In any contractual relationship, it’s important for the parties involved to properly allocate their combined risks.
Contractual risk transfer identifies critical exposures and assigns responsibility for preventing and paying for losses — but it’s not always an easy process. However, protecting your organization’s assets and bottom line is worth the effort.
A critical challenge
Managing contractual risk can be challenging, increasingly so as additional insured status has been eroded over time. In 2013, for example, ISO introduced new additional insured endorsements to commercial general liability policies that restricted limits afforded to additional insureds to those specified in a contract. That has made the underlying contract — and the allocation of contractual risk — more important than ever before.
A few reasons why risk professionals should pay close attention to contractual risk:
- To answer leadership’s questions. After a loss or disruption, the first question from the C-suite usually is: “What does the contract say?” Risk professionals who properly manage the contractual risk process — in conjunction with their legal counsel — can confidently answer this question.
- To build better relationships. An organization that is known to be diligent in managing contractual risk can send a message to vendors, suppliers, contractors, and other parties that it is serious about risk management. And that can drive more risk-conscious behavior by those other parties, contributing to better results for everyone.
- To avoid protracted legal struggles. Resolving a dispute about the responsibility for managing risk can be costly and disruptive to your business.
To build a more effective contractual risk transfer program, organizations should consider the following best practices:
- Create standard contractual risk terms. These should be thoroughly vetted and regularly updated. They should include tiered requirements that stipulate higher limits of insurance for more hazardous operations undertaken by your company or a counterparty to a contract.
- Train procurement professionals. Your procurement team should understand these standardized terms and why they’re important to risk management.
- Require authorization to bend terms. Specific business reasons may occasionally require changes to contract terms, but there should be a protocol for such deviations.
- Establish guidelines for when to involve risk management. For example, you might require that risk management be consulted on any contract that exceeds a certain dollar value or falls outside the scope of normal activities.
- Enforce collection and review of certificates of insurance. No work should begin until you have all necessary certificates of insurance in hand.
For more on this topic, listen to a replay of the Marsh webcast, Fortifying Your Contractual Risk Transfer Program.
Author: Janice Collins
(Bloomberg) — A new cyberattack similar to WannaCry is spreading from Europe to the U.S., hitting port operators in New York and Rotterdam, disrupting government systems in Kiev, and disabling operations at companies including Rosneft PJSC and advertiser WPP Plc.
More than 80 companies in Russia and Ukraine — and the Chernobyl nuclear plant — were initially affected by the Petya virus that disabled computers Tuesday and told users to pay $300 in cryptocurrency to unlock them. Telecommunications operators and retailers were also affected and the virus is spreading in a similar way to the WannaCry attack in May, Moscow-based cybersecurity company Group-IB said.
Rob Wainwright, executive director at Europol, said the agency is “urgently responding” to reports of the new cyber attack. In a separate statement, Europol said it’s in talks with “member states and key industry partners to establish the full nature of this attack at this time.”
Kremlin-controlled Rosneft, Russia’s largest crude producer, said in a statement that it avoided “serious consequences” from the “hacker attack” by switching to “a backup system for managing production processes.”
U.K. media company WPP’s website is down, and employees have been told to turn off their computers and not use WiFi, according to a person familiar with the matter. Sea Containers, the London building that houses WPP and agencies including Ogilvy & Mather, has been shut down, another person said. “IT systems in several WPP companies have been affected,” the company said in emailed statement.
The hack has quickly spread from Russia and the Ukraine, through Europe and into the U.S. A.P. Moller-Maersk, operator of the world’s largest container line, said its customers can’t use online booking tools and its internal systems are down. The attack is affecting multiple sites and units, which include a major port operator and an oil and gas producer, spokeswoman Concepcion Boo Arias said by phone.
APM Terminals, owned by Maersk, is experiencing system issues at multiple terminals, including the Port of New York and New Jersey, the largest port on the U.S. East Coast, and Rotterdam in The Netherlands, Europe’s largest harbor. APM Terminals at the Port of New York and New Jersey will be closed for the rest of the day “due to the extent of the system impact,” the Port said.
Cie de Saint-Gobain, a French manufacturer, said its systems had also been infected, though a spokeswoman declined to elaborate, and the French national railway system, the SNCF, was also affected, according to Le Parisien. Mondelez International Inc. said it was also experiencing a global IT outage and was looking into the cause. Merck & Co. Inc., based in Kenilworth, New Jersey, reported that its computer network was compromised due to the hack.
