Business Risk


A California Labor Commission ruling that an Uber driver is a company employee, not an independent contractor may dampen fears that the on-demand economy spells the end for workers compensation, liability and health insurance. At least for now.

As reported by numerous news outlets, here and here, the decision out of California – though it applies to a single driver – could significantly increase costs for the ride-sharing business if it is copied by other states and in other cases.

It could also have potential implications for other segments of the economy important to property/casualty insurers.

As the New York Times reports:

The classification of freelancers is in dispute across a number of industries, including at other transportation companies. And the debate is set to escalate as the number of online companies and apps like Uber and others rises.”

The ruling, which commentators say could hurt Uber’s $40 billion-plus valuation, orders Uber to pay Barbara Berwick, $4,152 in expenses for the time she worked as an Uber driver last year.

Here are a couple of key excerpts from the California Labor Commission decision:

Plaintiffs’ work was integral to Defendants’ business. Defendants are in business to provide transportation services to passengers. Plaintiff did the actual transporting of those passengers. Without drivers such as Plaintiff, Defendants’ business would not exist.”

And:

Defendants hold themselves as nothing more than a neutral technological platform, designed simply to enable drivers and passengers to transact the business of transportation. The reality, however, is that Defendants are involved in every aspect of the operation.”

In response to the ruling (which it has appealed) Uber stated:

The California Labor Commission’s ruling is non-binding and applies to a single driver. Indeed it is contrary to a previous ruling by the same commission, which concluded in 2012 that the driver ‘performed services as an independent contractor, and not as a bona fide employee.’ Five other states have also come to the same conclusion.”

Potential insurance issues arising out of the on-demand or sharing economy are a recurring topic of conversation these days.

In a recent presentation I.I.I. president Dr. Robert Hartwig noted that traditional insurance will often not cover a worker engaged in offering labor or resources through these on-demand platforms.

For example, private passenger auto insurance generally won’t cover you while driving for Uber and a homeowners insurance policy won’t cover a homeowner for anything other than occasional rents of their property.

Also, Dr. Hartwig said: “Unless self-procured, on-demand workers (independent contractors) will generally have no workers comp recourse if injured on the job.”

A new report from ratings agency Standard & Poor’s warns that the credit ratings of U.S. financial services companies could be vulnerable to cyber risks in future.

In its analysis, S&P says:

Although the many successful cyber-attacks have not yet resulted in any changes in Standard & Poor’s Ratings Services’ ratings on financial services companies, we view cyber-security as an emerging risk that we believe has the potential to pose a higher credit risk to financial services firms in the future.”

And:

It’s not difficult to envisions scenarios in which criminal or state-sponsored cyber-attacks (for credit implications, we don’t differentiate the sources of intrusion) would result in significant economic effects, business interruption, theft, or reputational risk.”

S&P goes on to explain that while cyber attacks can result in losses, and possible market disruptions, so far they have not resulted in negative rating actions because the exposure of targeted companies has been contained by their own financial wherewithal and to some extent insurance programs.

Nevertheless, the damage to reputation, brand, or competitive position may likely only truly be known in the years ahead.

S&P notes that threat alone does not determine rating responses and threat risk varies by sector:

Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event.

While all financial services companies targeted by major data breaches have emerged intact, S&P says it is increasingly wary about the persistence of cyber attacks and what that might mean for consumer confidence to engage in commerce with the brand going forward.

S&P says it views the threat for the insurance industry overall as medium, albeit risks for health insurers are higher. Adequate/strong enterprise risk management programs and the very strong capitalization of insurers are some of the offsetting risk factors.

While the cyber insurance market is still emerging, S&P expects premiums to more than double to $10 billion in the next five to 10 years from $2.5 billion now.

Hat tip to Insurance Journal which reports on this story here.

 

Survey more than 800 corporate counsel representing companies across 26 countries on litigation trends and issues and you get some insightful findings.

Such is the case with the recently released Norton Rose Fulbright 2015 Litigation Trends Annual Survey.

For example, class action lawsuits were listed as the top issue by respondents in the United States, Canada and Australia.

U.S.-based respondents also reported a more litigious business environment than their peers, with 55 percent facing more than five lawsuits filed against their companies in the previous 12 months, compared with 23 percent in the United Kingdom and 22 percent in Australia.

There are also significant differences in the types of litigation that U.S. companies face compared with their peers worldwide.

For example, personal injury litigation is much more prevalent in the U.S. than elsewhere, with 21 percent of those polled selecting it as one of the most numerous types of cases faced in the previous 12 months, compared to just 15 percent in the survey overall.

In addition, intellectual property/patents (18 percent) and product liability (17 percent) cases were more common in the U.S. than worldwide (13 percent and 11 percent, respectively).

