10 Tips for Securing Responsive Cyber Coverage

SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option, but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill, and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk managers looking to secure the best possible coverage for their organizations.

  1. Be careful with insurance applications. Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.
  2. Retro dates. Hackers can be in systems for days, months or even years, so it is important to push retro dates back as far as possible.
  3. Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
  4. Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or may not be coverage gaps.
  5. Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
  6. If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
  7. Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
  8. Beware of breach of contract exclusions.
  9. Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.
  10. Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident. Make sure you are protected.

Balancing Risk and Compassion: Life Sciences Companies Face New Risks from Expanded Access

Pharmaceutical companies operate with a singular objective: bring drugs to market. This is how they profit, how they ensure that their products help the most people, and how they maintain the resources to continue innovating.

The lifecycle of drug development can be complex and onerous, despite improvements to the regulatory approval process over the past several years. Now, a trend sweeping the industry is forcing many pharmaceutical companies to decide under which circumstances they’re willing to divert resources from their mission of helping the masses.

Expanded Access, or “Compassionate Use,” refers to the use of an experimental drug not yet approved by the FDA to treat a critically ill patient outside of a clinical trial. The FDA received more than 1,800 requests for access to experimental drugs last year and, over the last five years, it has approved 99% of these requests.

But ultimately, once requests are approved by the FDA, it’s up to manufacturers to provide the drug to these patients, many of whom are children, and many of whom have just months left to live.

Companies are then faced with a choice: to provide an unapproved drug to individual patients, which can delay the process of making the drug widely available, or to deny the request and risk backlash from the public, who see only a dying patient and the pharmaceutical company that could save them. In several cases, the latter has fueled social media campaigns demonizing companies for withholding potentially life-saving medicines.

How a company handles expanded access requests can affect its reputation and financial stability. Pharmaceutical executives often operate under a microscope, where patient outcomes are the key to keeping investors on board. As expanded access patients often do not qualify for clinical trials, they may be higher-risk candidates, so reporting their results to the FDA could potentially prolong approvals and market availability. On the other hand, a company that denies an expanded access request can face significant reputational damage and even legal action if investors believe that management decisions hindered the company’s progress.

Small and mid-size life science firms in particular may fear that they don’t have the resources to navigate expanded access cases. But requests for experimental drugs are on the rise: the FDA saw a 92% year-over-year increase in requests in 2014. Companies need to prepare their approach and policies before they find themselves in the throes of a difficult decision with pressures mounting from both sides. Here are four ways they can set themselves up to make informed decisions about balancing risk with compassion:

Monitor the Regulatory Environment

Over the last year, the FDA has been working to simplify the process for physicians requesting access to experimental drugs on behalf of patients. In February 2015, the agency streamlined the application form, which now requires physicians to submit just eight types of information, as compared with 26 types in the previous form.

The FDA has also been working with life sciences companies to find alternative solutions to expanded access when needed, such as designing expedited open-label trials for these patients.

Additionally, as of August 2015, 24 states have introduced right-to-try bills, which allow physicians to request experimental drugs without going through the FDA’s application process.

With both federal and state governing bodies paving the way for easier access to experimental drugs, the decision to provide these drugs falls squarely on the shoulders of corporate leadership at pharmaceutical companies. These firms also ought to keep in mind the need to prioritize building and maintaining relationships with the FDA, which can be key in developing a creative solution.

Update Your Crisis Management Plan

Crisis management plans are sometimes written in broad strokes. In preparing for expanded access cases, risk managers need to bring together leadership from various departments—senior management, investor relations, finance, human resources, etc.—to weigh in on the specific risks associated with experimental drugs. Many firms will seek outside counsel to guide the process.

At a basic level, a crisis plan should map out vulnerabilities across all risk areas. For example, companies need to consider the process for securing their facilities, fielding press inquiries, addressing social media backlash, managing investor concerns and navigating potential lawsuits.

Most importantly, companies need to develop the principles that will guide decisions in crisis situations. Rather than scrambling for direction in the heat of public scrutiny, companies should establish a clearly-stated policy and set of guidelines for participation in expanded access programs. This will serve as the foundation of a response if an issue arises. Management must then be prepared to defend that position to all stakeholders, including employees, investors, patients, physicians and potentially press.