New virus called Petya
The strikes follow the global ransomware assault involving the WannaCry virus that affected hundreds of thousands of computers in more than 150 countries as extortionists demanded $300 in Bitcoin from victims. Ransomware attacks have been soaring and the number of such incidents increased by 50% in 2016, according to Verizon Communications Inc.
Analysts at Symantec Corp. have said the new virus, called Petya, uses an exploit called EternalBlue to spread, much like WannaCry. EternalBlue exploits vulnerabilities in Microsoft Corp.’s Windows operating system.
The new virus has a fake Microsoft digital signature appended to it and the attack is spreading to many countries, Costin Raiu, director of the global research and analysis team at Moscow-based Kaspersky Lab, said on Twitter.
The attack has hit Ukraine particularly hard. The intrusion is “the biggest in Ukraine’s history,” Anton Gerashchenko, an aide to the Interior Ministry, wrote on Facebook. The goal was “the destabilization of the economic situation and in the civic consciousness of Ukraine,” though it was “disguised as an extortion attempt,” he said.
Kyivenergo, a Ukrainian utility, switched off all computers after the hack, while another power company, Ukrenergo, was also affected, though “not seriously,” the Interfax news service reported.
Ukrainian delivery network Nova Poshta halted service to clients after its network was infected, the company said on Facebook. Ukraine’s Central Bank warned on its website that several banks had been targeted by hackers.
Drought is the biggest risk to property, and cloud computing risk is the greatest exposure in liability, according to a report released Tuesday by Swiss Re Ltd.
The reinsurer’s Sonar Emerging Risk Insights Report features six emerging trend spotlights and highlights 20 more emerging risk themes identified by the company’s SONAR tool, an internal crowdsourcing platform that collects input and feedback from underwriters, client managers, risk experts and others within the insurance sector.
Increasing migration to cloud-based computing systems exposes business to new risks, Swiss Re said.
“Should an event bring down or severely impair,” cloud services from a single large provider, for example, “the financial loss could be immense,” said the report.
Water shortages and related problems also pose numerous threats.
Losses in agricultural, energy and forestry, risk of large-scale wildfires, drought-induced soil subsidence and water pollution events in the energy, mining and agricultural sectors are just some of the rising exposures related to drought, according to the report.
The report also identifies rising inflation and regulatory fragmentation as near-term risks, while tapping “underestimated infectious diseases” and “emerging artificial intelligence legislation” as longer-term threats.
“Ignoring emerging risks is just not an option. We need to prepare for the risks of tomorrow,” Patrick Raaflaub, Swiss Re’s group chief risk officer, said in the report.
(Bloomberg) — The Atlantic hurricane season will likely churn out an above-average 11 to 17 named storms, in part due to fading odds that an El Nino will form in the Pacific.
Of storms that emerge during the six-month season that begins June 1, five to nine will reach hurricane strength with winds of 74 miles (119 kilometers) per hour, the U.S. National Oceanic and Atmospheric Administration said Thursday.
Two to four may become major systems reaching Category 3 or stronger on the five-step Saffir-Simpson scale.
Vulnerability to losses
The Earth’s most powerful storms can threaten lives, destroy property and move global energy and agricultural markets. An estimated $28.3 trillion worth of homes, businesses and infrastructure is vulnerable to hurricane strikes in the 18 U.S. Atlantic coastal states, according to the Insurance Information Institute in New York.
The U.S. hasn’t been struck by a major system since Hurricane Wilma in 2005, said Dennis Feltgen, spokesman for the U.S. National Hurricane Center in Miami. In September, Hurricane Matthew killed at least 585 people, most of them in Haiti, making it the deadliest storm since Wilma. Matthew went on to graze the U.S. East Coast, causing widespread flooding across the South before making landfall in South Carolina.
Season average of 12 storms
In an average season, the Atlantic spins off 12 storm systems. A year ago, the U.S. predicted 10 to 16 would form while the season eventually saw 15 storms.
Last month, Colorado State University predicted the Atlantic would produce 11 named storms. A system is named when winds reach 39 mph and it becomes a tropical storm. The university, which pioneered seasonal hurricane forecasts, will update its outlook next week.
Meanwhile, the specter of a Pacific Ocean El Nino hangs over all hurricane forecasts. El Ninos can make it harder for hurricanes to form across the Atlantic by increasing wind shear that weakens storms. Earlier this month, the U.S. Climate Prediction Center lowered the odds of El Nino forming to 45 percent from 50 percent in April.
