Tag Archives: act of terrorism

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.

Employee Concentration Impacting Workers' Compensation Renewals

Workers' compensation continues to be a challenged line, with historically poor results, a benign interest rate environment, and diminished prior year reserve redundancy. Another issue worth noting is the uncertainty around the potential 2014 extension of the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), which has heightened the focus on aggregation of workers' compensation risk.

Employee Concentration
For years, carriers have monitored workers' compensation exposure aggregations (their cumulative exposures in a geographic area) as a way of assessing the potential impact that an earthquake would have on their book of business. Such analysis has been commonplace in earthquake prone areas, such as California, for many years. However, after the September 11, 2001 terrorist attack, workers' compensation carriers and reinsurers immediately began to focus on employee concentration in large cities which were deemed high risk targets for terrorist events.

Insurance carriers continue to view risks from a concentration perspective — both on an individual accounts basis as well as the aggregate across their portfolio and correlated lines of business. Some carriers will decline a risk outright simply because they are “overlined” in a particular zip code or city. Or, the carrier might impose a surcharge on the premium for the use of their limited capacity for a particularly large workers' compensation risk.

Reinsurers similarly set a maximum amount of capacity they can offer in a particular geographic area and for catastrophic loss scenarios. Insurers purchase this capacity as one way to reduce their potential to incur an outsized catastrophic loss and manage their modeled worst case scenario within their financial risk tolerance.

To that end, catastrophic models have been developed. Catastrophic models allow carriers to gauge their potential exposures in a geographic area under a variety of different event scenarios that are either probabilistic or deterministic in nature. During the last 10 years, carriers have made adjustments to their books of business according to the output of these models to limit their potential exposure to terrorist events — sometimes across multiple product lines.

A unique consideration with workers' compensation over other insurance contracts is workers' compensation policies have statutory coverage (in this case being synonymous with unlimited) rather than a stated limit which could cap a carrier's liability for a certain loss. Given the statutory nature of the coverage, it is difficult for carriers to estimate their maximum exposure to workers' compensation.

The issue of employee aggregation affects any employer with a large number of employees in a single location, but is highlighted in industries such as financial institutions, hospitals, defense contractors, higher education, hotels, professional services, and nuclear.

Impact Of Pending TRIPRA Expiration
Because of the significant financial impact of the September 11 terrorist attacks, Congress created the Federal Terrorism Risk Insurance Act (TRIA) to provide a financial backstop to the insurance industry that would cap losses in the event of another large-scale terrorist event. The Act was initially set to expire at the end of 2005, but because of the ongoing risk of terrorism, and the reliance on it by insurance carriers, it has been extended several times. It is now set to expire on December 31, 2014.

When most people think of TRIA/TRIPRA, they think of the property insurance marketplace. Without this backstop in place, many high-profile properties would not be insurable in the commercial marketplace. However, workers' compensation is also deeply impacted, as there are large amounts of people working in highly concentrated areas.

Although the expiration of the Terrorism Risk Insurance Program Reauthorization Act is almost two years away, the impact of this is already being seen in the marketplace. Employers in certain industries, employers with large employee concentrations, or in certain cities can expect less available capacity with some carriers scaling because of the increased exposure to their balance sheet created by losing some or all of the protections provided under the Federal Terrorism Risk Insurance Act. This trend has the potential to escalate and broaden as we get closer to the TRIPRA expiration date.

In addition, more employers may face increased rates for their workers' compensation coverage because of the combination of less competition and capacity, as well as an increased potential exposure for the carriers. If a policy is being issued that provides coverage beyond the TRIPRA expiration date, and the future of the legislation is not known, carriers will likely price this under the assumption those protections will be allowed to sunset or may be significantly modified.

What To Expect At Renewal
When faced with a potentially challenging renewal and one that may be impacted by this issue, what can you do? We recommend starting the renewal process early, at least 120 days (or more) prior to the policy or program effective date. In the case of Marsh, we will work with you to develop a communications strategy and presentation tactic around all key risk exposures, including modeling and risk analytics in support of your renewal objectives.

For carrier presentations and Q-and-A, insureds must be thoroughly conversant with details of exposures and operations; mergers, acquisitions, and divestitures; loss trends, safety programs, and risk management practices; and future plans, to the extent that they can be shared publicly.

