Category Archives: Business Risk

Charlotte Unrest and Business Insurance

Ongoing civil unrest and protests in Charlotte, North Carolina following the police shooting of Keith Scott are reported to have caused significant property damage to businesses in the central area of the city.

The Charlotte Observer reports that entertainment complex EpiCentre faced looting and sustained significant damage Wednesday night. Numerous businesses were damaged, including Sundries EpiCentre, CVS, Enso and Fleming’s Prime Steakhouse, it said.

The NASCAR Hall of Fame was among other sites hit by vandals, with adjacent restaurants and hotels also damaged after officials declared a state of emergency for the city.

As clean-up gets underway, it’s important to note that most commercial insurance policies generally include coverage for losses caused by riots, civil commotions and fires.

The definition of rioting covers looting by people who steal merchandise or other property from a premises. Vandalism is also covered.

According to The Charlotte Observer, a possible curfew for Thursday night is being discussed by city officials.

The Insurance Information Institute (I.I.I.) notes that if a business has to suspend operations or limit hours due to rioting, business interruption coverage applies only if there is direct physical damage to the premises that forces the business to suspend operations.

A “civil authority provision” in a business policy provides coverage for lost income and extra expenses in the event the police or fire department bars access to a specific area as a result of the danger caused by a riot or civil commotion.

In April 2015, looting and arson in Baltimore, Maryland, following the funeral for Freddie Gray, a 25-year-old who died after suffering a severe spinal cord injury while in police custody, resulted in estimated property damage of about $24 million, according to the I.I.I.

Five of the costliest civil disorders in the U.S. occurred in the 1960s. Here they are:

[Image: table of the costliest U.S. civil disorders]

Brushing up on Terrorism Insurance

Multiple explosions over the weekend in New York and New Jersey as well as a knife attack by an individual at a mall in Minnesota come amid heightened concerns of terrorist attacks 15 years after 9/11.

Some 29 people were injured in the blast Saturday night in New York City’s Chelsea neighborhood, which is also reported to have caused significant property damage. Meanwhile, nine were injured in the Minnesota mall attack, where the suspect was killed by police.

Monday morning another explosion was reported near Elizabeth train station in New Jersey, where up to 5 devices were found, and as the FBI investigation intensified and security tightened around major transportation hubs, law enforcement officials arrested a suspect in the NY/NJ blasts.

While the unfolding events are unsettling, it’s good to know that if the home you own were damaged by an explosion and fire, personal insurance policies have you covered.

Standard homeowners insurance policies cover the homeowner for damage to property and personal possessions due to explosion, fire and smoke—the likely causes of damage in a terrorist attack, according to the Insurance Information Institute (I.I.I.), even if terrorism is not specifically referenced in the insurance policy.

Condominium or co-op owner policies also provide coverage for damage to personal possessions resulting from acts of terrorism, while damage to common areas of a building like the roof, basement, elevator, boiler and walkways would be covered providing the condo/co-op board has purchased terrorism coverage.

Standard renters insurance policies also include coverage for damage to personal possessions due to a terrorist attack. Again, coverage for the apartment complex itself must be purchased by the property owner or landlord.

If your car is damaged or destroyed in an explosion your auto insurance policy will cover the damage if you have purchased “comprehensive” coverage.

Commercial insurers are required to offer coverage against terrorist attacks and many owners of commercial property, such as office buildings, factories, shopping malls and apartment buildings, have purchased the coverage.

Marsh estimates some 60 percent of U.S. businesses have purchased terrorism insurance, up from 27 percent in 2003.

However, losses are only covered by a commercial terrorism insurance policy if the government officially certifies an attack as an act of terrorism. Several criteria must be met for the certification to be made. If property/casualty losses do not exceed $5 million in the aggregate, the act will not be certified as an act of terrorism.

Acts of terrorism are excluded from most standard business insurance policies.

Workers compensation—a compulsory line of insurance for all businesses—covers employees injured or killed on the job and therefore automatically includes coverage for acts of terrorism.

Check out I.I.I. facts and statistics on terrorism.

Faster Decisions, Fewer Challenges Among Cyber Buyers

Good news for cyber insurers. A majority of companies continue to have network security and data privacy insurance, and are making their purchase decisions faster and experiencing fewer purchasing challenges than in 2015.

The findings come in the newly-released 2016 Network Security and Data Privacy Study by Wells Fargo Insurance.

While in 2015 the study showed that 22 percent of companies buying insurance took more than 12 months to make the purchase decision, in 2016 just 8 percent of companies are currently taking that long, while 59 percent are taking six months or less.

