee on the morning of August 22, 2017 as he monitors a tropical wave formation off of the western coast of Africa.
Buddy looks over to his colleague Jonathan Schell.
“Hey Jon, will you come look at this a second?”
“Sure, what is it?” Schell says before walking over to Buddy’s desk and looking over his shoulder.
“Look at that,” Welch says, pointing to the satellite images on his monitor.
“That’s a very strong wave,” Schell says, watching the evidence of the strong tropical wave moving off of the coast of Africa.
“Could be the strongest thing we’ve seen all summer,” echoes Buddy.
“By far,” the two scientists say at the same time.
“We’ve got very warm water in the Atlantic right now,” Jonathan adds.
He and Buddy continue to monitor the tropical wave for signs of strengthening and possible convection. Forecast models indicate that conditions are ripe for the wave to organize quickly into a tropical storm and thereafter, a hurricane.
The tropical wave does become a tropical storm, dubbed “Anais,” and bolstered by unusually warm ocean water, it intensifies as it moves across the tropical Atlantic toward the Caribbean and the United States.
On August 26, Anais is upgraded to a hurricane in the tropical Atlantic, east of the Eastern Caribbean.
As the hurricane moves through the Caribbean, past Hispaniola, the National Hurricane Center notifies residents and emergency managers up and down the Eastern Seaboard that Anais poses a very real and severe threat.
Several days later, on the 1st, Anais buffets the Bahamas with high winds. It spares the Bahamas a direct hit and instead veers north-northwest and, now classified as a Cat 4, with maximum sustained winds of 150 mph, takes dead aim at the coast of North Carolina.
Ray Bonner, risk manager for the City of Norfolk, Va. is one of those who takes heed.
Bonner immediately convenes Norfolk’s crisis management team, which is more sophisticated than many because it has a “business resilience” subcommittee that is dedicated to coordinating with municipal officials in the event of a natural catastrophe. The committee’s mandate is to help businesses open as soon as possible in the aftermath of a major storm.
“This hurricane could hit every coastal city from Wilmington, N.C. to Boston,” Bonner tells his assembled crisis management team.
“We can’t be sure that we’ll get much help from neighboring emergency responders if that’s the case,” he tells the committee.
On Labor Day, September 4, Anais strikes Wilmington, N.C. as a Cat 4. The storm cripples the Wilmington power grid and causes 13 deaths.
All Fall Down
Despite the damage done by Anais in Wilmington, Bonner and other members of Norfolk’s crisis management team are frustrated by what they see as a lack of urgency in some quarters to evacuate as necessary and take proper precautions. Perhaps distractions due to end-of-summer Labor Day plans are partially to blame, they reason.
Well before the hurricane made landfall, Bonner and risk managers from other East Coast cities got on a conference call to discuss the storm’s potential impact and how each city might coordinate with the other to assist in recovery.
“This could end up being every bit as bad as Hurricane Sandy,” said Elizabeth Acres, the risk manager for Boston, Mass.
“Or worse,” said Jay Baker, the risk manager for New York City.
“You ever heard of the Norfolk/Long Island Hurricane of 1821?” Baker says.
“No,” says Acres and others simultaneously.
“I’ll send you the link,” he says. “Path of Anais looks very similar to the path of that 1821 hurricane.”
On September 5, Anais, still a Cat 4, hits Norfolk. Without losing strength, the hurricane continues north, striking Cape May, N.J., New York City and Connecticut in turn.
The storm is every bit as damaging as Hurricane Sandy was, and causes historical levels of wind and flood damage throughout the Washington, D.C. to Boston megalopolis.
Back in Norfolk, Bonner, along with the city’s emergency response coordinator Jim Christopher, is touring flooded sections of the city on September 7 in a zodiac that’s equipped as an emergency response boat.
They’re touring one of the city’s business districts, which is still inundated with three feet of water. The zodiac reaches the end of a block and Christopher eases off on the throttle.
The two men stare at the devastation in the deserted business district in silence. They can see dresses and hats floating, half-submerged in the gray flood waters, through one of the few intact store windows.
“I don’t see when these businesses can re-open,” Bonner says.
“I don’t see when we even get into these shops to have a look at them,” Christopher says.
On September 12, Bonner again gets on a conference call with his fellow risk managers from cities in the Northeast. Accompanying them on the call is Ray Harbridge, a Northeast Regional Director for the Federal Emergency Management Agency.
Boston’s Elizabeth Acres leads the dialogue with Harbridge.
“Ray, can you update us on the timeline for any funding assistance we might get from Washington?” Acres says for openers.
“We have no answers in that area Liz,” Harbridge says.
“We’re dealing with an unprecedented level of damage to the six largest cities in the East,” Harbridge said.
“First impressions are that we have millions of people affected,” he said.
“And that’s not even getting into the business impact,” Bonner said.
“That’s correct,” Harbridge said.
