Category Archives: Business Risk

Allergic Reaction: EpiPen Needed to Restore Reputation

As the mother of a young child with a life-threatening nut and sesame allergy, it’s hard to remain objective and impartial when it comes to a company increasing the price of EpiPen, the life-saving allergy injector, by more than 400 percent since 2007.

However, the latest example of a company facing a public backlash, political pressure and social media storm due to its business practices illustrates the importance of having the necessary resources in place to mitigate the effects of a reputational risk crisis if and when it occurs.

As we’ve noted before in an earlier blog post, reputational risk is among the most challenging categories of risk to manage. A survey from ACE Group found that 81 percent of companies view reputation as their most significant asset—and most of them admit that they struggle to protect it.

The survey suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

Mylan, the company at the center of the EpiPen controversy, has moved quickly to respond to the angry mob and to stem the drop in its share price which has so far lost investors $3 billion.

Yesterday, Mylan’s CEO Heather Bresch went on CNBC to announce the company was increasing financial assistance to patients to offset out-of-pocket costs of the EpiPen.

However, as The New York Times reports, Mylan did not say it would lower the list price — which has risen to about $600 for a pack of two EpiPens, from about $100 when Mylan acquired the product in 2007.

By the way, actress Sarah Jessica Parker also announced she is ending her relationship with Mylan after the pricing debacle broke.

Wherever you stand in this debate, the reality is the pharmaceutical industry is for-profit, as noted by Ms Bresch, and in the absence of a competitor or a generic, EpiPen is the latest example of a company trying to maximize profit.

Reputational risk is not covered by a standard business insurance policy, but companies can purchase coverage via a stand-alone policy which typically would pay fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs including research, events, social media and directly associated costs.

Newer reputation insurance products have also been developed that would cover a company’s financial losses due to reputational and brand damages.

In the meantime, in a climate of increased public, regulatory and investor scrutiny, the Mylan case is a good example of why companies need to be more proactive than ever to respond to challenges before they do serious damage to their brand and reputation.

Zika and Business Interruption Insurance

As the Zika virus continues its rapid spread and amid travel warnings, including one advising pregnant women not to travel to popular tourist destination Miami Beach as well as advice to postpone non-essential travel to Florida’s Miami-Dade County, questions on business interruption insurance are bound to arise.

So this is perhaps a good time to review what a business interruption insurance policy covers.

The Insurance Information Institute (I.I.I.) reminds us that business interruption coverage, sometimes known as business income insurance, covers financial losses resulting from a business’s inability to operate because of property damage due to an insured event.

Generally, business interruption insurance will cover:

• Revenue lost due to the closure.

• Fixed expenses, such as rent and utility costs.

• Expenses of operating from a temporary location.

But there must be direct physical damage to the property from a covered event for a business to be reimbursed under the policy.

A good example of a covered event would be a fire or windstorm that might damage property thereby causing a business to lose income.

A mosquito-borne infectious disease therefore does not appear to meet the threshold for property damage under a traditional business interruption policy.

In addition, while businesses may lose income due to fewer customers and tourists visiting an area because of fear over the Zika outbreak and in response to travel warnings, legal experts say there are several reasons why traditional business interruption insurance policies are unlikely to respond.

Some businesses may have an extension to their property insurance policy that could provide some business interruption coverage for non-damage scenarios (i.e. where there is no physical damage to an insured’s property), but limitations and exceptions to this coverage may apply.

Recently, the World Economic Forum (WEF) observed that beyond direct health impacts, infectious diseases can impose significant additional economic costs through a response called “aversion behavior”.

Aversion behavior includes actions taken by individuals to avoid any exposure to the illness, as well as actions taken by investors as they anticipate those individual decisions.

Even individuals with no direct contact with the disease will take a range of actions to avoid any risk of contracting the disease, the WEF says:

“As shown by the recent Ebola outbreak, these reactions can be rational or they can dramatically overestimate risk, leading to a wide variety of factors that can negatively impact the economy, from stress to labour and supply scarcity, financial market instability, and price increases.”

