Immediate Vault Immediate Access

Recovery in the Aftermath of a Hurricane

The 2022 hurricane season may be nearing its end, but it is clearly not over just yet. With Tropical Storm Nicole approaching landfall and expected to reach the U.S. as a Category 1 hurricane, Florida residents are once again in storm preparation mode and in the coming days, they will be dealing with the storm’s impact. The aftermath of a hurricane presents many risks—while the storm may be over, the danger is not. Any storm that damages power lines, gas lines or electrical systems, puts you and your business at risk due to fire, electrocution or explosion.

Proceed With Caution

Even once we enter the recovery phase, it is important to take precautions in flooded areas. Never drive across flowing water; a few inches of water may cause you to lose control of your vehicle and as little as a foot of flowing water will carry away a small car. Similarly, avoid wading in floodwaters. They may be contaminated by agricultural or industrial chemicals, or hazardous agents. Remember that standing water can be dangerous as it may be electrically charged from underground or downed power lines.

Before entering a building that has suffered wind or flood damage, conduct a preliminary inspection to make sure it is stable. If there is extensive damage, have a professional engineer or architect certify that it is safe. A professional should also check the gas, water and electrical lines and appliances for damage.

When using a generator for building system power, be sure that the main circuit breaker is off and locked out prior to starting the generator and that there is no exposed electrical wiring or equipment. This will prevent inadvertent energizing of power lines or uninsulated circuitry and help protect utility line workers and building occupants from possible electrocution.

Rebuilding and Restoring

Damage to your business can have a dramatic and far-reaching impact, so it is best to be prepared for the worst. It is natural to want to get back to a storm-hit property as soon as possible, but a little extra caution can go a long way in these circumstances.

Once the property is deemed safe by local officials, specially trained recovery teams in appropriate personal protective equipment can help assess the damage and work with management to implement an action plan to safely get your business back up and running. It is important to photograph and document all damage and notify your insurance agent as soon as possible. Then you can proceed to make temporary repairs to protect the building and its contents.

Preparing for the Future

An average hurricane season produces 14 named storms, of which seven become hurricanes, and three become major hurricanes. Recovery is never a one-and-done proposition—there will always be other hurricanes and hurricane seasons. Regardless of whether or not you experienced damage this year, if your business is in a hurricane prone area, or has the potential for a hurricane, you need to put your hurricane preparedness plan into action by building your hurricane kits, gathering needed supplies, and training your employees in pre- and post-hurricane activities. Do not wait for the next storm to form, as, it becomes increasingly more difficult to acquire the necessary equipment and supplies for your location once a warning has been issued and a storm looming in the not-too-far distance. 

NOAA’s main function is to monitor weather and distribute alerts and warnings. Since 2019, NOAA has been utilizing models that provide a more realistic expected arrival times for storms. Having the ability to better pinpoint a storm’s arrival enables businesses to better prepare their locations and their people for the impeding storm. This technology also helps to reduce loss-of-life and injury, in addition to the potential catastrophic financial impact a hurricane can have on a business.

The recovery period that storm-impacted Florida businesses are in following this year’s storms presents a great opportunity for learning. It is essential that organizations have a process in place to assess weaknesses and strengths in their hurricane readiness plan before the next event. What went well before, during and after the storm? What can be improved or implemented to address any unexpected challenges from this event?

If history has taught us anything, it is that a common thread across the responses to all natural disasters is a lack of awareness and preparation. As one of nature’s most destructive events, hurricanes are powerful and far-reaching, often causing dangerous storm surges that can be felt hundreds of miles inland. With potential maximum wind speeds of 200 mph and the ability to drop more than 2.4 trillion gallons of water in a single day, hurricanes are not to be taken lightly. By identifying areas of vulnerability and taking actions to prepare, businesses can potentially reduce the impacts of a catastrophic hurricane.

Cyberrisk Management Tips for Businesses Amid the Russia-Ukraine War

A wide range of risks are trickling down from Russia’s assault on Ukraine, from sanctions compliance to supply chain disruption to business interruption. Cyberrisk has also drawn considerable concern and the threat landscape continues to evolve rapidly, though the details of increased cyberattack activity are not yet fully known and may be largely unfolding below the surface right now. Attacks attributed to Russia have been launched against a range of targets in Ukraine, including new destructive malware campaigns, targeted information-gathering against a range of civilian and government targets, and attacks on critical infrastructure.

