Business Risk


As holiday shopping gets underway, several major retailers are opening even earlier this year offering the prospect of deep discounts and large crowds to an ever growing number of shoppers.

The National Retail Federation (NRF) notes that 140 million holiday shoppers are likely to take advantage of Thanksgiving weekend deals in stores and online.

Millennials are most eager to shop, with the NRF survey showing 8 in 10 (79.6 percent) of 18-24 year olds will or may shop over the weekend, the highest of any age group.

Much has been written about the risks of online shopping, but for those who still head to the stores, there are dangers there too.

The Occupational Safety and Health Administration (OSHA) reminds us that crowd related injuries can occur during special sales and promotional events. In 2008, a worker at Wal-Mart died after being trampled in a Black Friday stampede.

According to the aptly named blackfridaydeathcount.com, since 2006 there have been seven Black Friday-related fatalities and 90 injuries. As well as stampeding crowds, injuries have occurred as a result of altercations over TVs, road rage over parking spaces, shootings and distracted driving.

For employers and store owners OSHA offers comprehensive tips on how to create a safe shopping experience.

Crowd management planning should begin in advance of events likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning, OSHA says.

Tips include: hiring additional staff; having trained security or crowd management personnel on site; determining the number of workers needed in different locations to ensure the safety of an event; and preparing an emergency plan that addresses potential dangers facing workers including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire.

For shoppers too, a personal safety and security plan is a good idea. The National Crime Prevention Council (NCPC) advises not to buy more than you can carry and to plan ahead by taking a friend with you or asking a store employee to help you carry packages to the car. Travelers offers some important tips here.

To all our readers, have a happy and safe Thanksgiving!

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

I.I.I. chief actuary Jim Lynch offers his perspective on how insurers are responding to climate change:

The insurance industry got a report card this week on a test I’m not sure they knew they were taking. And the grading curve was, in my opinion, harsh.

Ceres, a nonprofit group that promotes sustainable business practices, rated 330 insurers – life, health and property/casualty – on how well they are responding to climate change.

Before I wade further into the topic, it is important to acknowledge that insurance companies and their managers have a range of opinions on global warming that is as wide as the opinions of Americans overall on the topic. There is no insurance industry position, though there are individuals and companies with strong opinions – just as with all Americans.

On a four-point scale, nine companies got the highest mark (“leading”): Ace, Munich Re, Swiss Re, Allianz, Prudential, XL Group, The Hartford Financial Services Group, Sompo Japan and Zurich. Matthew Sturdevant of the Hartford Courant does a nice job rounding up how these firms earned their grade.

Ceres gave “minimal” or “beginning” rankings to 276 insurers, 84 percent on my calculator. The New York Times played up that aspect. But the analysis may be skewed because of the source of the rankings and how Ceres adapted that source.

Ceres took a National Association of Insurance Commissioners (NAIC) survey that six states require on climate change. The survey consists of eight yes-or-no questions, each of which follows up with why the insurer answered as it did. The follow-up questions are open-ended – companies can respond with as little or as much information as they like.

The questions help regulators when they assess a company’s enterprise risk management, specifically how hard a company looks for potential problems that might not hit them until years from now. Climate change certainly has that potential.

Ceres took those answers and graded them on its own criteria, resulting in six scores from 1 to 4, which it then re-summarized into a single grade.

Boiling a complex set of open-ended answers is tricky enough, but Ceres has, in my opinion, misused the NAIC survey, which is supposed to help regulators understand how well insurers are considering climate change in their risk management, not whether insurers are acting as stewards of the environment.

So it doesn’t seem like Ceres is giving a fair test. Insurers are answering questions on how climate change might affect their business then being rated on how their actions will reduce carbon emissions. It’s like being told to write an essay, then being graded on penmanship.

How could this skew results? Some insurers are minimally exposed to climate change, so it would not be prudent risk management for them to devote valuable resources to the issue. Medical malpractice writers are an obvious example. Climate change might be important to the world at large, but how relevant is it to the operation of a medical malpractice writer?

Property insurers are in a different boat, pardon the irresistible pun. Rising sea levels and growing weather extremes are important developments, and it would seem a prudent coastal writer would consider whether those trends will continue, abate or accelerate. A company that writes worldwide has still more to think about, as climate trends would affect other countries more than our own.

Seen that way, it makes perfect sense that some large, multinational insurers are concerned about climate change while small writers not exposed to property insurance are less so.

On the life/health side, there is a signal-to-noise problem. Climate change appears to have an impact on mortality, but it’s really small. A 2011 Brookings study suggested that climate change will increase U.S. age adjusted mortality rates by about 3 percent over the next 85 years or so. That rate has declined by 1 percent per year over the past 35 years. So the impact of climate change on mortality is likely to be overwhelmed by other forces at work.

That’s not to say that life expectancies outside the U.S. won’t be affected more. But a life insurer that only writes U.S. risks might not want to incorporate climate change-induced mortality changes from, say, Australia, into its business model.

