In a well-publicized incident during the 2016 electoral cycle, a campaign official was embarrassed by the admission that he had unwittingly clicked on a phishing email, which may have opened a window to a significant security breach. In a completely separate series of events, a well-known restaurant chain saw its brand undergo a series of tarnishing revelations regarding the difficulties with controlling certain bacteria during food preparation.
Cyber risk is ever-evolving. Because every security system is vulnerable, no cyber security policy is considered fully comprehensive. The constantly changing nature of cyber risk threats means that while coverage can be written for known risks, these are in a constant state of flux and the next attack will have a different wrinkle.
For this reason, there is no established standard cyber insurance form utilized by carriers in the commercial insurance market. Although most policies provide third-party liability coverage as well as first-party coverage for loss or damage to property, there is a wide variation in other needed coverages. More specifically, businesses need to know whether coverage is provided, and at what level, for:
regulatory actions
incident response costs
credit and identity monitoring
transmission of viruses
business interruption and extra expenses
extortion expenses
data loss and restoration
The constantly evolving nature of cyber risk translates into an equally fluid landscape when it comes to claims management. Indeed, the challenge with any loss resulting from new forms of security breaches is to determine what different exposures or additional expenditures are allowable under the current policy language.
A separate area of complexity resulting from discovery involves determining the responsible party for the cause of the loss as well as ascertaining whether options exist for subrogation of a third party. Additionally, pinpointing as clearly as possible the exact timing and trigger of the incident is critical in calculating loss of income.
All of these challenges and more make cyber risk a sophisticated web of complexities which will continue to morph in unpredictable ways in the future.
Considered from one angle, reputational damage is like any other source of risk, which can affect the corporate bottom line and growth. As such, it should be considered in the same context and at the same time as other sources of exposure that require strategic approaches.
However, it is also distinctly different. Unlike many risks, reputational damage is difficult to predict. In many cases, it may also be difficult to quantify the financial impact of exposure, a priori, to reputational damage. This difficulty is compounded by the fact that reputational damage is most often considered a secondary risk to a larger primary risk; in fact, reputational damage can often be costlier in the long run than the primary risk.
From the standpoint of claims management, the key is being able to separate out what portion of the loss is under the primary coverage, and what passes to the secondary coverage. For example, an actual product liability issue can be of short duration. However, a second category of vulnerability often flows from today's complex regulatory environment. Oversight by governing bodies – whether HIPAA, Dodd-Frank, Consumer Protection Agency or other – means increased scrutiny, which can cause direct expenses. Even the types of cyber breaches mentioned above, which have recently plagued national and international retailers, can have lasting deleterious effects.
It is important to realize that crisis management, while necessary, is inadequate as a single strategic response. Unquestionably, it is critically important to think through the various audiences that must be reached in the event of a potentially reputation-damaging crisis, and formulate the proper responses to them. Having such a plan in place ensures that responses and protocols will employ pre-approved statements both during and following any crisis event.
And yet, a more robust and fully functional approach to reputational damage must attempt to quantify the magnitude of exposure and distinguish between primary and secondary spheres of coverage.
Growth of the global economy has resulted in more outsourcing and dependence on foreign manufacturing and products. Less apparent is that lengthier supply chains have multiplied exposure to a wide spectrum of events, many of which are either uncommon in the domestic environment or of recent derivation.
Risks associated with fires and floods, even earthquakes and volcanic eruptions have always been with us, even without climatic volatility. Yet, in addition to plant explosions, customs issues and product seizures, global unrest has produced a panoply of new and evolving risks that include border closures, embargoes and blockades, and terrorist attacks, as well as closures of roads, railways and airports; strikes and riots; and threats of political violence and insurrection.
Such threats often occur in combination and can produce a staggering variety of loss categories. These normally begin with loss of income and product replacement costs. To these may be added the extra expenses of expediting product or service replacement, as well as increased purchasing costs. In worst cases, damages can extend to relocation costs or the negotiation and mediation expenses that attend contractual differences with replacement suppliers.
The sheer proliferation of variables can prove daunting to claims managers. Supply chain losses typically involve dealing with different entities or authorities in various legal jurisdictions simply to determine precise dating of events, as well as other mitigating factors in order to determine the amount of loss. The determination of which additional costs or contingent expenses qualify as intended is of critical importance and depends on a precise and careful reading of existing insurance agreements and policy language.
The most recent decade has been characterized by increased activity in new laws and regulations as well as changes to existing statutes and rulings at both the federal and state level. While such activity invariably accompanies changes in administrations, examples in the last few years include new OSHA requirements and changes in labor laws that affect hours of service and how overtime is paid.
It is difficult to understate the potential corporate exposure to regulatory change, either at the executive or legislative level, particularly after an election. While the current thrust may be toward deregulation, it would take an adept prognosticator to attempt to determine how this might play out.
The Affordable Care Act stands out as an avatar of the potential effect of regulatory change. Behind that obvious example, clearly the decisions and authority of many agencies, including but not limited to the EPA, OSHA, EEOC and the Departments of Labor and Transportation, have all seen heightened activity in the last decade. Their rulings have been accompanied by stiff fines and penalties, as well as aggressive prosecution for noncompliance.
Dealing with foreign governments brings its own forms of exposure unique to the countries or jurisdictions in which one is doing business. All of these, especially with the ongoing global political volatility, can produce vulnerability to quick changes in administrations resulting in unreasonable demands and abrupt interruptions to normal business operations.
While the liabilities cannot be predicted, losses can include reduction or temporary cessation of income resulting from regulatory and administrative changes themselves, as well as legal expenses resulting from challenging administrative actions or defending corporate actions. In addition, fines and penalties can also often be anticipated, as well as additional expenses for compliance. Yet another category of expense may accrue from the efforts of dealing with foreign governments or relocation of product or supplies following action by a governmental body or agency.
A spate of claims handling challenges can result. The first order of business is a forensic gathering of details to determine when the insured was first affected by the legislative or regulatory change. Only after this has been accomplished is it possible to determine even the amount of loss of income. A more robust estimate of loss will depend on determining which additional expenses are covered according to the definition of coverage in the policy. Even then, further challenges remain, including the gathering of information involving foreign exposure regarding exact dates and details of the circumstances and events triggering the loss.
No claims strategy can be regarded as sufficient without taking all of these factors into account to determine the full magnitude of exposure to regulatory change.
*Written by: Jeff Ellington - JEllington@atlascaptives.com