Evaluate and Re-evaluate Your Insurance Policies

Organizations need to consider which financial risks they can transfer to their insurance policies. Not everything will be insurable, but a strong policy can provide protection if an expanded access case threatens a company’s financial stability.

This starts with a comprehensive review of a company’s insurance portfolio with the issue of expanded access in mind. Oftentimes, risk managers revisit their policy language through the lens of a specific issue and realize that their expectations for coverage don’t accommodate current events. This can be the case with expanded access.

When reviewing their policies, companies need to understand the intent of the language relevant to expanded access and work with their broker to make sure the coverages are as granular as possible.

Lead the Way

This year, Johnson & Johnson created a Compassionate-Use Advisory Committee composed of doctors, bioethicists and consumer advocates to evaluate expanded access requests and make recommendations to the company’s clinicians. While many have hailed this as a creative solution for maintaining ethical standards, smaller companies with fewer resources cannot as easily take such an approach. These firms have an opportunity to set the standard for managing expanded access cases by developing thoughtful policies, collaborating with regulators and academics and, of course, addressing risks to business from the outset.

Cyber Insurance Purchasing Up, But Breaches Felt in Prices and Limits

NEW YORK—At yesterday’s Advisen Cyber Insights Conference, Zurich and Advisen released the fifth annual Advisen Cyber Survey of U.S. risk managers, finding a 9% acceleration in cyber liability insurance purchasing from 2014 to 2015. The firm has seen a 26% increase in the number of respondents who have coverage since the first survey in 2011.

Companies are taking cyberliability more seriously, Zurich reports, with the number of organizations developing data breach response plans up 10% from last year. What’s more, companies appear to be better recognizing the sheer amount of value at risk, with two-thirds of respondents saying they have either increased their policy limits or are considering doing so. While Zurich found that more organizations view information security as an organizational challenge rather than the purview of the IT department alone, and respondents said that boards and executive management are taking cyberrisk more seriously, those who have not yet obtained cyber coverage say it is because their superiors still do not see the need. There is also still a considerable difference in take-up rates among large corporations and small and mid-sized businesses, with Catherine Mulligan, senior vice president and national underwriting manager of specialty E&O, telling the audience there is an approximate 20-point spread between the groups.

“This year’s cyber survey shows that demand for coverage and higher limits has increased tremendously and we at Zurich have seen double digit growth year over year,” said Bryan Salvatore, president of specialty products for Zurich North America. “That is why we are heavily invested in identifying risks and delivering solutions and why we are committed to staying at the forefront of this issue.”

Marsh has also seen considerable growth in cyber liability insurance purchasing among its clients. According to the insurer’s new midyear cyber benchmarking report, the number of U.S.-based Marsh clients purchasing standalone cyber insurance increased 32% in the first half of 2015, up from 26% growth during this period in 2014. By sector, members of the education industry made up the biggest growth, with 155% more clients purchasing the coverage, followed by power and utilities with a 100% increase and manufacturing with a 76% increase. The healthcare sector remains Marsh’s largest buyer of cyber coverage, with 41% of all clients in this industry purchasing it by the end of the first half of 2015.

[Figure: Cyber liability insurance growth rates]

Sessions throughout the conference made clear that insurers—and the industry at large—are still struggling with what is also risk managers’ biggest challenge: data. Completely evaluating the true value at risk with cyber liability continues to elude both sides, although many new approaches and consultancy services are emerging. Further, the dearth of actuarial data not only compounds the challenges of the cyberrisk assessment process, but also makes it hard for the industry to set pricing and limits with confidence.

“It is hard for insurers to be prudent with cyber as risk managers often do not fully understand how to measure their exposure,” Mulligan said.

“Actuarial data is the Holy Grail of the cyberinsurance market: we’re all searching for it and it’s just not there,” said Bob Parisi, cyber product leader at Marsh, who moderated a session on the struggle to quantify and model cyberrisk.