Regardless, life insurers have a built-in mortality hedge in pairing annuity sales with life insurance. People who die sooner drive life insurance profits lower. But they push annuity profits higher, and vice versa. Combine that with the small impact of climate change on U.S. mortality and it makes perfect sense that a great many U.S. life insurers have decided that climate change doesn’t form a central part of their risk management strategy.

Health insurers are in a similar situation. Gradual changes in health have small effects on their business, and those changes can be easily adjusted to year by year. Pandemics are a bigger risk, so risk management efforts focus there.

That helps explain why health and life insurers didn’t score as high as property/casualty insurers. They have less at stake.

California’s insurance department doesn’t sound too concerned. Ceres relied on CA DOI information to compile its report, so there’s a good chance the Ceres researchers saw a 2013 press release that said this:

The results of this year’s survey are a positive sign for the insurance industry and the environment,” said Commissioner Jones. “It is encouraging to see that insurers are aware of the risks that a changing climate brings, and moreover they are taking steps to ensure their responses to these risks are sufficient to protect their business.”

More than 1,000 companies [Duplicates and multi-company insurance groups account for the difference between Ceres’ total and California’s.] were required to respond to the survey. The survey revealed that roughly 75 percent of insurers have a plan for identifying climate change-related risks that could affect their business, and are taking actions to mitigate these risks. Responses to the eight survey questions reveal that nearly every insurer is aware of the risks posed by a changing climate, and an overwhelming majority of insurers have incorporated mitigating practices into their business model.”

That sounds like an industry that is handling the issue prudently, even if it is not the way an environmental group would prefer.

As the number of companies suffering a data breach continues to grow – with U.S. retailer Staples now reported to be investigating a breach – so do the legal developments arising out of these incidents.

While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.

A post in today’s Wall Street Journal Morning Risk Report, echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.

Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies—and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.

P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.

An earlier post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant has the details on the legal action between Travelers and P.F. Chang’s.

To-date the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.

One recent high profile – and oft-cited case – followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.

A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Further expertise and analysis on cyber risks and insurance is available from the I.I.I.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Drought continues to make the headlines, with the latest U.S. Drought Monitor showing moderate to exceptional drought covers 30.6 percent of the contiguous United States.

Its weekly update also shows that 82 percent of the state of California is in a state of extreme or exceptional drought. Reservoir levels in the state continued to decline, and groundwater wells continued to go dry, the U.S. Drought Monitor says.

20140923_usdm_home

The LA Times reports that California’s historic drought has 14 communities on the brink of waterlessness. It quotes Tim Quinn, executive director of the Association of California Water Agencies, saying that communities that have made the list are often small and isolated and have relied on a single source of water without backup sources.

However, Quinn also tells the LA Times that if the drought continues, larger communities could face their own significant problems.

A recent article at CFO.com by Lauren Kelley Koopman, a director in PwC’s Sustainable Business Solutions practice, makes the point that when water-related disruptions affect operations, companies can suffer significant profit and losses and pay higher prices for goods in the supply chain.

Water management issues pose significant operational, regulatory and reputational risks to companies, the article noted.

And a recent report from the University of California found that farmers had spent an extra $500m in pumping extra water to cope with the state’s drought, while the total economic cost to the state’s agricultural industry reached $2.2bn.

For insurers, droughts can be costly. Drought, wildfires and heat waves caused 29 deaths and $385 million in insured losses in the U.S. in 2013, according to Munich Re.

In 2012, drought in various parts of the U.S. caused $15 billion to $17 billion in insured losses, making it the second costliest disaster after Hurricane Sandy.

The recent disclosure of a major data breach at retailer Home Depot has once again put the spotlight on the increasing vulnerability of businesses to cyber threats and the need for cyber insurance.

But companies are uncertain of how much insurance coverage to acquire and whether their current policies provide them with protection, according to a new report by Guy Carpenter.

It speculates that one of the roots of the uncertainty stems from the difficulty in quantifying potential losses because of the dearth of historical data for actuaries and underwriters to model cyber-related losses.

Furthermore, traditional general liability policies do not always cover cyber risk, Guy Carpenter says.

It notes that in the United States, ISO’s revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

Though still in its infancy the cyber insurance market potential is vast, Guy Carpenter reports. It cites Marsh statistics estimating that the U.S. cyber insurance market was worth $1 billion in gross written premiums in 2013 and could reach as much as $2 billion this year.

The European market is currently a fraction of that, at approximately $150 million, but could reach as high as EUR900 million by 2018, according to some estimates.

Guy Carpenter also warns that cyber attacks are now top of mind for governments, utilities, individuals, medical and academic institutions and companies of all sizes, noting:

Because of increasing global interconnectedness and explosive use of mobile devices and social media, the risk of cyber attacks and data breaches have increased exponentially.”

Cyber attacks also present a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, counterparties and supply chains, it adds.

Check out the I.I.I. paper on this topic: Cyber Threats: The Growing Risk.

One day after a magnitude 6.0 earthquake struck the San Francisco/Napa area of California, the Northern California Seismic System (NCSS) says there is a 29 percent probability of a strong and possibly damaging aftershock in the next seven days and a small chance (5 to 10 percent probability) of an earthquake of equal or larger magnitude.