“We’ve got to concentrate on housing and medical care for those most vulnerable and those displaced,” he said.
“I know you’ve got plenty of worries on your end, but you’re going to have to rely on your own resources for the foreseeable future. I really don’t know when we see a way clear of all this,” he said.
“Let’s face facts folks,” New York’s Jay Baker said after Harbridge, extremely pressed for time, hung up.
“We still haven’t received federal reimbursement for Hurricane Sandy damage and expenses in some cases, and we’re five years out from that.”
“We’re going to be at this a long time,” Boston’s Acres said.
“You can take that five years from Sandy and double it,” Baker said.
Ever since he heard the first indication from the National Hurricane Center that Anais should be watched, back in late August, Ray Bonner’s mind had been turning on something.
When Hurricane Sandy struck New Jersey and flooded Lower Manhattan in 2012, it caused a permanent shift in Bonner’s thinking.
Before Sandy, the idea that a major hurricane would come near enough to cause substantial damage in New York was thought to be a “Black Swan” event, something with an extremely low possibility, albeit having potentially devastating consequences.
After Sandy, Bonner began to think about ways to mitigate the costs of a major hurricane strike. He’d begun discussions with the City’s budget director and its finance committee on the possible purchase of layers of reinsurance that could help the city defray not only the costs associated with hurricane clean-up and repair, but the lost property tax and business income tax revenue should the region’s homes and businesses take a big hit.
Presentations Bonner made on the Norfolk/Long Island Hurricane of 1821 to city finance officials left them unmoved, though. It wasn’t that city leaders were callous to Bonner’s concerns. But pressing matters like negotiations with unionized police and firefighters took up most of their attention.
Norfolk’s finances were basically sound. Bonner’s attempts to sway city leaders to a different way beyond floating bonds and raising taxes on the back end in the event of a catastrophe just couldn’t gain any traction. City officials felt that they had things under control and didn’t want to start piling on new expenses like insurance premiums.
Six months after Anais struck, analysts released data that showed the storm caused $40 billion in wind damage and $70 billion in storm surge damage to cities and towns from Wilmington, N.C. to Boston.
What Bonner considered a real threat after Sandy struck turned out to be true after Anais. Norfolk city finances, which had previously been solid, began to deteriorate.
Twenty percent of the Norfolk/Virginia Beach region’s housing stock was rendered uninhabitable by Anais. Reductions in property tax revenue, coupled with business tax revenue reductions, were creating budget deficits in Norfolk and in every other city that was hit by Anais.
That public sector pain was being repeated in the private sector. Loss of mortgage interest and principal payments, a lynchpin of the banking system, led to the failures of dozens of regional banks and severe limitations on the revenue of the larger banks.
In 2021, four years after Anais hit, the Rand Corporation released a study, titled “The Anais Effect” which estimated that the economic damage from Anais restricted growth in the Northeast by seven percent from 2017 to 2021.
Rand Corp. researchers estimated that by 2027, 10 years after the storm, an “Anais Recession” — the first ever regional economic recession connected to a natural catastrophe — would limit growth on an annual basis in the Northeast by five percent.
Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on urban and corporate resilience, and a reminder about the company’s global expertise in the areas of Nat Cat modeling and disaster preparedness. This perspective is not an editorial opinion of Risk & Insurance®.
The 1821 hurricane struck the mid-Atlantic and Northeast United States at a time in history when human population and concentration of value were dramatically lower than present day. In fact, only 136,000 people lived in Washington and New York at the time. If a major catastrophic event like the 1821 Norfolk/Long Island Hurricane were to happen today, it would cause 50% more damage than Sandy and potentially cause more than $100 billion in property losses stemming from wind damage and flooding from storm surge.
That’s just one part of the story, however. Taking into consideration lost tax revenue due to destroyed homes and businesses, lower real estate values and other economic considerations, the broader economic impact would grow to over $150 billion. That’s well above the aggregate losses of all storms which recently impacted the Eastern United States, including Hurricane Sandy.
With an eye toward a future event that could dwarf Sandy in terms of insured and economic losses, Swiss Re has published a new report that analyzes the 1821 hurricane and how a repeat event would impact the region today. Download the report at: http://media.swissre.com/documents/the_big_one_us_hurricane_web2.pdf
To prepare for such a future event, large scale urban resilience must be at the forefront of the risk management community. Of course, protecting lives should be the highest priority for city authorities seeking to improve their disaster preparedness. Beyond that, municipalities and businesses – large and small – must work together to ensure critical infrastructure and supply chain redundancy. This can be accomplished, in part, by more fully understanding the geographic hazards via advanced modeling techniques using Swiss Re’s CatNet® tool.
