Lessons Learned from Sandy; Current Marketplace & Future Renewals; Cyber Liability. Presented By: Jim Doyle, Peter Doyle & Hunter Maskill. July 11, 2013
Part 1: Lessons Learned from Sandy Presented by: Jim Doyle, Aon Risk Services, Inc.
“Improbable” Is Becoming The Norm • Irene and Sandy directly impact New York City in consecutive years • A devastating Earthquake and Tsunami in Japan • A US East Coast Earthquake
Top 12 Most Costly Hurricanes in U.S. History (Insured Losses, 2012 Dollars, $ Billions). Sandy could become the 3rd costliest hurricane in US insurance history. *Estimate as of 12/09/12 based on average of current range estimate midpoints from AIR, Eqecat and RMS. Sources: PCS; Insurance Information Institute
Sandy: Stats • Aon Rapid Response teams deployed to surrounding NY–NJ-CT areas in advance of landfall • Aon clients impacted by Sandy: 343 • Active claims: 235 • Claim preparation: 56 • Over 40 property carriers • Claim exposure for reported claims: $2 -$2.4B
Beyond CAT Modeling: Ways To Be Prepared For The Next Disaster
Pre-Loss Preparation: Identify, Develop, Track • Loss History • Your insurance adjuster, Insurance coverage and limits, deductibles, sub-limits, exclusions • Valuation of Assets and Potential Lost Income (per location) • Key revenue generating activities that may be impacted • Critical delivery points • Any cash flow and financing concerns • Internal/External team that will lead the documentation of potential losses • Comprehensive Business Continuity and Disaster Recovery Plans • Agreements with restoration and other vendors • Internal claims manuals and timely reporting measures • Reporting & tracking claims procedures • Interviewing and selection process for other required vendors
In a major loss scenario, how many people/companies would a risk manager need to deal with? • 1 • 2-5 • 5-7 • 7-10
Communication Overload • Restoration Contractor • Architect/Engineering • Building Contractor • Roofing Consultant • Industrial Hygienist • Loss Adjusters • Insurance Company • CFO/Risk Manager • Staff • Media • Supt/Board • Other 3rd Parties • Your Day Job!
How Can We • Minimize operational disruption? • Coordinate all necessary resources? • Initiate the claims process quickly to speed recovery and ensure the best possible result? • Simplify
Vendors: Restoration Contractor, Building Contractor, Architect/Engineering, Roofing Consultant, Industrial Hygienist • Your Catastrophe Teams / External Partnership / Loss Consultants • Your Local Facility Operations • Your Finance/Risk Management Dept • Insurance Company / Third Parties • “One Voice”: Lead and Control the Loss Adjustment…
Initial meetings with the insurer’s adjuster • Tour the loss location with your consultants and explain your business operations to the adjuster • Set the tone for the settlement process • Provide (as best as possible) a preliminary loss estimate and your efforts to mitigate the loss • Do not assume that you can make up the loss or that extra expenses will be minimal. • Discuss measurement of the loss period: • Strategies to expedite or mitigate • Betterments • Start-up problems • Request a partial payment based on expected short-term expenditures and supportable costs
Roles & Responsibilities in a complex loss [Diagram of the INSURER(S) TEAM and the POLICYHOLDER TEAM. Roles shown: CFO, Insurer Claims Dept., Loss Mitigation Consultant, Risk Manager, Salvor, Insurer Claims Manager, Operations, Insurer Account Executive, Estimator, Engineering, Insurance Estimator, Claims Adjuster, Project Manager, Reinsurers, Shareholders / Investors, Construction, Underwriters, Specialty Consulting, Legal, Forensic Accountant, Claims Auditors, Other Experts, Accounting]
Property Loss Claims Survey* • Resolving large property claims has become more difficult over the last 20 years • Large property claims involve many people and a lengthy process • There are many reasons for claims disputes, even after all the facts are known • Insureds often experience expenses and lost earnings that are not covered by property insurance • Insureds often believe their insurance covers more than it does • Property insurance usually pays 76% to 87% of the amount claimed • *Transurance.com
Takeaways • Pre-loss planning is key • Complacency is not an option. After a loss… • Mitigation mentality - everyone benefits • Promote communication - involve everyone • Document everything and hold people accountable • Brand protection is ALWAYS your priority • Expect the unexpected. www.aon.com/beprepared
Part 2: Current Market Conditions & Preparing for Future Renewals Presented by: Peter Doyle, Arthur J. Gallagher & Co.
Current Marketplace Summary • Premiums are stable so far through 2013 • Minimal catastrophic activity outside of OK tornadoes • Low investment income • No underwriting profit since 2007 • Natural Disasters on Rise • 2013 Natural Disaster projection is 20% higher than previous years • RMS v 13 coming out soon!
Attitude Towards Future Risk Management Prepare for every renewal as if you are in a hard market. OR Prepare for every renewal as you did post 2005 and 2012 hurricanes!!!
Attitude Towards Future Risk Management • Underwriting is becoming more sophisticated due to the technology and underwriting tools available to underwriters to evaluate and price risk. • Information is KEY! • As brokers and insureds, if we do not evolve with the market it will become increasingly difficult to properly price our risks.
Five Questions to Ask • Are you overpaying because your Property underwriting data is incomplete or inaccurate? (Incomplete or inaccurate underwriting data can account for a 15-50% increase in Probable Maximum Loss (PML)) • Have you kept pace with the change of your facilities? Roofing? Renovations? • Do you have a procedure for monitoring location changes? • How complete is your secondary and primary COPE data? • What’s the source of your current building/content values and secondary underwriting data?