In addition to the actuarial uncertainty, the considerable number of large losses over the past few years is continuing to push up the cost of cyber, forming what Willis executive vice president Peter Foster described as a “hot” market that will have to cool and solidify with time. Parisi chose to describe the market as “brittle” after absorbing several hundred million dollars in losses, and a range of insurers and brokers reported that premiums have increased dramatically as a result. The Marsh study found that price increases across industries averaged 19%, with 32% increases among retailers, the most frequently breached sector over the past few years.

[Figure: Cyber insurance limits purchased]

While these breaches and better estimates of the real cost of cyber incidents have helped many companies realize they may be underinsuring for cyber liability, the move to correct this is getting more difficult. Insurers have said repeatedly that there is plenty of capacity in the cyberinsurance market and many buyers have increased the limits purchased, but higher limits of liability are increasingly hard to come by, and none really exist in excess of $100 million. Particularly for businesses that have yet to implement serious efforts to address information security, rate increases appear sure to continue, and simply buying more coverage will not only be unsustainable, but may not even be possible as insurers give more thought to the capacity they are willing to commit to these risks.

“There is just not enough capacity to extend $50 to $100 million limits to every account,” said Greg Vernaci, AIG’s head of cyber in the United States and Canada. “We are looking to reward those companies with a robust information security posture who go beyond and take a multifaceted approach to managing cyberrisk.”

Should Your Company Install an Office Surveillance System?

There are plenty of compelling reasons to install a surveillance system in your office, but there are also a number of reasons not to. Cameras are becoming more and more common in our daily lives, and choosing whether or not to embrace them in your own workplace can be a challenging decision.

There are advantages and disadvantages to consider before installing cameras and phone/Internet monitoring. Here are a few of them:

Pro: Cameras prevent theft

There is no denying that a camera monitoring system is going to drastically reduce incidents of employee theft. Studies have shown time and time again that areas that are clearly monitored by camera systems have significantly less crime than places that suggest anonymity. If you have a problem with items going missing around the office, installing cameras can be a way of showing that you are aware of the problem without directly confronting a potentially innocent employee. Cameras are a highly effective deterrent that can quickly nip a theft problem in the bud.

Con: Cameras may offer a false sense of security

If you have a particularly devious employee, cameras may actually work against you. If an employee really wants to steal from the office, he or she will probably find a way to do so regardless of the cameras. You may feel like you do not need to do anything else once cameras are installed, which can cause you to let your guard down. For this reason, cameras should be used as an addition to your current loss prevention plan, rather than being used as the primary deterrent.

Pro: Cameras provide evidence

If an unforeseen incident occurs on your company’s property, you may have to deal with a lawsuit. Having cameras installed ensures that you have indisputable evidence to back up your story. If you suspect an employee of misconduct, you can simply check the camera to make sure your worries are not misguided. You never want to have to depend on your cameras, but it is certainly nice to know that they are there when you do.

Con: Employees may feel stifled

Any office manager knows that keeping morale up is essential to keep productivity high. Although you may mean well, installing cameras can sometimes be viewed as an invasion of privacy. It is important to form a bond of trust with your employees, and cameras or phone/Internet monitoring can undo the work you have done to establish meaningful relationships. However, explaining your stance on the issue and approaching it head-on may help to alleviate any concerns your staff may have.

Pro: Monitoring employees provides valuable training materials

Sometimes explaining how to handle a situation just isn’t as effective as being able to show a trainee a video or recording of a similar situation. Or, if an accident occurs, having video or audio recordings allows you to see what went wrong and prevent problems next time. Often words do not carry nearly as much impact as a recording of a real-life situation, so in-office surveillance can make your employees better at their jobs and more equipped to handle tough situations.

Con: The cost

Although today’s surveillance cameras are surprisingly budget-friendly, you still have to consider the cost of hiring employees to monitor them. You may also need to have them repaired if something goes wrong. Depending on the size of your office, buying multiple cameras and monitors can get quite pricy. The cameras often pay for themselves in the long run, however, by reducing theft and increasing productivity.

Choose based on your situation

Every office is different, and what works for one may not be ideal for another. Cameras can be absolutely essential in some situations, or you may be able to operate just fine without them. You may want to start with just a camera or two to see how your employees react, and then add more if necessary. Making the right choice for your office can be challenging, but in-office surveillance can be a valuable way to protect your livelihood and improve employee conduct.