Policy Considerations for Covering Special Exposures. Claire Lee Reiss Program Director National League of Cities Risk Information Sharing Consortium

Transcription

1 Policy Considerations for Covering Special Exposures Claire Lee Reiss Program Director National League of Cities Risk Information Sharing Consortium

2 Special exposures Coverage that targets a loss with special implications (emerging, affects some but not all members, unique in some way) Cyber (1 st & 3 rd party; statutory mandates; fines) Sewer back-up (3 rd party; emerging no fault) Special events Drones Skateboard parks Pools often treat differently from each other and from commercial insurers

3 Focus on cyber and sewer back-up Issues we ll discuss for each coverage: Types of potential losses from an event Pool approaches to coverage Policy considerations for selecting an approach

4 Cyber Coverage

5 What is a cyber event? Hacking Phishing Physical loss of, or unauthorized access to, computer or computer media Non-electronic loss of sensitive information (i.e. dumpster diving ) Accidental or intentional disclosure of private information

6 First party damages Member s own losses due to the cyber event Cost to repair or replace city technology & data Theft of city money/funds transfer fraud Extortion Business interruption & extra expense

7 Third party liability Liability to others Identity theft due to disclosure Defamation Trademark/copyright infringement Conduit for damage to others systems System unavailability Fraud from spoofing city system Possible consequences: damages, defense costs, and meeting regulatory requirements

8 Data breach response expenses Remedial actions required of those who hold private information that is disclosed improperly Often required by state law (esp. notification) Crisis management Legal services & forensics Public relations Notification ($2-5+) Mitigation (credit monitoring) ($12-15+)

9 Fines and penalties Government regulatory Credit card companies

10 Past losses due to cyber events Very low losses per RISC survey - so far Still a potentially serious and expensive risk Examples of RISC member cyber events Stolen laptop containing personally identifiable info Hard drive stolen while in possession of IT vendor Including private information in public presentation Malware on community center credit card equipment Key stroke recorder due to phishing money stolen Inappropriate access by public employees

11 Reasons to provide cyber coverage You may be covering already Increase in cyber attacks on cities Increased use of mobile devices with sensitive information Increased legal requirements for data privacy and breach notification Increased publicity of breaches Many members want cyber coverage Competitors are providing cyber coverage

12 Risks of providing cyber coverage Unpredictable losses Setting premiums too high or low Inadequate information about member exposures Development costs but uncertain demand Need for special skill sets Underwriting, claims & loss control Failure to understand legal requirements Positioning in competitive environment

13 General approaches to cyber coverage Few exclude cyber coverage outright Treat as standard coverage regular premium Existing policy language not excluded Cyber-specific coverage language or endorsement 1 st or 3 rd party coverage or endorsement Offer as optional coverage for additional premium Sublimit with additional limits for increased premium

14 Retained risk v. pass through Coverage on pool paper ceding risk to insurer Advantages Pool doesn t bear the risk Pool has benefit of insurer expertise in designing coverage and responding to breach Disadvantages Insurer gets the premium Coverage may not be tailored to members needs Lack of control over settlement

15 Occurrence v. claims made/made & reported Occurrence arising from an occurrence during the coverage period Claims made/made & reported claims made during coverage or extended reporting period Considerations 3 rd party liability: A breach may occur a long time before it is discovered Damages may take a long time to develop Pool may be exposed to loss long after coverage ends Considerations Data Breach Recovery Expenses: Good loss control

16 Triggers Occurrence (risk of unintended interpretations) Cyber liability event Security breach Unauthorized access Unintentional data compromise Information breach/interrelated information breaches

17 Limits Regular policy limits if no exclusion Sub-limits for cyber losses First party, third party, response, mitigation, penalties Higher limits for additional premium Special aggregate Ambiguity of occurrence Research says: Limits range $25,000 - $1,000,000 Aggregates range $25,000 - $5,000,000 Higher aggregates may be shared by all members: allocation? Claims/defense costs inside/outside limits

18 Member loss sharing Deductibles Regular policy deductible if no exclusion $2,500 - $5,000 per claim or occurrence Coinsurance for certain losses Public relations Privacy notification costs Prior consent of pool for certain notification costs

19 Exclusions Exclusions Certain intentional acts Unauthorized/unlawful collection of personal info Regulatory fines (sometimes) Coverage that belongs elsewhere: employment practices/labor relations/bi/pd/antitrust etc.

