Tag Archives: crisis management

In a Crisis, Will You Be Ready?

S___ happens!

Fifty years ago, Rock, David and I were at Pelican Aviation’s hangar listening to several seasoned pilots talk about their most terrifying experiences in the air. One said, “The engine made a loud noise, the plane shook violently and suddenly I couldn’t see a thing.” One of us innocently asked, “What happened – did the windshield shatter?” His answer was simple, “No, tears.”

Having spent much of my adult life in insurance, I’ve seen many disasters. The question is: Are we ready?

Hurricane Katrina was a terrible event for Mississippi. In New Orleans, there was minimal wind damage, but there were levee failures and accompanying social/civil chaos.

There was also a little-noticed success story: LSU’s medical school relocated from New Orleans (blocks from the chaos) to Baton Rouge in about a week. This required some luck, community (BR and NO) support and, I believe, some divine intervention, but it was an example of leadership at its best.

What if you had to relocate your office, all your team and everyone’s families following a catastrophe? Have you even considered the possibility?


Here’s reality – many if not most of us will face great challenges. Some may parallel experiences we’ve seen before, just with greater or lesser intensity. There will be more fires, hurricanes and floods. Terrorists will attack us again. Planes will crash. We can’t stop all the bad in the future – the best we can do is try to avoid or at least mitigate the damage.

Most of us watched the successful rescue of 12 young soccer players and their coach from a flooded cave in Thailand. Relative to 9/11 or Hurricane Katrina, it is a minor event, but I believe it will prove to be one of the best case studies anywhere of what to do when the stakes are high, time is limited and you don’t know what to do.

Remember, these folks were lost for about 10 days before anyone even knew where they were. The last few days of their stay were examples of calm, leadership, courage, planning, possibilities and then very deliberate action.

Every SEAL, volunteer, civilian and other participant should be celebrated for their effort, courage and patience – living and learning as they progressed. They didn’t rush in, reacting to a terrible situation. They walked, crawled and swam in, well-prepared and observing appropriate caution. In construction, we’d say: Measure twice, cut once.

Never forget that one member of the rescue team died early in the process. Was this loss the impetus to do things differently? I don’t know. I do believe our greatest learning occurs in adversity – it is the wisdom of scar tissue! The death was tragic but may have slowed the process and improved the results.

I encourage each of us to consider the disasters that could be on our horizon. Begin a crisis management process with your families and your organizations. You won’t have all the answers, and you don’t yet know all the questions – nonetheless, be as prepared as you can and program for the unexpected. Plan your actions and act your plan.


A speaker once said at an agents meeting, “the merchant of misery is either at your door, just left or will soon arrive.” The best thing you can do is to be as prepared as possible and hope and pray you are blessed with the courage, skills, patience, process and RESULTS that these Thai crisis managers enjoyed.

Be prepared. Practice your preparations. Preparedness is a process not a one-time event. If in the end all of your preparation is not needed, BE THANKFUL. If it is needed, you may thank me for the suggestion. Good luck and Godspeed.

Space, Aviation Risks and Higher Education

What do you do when a group of precocious students decide to build a satellite and launch it into space? Or, when they decide to build an unmanned aerial vehicle (UAV)—more commonly known as a drone—and fly it over a busy urban market? Or, when they design and launch a few rockets October Sky-style from a training field on campus before heading to a NASA competition for a chance at $50,000 in prize money?

As a risk manager, considering the answer to these questions may cause a heart palpitation or two as you think about the potential effects of these educational opportunities on the educational institution. Not only does the institution face increased liability and property damage risks, but there is also the potential for increased risk to reputation and even regulatory compliance considerations.

Insurance was likely the last thing the students at St. Thomas More Catholic School in Arlington, VA, were thinking about when they began construction on a shoebox-sized CubeSat. According to a Washington Post article, the purpose of the satellite, which was released from the International Space Station on Feb. 15, 2016, is to beam photos from 200 miles above the Earth back to computers in their school library. The school has posted pictures from the satellite online.


Insurance was also, probably, the last thing students from the University of Wisconsin-Whitewater were thinking about in October 2015 when they launched their drone to capture aerial images of the new Whitewater City Market. According to the University of Wisconsin News, the purpose of the project was to respond to the market organizer’s request to geographically depict the organic growth of the Whitewater City Market. A video of the aerial images has been posted to YouTube.

To the 54 college teams selected by NASA for 2015-2016 NASA Launch Challenge, insurance was likely pretty low on the list of considerations as the teams worked to design, construct, test, launch and successfully recover a high-powered reusable rocket and its payloads. The purpose of the challenge is to encourage participation in STEM fields and to examine innovative solutions to potential issues that may arise during space travel. There is also $50,000 in prize money for the top three teams that complete the challenge. For 2015-16, the competing rockets will be launched on April 16, 2016.