The NCSS, operated by UC Berkeley and USGS, added that approximately 12 to 40 small aftershocks are expected in the same seven-day period and may be felt locally.

As a rule of thumb, a magnitude 6.0 quake may have aftershocks up to 10 to 20 miles away, the NCSS added.

According to Dr. Robert Hartwig, president of the Insurance Information Institute (I.I.I.), this earthquake is the strongest to impact the area since the 1989 Loma Prieta quake which resulted in $1.8 billion in insured claims (in 2013 dollars) being paid to policyholders.

Initial reports suggest the greatest damage has been to historic buildings in the city of Napa, with the downtown area cordoned off to fully assess damage. There have also been reports of non-structural damage such as items falling off shelves, including wine bottles and barrels, and substantial sprinkler leakage to many buildings.

The Napa region is most known for its wine industry, but tourism draws visitors to the area year-round.

napa_earthquake_usgs_map

A report by catastrophe modelers CoreLogic EQECAT gave an initial estimate of $500 million to $1 billion in insured losses. Residential losses would account for about one half to one quarter of this loss estimate.

If the loss exceeds $1 billion it will be from uncertainty in commercial losses, CoreLogic EQECAT said, and losses to the wine industry could increase this estimate:

Business interruption (BI) losses are a major concern. As this is a very popular tourist area, many businesses – including wineries and restaurants – have sustained damage, both non-structural and structural.”

CoreLogic EQECAT noted that the Napa Valley wine harvest was already underway. Losses would have been less if this event had occurred pre-harvest.

According to the Napa Valley Vintners Association, while there have been reports of damage at some Napa Valley wineries and production and storage facilities, particularly those in the Napa and south Napa areas, vintners are still assessing their individual situations. More information is expected in the next 24 to 72 hours.

Standard homeowners, renters and business insurance policies do not cover damage from earthquakes. Coverage is available either in the form of an endorsement or as a separate policy.

I.I.I. earthquake facts and stats show California had the largest amount of earthquake premiums in 2013, at $1.6 billion, accounting for 61 percent of U.S. earthquake insurance premiums written.

This figure includes the state-run California Earthquake Authority, the largest provider of residential earthquake insurance in California. Only about 10 percent of California residents currently have earthquake coverage, down from about 30 percent in 1996, two years after the Northridge, California, earthquake.

The percentage of homeowners and renters who have earthquake insurance in the affected area is very low – in Napa less than 6 percent, and in Sonoma less than 10 percent, according to the California Earthquake Authority.

Check out key facts from the I.I.I. on the insurance industry’s contribution to the California economy here.

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

Global fatalities from acts of terrorism jumped by 30 percent in the last year even as the number of attacks decreased, according to a new interactive mapping platform from risk analytics firm Maplecroft.

Some 18,668 terrorism fatalities were recorded in the 12 months prior to July 1, up 29.3 percent from an annual average of 14,433 for the previous five years.

Over the same period there were some 9,471 global terrorism attacks at an average of 26 a day, down from a five-year average of 10,468. This indicates that terrorist methods have become increasingly deadly over the last year, Maplecroft said.

Nigeria recorded by far the highest number of fatalities per attack, with 146 reported attacks in the last year resulting in 3,477 fatalities – an average of 24 fatalities per attack (compared to 2 fatalities per attack in Iraq).

Iraq recorded the highest number of attacks, with 3,158 acts of terrorism resulting in 5,929 fatalities.

China, Egypt, Kenya and Libya are seeing the most significant increases in the risks of terrorist attacks, the Maplecroft Terrorism and Security Dashboard (MTSD) reveals.

The MTSD classifies 12 countries as ‘extreme risk,’ including: Iraq (most at risk), Afghanistan (2nd), Pakistan (3rd), Somalia (4th), Yemen (6th), Syria (7th), Lebanon (9th) and Libya (10th). Many of these countries are blighted by high levels of instability and weak governance, Maplecroft notes.

However, of particular concern for investors, the important growth economies of Nigeria (5th), the Philippines (8th), Colombia (11th) and Kenya (12th) also feature in the category.

Jordan Perry, a principal political risk analyst at Maplecroft says:

Libya, Kenya and Egypt are among a handful of countries to witness a significant increase in risk in the MTSD and investor confidence in key sectors, including tourism and oil and gas, has been hurt. When faced with rising security costs and decreasing safety for their personnel, companies can, and do, reconsider their country-level commitments.”

The MTSD logs, analyzes and plots all reported incidents of terrorism, piracy, political violence and human rights abuses by security forces down to 100m² worldwide. It also draws on Maplecroft’s seven years of global data to reveal terrorism and security trends across 197 countries.

Maplecroft CEO Alyson Warhurst makes the important point that the dynamic nature of terrorism means individual events are impossible to predict, but the information included in the MTSD can help organizations make informed decisions relating to market entry, security measures for in-country operations, duty of care obligations, supply chain continuity and risk pricing.

Check out I.I.I. facts and stats on terrorism risk.

Next Page »