Going forward, more U.S. respondents say regulatory/investigations are a top concern (48 percent) compared with the broader sample (39 percent).

Intellectual property (IP)/patents disputes are also of greater concern in the U.S. (30 percent) compared with all respondents (21 percent).

In addition, more U.S. respondents list class actions (25 percent) and product liability (18 percent) as top concerns compared with the total sample (18 percent and 14 percent, respectively).

In the words of Richard Krumholz, head of dispute resolution and litigation, United States, Norton Rose Fulbright:

Our survey clearly demonstrates that the litigation and regulatory environment in the United States continues to pose some of the greatest risks which businesses from around the world face. This is reflected in rising litigation budgets and the size of disputes-focused staff compared to peer companies around the globe.”

Just to be clear, the average U.S. company has 20 in-house lawyers to handle disputes and the number of U.S. companies with an annual litigation spend of $1 million or more increased from 52 percent to 69 percent from 2012 to 2014.

Slightly more than half of the survey respondents are from companies with headquarters in the U.S.

The Insurance Information Institute (I.I.I.) has an excellent resource on business liability insurance here.

The financial impact of cyber exposures is close to exceeding those of traditional property, yet companies are reluctant to purchase cyber insurance coverage.

These are the striking findings of a new Ponemon Institute  survey sponsored by Aon.

Companies surveyed estimate that the value of the largest loss (probable maximum loss) that could result from theft or destruction of information assets is approximately $617 million, compared to an average loss of $648 million that could result from damage or total destruction of property, plant and equipment (PP&E).

Yet on average, only 12 percent of information assets are covered by insurance. By comparison, about 51 percent of PP&E assets are covered by insurance.

The survey found that self-insurance is higher for information assets at 58 percent, compared to 28 percent for PP&E.

In some ways, these results are not surprising.

Cyber insurance is a relatively new product, and while interest continues to increase, it will take time for the purchase rate to catch up with traditional insurances.

That said, the values at stake are enormous and as the report states, the likelihood of loss is higher for information assets than PP&E.

Another important takeaway from the survey is that business disruption has a much greater impact on information assets ($207 million) than on PP&E ($98 million).

This suggests the fundamental nature of probable maximum loss (PML) varies considerably for intangible assets vs. tangible assets, Ponemon says.

Business disruption represents 34 percent of the PML for information assets, compared to only 15 percent of the PML for PP&E.

A footnote states that while the survey results suggest PML in the neighborhood of $200 million, a growing number of companies are using risk analysis and modeling to suggest potential losses in excess of $500 million to over $1 billion and seek cyber insurance limit premium quotes and policy terms for such amounts.

More information on the growth in cyber insurance is available from the I.I.I. here.

Some 2,243 individuals involved in cyber and enterprise risk management at companies in 37 countries responded to the Ponemon survey.

The decision by Texas-based Blue Bell Creameries to recall all of its products after two samples of its ice cream tested positive for listeria is a timely reminder of the importance of product recall insurance.

Product recalls can be costly and logistically complex. In Blue Bell Creameries’ case the expanded voluntary recall announced Monday night includes ice cream, frozen yogurt, sherbet and frozen snacks distributed in 23 states and international locations.

Blue Bell said it was pulling its products “because they have the potential to be contaminated with listeria.”

The company had issued an earlier more limited recall last month after the U.S. Centers for Disease Control and Prevention (CDC) linked ice cream contaminated with listeria to three deaths in Kansas.

As of April 21, 2015, the CDC says a total of 10 people with listeriosis related to this outbreak have been confirmed from four states.

A 2014 report by Aon notes that the number of product recalls in the United States and Canada for both food products and nonfood products continues to grow year over year.

Each year, hundreds of products are recalled in the U.S. Some historically significant recall events have included such well-known brands as Tylenol, Perrier, Firestone Tires, Pepsi and Coca-Cola.

The Insurance Information Institute (I.I.I.) reminds us that product recalls can be financially devastating and potentially put a company out of business. No organization is immune to the risk of a product recall—even those with the best safety records, operational controls and manufacturing oversight.

In a post in the Wall Street Journal’s Morning Risk Report, crisis management experts note that how well a company succeeds at regaining customer trust following a product recall will likely determine whether it recovers from the negative hit to its reputation and bottom line.

True. Insurance can also help defray the financial hit on a company.

Product recall insurance helps cover a wide range of costs including advertising and promotional expenses to launch a recall, as well as the costs related to product destruction and disposal, business interruption and repairing a damaged reputation, the I.I.I. says.

Another coverage worth considering is product contamination insurance, which protects a company’s bottom line in the event its product is accidentally or maliciously contaminated.

The April 2013 Boston bombing may have marked the first successful terrorist attack on U.S. soil since the September 11, 2001 tragedy, but terrorism on a global scale is increasing.