The economic impact of aversion behavior may be significantly greater than the direct economic impact from sickness and death, the WEF said.

For example, in 2015 the World Bank estimated a potential loss in GDP of more than US$1.6 billion in Guinea, Liberia, and Sierra Leone as a result of the Ebola epidemic, and more than US$500 million across the rest of the continent. This was based on an erosion in consumer and investor confidence and disruptions to travel and cross-border trade.

Check out I.I.I. facts and statistics on mortality risk here.

Zika virus resources from the Centers for Disease Control and Prevention (CDC) are available online.

According to the CDC, as of August 17, there were 2,260 cases of Zika in the U.S.

Below is the CDC map of Zika cases reported in the U.S.:

[Image: CDC map of Zika cases reported in the U.S.]

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2.)

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.

U.S. Exposure to Brexit Referendum

London, for decades the financial center of Europe, finds itself on the brink of a monumental vote. On Thursday, British voters will decide whether to leave the European Union in what’s known as the Brexit referendum.

While there is uncertainty over what a Brexit could mean for the UK economy and for London, there is also uncertainty over what it would mean for the United States and for U.S. companies.

The Los Angeles Times reports that while the U.S. economy is better insulated than most from the risk of market turmoil, the Brexit referendum has added to uncertainties in a presidential election year and to lingering concerns about China’s economic slowdown.

A lot of U.S. companies have something to lose if the UK decides to leave the EU, with the banking and insurance sectors among those most likely to be affected, according to this CNBC report.

Some U.S. companies have moved not just parts of their operations but whole headquarters from the U.S. to the UK, CNBC says.

For example, Aon, the world’s largest insurance broker, relocated its corporate headquarters to London from Chicago in 2012, in a move designed to give the company greater access to emerging markets through London.

Aon told CNBC in a statement:

“If Britain votes to leave the European Union, the innovative center of excellence that has set London apart in the insurance space will be deeply challenged.

“Talent is a true differentiator for the city of London, and to create a barrier between the industry that addresses the world’s most complex risks and the global talent needed to do this will have real implications.”

If companies lose the ability to passport their services into Europe, they may decide to move their European hubs and staff out of London and the UK, which would lead to significantly higher operational costs.

The London insurance market has been very vocal on why remaining in the EU is the best outcome for insurers.

As Lloyd’s chief risk officer Sean McGovern said earlier this year, the London market is currently the largest global hub for commercial and specialty risk—controlling more than £60 billion ($88 billion) of gross written premium.

And the UK’s membership of the EU gives it access to the world’s largest insurance market with a world market share of nearly 33 percent and total insurance premiums of nearly Euros 1.4 trillion ($1.6 trillion).

In a recent paper, Lloyd’s, the International Underwriting Association and Fidelis warned that Brexit poses a significant threat to London insurance jobs and business.

Read more about the insurance sector impact of a Brexit in this analysis by London law firm Clifford Chance.

Aon’s full statement on the EU referendum is available here.

What Does A Cyberattack Really Cost?

The current market value put on the business impact of a cyberattack is grossly underestimated, according to a new report from Deloitte Advisory.

It finds that the direct costs commonly associated with data breaches, such as regulatory fines, breach notification and protection costs, and public relations costs account for less than 5 percent of the total business impact.

But the effects of a cyberattack can be even more far-reaching and last for years, resulting in a wide range of hidden or intangible costs related to loss of intellectual property, operational disruption, increase in insurance premiums, and devaluation of trade name.

In fact, more than 95 percent of the financial impact of a cyberattack is likely to accrue in these areas, and businesses can be caught especially unprepared for these intangible costs.

In a press release, Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic, says:

“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization.

“Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”

Find out more about cyber risks and insurance in this Insurance Information Institute paper.