20 Underwriting Loss control benefits and pricing coverage Losses (probably none) Types of information handled Location of sensitive data Security policies and procedures Physical security for equipment Protective software Information security training for employees Breach response plan

21 Sewer Back-up Coverage

22 Potential losses from a sewer back-up Clean-up: repair and replacement of damaged property Most citizens don t have sewer back-up coverage Inability to use affected property Bodily injury and illness Public relations Environmental penalties

23 Portion of losses due to sewer back-ups Significant producer of claims for some pools, according to RISC survey Two pool s sewer losses: 10.6% claims by number &.5% losses 22% claims by number and 11% losses Half closed without payment Average paid claim was around $6,000

24 Coverage based on 3 rd party liability Caused by member fault Often inadequate inspection & maintenance May be covered because not excluded same premium May be covered using specific language/endorsement for more premium May be separate underwriting May be sub limits and aggregates Usually occurrence basis Often informal no-fault for clean up costs

25 Considerations favoring 3 rd party liability basis Pool has high losses for sewer back-ups Member sewer systems structurally compromised Pool s finances are tight Member needs and expectations Consistent with other liability exposures Members can t/don t want to pay for no-fault coverage Competitive environment

26 Why consider no-fault coverage? Need expressed by members Citizen expectations costs will be covered Formalize current practice of paying for clean up Public health benefits of rapid clean up Reduces liability claims and legal costs Mitigates damages, if legally liable Stabilizes costs for members Competitive advantage

27 Considerations against a no-fault basis Catastrophe risk Internal costs Development cost Uncertainty of demand if extra cost Underwriting and renewal work Extra claims administration cost Disincentive for homeowners to install back flow preventers and buy coverage One pool conditions coverage on installation of back flow device (at pool expense) on affected premises

28 How is no fault sewer back-up configured? Separate language within GL or by endorsement No fault exists alongside 3rd party coverage: may be voided if 3 rd party implicated Covers clean up costs, usually property damage, but not bodily injury Usually occurrence basis Often combined with water main rupture and in one case with other no-fault property damage

29 No-fault premiums Fully fund costs to avoid subsidy Approaches to setting premium Based on GL premium Per head of population Per tap or connection into city sewers Adjustment of premium for poor loss control v. deductible increases Deductible increases help members and avoid speculation about how much premium must increase

30 Exclusions from coverage Exclusions help protect from catastrophes Extreme weather (rainfall) events Eligibility of event for federal or state disaster aid Extended power failures affecting sewer facilities Damage to foundations Losses unrelated to member activities Resulting from illegal connections Occurring during homeowner work on wastewater system

31 Recovering losses from other sources Other insurance Excess over affected citizen s other insurance Pay affected citizen s deductible Subrogation No contractual waiver Must assist in exercise of subrogation rights

32 Member loss sharing Special deductibles As low as $250: as high as $10,000 per occurrence Multiple options may be offered Lower limits Per building/structure $5,000 $50,000 Limit per occurrence $5,000 - $100,000 Annual aggregate limit $10,000 $300,000 + Educate members in advance about limits and deductibles

33 Impact of definitions on member loss sharing Occurrence, structure, & building are often defined terms Occurrence multiple events in 72 hrs Building/structure group of structures served by a single tap

34 Tiered cost sharing One pool s approach: tiered cost sharing Pool pays initial $50,000 net of deductible After $50,000 member pays 80% and pool 20% If losses exceed $250,000 in a year, pool pays Deductible applies separately to each separately identifiable dwelling unit: business/residential Also works extensively with members to train about what to say when responding to the scene

35 Underwriting considerations Loss history Fault v. no-fault; different types of claims Age and condition of infrastructure Legal liability Discretionary immunity defense & tort cap Loss control Inspection, maintenance and repair requirements Tool kits (policies, procedures, model ordinances) Crews trained about maintenance & communication

36 Conclusion No one approach Gather and analyze information Loss data Legal requirements Members exposures and needs Competitive forces Be respectful of uncertain risk

37 Questions? Claire Lee Reiss Program Director, NLC-RISC National League of Cities 1301 Pennsylvania Ave., NW Washington, DC