Protecting Key Executives in Global Hot Spots

The recent suicide bombing in Istanbul and the Paris bombing last November killed and injured innocent bystanders and sent shockwaves around the globe. Such attacks also cause organizations to question international travel out of fear of putting their key executives and employees in harm’s way.global travel

As the risk profile changes in some locations that were once considered safe, it is critical to reassess and more deeply examine company programs to protect business travelers abroad.

First of all, for companies and their insurance advisors, there is no substitute for great advance planning. If a company is contemplating overseas travel and can establish well in advance that there exists a need for key person insurance, the coverage is easier to obtain and more cost effective. The reality is that the heightened awareness around a dangerous trip often results in an insurance need being developed or uncovered with little notice. When this need arises, the underwriting process migrates from the traditional life and disability insurance market to the playing field of high limit or specialized risk underwriters.

In one notable example, a large U.S. company recently made a significant investment in a defense contractor. Shortly after the investment closed, the company named a new chief executive officer and sought to acquire $50,000,000 of key person life and disability insurance.

As of the day of the request, their insurance advisor had eight business days to secure the insurance before the CEO departed for the Middle East, with stops in such international hot spots as Iraq and Afghanistan. Because of the abbreviated time frame, traditional life and disability insurance was not an option. The advisor needed to turn to a specialty underwriter that deals with exceptionally large and complex human capital risks.

Armed with the CEO’s itinerary (see below) and details of the executive’s compensation and equity incentive agreement, the advisor had enough information to present the submission to the underwriters. Within 72 hours, a policy was issued that covered the private equity firm’s loss of the CEO directly due to an accidental death or disability, as well as a result of acts of war or terrorism.

Few domestic life and disability carriers possess the ability to underwrite large risks when there is high-risk exposure in the world’s hot zones. Instead, companies and their brokers must work with large international insurers that are willing to deploy meaningful capacity.

The easiest way for advisors to access these markets is through an experienced U.S.-based correspondent who is skilled at designing and underwriting coverage in these volatile locations. Local correspondents or managing general underwriters also serve to guide brokers through the regulatory complexities that go along with underwriting risks through surplus lines carriers—something most life and health producers have little experience with.

The best brokers are masters at uncovering details from their clients, documenting them and communicating them effectively to underwriters. A well-written cover memo will often be the basis for offering coverage and can be the primary source for pricing consideration. A complete itinerary coupled with security details are the underwriter’s key points of interest, so make sure the information is gathered and communicated as early as possible.

Frequently, specific plans will be classified when working with international defense contractors, but one way or the other, the basic information must be made available. When underwriting coverage in highly hostile areas, rates can vary based on multiple factors, such as security arrangements, travel vendors, length of stay and, in highly hostile areas, rates even vary down to specific latitude and longitude coordinates, often within a single city or locale.

No detail is too small for spelling out the need for the insurance and financial justification, including the purpose of the trip and the client’s specific duties and objectives. This is the information that sets apart a submission and makes it more likely for an underwriter to go out on a limb with preferential pricing and terms.

Keep in mind, when underwriting risks in highly volatile areas—with the propensity for rapid deterioration—it may not be possible to negotiate coverage or a rate guarantee for the entire duration of the client’s journey. It is essential to keep in mind that the best underwriting offers go to advisors who deliver the most detailed and accurate information.

Example of a CEO’s itinerary:

Day 1 – Depart Commercial Air for Dubai

Day 3 – Arrive in Baghdad, Iraq – Transport to Camp Butler

Day 4 – Depart Baghdad and arrive in Dubai

Day 5 – Depart Dubai arrive Kabul, Afghanistan – Transport to Camp Gibson

Day 6 – Fly to Kandahar, Afghanistan

Day 7 – Depart Kandahar, Afghanistan – fly to Abu Dhabi

Day 12 – Depart Abu Dhabi for U.S.

It is important that we don’t allow acts of terrorism to knock the wheels off our economy. Business travel and face-to-face meetings are key elements in making us what we are, so it’s imperative that we mitigate the associated risk whenever possible.

Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and the reliance upon information security executives: a large portion of the education board members have on infosec is from the organization’s IT and security executives, and “when the person education you on cybersecurity is the same individual tasted with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks. According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

How to Influence Risk Management Standards, Frameworks and Guidelines

What do you want risk management standards, frameworks and guidelines to do for your success? Many people depend on these documents to provide needed guidance. Yet, you have heard the reasons people give for not wanting to deal with risk management standards and frameworks. Perhaps you have even voiced these yourself, at one time or another:

  • Our organization is so unique, no one standard or framework could possibly apply.
  • Standards are the same as regulations—we don’t need more regulations.
  • We know what we are doing—we don’t need any guidance. Those things don’t apply to us anyway.

Whether we like it or not, standards are a part of life and our daily language. We refer to a gold standard as a measure of excellence. There are standard breeds of dogs, horses and even chickens. We have internet standards. And what would we do without standards of care, and food safety standards?

Standards have been around a long time, and actually have benefited society. When time was standardized along the prime meridian, commerce flourished. When the United States decided to build the transcontinental railroad using a standard gauge, deliveries of passengers and goods were made more efficiently. Anyone who has traveled internationally can attest to at least one outcome when there is a lack of standards: the proliferation of power adapters that are needed when representatives from different nations gather.