Concerns about escalating cyber activity around the crisis are a vivid reminder of the importance of knowing your threat model and adjusting your risk management priorities accordingly. According to experts ranging from independent cybersecurity professionals to officials at the Cybersecurity and Infrastructure Security Agency (CISA), organizations at greatest risk right now include critical infrastructure, banks and other financial services firms, and of course key service providers in Ukraine or Russia.

Spill-over to other businesses is more likely with cyber conflict, however, particularly given Russia is one of the most advanced and aggressive nation-state cyber threat actors—remember the crippling global attack known as NotPetya that upended supply chains in 2017 resulted from a Russian cyberattack on Ukraine. That is not to say that there is necessarily cause for panic, simply that the effects of cyber conflict can be unexpected, widespread and potentially severe.

At this point, for most companies that are not in a high-risk position as a direct result of the war, the best course of action for risk professionals is to focus on ensuring your company has an updated and detailed incident response plan on hand and distributing it to relevant members of the organization, reviewing and potentially strengthening your general cybersecurity posture, and reminding employees about cyber hygiene.

For example, given the tragic events and breaking developments around the conflict, many may be glued to news or social media. Unfortunately malicious actors are known to take advantage of such situations by posting phishing links on social media with alleged news updates or email scams that purport to collect charity donations. Remind employees about these perils and offer refreshers on how to spot phishing scams and the need to exercise caution with links in emails or on social media.

“In addition to taking a fresh look at plans and other policies within an organization’s cybersecurity risk framework, businesses should consider a few common-sense tips to prepare for a potential cyber incident,” advised Annmarie Giblin, partner at Hinshaw & Culbertson and leader of the firm’s data privacy and cybersecurity practice. Giblin recommended risk professionals take the following steps to boost cyberrisk management efforts right now:

  1. Print out a hard copy of any necessary polices and plans, like the cyber incident response plan, the business’ cyber insurance policy and a contact list for the organization, so you have them available in the event you cannot access your system and need to communicate with employees through alternative methods.
  2. Remind your employees about common cyber scams and reiterate that there will be no retaliation for reporting a cybersecurity mistake, such as clicking on a bad link.
  3. Have key members of the executive team and incident response team set up a secure but alternate method of communication, such as sharing phone numbers or creating a different off system email address to communicate in the event the business’ systems are not available or not trusted.
  4. Keep track of the latest threats and get the research over to your IT team so they can update your firewall, and/or contact the business’ security services provider and make sure they are aware of and addressing these new malware strains.
  5. Evaluate and if possible, test your business continuity plans. Organizations should be asking themselves, “What does the work day look like without access to the business’ systems?” and “How can we still work without any technology support?”

Cyber insurance firm Coalition has put together a guide to basic cybersecurity measures to help organizations—policyholders and otherwise—proactively manage cyberrisk and reduce the likelihood of a cybersecurity incident. The guide provides 10 key steps to help improve cyberrisk management, highlighting the basics of each mitigation measure, tips on how to implement, and even some vendor suggestions for credible options, if desired. Coalition notes this may be particularly helpful for small and mid-sized businesses that do not necessarily have dedicated in-house information security experts, but it could also be worth a look for any risk professional who wants an overview of mitigations that should be in place or ways to fill those gaps. Check it out here: https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2020-12-2021-Coalition-Cybersecurity-Guide.pdf

For more resources on cyberrisk management best practices, cyber incident response, cyber insurance considerations, and more, check out Risk Management Magazine’s extensive cyber coverage here. Some of the highlights below can help address key concerns that you—or your board—may have right now, and offer actionable strategies to strengthen your cyberrisk readiness and boost employee cyber hygiene:

Texas Cold Crisis: Insurance Options for Severe Weather Disruption

On February 15, a massive and unseasonal storm with frigid temperatures spiked the demand for power and outpaced the supply, severing power to 26 million Texans. Unpredictable weather patterns present risks for business owners, but also create an opportunity to improve their risk mitigation strategies to address future uncertainties. 

