RIMS/RMAFP PRESENTATION Joe A. Ramirez Catherine Crane
RISK TRANSFER VIA INSURANCE Most Common Method Involves Assessment of Risk and Loss Potential Risk of Loss Transferred For a Premium Insurance Contract Dictates Transfer of Loss Critical That Contract Terms Match Expectations For Coverage Otherwise Risk Management Strategy Is Frustrated
CONTRACTS Exculpatory Agreements Indemnification Agreements Waiver of Rights of Recovery Insurance Requirements Additional Insured Endorsements
FRONTING/SELF-INSURED RETENTION Fronting Policy Where Insurance May Be Required by Government or Regulatory Body Nominal Premium For Issuing A Policy With 100% Deductible or Self-Insured Retention ( SIR ) Self-Insured Retention Only Part of Risk Is Transferred SIR v. Deductible
RISK RETENTION/RISK PURCHASING GROUPS 1986 Liability Risk Retention Act What are RRG s and RPG s Group Members Are Part of the Same Industry RRG s Are Funded By Members, Insure Against Risk of Loss and are Subject to Government Insurance Regulators It Is a Liability Insurer RPG s Are Members Who Band Together To Purchase Insurance on a National Level
POSSIBLE ADVANTAGES TO A RISK RETENTION GROUP RRG s can offer lower rates, broader coverage, more favorable loss experience, access to reinsurance markets, and insulation from insurance market cycles However, RRG s are limited it to providing liability insurance only they cannot write other lines of insurance. State t guaranty funds are unavailable.
CAPTIVE INSURER Similar Concept as a Risk Retention Group A Parent Company s Subsidiary Acts Like a Traditional Insurance Company Extends to Additional Lines of Insurance Like WC and Property
LOSS RESERVING Assess Liability What Are The Likely Damages What Would It Cost to Defend The Claim Incurred But Not Reported Reserves Estimate of Losses For Claims That May or May Not Have Occurred But Have Not Been Reported Actuaries Develop IBNR Reserves Using Varying Methods Like Average Cost Per Claim Goal Is To Accurately Predict Cost of Losses
NEW DEVELOPMENTS IN CYBER LIABILITY & INSURANCE
CYBER NIGHTMARE Target cyber attack traced to external payment system used by vendors. Cost $400M+ TJ Maxx breach traced to a hacker with a laptop in a store parking lot. Cost $256M 41% of data breaches via third party business partners. 35% of data breaches due to lost/stolen laptop, smartphone, ipad, USB drive, etc. Breaches often go undiscovered for months. Average organizational cost $5.4M; $188/record.
WHAT IS DIFFERENT NOW? Traditional Insurance Coverage Options for Cyber Liability Gone In May 2014 Commercial General Liability Policies Commercial Umbrella & Excess Liability Policies Owners & Contractors Liability Policies Products/Completed Operations Liability Policies
OLD CGL POLICY Personal and Advertising Injury (Coverage B): an oral or written publication, in any manner, of material that violates a person ss right of privacy. Data breach involving personal information = personal injury potentially covered under B Coverage B does not provide: first-party coverage, eg e.g. forensic investigations, data restoration, customer notification, credit monitoring, regulatory penalties.
EXIT CGL COVERAGE Target, Neiman Marcus, Michaels Customer lawsuits implicate B-side CGL coverage via allegations of privacy invasion Shareholder derivative suits implicate D & O coverage alleging g negligent g failure to adequately protect customers data; failure to timely inform customers, failure to adequately monitor payment systems, etc. Enter ISO s new Data Breach exclusion:
2014 CYBER EXCLUSIONARY ENDORSEMENT This insurance does not apply to access or disclosure of confidential or personal information "Personal and advertising injury" arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial i information, credit card information, health information or any other type of nonpublic information. This exclusion applies even if damages are claimed for notification o costs, s, credit monitoring o expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's s or organization's confidential or personal information.
ENTER CYBER INSURANCE Cyber insurance not a mature business line so coverage and pricing varies much more than for more established risks. First-party coverage: losses to policyholder s own data, lost income and other harm to the policyholder s business. Third-party coverage: policyholder s liability to third parties arising from a data breach or cyber attack. Vendors?
FIRST-PARTY COVERAGE Theft and fraud. Covers destruction or loss of policyholder s data as a result of a criminal or fraudulent cyber event or employee error. Forensic investigation. Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack, and to stop the attack. Business interruption. Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss. Extortion. Covers costs associated with the investigation of threats to commit cyber attacks against the policyholder s systems and for payments to extortionists. Computer data loss and restoration. Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware and software. Crisis management Covers crisis management and public relations Crisis management. Covers crisis management and public relations expenses.
THIRD-PARTY COVERAGE Litigation. Covers the costs associated with civil lawsuits, judgments, settlements t or penalties resulting from a cyber event. Regulatory response. Covers the legal, technical or forensic services necessary to respond to governmental inquiries and fines or penalties. Notification costs. Covers the costs to notify customers, employees or other victims affected by a cyber event, including notice required by law. Credit monitoring. Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees. Media liability. Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured. Privacy liability. Provides coverage for liability to employees or customers for a breach of privacy.
ISO DATA BREACH FORM Information Security Protection Policy, ISO form EC 00 10 11 09 Media liability (infringement & privacy violation + defense costs) Security breach liability (unauthorized access to or disclosure of personal information & virus transmission) Programming errors & omissions liability resulting in disclosure of personal information Cost to replace or restore e-data or programs Costs related to cyber extortion Business income & extra expense Reputation repair expenses Investigation, notification, credit monitoring, call center costs Defense costs, employee error, regulatory & PCI penalties optional
CYBER INSURANCE AKA cyber security insurance cyber risk insurance data breach/loss insurance information security insurance network security insurance e-commerce insurance e-business insurance hackers insurance
DIRECTORS AND OFFICERS INSURANCE Joe A. Ramirez
D&O MARKET IS HARDENING
PREMIUMS ESCALATING Towers-Watson, Directors-and-Officers-Liability-2012-Survey-of-Insurance-Purchasing-Trends
WHY IS THE D&O MARKET HARDENING Increase in D&O Litigation Increase in Regulatory Activity SEC Investigations and Actions FDIC Suits Against D&O s Increased International Exposure
WHAT/WHO/WHERE DOES D&O COVER No Standardized Forms Coverage Can Vary Even Within One Insurer Sides A, B and C D&O s, Employees, Risk Managers, Lawyers, or the Organization Wrongful Acts World-Wide Coverage But Optional Coverages EPL, Fiduciary i or Crime
WHY WOULD A PRIVATE COMPANY NEED D&O COVER Attract Outside Directors Protect D&O s Personal Assets Protect the Company Future IPO? Claim Examples
COMMONLY CITED EXCLUSIONS Fraud and Ill-Gotten Gains Breach of Contract Prior Notice Related Acts
POLICY CONDITIONS AND OTHER PROVISIONS Claims-Made Coverage Eroding Limits/Shared Limits Presumptive Indemnification Duty to Defend v. Reimbursement Allocation Consent Clause/Hammer Clause Change in Control Notice of Circumstances
CONTACT Joe A. Ramirez Catherine C. Crane Partner Of Counsel jramirez@hollandhart.com ccrane@hollandhart.com 303-290-1605 303-290-1608