Cost of coverage and finding a policy that meets a company’s needs remain the top two insurance purchasing challenges of 2016. However, the study found that 19 percent of companies did not experience any purchasing challenges, a significant improvement over 2015 when only 6 percent did not experience challenges.

The easier purchasing process may be related to less internal resistance, Wells Fargo said. Likewise, in 2016, fewer companies (24 percent) believed the risk was not big enough to warrant the purchase of network security and data privacy insurance.

Of the companies in the study that had purchased insurance, one-fifth reported filing a network security and data privacy insurance claim in the last 12 months, and most were satisfied with their coverage.

Another key takeaway for cyber insurers? Protecting the business against financial loss was the primary reason for purchasing coverage (81 percent) in 2016, as in 2015. However, protecting the company’s reputation is an increasing concern, with 70 percent citing it in 2016, compared to just 58 percent in 2015.

Purchasing insurance is an important step, but it should be used in tandem with developing and testing a comprehensive incident response plan and performing a thorough cyber risk assessment, Wells Fargo noted.

The second annual study analyzed trends of network security and data privacy issues among 100 decision makers at companies with $100 million or more in annual revenue.

Check out Insurance Information Institute’s (I.I.I.’s) latest white paper on cyber risk threats and challenges here.

Allergic Reaction: EpiPen Needed to Restore Reputation

As the mother of a young child with a life-threatening nut and sesame allergy, it’s hard to remain objective and impartial when it comes to a company increasing the price of EpiPen, the life-saving allergy injector, by more than 400 percent since 2007.

However, the latest example of a company facing a public backlash, political pressure and social media storm due to its business practices illustrates the importance of having the necessary resources in place to mitigate the effects of a reputational risk crisis if and when it occurs.

As we’ve noted in an earlier blog post, reputational risk is among the most challenging categories of risk to manage. A survey from ACE Group found that 81 percent of companies view reputation as their most significant asset—and most of them admit that they struggle to protect it.

The survey suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

Mylan, the company at the center of the EpiPen controversy, has moved quickly to respond to the angry mob and to stem the drop in its share price which has so far lost investors $3 billion.

Yesterday, Mylan’s CEO Heather Bresch went on CNBC to announce the company was increasing financial assistance to patients to offset out-of-pocket costs of the EpiPen.

However, as The New York Times reports, Mylan did not say it would lower the list price — which has risen to about $600 for a pack of two EpiPens, from about $100 when Mylan acquired the product in 2007.

By the way, actress Sarah Jessica Parker also announced she is ending her relationship with Mylan after the pricing debacle broke.

Wherever you stand in this debate, the reality is the pharmaceutical industry is for-profit, as noted by Ms Bresch, and in the absence of a competitor or a generic, EpiPen is the latest example of a company trying to maximize profit.

Reputational risk is not covered by a standard business insurance policy, but companies can purchase coverage via a stand-alone policy which typically would pay fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs including research, events, social media and directly associated costs.

Newer reputation insurance products have also been developed that would cover a company’s financial losses due to reputational and brand damages.

In the meantime, in a climate of increased public, regulatory and investor scrutiny, the Mylan case is a good example of why companies need to be more proactive than ever to respond to challenges before they do serious damage to their brand and reputation.

Zika and Business Interruption Insurance

As the Zika virus continues its rapid spread and amid travel warnings, including one advising pregnant women not to travel to popular tourist destination Miami Beach as well as advice to postpone non-essential travel to Florida’s Miami-Dade County, questions on business interruption insurance are bound to arise.

So this is perhaps a good time to review what a business interruption insurance policy covers.

The Insurance Information Institute (I.I.I.) reminds us that business interruption coverage, sometimes known as business income insurance, covers financial losses resulting from a business’s inability to operate because of property damage due to an insured event.

Generally, business interruption insurance will cover:

• Revenue lost due to the closure.

• Fixed expenses, such as rent and utility costs.

• Expenses of operating from a temporary location.

But there must be direct physical damage to the property from a covered event for a business to be reimbursed under the policy.

A good example of a covered event would be a fire or windstorm that might damage property thereby causing a business to lose income.

A mosquito-borne infectious disease therefore does not appear to meet the threshold for property damage under a traditional business interruption policy.

In addition, while businesses may lose income due to fewer customers and tourists visiting an area because of fear over the Zika outbreak and in response to travel warnings, legal experts say there are several reasons why traditional business interruption insurance policies are unlikely to respond.

Some businesses may have an extension to their property insurance policy that could provide some business interruption coverage for non-damage scenarios (i.e. where there is no physical damage to an insured’s property), but limitations and exceptions to this coverage may apply.

Recently, the World Economic Forum (WEF) observed that beyond direct health impacts, infectious diseases can impose significant additional economic costs through a response called “aversion behavior”.