So, what are the risks associated with these types of activities, and how can insurance assist the college in transferring some of these risks?

According to a white paper recently published by Allianz, a large commercial insurer, these types of aviation/space risks can be bifurcated into two areas: (1) ground or pre-launch risks and (2) in-orbit or post launch risks.

Ground risks include:

  • Hazard or catastrophic risk to facilities because of fire. This type of risk can be significantly increased if someone is storing or handling flammable or reactive chemicals, such as the propellants and oxidizers present in rocket fuel. Keeping these materials on campus can create additional risk for the institution, which may not be contemplated in current insurance programs.
  • Transportation risk increases the risk of property and liability losses. Moving rocket components, including flammable materials, increases the potential for losses to (1) the components themselves and (2) a third party that may be injured as a result of an incident on the road.
  • Liability loss because of launch failure may result in damage to property near the launch site or even injury to a third party, faculty member or student. Failure to take adequate safety precautions during design/construction—working with chemicals, power tools and other materials—may result in increased potential for injury to students and faculty participating in the project.

Post-launch risks:

  • Loss of the object itself because of malfunction, damage or equipment failure. These items represent a significant investment of time, resources and materials, and such a loss may mean the inability to participate in a competition, a loss of grant money or additional time spent rebuilding or reworking the project.
  • Liability loss because of an in-air collision, falling objects or interference with another aerial object (such as a satellite signal or an airplane’s operating equipment). These types of incidents may result in significant bodily injury or damage to third-party property.

Typical insurance policies maintained by most institutions may not provide adequate coverage for space/aviation risks:

Property policy—Provides coverage for loss or damage to property, equipment and materials of the university. Coverage is generally broad but may exclude: (1) hazardous materials, (2) property in transit or off premise, (3) property not owned by the university and (4) pollution because of the release of a hazardous substance or chemical.

General liability policy—Provides coverage for the injury or property damage of a third party because of the negligence of the institution or those operating on behalf of the institution. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) aviation risks, (2) loss caused by the acts of a third party, such as a student or contractor, (3) third-party liability related to a discharge of pollutants/chemicals, (4) loss of institutional reputation or cost of a crisis management team, (5) coverage for regulatory fines and penalties for failure to obtain proper permits, etc. and (6) the liability to a third party because of the failure of a vessel to perform as expected or because of a design flaw.

Automobile liability policy—Provides coverage for liability and property damage associated with the operation of a motor vehicle. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) pollution because of the discharge of a chemical substance transported on or in the vehicle, (2) liability for use of third-party transportation, such as a rental vehicle or bus charter or the use of a personal vehicle by a faculty member or student and (3) property damage to institutional property being transported on or in the vehicle.

There are additional types of coverage that may be needed, including:

Pollution coverage—Including premises pollution (to provide coverage for the institution’s own facilities) and pollution liability coverage (to provide coverage for third-party exposure to pollutants).

Aviation/space coverage—Specialized policies can provide coverage for losses to an aerial vessel or its equipment and, also, for the most common types of liability loss (collision, crash or interference). Note: Special endorsements may be required for drones.

Inland marine rider/policy—Provides coverage for scheduled equipment and property that may not otherwise be covered by the institution’s standard property coverage. This can include coverage for property that is being transported in a vehicle.

Crisis management coverage—Provides coverage for loss or damage to the institution’s reputation; this may include coverage for the costs to engage a crisis mitigation team and public relations experts or the cost to take other steps to preserve and restore the reputation of the institution.


Professional liability—Provides coverage to professionals because of the failure of the design/construction or for the failure of the device to perform as intended. This coverage may include coverage for damages not related to injury or property damage, including financial loss and the costs of rework and redesign.

Not all insurance policies are created equal—individual coverage and policies may respond differently. Please consult with an expert if you have questions about coverage for these types of institutional activities.

8 Points to Consider on Cyber Insurance

A common question we often hear CEOs, CFOs and directors of businesses and public and private institutions ask is, “What terms and conditions should I consider when buying cyber insurance?” We have compiled a list of some of the most important terms and conditions to consider. However, you should discuss more nuanced industry and organization specific terms and conditions with your broker and insurance coverage attorney.