Critical Underwriting Data • Occupancy Type • Construction Type • Number of Stories • Roofing • Secondary Characteristics – up to 30 • Year Built
Secondary COPE Characteristics • Occupancy type RMS & ISO • Construction type RMS & ISO • Roofing • Roof anchor • Roof age • Roof geometry • Wind resistant windows • Yr. Built • Sq. Ft. • Distance coastline • Flood zone • Latitude • Longitude • Basements • Flooring
Part 3: Cyber Liability Presented by: Hunter Maskill, AIG
Data Security – Not Just an IT Problem • Information security viewed as an IT Problem vs. Enterprise-wide risk management issue: misconception that IT alone can safeguard the organization; failure to address the human element and not just the technology • Negligence is the leading cause of a data breach, at 41% of all reported cases. Sources: Ponemon Institute Cost of a Data Breach Report 2010 & Verizon Business 2011 Data Breach Investigations Report
Some Quick Stats • $214 per record is the average cost of a data breach, with an average total per-incident cost of $7.2 million in 2011 (Breakdown of the number vs AIG costs) • 96% of breaches could have been avoided if reasonable data security controls had been in place at the time of incident • 85% of hacking cases have had a patch available to fix the vulnerability for 18+ months • 86% of Clients identify cyber insurance as their top concern. Sources: Carnegie Mellon Governance of Enterprise Security: CyLab 2010 Report, Ponemon Institute Cost of a Data Breach Report 2010, NetReaction, LLC, October 2012 AIG Study of 250 brokers & clients
What Can Cause a Breach… • Storage of prohibited / unnecessary data (magnetic stripe, secret PIN, old data) • Malware impacting computer systems • Employee / Contractor privileged access misuse • Physical security breach
Regulatory Environment • Increased industry, regulatory and legislative focus on security due to high profile data compromises • State Notification Laws • Revised Health Insurance Portability and Accountability Act (HIPAA) HITECH act for Protected Health Information (PHI) to include business associates doing business with healthcare organizations • Payment Card Industry Data Security Standards (PCI DSS)
Case Study – Hacking. The Incident: People who applied online at for a job in a school district had their information accessed by a hacker. The hacker sent messages to former and current job applicants and informed them that the website was breached. A 14-year-old high school student was removed from class and taken to a juvenile detention center for his involvement in the breach. How to Apply This to You: 1. No such thing as impenetrable IT systems 2. Oftentimes you don’t even know you’ve been hacked 3. What is your response plan? Who is your first call? Source: http://privacyrights.org/data-breach/new
Case Study – Employee Negligence The Incidents: • A document with sensitive worker's compensation claim information was accidentally sent out with an email to a number of school district employees. Social Security numbers and other information related to current and former employees that reported injuries were exposed. • A county public school system discovered that student names, ID numbers, grades, and other information were posted online. The information was available for a couple of days before school employees began the process of removing it from online. How to Apply This to You: 1. Employee training matters – CyberEdge Risk Tool can help 2. Monitor employee access to sensitive data Source: http://privacyrights.org/data-breach/new
Case Study – Stolen Portable Media. The Incident: An employee working in human resources was robbed while transporting information between school districts. The employee stopped for lunch and discovered that an unencrypted flash drive holding personnel files with names, social security numbers, addresses, dates of birth, and driver's license numbers had been stolen from their car. How to Apply This to You: 1. Physical controls & employee training 2. Remote wipe capabilities 3. Encryption (whole disk) for sensitive data on portable media Source: http://privacyrights.org/data-breach/new
Case Study – Mailing / Vendor Error The Incident: Students who paid tuition for education programs had their 1098T tax forms sent to the incorrect address. Between 150 and 200 people out of 2,000 were sent to the wrong address because a group of the tax forms were placed in envelopes without being properly separated. Some people received the forms of several people while others never got their tax forms. How to Apply This to You: 1. Know your vendors and your responsibilities in the event of a loss 2. Contractual indemnity language is important Source: http://privacyrights.org/data-breach/new
Cost Variation - Dependent on Vendor Selection • Healthcare organization • Breach of approx 50,000 records, including social security numbers • Two years of credit monitoring services provided to victims
What are the Consequences of a Breach? • Breach Notification Costs - Average industry consumer notification cost approx $12 per person • Identity Monitoring - Estimated approx $40 per person per year • Regulatory Actions - Always changing - Costs to defend and fines/penalties • Lawsuits & Defense Cost - Liability for damages - Costs of defense are rising • Unbudgeted Expenses - Lost man hours and resources • Reputational Damage - Lost customers/revenues – 66% of financial impact on a company Source: Ponemon Institute Cost of a Data Breach Report 2010
Gaps in Traditional Coverage • Traditional insurance policies frequently exclude intangible exposures, such as data loss due to virus, web attacks, and lost laptops • The following coverage is confined to physical perils such as fire, flood, fraud and theft: • Commercial General Liability (CGL) • Property • Crime / Fidelity Source: Carnegie Mellon Governance of Enterprise Security: CyLab 2010 Report
Risk Mitigation at the Enterprise Level • Commitment from Senior Level Management • Information Technology: Most Recent Technologies and Change Management; Limit Access to Sensitive Data • Legal: Understand the Changing Regulatory Environment; Implement Plans to Respond to a Breach in a Timely and Compliant Manner • Vendor Management: Proper Vetting of 3rd Party Vendors; Contract Management • Human Resources: Proper Hiring and Termination Techniques; Employee Training on How to Classify and Handle Data • Data Retention: Don’t Keep What You Don’t Need; Safe & Secure Methods of Disposing of Data • Risk Control: Physical Security; Written security policies • Transfer Risk to a Third Party (Insurance Solutions)