CatNet® – Advanced Modeling
Combining satellite imagery with Google Maps™ and Swiss Re’s proprietary historical data, CatNet® allows risk management professionals to analyze worldwide natural hazard exposures. CatNet® features:
- Natural hazard atlas
- Country-specific insurance data
- Disaster statistics
This allows risk managers to prepare local, regional and cross-regional risk profiles to assist management in disaster preparedness. The result is a more informed viewpoint about a company’s or city’s insurance considerations and potential enterprise risk management gaps. An organization’s disaster preparedness can be further enhanced by partnering with local authorities, businesses and municipal leaders to ensure community-wide resilience.
Contractors Face Complex Insurance Scenario
With today’s expanding global marketplace, U.S.-based construction companies naturally seek growth opportunities in foreign countries. For instance, China has been on a decades-long building spree. Middle Eastern nations continue to invest in massive developments. Cross-border construction activity among developed countries, particularly in Europe and Japan, remains robust.
That’s the good news for U.S. contractors considering or already involved in global projects. On the flip side, it’s critical to realize that international opportunities present different challenges than domestic projects.
Construction services represent a significant portion of global trade. World exports of construction rose 2% (to $115 billion) in 2012, the World Trade Organization estimates. The European Union and Asia represent the major share of that trade. Yet, while international trade in construction is on the rise, every country retains its own laws regarding insurance, so building a multinational insurance program represents a significant challenge.
ACE’s recently published whitepaper, “Global Construction: International Opportunities, Local Risks” focuses on educating risk managers about the complexities of going global.
Key issues for contractors to consider include:
Legally speaking, compliance for U.S. contractors operating outside the U.S. is much more complex than for their domestic operations. For example, by operating in different countries, multinational contractors must adhere to a myriad of local national laws and regulations regarding the “duty of care” they owe to the general public and other third parties. While most of the developed world has established employer duty-of-care legislation, the majority of the countries where many of these new global projects are available have not. A contractor’s insurance program should be flexible enough to handle claims in several different jurisdictions and provide adequate coverage for awards granted in emerging, as well as developed, legal jurisdictions.
Continuity of coverage across borders
For projects in foreign countries, a proactive risk management strategy should not only address the wide range of exposures typical in a given construction project, but also the impact that the differing local laws and regulations may have on the insurance coverage. For example, a contractor may have to obtain local insurance policies for various lines of business to cover the risks associated with its operations and to be compliant with local insurance requirements.
Building multinational solutions
A multinational program using “non-admitted” coverage can be a cost-effective alternative to local coverage. Such non-admitted coverage is usually arranged in the parent company’s home country to insure exposures in other countries. Some countries, however, don’t allow non-admitted coverage, while others may allow it subject to conditions such as prior approval. In the past the threshold question was whether non-admitted insurance could be used, but today companies should also consider potential changes in enforcement practices as well as evolving regulations.
Local services can be crucial
Besides compliance issues, companies should address issues such as how local claims will be handled and paid, and which other local services they may need in the event of a claim or incident. For example, companies building projects in the European Union may want to purchase environmental coverage that responds to the demands of the European Environmental Liability Directive in order to provide proper insurance protection for potential liability associated with damage to the environment or natural resources. On a broader level, catastrophe planning should be part of a global risk management strategy.
Public/private partnerships may bring new risks
Another consideration for contractors revolves around project structure. Typically in the U.S., construction projects have been driven either by the owners or the contractors and the insurance coverage reflected that through an owner- or contractor-controlled insurance program (OCIP/CCIP). Today, while more U.S. projects are being structured as public-private partnerships, because the structure is more common in Europe, U.S. contractors considering projects abroad may encounter it for the first time. Public-private partnerships raise questions about how risks and liabilities are apportioned among the parties, so contractors may find themselves sharing responsibility for risks that are not typically part of a standard project, or have increased exposures for professional liability.
M&As can impact insurance programs
With the growth of the global construction economy, and the rising need for the development or improvement of infrastructure in emerging economies, an increasingly multinational approach has led to consolidation and merger-and-acquisition activity in the construction marketplace. As this trend continues, companies also need to consolidate their insurance programs to achieve better efficiency by individual lines of business and to meet insurance requirements in different countries.
The takeaway: local risks, global solution
For contractors working in more than one country, maintaining consistent insurance coverage across borders while controlling costs clearly presents a number of challenges. By using a controlled master policy and admitted insurance from local carriers, contractors potentially gain greater insight into their claims trends and an increased ability to identify locations experiencing significant losses. With this information, contractors also will be in a better position to take corrective action and reduce losses.
Finally, while varying insurance regulations and markets must be addressed, contractors should evaluate the insurance carrier, its experience and presence in foreign markets and its relationships with local insurers around the world. When it comes to international construction projects, the right insurance coverage will play a crucial role in long-term success.
To learn more about how to manage global contracting risks, read the ACE whitepaper: “Global Construction: International Opportunities, Local Risks.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with ACE Group. The editorial staff of Risk & Insurance had no role in its preparation.