Distributor Liability Contract Risk Management
THOMAS DOUGLASS
APRIL 15, 2015
Today's Agenda
What are we talking about today?
- What is Risk
- Evolution of risk management
- Understand the importance of Risk Transfer
- Key elements of contractual transfer
- The Interaction of contracts and insurance
- Newest topic in insurance - Cyber Liability
- Questions & Answers
What is risk
- Risk is present in everything we do
- ISO 31000, the international standard on risk management, defines it this way: Risk = the effect of uncertainty on your objectives.
- Risk can be a threat or an opportunity
- Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Why We Need to Manage Risk
The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.
National Guidance on Implementing ISO 31000:2009 (from NSAI in Ireland)
5 Major Categories for External Global Risks
- Economic Risks
- Geopolitical Risks
- Environmental Risks
- Technological Risks
- Societal Risks
Top 5 Global Risks in Terms of Likelihood, 2007-2014: Insurance can help with most
Top 5 Global Risks in Terms of Impact, 2007-2014: Insurance can help with most
12 Industries with Risk Issues in the next 10 years
- Health Care
- Health Sciences
- Energy (Traditional)
- Alternative Energy
- Petrochemical
- Agriculture
- Natural Resources
- Technology (incl. Biotechnology)
- Light Manufacturing
- Insourced Manufacturing
- Export-Oriented Industries
- Shipping (Rail, Marine, Trucking, Pipelines)
A Few Definitions - ISO 31000
- Risk is the effect of uncertainty on objectives
- Risk Management: the coordinated activities to direct and control an organization with regard to risk
- Risk Owner: the person or entity with the accountability and authority to manage risk
- Stakeholder is any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders' interests and fears should be taken into account
- Risk management process is the systematic application of management policies, procedures and practices to the tasks and activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
Risk Management is Evolving

Transactional Approach
- Purchase insurance to cover risks
- Hazard-based risk identification and controls
- Compliance issues addressed separately
- Safety & emergency mgmt handled separately
- Silo approach - risk mgmt is not integrated across the organization
- Risk Manager is the insurance buyer
- Risk is bad - focus is on transferring risk

A Broader Risk Mgmt Approach
- Greater use of alternative risk financing techniques
- More proactive about preventing and reducing risks
- Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
- Cost allocation used for education and accountability
- More collaboration as depts. are willing
- Risk Manager may be the risk owner
- Risk is an expense - focus is on reducing cost-of-risk

Enterprise Risk Management
- A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
- Aligns RM process with strategy and mission
- May include upside risks (opportunities)
- Helps manage growth, allocate capital & resources
- Risks are owned by all & mitigated at the department level
- Many risk mitigation & analytical tools available
- Risk Manager is the risk facilitator and leader
- Risk is uncertainty - focus is on optimizing risk to achieve goals
Why should we take a broader approach to risk?
- Insurance companies estimate that only 20-30% of all risks are insurable
- Global interconnectedness forces us to think more broadly, for example:
  - Pandemic flu
  - Cyber attacks
  - World economy & supply chain risks
- Now more than ever, we need all stakeholders to be risk aware
Principles, Framework, RM Process

Principles
- Creates value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured & timely
- Based on best available info
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the org

Framework
- Continually improve the framework
- Mandate & Commitment
- Design framework for managing risk
- Monitor and review the framework
- Implement risk management