1. Crisis Services

Crisis services include the costs for computer forensic investigations to determine the cause of the data breaches, obtaining legal guidance, notifying victims, providing credit monitoring to the victims, and promoting media or public relations campaigns. According to Net Diligence’s 2014 Cyber Claims Study, almost half of the total amount of insurance company payouts from data breaches was for crisis management services. The Ponemon Institute’s 2014 Cost of Data Breach Study: U.S. also reported unusually high churn rates following news of data breaches. Your organization will want professional assistance to communicate to your customers, regulators, business partners and vendors that you are taking appropriate and reasonable steps to protect your customers with respect to any loss of data and that you will take reasonable steps to try and safeguard your customers’ data going forward.

2. Regulatory Defense (including fines and penalties)

Regulatory agencies, such as the Federal Trade Commission and the Department of Health and Human Services, actively investigate data breaches within their jurisdictional powers. There are many examples of corrective actions, penalties and fines imposed by the Office for Civil Rights on behalf of HHS for HIPAA violations, including the $4.8 million in HIPAA settlements following the data breaches at New York-Presbyterian Hospital and Columbia University. This is especially important to keep in mind if your organization is a healthcare provider (a HIPAA-covered entity) responsible for its patient information or has a self-funded health plan (a separate type of HIPAA “covered entity”) where your organization is ultimately responsible for the security of the plan participants’ data. Many policies have a sublimit for regulatory defense. You may think you have a $10 million policy, only to find out that you have a sublimit for regulatory defense of $500,000, which may leave you woefully underinsured. Net Diligence reported that the average healthcare sector payout in 2014 was $1.3 million, with the median regulatory defense payout being a little more than $1 million and the mean regulatory settlement cost being $937,500.

3. Prior Acts Coverage/Retroactive Date

Prior acts coverage provides protection against acts that occurred before the policy period but lead to a claim during it. The “retroactive date” is the date from which such prior acts are covered, and it can be subject to negotiation. Although Verizon’s 2015 Data Breach Investigations Report noted that the gap between compromise and discovery is at its smallest deficit ever recorded (days or less, 45% of the time), data breaches can still take many months to detect. Here is a common example: On Jan. 1, 2015, a vendor releases a patch for a security vulnerability in a program you run. An attacker finds that your company failed to install the patch, uses the vulnerability to enter your network, sets up a program to quietly collect and stage your data, and then installs the patch to close the door behind them and reduce the chance of detection. You apply for cyber insurance soon thereafter. Just after the close of the 2015 Christmas holiday shopping season, the attackers exfiltrate your data, at which point you detect the intrusion. Your insurer subsequently notifies you that it is denying coverage for the claim because the acts that caused it occurred before coverage began. This is why you want the broadest “prior acts” coverage possible, meaning the earliest retroactive date you can negotiate. You may also want to negotiate an extended reporting period, as a subsequent insurer may claim that the data breach events did not occur during its policy period.

4. Network Business Interruption Coverage

This covers certain losses while your network is interrupted as a result of a data breach. This is especially important if your organization engages in e-commerce. How much profit would you lose if your organization was down for several days while law enforcement and your computer forensics consultants investigated the cause of a data breach?

5. Contingent Business Interruption Coverage (resulting from the acts or omissions of third parties)

Many organizations rely on third parties for processing data. For example, many healthcare providers rely on third-party billing companies and clearinghouses to process payments, making them “business associates” under HIPAA. Similarly, self-funded health plans frequently contract with third-party business associates for claims management and other plan administration functions. If the business associate suffered a data breach affecting your patients’ (or enrollees’) data, your organization may bear the ultimate responsibility for the breach. Accordingly, your organization will want coverage to offset this potential loss. Your organization may also want to consider negotiating the self-insured retention or deductible in case of a loss so that the third party is responsible to pay for the deductible if it results from the third party’s acts or omissions.

6. Defense Option/Reimbursement of Costs

Some cyber insurance policies require the insurance company to hire the consultants and attorneys who defend your organization, while others agree to reimburse reasonable and necessary costs. Using your own consultants and attorneys makes sense if they already know your systems and are familiar with your business, so you won’t have to pay for them to come up to speed on your organization. You will want to consider which path you want to take.

7. Costs of Restoring and Recreating Data

The cost to restore or recreate data if taken or damaged can be extensive. Your organization will need to assess the cost of this coverage and its need.

8. Extortion Coverage

Criminals continue to run phishing campaigns in which a user clicks on a link that installs ransomware, encrypting the laptop or other computer. Oftentimes, one infected machine can spread the infection to others, and you’ll want to negotiate this coverage so that it simply pays for the data to be restored.

How to Spot and Avoid Your Next Crisis

Q: Can I identify my organization’s next crisis? If so, how?