Aversion behavior includes actions taken by individuals to avoid any exposure to the illness, as well as actions taken by investors as they anticipate those individual decisions.

Even individuals with no direct contact with the disease will take a range of actions to avoid any risk of contracting the disease, the WEF says:

“As shown by the recent Ebola outbreak, these reactions can be rational or they can dramatically overestimate risk, leading to a wide variety of factors that can negatively impact the economy, from stress to labour and supply scarcity, financial market instability, and price increases.”

The economic impact of aversion behavior may be significantly greater than the direct economic impact from sickness and death, the WEF said.

For example, in 2015 the World Bank estimated a potential loss in GDP of more than US$1.6 billion in Guinea, Liberia, and Sierra Leone as a result of the Ebola epidemic, and more than US$500 million across the rest of the continent. This was based on an erosion in consumer and investor confidence and disruptions to travel and cross-border trade.

Check out I.I.I. facts and statistics on mortality risk here.

Zika virus resources from the Centers for Disease Control and Prevention (CDC) are available online.

According to the CDC, as of August 17, there were 2,260 cases of Zika in the U.S.

Below is the CDC map of Zika cases reported in the U.S.:

[Image: CDC map of Zika cases reported in the U.S.]

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2.)

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

U.S. Exposure to Brexit Referendum

London, for decades the financial center of Europe, finds itself on the brink of a monumental vote. On Thursday, British voters will decide whether to leave the European Union in what’s known as the Brexit referendum.

While there is uncertainty over what a Brexit could mean for the UK economy and for London, there is also uncertainty over what it would mean for the United States and for U.S. companies.

The Los Angeles Times reports that while the U.S. economy is better insulated than most from the risk of market turmoil, the Brexit referendum has added to uncertainties in a presidential election year and to lingering concerns about China’s economic slowdown.

A lot of U.S. companies have something to lose if the UK decides to leave the EU, with the banking and insurance sectors among those most likely to be affected, according to this CNBC report.

Some U.S. companies have moved not just parts of their operations but whole headquarters from the U.S. to the UK, CNBC says.

For example, the world’s largest insurance broker, Aon, relocated its corporate headquarters to London from Chicago in 2012, in a move designed to give the company greater access to emerging markets through London.

Aon told CNBC in a statement:

“If Britain votes to leave the European Union, the innovative center of excellence that has set London apart in the insurance space will be deeply challenged.

“Talent is a true differentiator for the city of London, and to create a barrier between the industry that addresses the world’s most complex risks and the global talent needed to do this will have real implications.”

If companies lose the ability to passport their services into Europe, they may decide to move their European hubs and staff out of London and the UK, which would lead to significantly higher operational costs.

The London insurance market has been very vocal on why remaining in the EU is the best outcome for insurers.

As Lloyd’s chief risk officer Sean McGovern said earlier this year, the London market is currently the largest global hub for commercial and specialty risk—controlling more than £60 billion ($88 billion) of gross written premium.

And the UK’s membership of the EU gives it access to the world’s largest insurance market with a world market share of nearly 33 percent and total insurance premiums of nearly Euros 1.4 trillion ($1.6 trillion).

In a recent paper, Lloyd’s, the International Underwriting Association and Fidelis warned that Brexit poses a significant threat to London insurance jobs and business.

Read more about the insurance sector impact of a Brexit in this analysis by London law firm Clifford Chance.

Aon’s full statement on the EU referendum is available here.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact, more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas, and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

Small Business Interrupted

Every business comes with a certain amount of risk. Although difficulties and challenges can’t be avoided, they can be mitigated with the proper precautions, planning and insurance coverage.

In support of National Small Business Week (May 1-7) and to help business owners understand insurance, the Insurance Information Institute (I.I.I.) developed this infographic that focuses on business interruption insurance, which is also posted on the I.I.I.’s Business Pinterest Board.

Did you know that after a catastrophe or other disaster 40 percent of businesses do not reopen and another 25 percent fail within a year?

When a business is shut down due to a damaging event it loses revenue. Meanwhile, the business still has to pay its bills and may incur additional expenses as a result of the disruption.

Fortunately, with business interruption coverage, many of these costs and losses can be reimbursed.

A recent report from Allianz Global Corporate & Specialty (AGCS) found that the economic impact from business interruption is often much higher than the cost of physical damage in a disaster and is a growing risk to companies worldwide.

In that report AGCS also noted that the vast majority of BI losses are not caused by natural catastrophes, but rather non-natural hazard events like human error or technical failure.

Cyber business interruption risk is often underestimated, another report found.

More information on covering losses with business interruption insurance is available at the I.I.I. website.

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances, including the Internet of Things (IoT) and electronic navigation, mean the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incident of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years, piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.