RM Process
- Communicate and consult
- Establish the context
- Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
- Risk treatment
- Monitor and review
Risk Identification - Contracts
- What are we committing to?
- What will our responsibilities be?
- Who will pay if something goes wrong?
- Where will the money come from?
- What other post-loss duties exist?
Risk Analysis - Contracts
- How important is this contract?
- Who are the key players?
- What's our timeframe?
- What's the loss history for these type of endeavors?
- How costly could it be?
Risk Evaluation - Contracts
- How important is this contract?
- What options do we have?
- What can we negotiate?
- What's the risk management perspective?
- What do we recommend?
Risk Treatment - Making Choices
- Avoid it?
- Control the risk?
- Share responsibility?
- What can we do to reduce the risk?
- Should we finance the risk?
- Can we transfer the risk?
Options for Transferring Risk
- Insurance
- Bonds
- Through contractual risk transfer:
  - Contracts + insurance requirements
  - Indemnification agreements
  - Hold harmless agreements
  - Waivers
Minimum Scope of Insurance
Coverages:
- Premises liability
- Products and completed operations
- Blanket contractual liability
- Personal injury with deletion of employee exclusion
- Named as additional insured
- Deletion of limitations re explosion, collapse, underground hazards
- Independent contractors
- Broad form property damages
Limits:
- $500,000/occurrence combined single limit for BI/property damage?
Minimum Scope of Insurance
- Additional insured on General Liability and Auto
- Current, valid insurance certificates with 30-days cancellation notice
- Insurers' Best Rating of no less than A:VII
- Amend policies & certs:
  - Your interest is primary & other ins excess
  - Severability of interest (ins applies to each insured)
  - Failure to comply with reporting provisions will not affect coverage
Additional Insured Provision
Appointed officers, members, employees and volunteers are included as insureds with regard to damages and defense of claims arising from:
a) Activities performed by or on behalf of the Named Insured
b) Products and completed operations of the Named Insured
c) Premises owned, leased or used by the Named Insured
d) The ownership, operation, maintenance, use, loading or unloading of any auto
Insurance Provisions
- Define Insurance Requirements
  - Coverage types, terms, formats
  - Timeframes for maintaining coverage
  - Limits, per occurrence and aggregate
  - Financial stability of insurer
  - Additional insured status, endorsements and certificates
- Put Requirements in RFPs / Contracts
Contractual Risk Transfer - Factors to Consider
- Control of the Risk
- Knowledge of the Risk
- Statutory or Common Law Limitations
- Custom & Practice
- Bargaining Position
- Will it pass public policy scrutiny?
Cyber Liability
Data Breaches 2005-2014: Data Breaches / Millions of Records Exposed
[Chart: # Data Breaches and # Records Exposed (Millions) by year, 2005-2014]
Worldwide Cybersecurity Spending 2011-2016F ($ Billions)
Cybersecurity spending increased by an estimated $5.2B in 2014, $5.8B in 2015 and $6.3B in 2016
[Chart: Worldwide Cybersecurity Spending and % Change from Previous Year, 2011-2016F]
What Risks can be Transferred - Buying insurance
- Breach response costs/crisis management costs
- Regulatory investigations, civil fines and penalties (where insurable by law)
- Litigation from individuals / class actions
- Litigation from financial institutions and other third parties
- Media liability - libel, slander, intellectual property infringement damages and expenses
- Cyber Extortion - consultant costs, ransom payments
- Data asset loss & non physical business interruption
- Loss of business income & extra expense
Available Coverages
Exposure Category: Description
- Network Security Liability: Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach
- Privacy Liability: Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care, custody and control
- Regulatory Liability: Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
- Legal / Notification Expense: 1st Party expenses to comply with Privacy Law notification requirements
- Crisis Management:
  - Credit Monitoring Expense: 1st Party expenses to provide up to 12 months credit monitoring
  - Forensic Investigations: 1st Party expenses to investigate a system intrusion into an Insured Computer System
  - Public Relations: 1st Party expenses to hire a Public Relations firm
- Data Recovery: 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
- Business Interruption: 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
- Cyber Extortion: Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack
- Technology Services/Products & Professional Errors & Omission Liability: Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable
- Media Liability: Covers the Insured for Intellectual Property and Personal Injury perils that result from an error or omission in content (coverage for Patent and Trade Secrets are generally not provided)
Assessing Cyber Risk - What do you need
[Chart: Ponemon Studies: Cost per Record, 2006-2013]
Assessing Cyber Risk - What records do you have?
[Chart: Breach Cost per Record by Industry]
Assessing Cyber Risk - Which line are you?
[Chart: Trends in Breach Cost ($M) by Co. Size; series: Small, Medium, Large, X-Large]
Thank You
Thomas Douglas
Area Vice President
Arthur J. Gallagher & Co.
12444 Powerscourt Dr. Suite 500
St. Louis, MO 63131
314-800-2225