Weak El Nino and above-average water temps
A weak or nonexistent El Nino and above-average water temperatures in the tropical Atlantic are driving the above-average storm forecast, Friedman said.
In addition, warm water provides fuel for budding storms, said Gerry Bell, hurricane seasonal forecaster at the U.S. Climate Prediction Center in College Park, Maryland.
“Right now, there is not much of an indication at all that the season will be below normal,” Bell said. “It really is a combination of factors this year that point to a more active season.”
Storms can wreak havoc on agricultural markets in Florida, the second-largest producer of orange juice behind Brazil, and the top domestic grower of cane sugar.
And while energy traders also closely watch forecasts, a surge in onshore fracking for natural gas has lessened the impact of bad weather on markets. Offshore drilling in the Gulf of Mexico will account for 4.1 percent of total U.S. gas production this year, down from 14 percent about a decade ago, Energy Information Administration data show. In addition, storms Katrina and Ike destroyed many old drilling rigs and platforms, which were replaced with equipment better able to withstand storm forces.
All hurricanes are dangerous
“The point is just because it is not a major hurricane doesn’t mean that it’s not dangerous, doesn’t mean it isn’t deadly, doesn’t mean we don’t need to be prepared for it,” Friedman said.
The U.S. is using a new hurricane model this year that has delivered more accurate tracks and intensity forecasts in tests, Friedman said. The newest geostationary weather satellite, GOES-16, launched last year, will be moved to watch both the Atlantic and the eastern U.S.
In another change, the National Hurricane Center will issue storm surge watches and warnings, as well as time-of-arrival graphics to better alert people to pending storm conditions, said Mary Erickson, deputy director of the National Weather Service.
Flooding, the deadliest part of hurricanes, “is often overlooked because folks are focused on wind,” Erickson said.
Separately, the U.S. also predicted 14 to 20 named storms would form in the eastern Pacific, mainly off Mexico. The eastern Pacific storm season began May 15.
Financial disaster preparedness begins with a thorough understanding of the risks facing the organization. As an organization grows and its operations become more intricate, its risks change and tend to become more complex. Accordingly, risks need to be assessed continuously, an exercise typically orchestrated by the risk manager with support from throughout the company.
Beyond the many challenges of physical recovery following a catastrophe, additional problems affecting financial recovery often occur because key areas of risk were overlooked or their potential impacts were not fully understood. For example, a real estate services provider had adequate liability coverage for cyber breaches but did not anticipate the potential financial impact of an interruption of its IT systems. The company experienced a cyber intrusion that shut down its servers for 24 hours, resulting in a multimillion-dollar loss that was only partially covered by insurance.
Risks that are not identified or clearly understood in advance are difficult to manage in a cost-effective manner following a catastrophic event. Such risks expose an organization to unexpected and often avoidable financial losses. The process of risk identification, analysis, mitigation and transference is a critical part of the financial preparedness process.
Once risks have been identified and analyzed, seven key areas of financial preparedness must be addressed:
1. Planning for business continuity
The foundation of financial preparedness, business continuity planning entails understanding how, and to what degree, your organization will be able to service its customers and maintain solvency in the event of a major shutdown of operations or other catastrophic event. This can include a variety of actions, such as fulfilling orders using existing inventory, receiving support from other company locations, outsourcing production and/or services, and setting up a temporary location. These actions help ensure continuity of operations and, in doing so, also help mitigate the loss.
In planning for business continuity, it is important to consider unexpected occurrences and challenges. Catastrophic losses can occur in ways that were not anticipated or previously experienced by an organization. For example, as a result of Superstorm Sandy in 2012, a company lost two of its major data centers, one located in New York City and a backup center located miles away in New Jersey. The company’s management never anticipated the possibility of a hurricane impacting both data centers at the same time. Organizations must explore a wide range of possible causes of loss and the resulting impacts when assessing both the maximum possible and the maximum probable loss.
2. Understanding employee retention
Retaining key employees and other members of the workforce following a catastrophic event is essential to the continuity and restoration of a company’s operations. Organizations must assess whether or not insurance will be necessary to cover labor costs following a catastrophic loss.
3. Understanding and mitigating costs
In addition to labor, there are many other costs that will continue following a catastrophic loss. The key to managing these costs is assessing the organization’s (and each facility’s) structure of variable and fixed costs and determining how they will likely be impacted following a partial or complete shutdown of operations.