Small Business Interrupted

Every business comes with a certain amount of risk. Although difficulties and challenges can’t be avoided, they can be mitigated with the proper precautions, planning and insurance coverage.

In support of National Small Business Week (May 1-7) and to help business owners understand insurance, the Insurance Information Institute (I.I.I.) developed this infographic that focuses on business interruption insurance, which is also posted on the I.I.I.’s Business Pinterest Board.

Did you know that after a catastrophe or other disaster 40 percent of businesses do not reopen and another 25 percent fail within a year?

When a business is shut down due to a damaging event it loses revenue. Meanwhile, the business still has to pay its bills and may incur additional expenses as a result of the disruption.

Fortunately, with business interruption coverage, many of these costs and losses can be reimbursed.

A recent report from Allianz Global Corporate & Specialty (AGCS) found that the economic impact from business interruption is often much higher than the cost of physical damage in a disaster and is a growing risk to companies worldwide.

In that report AGCS also noted that the vast majority of BI losses are not caused by natural catastrophes, but rather non-natural hazard events like human error or technical failure.

Cyber business interruption risk is often underestimated, another report found.

More information on covering losses with business interruption insurance is available at the I.I.I. website.

IoT and Piracy Increase Risks to Shipping

A hacker causes an oil platform located off the coast of Africa to tilt to one side, forcing it to temporarily shut down. A port’s cyber systems are infiltrated by hackers to locate specific containers loaded with illegal drugs and remove them undetected.

These are just a few of the cyber attacks on the shipping industry reported to date, according to Allianz Global Corporate & Specialty SE’s (AGCS) fourth annual Safety and Shipping Review 2016.

But such attacks are often under-reported as companies opt to deal with breaches internally for fear of worrying stakeholders, AGCS notes.

“When reports of attacks do surface, details are usually vague, making it extremely difficult to gauge the headway the industry has made in strengthening online security.”

The shipping industry’s reliance on interconnected technology also poses risks. Cyber risk exposure is growing beyond data loss.

Technological advances including the Internet of Things (IoT) and electronic navigation mean the industry may have less than five years to prepare for the risk of a vessel loss, AGCS warns.

There has already been one known incident of Somali pirates having infiltrated a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security, leading to the hijacking of a vessel.

In the words of Captain Andrew Kinsey, senior marine risk consultant, AGCS:

“Pirates are already abusing holes in cyber security to target the theft of specific cargoes. The cyber impact cannot be overstated. The simple fact is you can’t hack a sextant.”

The industry needs more robust cyber technology in order to monitor the movement of stolen cargoes, according to Kinsey.

For the first time in five years, piracy attacks at sea failed to decline in 2015. International Maritime Bureau statistics show there were 246 piracy attacks worldwide in 2015, up from 245 in 2014.

Attacks in South East Asia continue to increase, with the region accounting for 60 percent of global incidents and Vietnam a new hotspot, AGCS reports.

The Insurance Information Institute offers facts and statistics on marine accidents here.

Tianjin: A Reminder of Insurance Need in Developing Countries

The explosions at the Port of Tianjin, China could ultimately become one of the largest man-made insurance loss events worldwide ever recorded, according to Swiss Re sigma.

Based on Swiss Re’s latest estimates, the total insured property loss of the Tianjin explosions is likely to be around USD 2.5 billion to USD 3.5 billion, making it the largest man-made insured loss event in Asia ever recorded.

Tianjin currently ranks as the third largest man-made insured global loss (in 2015 dollars), behind the September 11, 2001, terrorist attacks in New York, Washington and Pennsylvania and the 1988 Piper Alpha oil rig disaster.

The Tianjin experience highlights the new potential risks facing developing countries with rapidly-developing economies, according to the latest sigma study.

2015 was the third year in a row that the biggest man-made loss globally originated from an emerging market, a reminder of the importance of insurance for developing countries, sigma says.