We will help you be familiar with respective insurers' cost of capital and pricing strategy — understanding how carriers evaluate your firm's experience and risk profile, and how they initially develop rates and premiums.

High quality data differentiates employers in the eyes of insurance carriers. In today's environment, it is imperative that organizations provide underwriters with complete, accurate, and thorough data and analysis in order to differentiate their risk profile.

There has already been a significant increase in questions that carriers are asking at renewal that focus on the risks associated with a potential terrorist event. Employers with a large concentration of workers, especially those in major metropolitan areas, should be prepared to provide the following details to carriers:

  • Information on employee marital/dependency status.
  • Employee telecommuting/hospitality practices and impact on concentration.
  • Physical security of the building including information about guards, surveillance cameras, parking areas, HVAC protections.
  • How access to the building is controlled.
  • Construction of the building and location of the offices.
  • Management policies around workplace violence, weapons, and employment screening.
  • Employee security procedures.
  • Emergency response/crisis management plan.
  • Fire/life safety program.
  • Security staff.
  • Crisis management procedures.

In addition, carriers may wish to send their loss control engineers for a physical inspection of larger facilities and to interview building/facility management.

The Increasing Demand For Better Data
Because both insurance carriers and reinsurers focus on catastrophic models, it is extremely important that employers provide the highest quality of employee accumulation data, as this will ensure they are favorably differentiated by insurance carriers.

If your company has multiple shifts or operates in a campus setting, make sure you report both the total number of employees and the number working during peak shifts — as well as the actual buildings where the employees are located.

The number of employees working during peak shifts is the actual exposure to a terrorist event, not the total number of employees. Also, some businesses have a large percentage of their workforce in the field or telecommuting, rather than the office where their payroll is assigned. Providing this information to carriers significantly reduces the potential exposures associated with employee concentration. In addition, identifying the actual building where employees work on a campus — rather than a single building — helps overcome pitfalls of the catastrophic model. This also better reflects an employer's exposure to catastrophic losses.

As options about future real estate plans are considered (i.e. in terms of consolidation of employees from multiple locations in a city to a single location, or the impact of closing or consolidating satellite locations and relocating employees in major metropolitan areas), it is wise to review and consider the potential impact on workers' compensation pricing and capacity.

Because of the current political and economic climate in the US, renewal of the TRIPRA by Congress is far from certain. Marsh is continuing to monitor this issue closely, and we are working with employers and insurance industry representatives to raise awareness of the important role that TRIPRA plays in the insurance marketplace.

When Terrorism Becomes A Reality

This week's tragedy at the Boston Marathon has touched each of us on a very personal level and puts fear in our hearts that this could happen again. As the dust settles at the site, there will be many unanswered questions, and some of those issues will concern terrorism and insurance for terrorism.

What do we know at this point?

  1. It is being speculated that this is an act of terrorism.
  2. It is uncertain if it is an act of domestic or foreign terrorism.
  3. It is, also, unlikely at this point that this will be a Certified Act of Terrorism.

What are the immediate insurance issues that we see from this event?

  1. Severe injuries and death
  2. Direct damage to buildings and structures
  3. Direct damage to property (including vehicles)
  4. Closure of areas due to direct loss and civil authority
  5. Debris removal and damage
  6. Workers Compensation

For all of us in the insurance industry, we have to be asking ourselves:

  1. Are we offering terrorism coverage to our insureds?
  2. Are we going beyond just the offer of the Terrorism Risk Insurance Act (TRIA) and offer stand-alone terrorism insurance, which is available in the insurance market place?
  3. Are we carefully documenting our conversations with our insureds about the terrorism offer?

The Insurance Community University has two important classes for you to attend:

Update on Terrorism Exposures and Insurance — May 7, 2013

  • Overview of terrorism risk and exposure
  • Review of TRIA (Terrorism Risk Insurance Act)
  • Terrorism Insurance

Insight on Errors & Omissions — April 25th and 26th

We have heard it a thousand times — “documentation;” but in light of the bombing, we have to take a harder look at what we are doing: your files must speak for themselves and contain the notes on discussions, offers, acceptances, rejections, and follow ups. The Errors & Omissions class is approved with various insurance companies, including Fireman's Fund for credit on your agent's Errors & Omissions renewal insurance.