Standards and guidelines—which typically are voluntary—are not regulations. Standards are created through consensus, public comment and acceptance. Regulations, on the other hand, are mandated through legislation. A primary standard (or “recognized” standard) is an established norm or collection of “best practices” that evolve over time under the jurisdiction of an international, regional or national standards development body. Standards are published as a formal document that can establish criteria, methods, processes and practices. In contrast, a guidance document, company product, corporate standard, etc., that may be developed outside of a recognized standards setting body—but which becomes generally accepted—is often called a de facto standard.

Ultimately, standards provide value when they foster common understanding reflecting collective wisdom, while creating efficiencies and better results for the organizations using them. In benefiting organizations, risk management standards generally recommend, but do not require, risk management criteria, methods, processes and practices. Therefore, they boost risk management’s value—one of the reasons you should care about risk management standards, frameworks and guidelines. And shouldn’t you be involved in developing guidance about your daily work? Another reason to care.

The problem is not a shortage of risk management standards and frameworks, but the proliferation of standards and frameworks that, at times, seem to contradict each other. The result is confusion, even about how terms and concepts are used. Sorting through these contradictions is challenging, particularly when others in the organization may be advocating a different risk management approach. These differences lead respective proponents to argue about which one is “right” or “better,” rather than focusing on the value that risk management can deliver. Creating a new risk management standard does not necessarily help the situation, as it usually just becomes one more competing standard.

There is an unmistakable need for understanding how to apply various risk management standards. Another reason for you to care: how complementary—or contradictory—risk management standards and frameworks may be can either help or hurt your efforts.

ACT NOW

We all have a unique opportunity right now to influence two of the major risk management guidance documents: ISO 31000:2009 developed by the International Organization for Standardization and the COSO ERM Framework 2004 under the auspices of the Committee of Sponsoring Organizations. Both are undergoing revision reviews at this time.

To influence the ISO 31000 revision: Seek to join the national mirror committee of your country. In the United States, the Technical Advisory Group for the American National Standards Institute (ANSI) is administered by the Association of Safety Engineers (ASSE) and chaired by Carol Fox, RIMS vice president of strategic initiatives. If you are interested in joining the US TAG, contact Ovidiu Munteanu for information and an application (omunteanu@asse.org).

To influence the COSO revision: The revision is open for public comment June 15 through September 30, 2016. COSO has expanded its website, www.COSO.org, with a section on the Framework update that includes the proposed Framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.

Brexit Creates Turmoil

Brexit
Britain’s unexpected vote to leave the European Union has left many unanswered questions, some of which may not be resolved for years as Britain and the EU iron out the details of the split. Meanwhile, in the wake of the announcement, oil prices dropped, global stock markets have taken a significant hit, the Euro and the British Pound plunged.

Fitch said today that overall, Britain’s decision is broadly “credit negative” for most U.K. sectors.

During a Eurasia Group conference call this morning, Europe associate Charles Lichfield asserted, “The U.K. has lost relevance to Washington.” In the past, he explained, the United States has worked closely with Britain on many European issues, but will now bolster relations with Germany, Spain and other countries, bypassing Britain.

According to the Wall Street Journal:

The move triggered a selloff across markets dragging down the British poundcommodities and shares in U.K.-listed banks, utilities and oil-and gas companies including BP PLC and Royal Dutch Shell PLC, whose shares fell 6.2% and 4.9%, respectively.

A spokesman for Shell said the company will work with the U.K. government and European institutions on navigating a British exit from the EU, known as Brexit. The Bank of England announced it was prepared to use its $371.85 billion war chest to stabilize the market.

The uncertainty in the marketplace after the referendum could hurt oil companies by exacerbating the already-challenging environment created by lower oil prices. In the aftermath of the vote, U.K. Prime Minister David Cameron announced plans to step down.

The referendum is expected to jolt the U.S. economy, likely driving up the value of the dollar.

Members of the insurance industry and their buyers are wondering what the impact on Lloyd’s and the London market will be. So far, Lloyd’s has maintained a cool façade.

“I am confident that Lloyd’s will stay at the center of the global specialist insurance and reinsurance sector, and I look forward to continuing our valuable relationship with our European partners,” Chairman John Nelson said in a statement on the vote. “For the next two years our business is unchanged. Lloyd’s has a well prepared contingency plan in place and Lloyd’s will be fully equipped to operate in the new environment.”

The Financial Times, however, expects the insurance sector to be “hit hard” by the vote and that the impact could have a negative impact on the London market.

According to the FT, “One of the big attractions to insurers of operating via Lloyd’s is that it has passporting rights into the EU. Many of the insurers who do business there at the moment say that after a Brexit they will simply shift some of their business to subsidiaries within the EU, bypassing the Lloyd’s market in the process.”

Brexit is also expected to have more impact on the life insurance market than property/casualty. “The impact on the non-life insurers was more muted, given that many of them have little cross-border business and hold very conservative investment portfolios. Shares in Direct Line, RSA and Admiral were all down in mid-single digits,” according to the FT.