A: Jim Satterfield– Undoubtedly, yes. Knowing what the next crisis might be is a way to think about planning and information. There are warning signs and indicators when we discuss human behavior. Understanding behaviors of concern and identifying them earlier in the process is imperative. It provides an idea of the frequency and severity of a situation.

If we can see those indicators, if we can identify those behaviors, then we can intervene before they become a problem. Sometimes, they are business or financial indicators; sometimes, it’s just human behavior.

On 9/11, I was EVP and chief operating officer of a public technology firm with employees in the States and around the world. When the first plane hit the first tower, we thought it could have been an accident. When the second plane hit the second tower, clearly not an accident. We called a meeting in our boardroom and, while sitting around the table, decided it was a day unlike any that we’ve ever seen.

Our management team decided it would be better to let everybody go home. I turned to our HR director and said, “Could you send a global email out to everybody in the company telling them they could just go home”? She went back to her desk, and she typed this message: “If you want to live, leave.”

The intended message was to be: “If you want to leave, leave.” Those are two entirely different messages. “If you want to live, leave.” “If you want to leave, leave.”

Thinking about your messages when you’re not under stress is very, very critical, and planning makes a difference.

Q: I already have a detailed and updated copy of our organization’s crisis plan. Do I need to have a digital copy, as well?

A: Jim Satterfield– Unless you’re planning to add a psychic on your crisis management team, it’s not going to do you any good to have an outdated or out-of-reach plan. Keeping your plans current and available is crucial. If you can’t get access to the right information at the right time, it’s not going to do you any good. “Oh, the plan’s back in the office, and I’m at home.”

Speed is quality. Getting the right answers to the right people at the right time becomes a critical element in every crisis.

Q: What should my organization’s key messages be to each stakeholder group for vulnerabilities and threats?

A: Jim Satterfield– What we’re going to say internally will be different than what we’ll say externally. Think about who your stakeholders are. If you’re in a business that’s heavily regulated, you have regulators as a stakeholder group. You have employees and investors, as well. If a school, you have parents, students and possibly church affiliation. You have various elements to be dealt with, and that makes a difference in approach.

Q: What resource can help with quick decision-making?

A: Jim Satterfield– What you do is list in one column things that could happen, things that could damage:

  • The facility
  • The employees
  • The data
  • The brand
  • The reputation

Across two more columns, we indicate what would qualify as a minor event and what is considered a crisis. You then include descriptive terms and circulate it to the entire company.

Immediately, when something comes up, refer to the matrix. If an employee is injured, but did not receive emergency treatment, it remains a minor event. If the employee had to have some medical attention, it rises to the next level. If an employee dies, that’s crisis. It’s at the highest level that management would want to be involved, so creating an event activation matrix is the fastest way to get that quick response with everyone on the same page at the same time.

Q: What are common mistakes people have made during a crisis?

A: Jim Satterfield– These are the five failures that we see over and over and over again in a disaster or crisis:

  • Failure to control critical supply chains
  • Failure to train employees for both work and home
  • Failure to identify and monitor all threats and risks
  • Failure to conduct exercises and update plan
  • Failure to develop crisis communications plans
About 70% of employees don’t know what they’re supposed to do in a disaster or a crisis. In addition, 95% don’t have a disaster plan at home. If something happens in your area, and you think your family is at risk, family wins. That’s why people don’t show up in a crisis, because they’re concerned about their family.

We work on these failures through our Predict/Plan/Perform process. First, identify groups. Then conduct exercises and establish how you’re going to monitor and communicate. When you think about your individual plans, think about them in light of these groups. You need to build preparation in from all of these groups that could ultimately be a problem within the organization.

Q: Are school students classified under workplace violence?

A: Jim Satterfield– Yes, because it’s a workplace. The school is a workplace, yes.

Q: Prevention is rare in organizations that have small staffs. Have you found organizations are willing to assign staff to conduct social media monitoring on their time?

A: Jim Satterfield– They can, or you can use an outside service that will do it for you. This route is much more cost-effective. Why? Because that’s the specialist’s full-time job.

Whatever your full-time job is, you’re good at that job. If you only do something every now and then, you’re not going to be as good, and you may miss an important signal or piece of information.

We are finding organizations — both large and small — are conducting monitoring as a preventative measure, and we conduct such intelligence gathering for a number of clients.

Why Buy Cyber and Privacy Liability. . .

An industry known for embracing paper and shunning change, the property and casualty insurance market struggles to keep pace with the modern business world, which is full of personally owned mobile and other portable devices, and concepts such as advanced persistent threats (APTs), the Internet of Things and the “cloud.” While insurance companies are known for creating bespoke policies to address new risks not initially contemplated within the confines of traditional property and liability policies (see Y2K, environmental legal liability and employment practices liability), insureds are within their rights to see how those current programs address 21st-century risks.