By understanding and assessing continuing costs, the organization can better plan for mitigation of those expenses and required insurance coverage. The preparation of a simple business interruption values worksheet does not typically go deep enough—the process requires a detailed understanding of operations and related costs, and ways they will be impacted following a loss.
4. Identifying other sources of potential funding
Insurance is typically the first line of defense following a catastrophic loss, but other sources of funding may also be available. For example, if the president formally declares a disaster, state and local government entities, eligible nonprofits (including hospitals, colleges and universities) and Native American tribes may qualify for federal disaster relief, including Federal Emergency Management Agency (FEMA) Public Assistance Program grants, U.S. Department of Housing and Urban Development Community Development Block Grant Disaster Recovery grants, and Federal Highway Administration disaster grants.
In the case of FEMA Public Assistance grants, the documentation and reporting processes can be onerous, with a multitude of eligibility requirements that address the applicant, facilities, work performed and costs incurred. FEMA also has many insurance requirements, particularly for organizations that have received FEMA funding for previous disasters. Developing an understanding of these and other federal guidelines and implementing necessary procedures and controls before a disaster occurs can help ensure that maximum funding is secured in a timely manner, and can also help withstand audits by federal agencies.
5. Assessing liquidity needs
It is critical to maintain liquidity following a loss event. A careful assessment of the amount and timing of potential recovery from insurance and other sources of funding, consideration of continuing costs and extra expenses to maintain operations, and the need for capital to rebuild operations can shed light on the requirements for cash reserves and access to credit during an extended operational shutdown. While insurers may provide advances following a catastrophe, final settlement often takes longer than expected. Planning in this area can help avoid unexpected cash shortages that put business continuity at risk.
6. Developing a loss response team
Before a loss occurs, it is essential to identify and train the team that will support the organization following a loss event. Internal resources should include a broad spectrum of resources spanning the risk, legal, finance and accounting, operations, sales, engineering, and procurement departments. Additional external resources may include debris removal companies, general contractors, engineers, attorneys, accountants and other consultants. Developing your team and outlining their roles before a loss occurs will help expedite the recovery process, increasing its overall effectiveness and saving costs.
7. Assessing insurance coverage
An organization must conduct a review of its coverage at least annually and even more frequently when faced with significant changes in operations. Often, companies discover too late that their insurance policies do not provide sufficient coverage for property damage, business interruption and extra expenses. Many also discover unclear or ambiguous policy language that creates settlement issues.
An annual policy review should provide an understanding of the risks covered, sublimits, exclusions, deductibles, waiting periods and coinsurance requirements. This process can help ensure that risks are covered in the manner intended by management. Following annual renewals, it is also important to determine if any risks need to be further addressed and mitigated due to changes in coverage that may have occurred during the underwriting and renewal process.
The review should include an assessment of the organization’s covered locations and confirmation that the policy lists (or contains appropriate blanket coverage for) all existing locations, especially recently added ones. It should also include an assessment of the statement of values to determine whether property values are current. Property values may need to be updated as companies add, upgrade or sell equipment, invest in new capital, and change physical structures.
The organization’s business interruption values should also be assessed. This means, at a minimum, assessing each location and operation to determine the organization’s exposure to a loss of net income and expenses that would likely continue following a catastrophic event. As your business grows or declines or margins change, business interruption values will likely change as well. Failing to update these values could result in a gap in coverage due to insufficient policy limits, or potentially trigger a coinsurance penalty if designated in the policy.
In assessing insurance, it is important to pay close attention to sublimits, exclusions, waiting periods and deductibles, all of which can significantly impact an organization’s level of financial recovery. As an example, a large entertainment facility experienced a significant loss when an electrical outage led to the cancellation of a show on a busy weekend. Management was surprised to learn that the loss was not covered due to a 48-hour waiting period for “service interruption.”
The period of indemnity specified in a policy may also have a major impact on recovery. Insurance policies typically define the period of indemnity as beginning on the date of loss and extending through the period during which the property can be repaired, rebuilt or replaced, with reasonable speed, to the condition that existed prior to the loss (or, alternatively, the date business is resumed at a new location). Many policies also provide an “extended period of indemnity” of 30 days or more to give the business additional time to restore normal operations. This extended period can provide critical support for financial recovery.
