Emerging Risks, Emerging Challenges
2016 was an interesting year, albeit a risky one.
In a well-publicized incident during the 2016 electoral cycle, a campaign official was embarrassed by the admission that he had unwittingly clicked on a phishing email, which may have opened a window of vulnerability to a significant breach of security. In a completely separate series of events, a well known restaurant chain saw its brand undergo a series of tarnishing revelations having to do with the extreme difficulties having to do with controlling certain bacteria in food preparation processes.
Both of these cases shared something in common. In each, there was an initial or inherent risk as well as a larger exposure or series of follow-on effects. In addition, they were both indicative of the kinds of complex risks which attend a fully networked and globalized economy. The structure of this economy, and the ever-changing technical and legal milieu which affect it, help to explain why it is hazardous speculating about the kinds of risks that are just over the horizon, and how they might affect the challenges of mediating claims.
Still, it might be instructive to look at a few recent trends in emerging risks and think about why they can be expected to continue and, in some cases, strengthen.
Cyber Risk
The salient feature of cyber risk is its ever-evolving nature. Because there is no security that cannot be breached, there is no cyber security policy that can be regarded as fully comprehensive. The constantly changing nature of cyber risk threats means that, while coverage can be written for known risks, these are in a constant state of flux and the next attack will have a different wrinkle.
For this reason, unlike other coverage forms, there is no established standard cyber insurance form utilized by carriers in the standard commercial insurance market. Although most policies provide third-party liability coverages as well as first-party coverage for loss or damage to property, there is a wide variation in other needed coverages. More specifically, businesses need to know whether coverage is provided, and at what level, for
• regulatory actions
• incident response costs
• credit and identity monitoring
• transmission of viruses
• business interruption and extra expenses
• extortion expenses
• data loss and restoration
The constantly evolving nature of cyber risk translates into an equally fluid landscape when it comes to claims management. Indeed, the challenge with any loss resulting from new forms of security breaches is to determine what new exposures or additional expenditures are allowable under the current policy language.
A separate area of complexity resulting from discovery involves determining the responsible party for the cause of the loss as well as ascertaining whether options exist for subrogation of a third party. Additionally, pinpointing as clearly as possible the exact timing and trigger of the incident is of critical importance in calculating loss of income.
All of these challenges and more make cyber risk a sophisticated web of complexities which can be expected to continue to morph in unpredictable ways in the future.
Reputational Damage
Considered from one angle, reputational damage is like any other source of risk, which can affect the corporate bottom line and growth. As such, it should be considered in the same context and at the same time as other sources of exposure that require strategic approaches.
However, it is also distinctly different. After all, unlike many risks, reputational damage is difficult to predict. In many cases, it may also be difficult to quantify the financial impact of exposure, a priori, to reputational damage. This difficulty is compounded by the fact that reputational damage is most often considered a secondary risk to a larger primary risk; in fact, reputational damage can often be costlier in the long run than the primary risk.
From the standpoint of claims management, the key is being able to separate out what portion of the loss is under the primary coverage, and what passes to the secondary coverage. For example, an actual product liability issue can be of short duration. However, a second category of vulnerability often flows from today’s complex regulatory environment. Oversight by governing bodies – whether HIPAA, Dodd-Frank, Consumer Protection Agency or other – means increased scrutiny, which can cause direct expenses. Even the types of cyber breaches mentioned above, which have recently plagued national and international retailers, can have lasting and deleterious follow-on loss effects.
It is important to realize that crisis management, while necessary, is inadequate as a single strategic response. Unquestionably, it is critically important to think through the various audiences that must be reached in the event of a potentially reputation-damaging crisis, and formulate the proper responses to them. Having such a plan in place ensures that responses and protocols will employ pre-approved statements both during and following any crisis event.
And yet, a more robust and fully functional approach to reputational damage must attempt to quantify the magnitude of exposure and distinguish between primary and secondary spheres of coverage.
Supply Chain Interruption
It is a tautology that the growth of the global economy has resulted in more outsourcing and dependence on foreign manufacturing and products. What is less apparent is that lengthier supply chains have multiplied exposure to a wide spectrum of events, many of which are either uncommon in the domestic environment or of recent derivation.
Risks associated with fires and floods, even earthquakes and volcanic eruptions have always been with us, even without climatic volatility. Yet, in addition to plant explosions, customs issues and product seizures, global unrest has produced a panoply of new and evolving risks that include border closures, embargoes and blockades, and terrorist attacks as well as closures of roads, railways and airports; strikes and riots; threats of political violence and insurrection and collision of conveyance.
Such threats often occur in combination and can produce a staggering variety of loss categories. These normally begin with loss of income and product replacement costs. To these may be added the added expenses of expediting product or service replacement as well as increased purchasing costs. In worst cases, damages can extend to relocation costs or the negotiation and mediation expenses that attend contractual differences with replacement suppliers.
The sheer proliferation of variables can prove daunting to claims managers. Supply chain losses typically involve dealing with different entities or authorities in various legal jurisdictions simply to determine precise dating of events as well as other mitigating factors in order to determine the amount of loss. The determination of which additional costs or contingent expenses qualify as intended is of critical importance and depends on a precise and scrupulous reading of existing insuring agreements and policy language
Legislative/Regulatory Change
The most recent decade has been characterized by increased activity in new laws and regulations as well as changes to existing statutes and rulings at both the federal and state level. While such activity invariably accompanies changes in administrations, and is thus difficult to predict early in 2017, examples in just the last few years include new OSHA requirements and changes in labor laws that affect hours of service and how overtime is paid.
It is difficult to understate the potential corporate exposure to regulatory change, either at the executive or legislative level, particularly after an election. While the current thrust may be toward deregulation, it would take an adept prognosticator indeed to attempt to determine how this might play out.
The Affordable Care Act stands out as an avatar of the potential effect of regulatory change. Behind that obvious example, clearly the decisions and authority of many agencies including but not limited to the EPA, OSHA, EEOC and the Departments of Labor and Transportation have all seen heightened activity in the recent decade. Their rulings have been accompanied by stiff fines and penalties as well as aggressive prosecution for noncompliance.
Dealing with foreign governments brings its own forms of exposure, unique to the countries or jurisdictions in which one is doing business. All of these, especially with the ongoing global political volatility can produce vulnerability to quick changes in administrations resulting in unreasonable demands and abrupt interruptions to normal business operations.
While the liabilities cannot be predicted, losses can include reduction or temporary cessation of income resulting from regulatory and administrative changes themselves, as well as legal expenses resulting from challenging administrative actions or defending corporate actions. In addition, fines and penalties can also often be anticipated, as well as additional expenses for compliance. Yet another category of expense may accrue from the efforts of dealing with foreign governments or relocation of product or supplies following action by a governmental body or agency.
A welter of claims handling challenges can result. The first order of business is a forensic gathering of details to determine when insured was first affected by the legislative or regulatory change. Only after this has been accomplished is it possible to determine even the amount of loss of income. A more robust estimate of loss will depend on determining which additional expenses are covered according to the definition of coverage in the policy. Even then, further challenges remain, including the gathering of information involving foreign exposure regarding exact dates and details of the circumstances and events triggering the loss.
No claims strategy can be regarded as sufficient without taking all of these factors into account to determine the full magnitude of exposure to regulatory change.
By Jeff Ellington, CIC, Vice President, Atlas Insurance Management
Jeff Ellington joined Atlas Insurance Management in 2011 and is a Vice President with the firm. As a successful insurance professional with over 30 years of combined experience, he has worked in multiple facets of the commercial insurance industry, including sales, marketing, underwriting and management.