“The event shows the large loss potential in a country like China, with a fast-growing economy. If further evidence is needed, in 2013 a fire at a major high-tech semiconductor plant in Wuxi, also in China, caused insured losses of USD 0.9 billion.”

Financial protection through insurance is key to restoring business operations and recouping losses, sigma notes.

Accurate assessment of exposures, appropriate coverage terms and adequate pricing are likewise crucial:

“For re/insurers, they need to actively identify, monitor and manage exposures in hazard zones and in areas with high asset-value concentrations.”

The complexities of the Tianjin loss have challenged re/insurers, and highlighted the accumulation of risks that can arise from a single large-scale industrial catastrophe event.

While destroyed and damaged vehicles account for most of the Tianjin losses, uncertainties remain as to the types of insurance policies involved.

Property and cargo present major risk accumulation factors in ports, especially in big centers like Tianjin, sigma observes.

The Insurance Information Institute has useful facts and statistics on man-made disasters here.

Don’t Ask, Don’t Tell

We’re reading an item of interest from across the pond where the United Kingdom’s Institute of Directors (IoD) has issued a new report that gives insight into how companies tend to react if they are under a cyber attack.

The IoD study, supported by Barclays, revealed that most companies keep quiet, with under one third (28 percent) of cyber attacks reported to the police.

This is despite the fact that half (49 percent) of cyber attacks resulted in interruption of business operations, the IoD noted.

Hat tip to forbes.com which reports on the IoD findings in this blog post.

It’s worth noting that here in the United States, the Identity Theft Resource Center (ITRC) has long maintained that the record number of U.S. data breaches it tracks are by no means the whole story.

Many data breaches fly under the radar, the ITRC says, because businesses want to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification.

Back in the UK, the survey of nearly 1,000 IoD members also showed a worrying gap between awareness of cyber risks and preparedness.

Even though nine in 10 business leaders said cyber security was important, only 57 percent had a formal strategy in place to protect themselves, and just one fifth (20 percent) held insurance against an attack.

In the words of Professor Benham, author of the IoD report:

“No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

With 34,500 members, ranging from start-up entrepreneurs to CEOs of multinational companies, the IoD is the UK’s largest organization for business leaders.

More on cyber security in the Insurance Information Institute’s paper Cyber Risks: Threat and Opportunities.

PwC: Incidence of Cybercrime Sharply Higher

Cybercrime has jumped to the second most reported type of economic crime, affecting 32 percent of global businesses, according to a just-released survey by PwC.

PwC’s Global Economic Crime Survey 2016 found that while traditional leaders of economic crime–asset misappropriation, bribery and corruption, procurement fraud and accounting fraud–all showed a slight decrease over 2014 statistics, cybercrime is on a steady increase.

In fact, over one quarter of the 6,000 respondents to PwC’s survey said they’d been affected by cybercrime.

Despite a sharply higher incidence of reported cybercrime among PwC’s respondents, the survey found that most companies are still not adequately prepared for, or do not even understand, the risks they face.

Only 37 percent of organizations have a cyber incident response plan in place and many boards are not sufficiently proactive regarding cyber threats.

Even though boards have a fiduciary responsibility to shareholders when it comes to cyber risk in several countries, PwC found that less than half of board members actually request information about their organization’s state of cyber-readiness.

Losses from cybercrime can be heavy, PwC reported. A handful of respondents (around 50 organizations) said they had suffered losses over $5 million. Of these, nearly one-third reported cybercrime-related losses in excess of $100 million.

Reputational damage was considered the most damaging impact of a cyber breach among survey respondents, followed by legal, investment and/or enforcement costs.

According to PwC:

“The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it.”

This year’s results show that the incidence of economic crime has come down, for the first time since the global financial crisis of 2008-9 (albeit marginally by 1 percent).

Check out the I.I.I. white paper Cyber Risk: Threat and Opportunity for the latest on cybercrime, risks and insurance.