It is also crucial to understand your needs with regard to employee payroll following a catastrophic loss. Business interruption insurance policies may provide full, limited or no coverage for “ordinary payroll” following a catastrophic loss. Ordinary payroll refers to payroll expenses of employees other than executives, department managers, employees under contract and other employees deemed vital to continuing operations. Companies with a critical need to keep such employees after a loss typically require this type of coverage in their policy.
Coverage for extra expense should also be assessed and considered in light of potential actions following an interruption of operations. This coverage generally addresses expenses incurred during the period of restoration to avoid or minimize the suspension of operations at either the current location or temporary locations.
A variety of special coverages are available to cover other areas of risk and may be appropriate for risks specific to the organization, such as insurance for contingent business interruption (to cover losses sustained by your organization as a result of physical damage occurring at your suppliers’ or customers’ facilities), supply chain disruption and cyber incidents.
Source: Risk Magazine
Author: Allen Melton
Author: Michael Speer
So, what’s next for the Trump administration’s handling of health data privacy and security issues now that the 100-day milestone has been reached?
So far, despite the overall anti-regulatory tone of the new administration, it appears that enforcement of HIPAA is moving along at the same or perhaps even a slightly more aggressive pace than what was taken by the Department of Health and Human Services under the Obama administration.
In one of his first speeches, Roger Severino, who last month took on the job of director of HHS’s Office for Civil Rights, promised to keep HIPAA privacy and security enforcement a top priority.
“I came into this job with an enforcement mindset,” Severino said on April 27 during a session at the Health Datapalooza conference in Washington, according to HealthcareITNews. “Congress established OCR to adapt to new technology – and to protect it.”
But will that mindset continue? A lot likely depends on the resources OCR gets for fiscal 2018. The staff has been stretched thin in recent years, especially as OCR has been digesting the findings of more than 200 HIPAA compliance audits of covered entities and business associates. Plans to launch a smaller number of more comprehensive audits in early 2017 have already been delayed until later this year. And who knows if that will even happen?
Privacy attorney David Holtzman, the vice president of compliance at security consulting firm CynergisTek who was formerly a senior policy adviser at OCR, notes that so far this year, in terms of enforcement actions taken by OCR, the agency could break its aggressive record of 2016, which included 12 settlements and one civil monetary action – not to mention the relaunch of audits.
“OCR has continued its stepped-up enforcement of the HIPAA privacy, security and breach notification rules. Thus far in 2017, the agency has announced negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million,” he says.
“In all but one of these cases, organizations have also been saddled with multiyear corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.”
But it’s still unclear how the Trump administration will handle bigger-picture health data privacy and security issues.
“I believe it is important to distinguish between broader policy decisions and the day-to-day operations of the department’s mission,” he says. “While we have not seen evidence of how administration policy on health data security and privacy issues will develop, there is ample evidence that it is business as usual in OCR’s administration of the HIPAA privacy and security standards.”
While meeting HIPAA compliance requirements doesn’t necessarily equal the kind of robust security efforts needed to effectively safeguard data – including data that goes beyond patients’ protected health information – OCR’s recent enforcement ramp-up likely will help nudge security laggards out of their complacency.
But it’s also important to remember that the OCR enforcement actions we’re seeing have been in the works for years. Looking ahead, will OCR be spending less time investigating major breaches that get reported now? Let’s hope not.
Here’s an updated look at the sobering breach stats: As of April 28, there were 1,921 major breaches affecting nearly 173.4 million individuals reported to OCR since September 2009, according to HHS’ “wall of shame.” And to date, OCR has issued 47 HIPAA settlements and two civil monetary penalties.
So, while there’s been a slight uptick in the number of enforcement actions taken by OCR over the last year or two, the reality is that there are still slim odds that you’ll end up being smacked with a financial penalty related to a breach.
And the odds could grow even slimmer if OCR finds itself with a barebones budget for fiscal 2018. President Trump has proposed big cuts to HHS’ overall budget for the next fiscal year beginning on Oct. 1, and he has also instructed federal agencies to plan on reducing their workforces in the near term.
In the meantime, OCR likely will keep picking and choosing cases for settlements that highlight common mistakes entities make in safeguarding patient information. Plus, the HIPAA enforcement agency will continue to release guidance that addresses confusing and critical security and privacy issues.
Hopefully, the healthcare sector will continue to learn from these cases and guidance and make it a higher priority to bolster their overall risk management programs to better safeguard all data against evolving threats.
Author: Marianne Kolbasuk McGee