If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo!, Adobe and so on and so forth had suffered a serious data breach within the last few months, that would be sufficiently troubling. Yet data breaches have become so ubiquitous that a single week (if not days) without one hitting the headlines seems almost strange. By now every organization should appreciate that—no matter how robust and sophisticated its network security is—it remains a vulnerable target for cybersecurity breaches and the host of negative consequences that typically follow, including class action lawsuits (so far, dozens of suits have been filed against Target), substantial breach notification costs, and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties.

This article will briefly look at how an organization’s commercial general liability (CGL) coverage—specifically, the personal and advertising injury coverage—may currently address privacy risks.

Although there can be substantial overlap between the concepts of cybersecurity, network security liability and privacy, as they typically are understood in the industry, this article will focus on those risks associated purely with privacy, or the “unauthorized access, collection, use or disclosure of personal information.” Therefore, we will not be covering those issues related to cyber liability, or “breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification and call center costs.” This article will also not be addressing the recent first-party bodily injury, property damage and business interruption coverage associated with damage attributable to unauthorized access to operational technology (SCADA systems).

We will first summarize the current industry standard form’s key coverage grant, definitions and exclusions. We will then discuss the recent Sony decision and the new 2014 industry form exclusionary endorsements targeted at eliminating coverage for data breaches under standard-form CGL coverage.

Current standard-form CGL coverage

The Coverage B “Personal and Advertising Injury Liability” coverage section of the current standard-form Insurance Services Office, Inc. (ISO) CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’ which is caused by an offense arising out of [the insured’s] business.” “Personal and advertising injury” is defined in the ISO standard-form policy to include a list of specifically enumerated offenses, which include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” The policy further states that the insurer “will have the right and duty to defend the insured against any ‘suit.’” CGL Coverage B can therefore indemnify and provide a defense against a wide variety of claims, including claims alleging violation of privacy rights, such as data breach cases.

Coverage disputes have generally focused on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies. Courts generally (although certainly not universally) have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including, for example, claims alleging violations of the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, the California Confidentiality of Medical Information Act (CMIA), and the California Lanterman-Petris-Short Act. Courts have found in favor of coverage in data breach cases, although the recent decision in Zurich American Insurance Co. v. Sony Corp. of America et al. highlights the issues that insureds may face in obtaining coverage for data breaches under CGL policies.

Zurich v. Sony

Arguably the most visible legal case surrounding the applicability of the CGL personal and advertising injury coverage to claims alleging data breach came about because of Sony’s massive 2011 PlayStation data breach. Zurich American and Mitsui Sumitomo had issued primary CGL policies to Sony. In April 2011, hackers broke into Sony networks and stole personal and financial information of more than 100 million users.

Sony was named as a defendant in numerous class actions immediately following the breach. Mitsui denied coverage, and Zurich responded by filing a declaratory relief action seeking a declaration that Zurich had no duty to defend.

At issue in the case is whether Sony or the hackers were responsible for the actual “publication” of the personally identifiable information (PII). A New York court recently held that there was no coverage, essentially because it was the perpetrators of the breach who ultimately “published” the private information, rather than Sony itself. Legal experts have argued both in favor of and against the court’s decision, contending, among other things, that the trigger for the personal and advertising injury coverage must be an affirmative act by Sony or, conversely, that coverage is triggered to the extent Sony has liability.

The case is currently under appeal, and its final decision will potentially be an indicator of how insurers and courts will view data breach coverage under the personal and advertising injury coverage.

In the meantime, however, the decision underscores the difficulties that insureds can face in pursuing data breach coverage under their traditional CGL policies.

Although this endorsement appears to have quietly flown in under the radar, in reality it is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates coverage in the first instance.

Conclusion

Over the years, the commercial general liability policy has been the proverbial “catch all” for claims subsequently determined to be outside the intent and scope of the underwriters. Past examples have included pollution liability, asbestos, employment practices liability and professional liability. Cyber and privacy liability may well be heading in the same direction. Insurers are stating publicly that this exposure was never contemplated when the policy language was drafted. And, of course, cybersecurity and privacy liability has recently risen to potentially catastrophic levels (e.g., Target). Insurers, therefore, are increasingly seeking to insure the risk separately, subject to separate underwriting criteria.

In the end, before a cybersecurity or privacy incident, companies should take the opportunity to carefully evaluate and address their risk profile, their potential exposure to cyber and privacy risks, their risk tolerance, the sufficiency of their existing insurance coverage and the potential role of specialized cyber risk coverage.