Yesterday’s attack by the Al-Shabaab terror group at a university in Kenya and a recent attack by gunmen targeting foreign tourists at the Bardo museum in Tunisia point to the persistent nature of the terrorist threat.

Groups connected with Al Qaeda and the Islamic State committed close to 200 attacks per year between 2007 and 2010, a number that grew by more than 200 percent, to about 600 attacks in 2013, according to the Global Terrorism Database at the University of Maryland.

Latest threats to U.S. targets include calls by Al-Shabaab for attacks on shopping malls.

And a recent intelligence assessment circulated by the Department of Homeland Security focused on the domestic terror threat from right-wing sovereign citizen extremists.

On January 12, 2015, President Obama signed into law the Terrorism Risk Insurance Program Reauthorization Act of 2015.

A new I.I.I. white paper, Terrorism Risk Insurance Program: Renewed and Restructured, takes us through each of more than eight distinct layers of taxpayer protection provided under TRIA’s renewed structure.

While TRIA from its inception was designed as a terrorism risk sharing mechanism between the public and private sector, an overwhelming share of the risk is borne by private insurers, a share which has increased steadily over time.

Today, all but the very largest (and least likely) terrorist attacks would be financed entirely within the private sector.

Enactment of the 2015 reauthorization legislation has brought clarity and stability to policyholders and the insurance marketplace once again, the I.I.I. notes.

In the week before Christmas when Congress adjourned without renewing the Terrorism Risk Insurance Act (TRIA), Jeffrey DeBoer, president and CEO of The Real Estate Roundtable, a trade group representing real estate industry leaders, said:

This law does not stop terrorist attacks. But it does disrupt terrorists’ goals of damaging our economy.”

The I.I.I. paper makes a similar point:

Since its creation in 2002, the federal Terrorism Risk Insurance Act, and its successors, have been critical components of America’s national economic security infrastructure. TRIA has cost taxpayers virtually nothing, yet the law continues to provide tangible benefits to the U.S. economy in the form of terrorism insurance market stability, affordability and availability.”

For a federally backed program, that is quite a success story.

A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believe that they have cover, whereas in fact less than 10 percent does.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

A protracted labor dispute that continues to disrupt operations at U.S. West coast ports underscores the supply chain risk facing global businesses.

Disruptions have steadily worsened since October, culminating in a partial shutdown of all 29 West coast ports over the holiday weekend.

The Wall Street Journal reports that operations to load and unload cargo vessels resumed Tuesday as Labor Secretary Tom Perez met with both sides in the labor dispute in an attempt to broker a settlement amid growing concerns over the impact on the economy.

More than 40 percent of all cargo shipped into the U.S. comes through these ports, so the dispute has potential knock on effects for many businesses.

A number of companies have already taken steps to mitigate the supply chain threat, according to reports. For example, Japanese car manufacturer Honda Motor Co, among others, has been using air freighters to transport some key parts from Asia to their U.S. factories – at significant extra expense.

On Sunday Honda also said it would have to slow production for a week at U.S.-based plants in Ohio, Indiana, and Ontario, Canada, as parts it ships from Asia have been held up by the dispute.

Toyota Motor Corp. has also reduced overtime at some U.S. manufacturing plants as a result of the dispute.

A brief published by Marsh last year noted that a West Coast port strike or shutdown could have broad consequences for global trade, business and economic conditions.

Organizations with effective risk management and insurance strategies in place will be best prepared to manage and respond to situations that hamper their flow of goods and finances, Marsh noted.

In 2002, a similar labor dispute ultimately led to the shutdown of ports along the West coast costing the U.S. economy around $1 billion each day, and creating a backlog that took six months to clear.

Many businesses purchase marine cargo insurance to protect against physical loss or damage to cargo during transit. This type of insurance generally will not respond in the event that a strike or other disruption at a port delays the arrival of insured cargo, unless there is actual physical damage to the cargo, according to Marsh.

However, some policyholders may have obtained endorsements to their insurance policies, or purchased additional coverage to protect themselves from the effects of port disruption.

Trade disruption insurance (TDI), supply chain insurance, and specialty business interruption insurance may also provide coverage for the financial consequences of a port disruption, Marsh wrote.

A study by FM Global of more than 600 financial executives found that supply chain risk, more than any other, was regarded as having the greatest potential to disrupt their top revenue driver. FM Global’s Resilience Index can help executives evaluate and manage supply chain risk.

In what is being described as potentially the largest breach of a health care company to-date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website – www.AnthemFacts.com — set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An FBI statement quoted in an LA Times article noted:

Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO, Joseph R Swedish, offered a personal apology to members. Anthem has also established a toll-free number – 1-877-263-7995 FREE – that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches – the largest among industry sectors – as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

Next Page »