Power outages are not caused by storms alone. Heat waves, hurricanes and wildfires can also create power outages—and outages are more common than business leaders may think. S&C’s 2018 Commercial and Industrial Power Reliability Report found that one in four businesses experience at least one power outage per month. The Department of Energy estimates that these outages cost companies $150 million per year. Although companies may face spoilage-related losses, data centers often experience the most severe consequences. When a data center goes down, it can impact a business’s most vital proprietary assets. According to a Ponemon Institute study, the cost of an unplanned data center outage is $5,600 per minute with an average recovery time of 119 minutes resulting in a loss over $690,000.

The cost for businesses goes beyond damage. Litigation tends to run rampant, and with the recent Texas power outages, businesses are already facing lawsuits. The family of an 11-year-old boy who died of hypothermia is suing energy company Entergy and grid operator Electric Reliability Company of Texas. Multiple wrongful death lawsuits are predicted from incidents including carbon monoxide poisonings, house fires and shelter closings.

A range of insurance options can help businesses protect themselves from complex, evolving and completely unpredictable risks such as natural disasters and climate change.

Property insurance protects the building and physical assets like equipment, supplies, inventory, fixtures and computers. However, property insurance may not provide all the coverage needed. Exclusions like floods, sink holes, earthquakes, terror incidents, and chemical, nuclear, biological and environmental events are likely not covered. An unexpected policy exclusion can be devastating and result in a claim being denied, leaving business owners and leaders feeling helpless and infuriated.

Business interruption insurance is helpful but may not be enough. Typically, when damage obstructs business operations, it is covered by property insurance, and business interruption insurance covers losses from interruption. However, a natural disaster can create a perfect storm, so to speak. For example, if an establishment is forced to close due to lack of power, there can be a denial of claims. Business owners may be able to have property repaired, but cannot recoup the lost revenue through insurance.

Another option for businesses is to choose captive insurance and own their own insurance company. This establishes a more robust approach to risk management, and enables the business or business owner to own a profitable second business. This can help lower commercial insurance costs, build up assets and loss reserves, enhance critically needed cash flow and liquidity, and help prevent losses from hollowing out the total business entity. Importantly, successful captive insurance companies are filled with liquid assets that back the reserves for potential future losses, owned by the business or business owner. Liquid assets are often more desirable than durable assets that depreciate and may be difficult to sell. Finally, a captive insurance company is a regulated entity.

A captive primarily insures its parent company or related companies, so the parent company can purchase insurance from its wholly owned captive. Such purchases may replace all, or a portion, of its commercial insurance. Additionally, risks that are unable to be insured, are cost prohibitive, or are underinsured in the commercial insurance market can be placed in the captive insurance company. The captive can also insure gaps in third-party commercial insurance policies.

Benefits of Captives in Natural Disasters

While businesses with claims for property insurance or business interruption coverage are denied, a business with a captive insurance company would not face exclusions that leave them vulnerable. Since a captive insurance policy can be written to be broad and robust, it has more triggers than third-party commercial insurance, sos an event may covered where business interruption might not provide coverage.

Captive insurance also serves as a valuable financial strategy. When captives build up loss reserves, backed by corresponding assets, those assets are available for dealing with a catastrophic event. When a business has to restart or relocate their operations, assets are readily available to help it navigate the challenges and pursue big changes. The business owner can use the asset buildup in successfully managed captive insurance companies to help grow the business by funding acquisitions, growth strategies and enhanced risk mitigation strategies via a dividend from the captive insurance company to the business owner.

Before another crisis strikes, businesses should review insurance policies, determine whether current policies offer adequate coverage, and determine if a captive will help them face the next worst-case scenario.

RIMS Virtual Advocacy Week: A Q&A with Florida Insurance Commissioner David Altmaier

Today, RIMS is taking its annual Legislative Summit online, kicking off the first RIMS Virtual Advocacy Week. Featuring a full slate of networking, a panel on pandemic insurance, updates on the 2020 U.S. elections, and hands-on advocacy with members of Congress, RIMS Virtual Advocacy Week is still open for last-minute registrations, if you want to join in on the action.

On Wednesday, September 16, the agenda includes a fireside chat with Florida Insurance Commissioner David Altmaier, who is also president-elect of the National Association of Insurance Commissioners (NAIC). Commissioner Altmaier has held the position for four years and has been with the Florida Office of Insurance Regulation office for nearly 12.

Altmaier recently appeared on RIMScast to discuss the issues he will address in Wednesday’s session, most notably the impact COVID-19 has had on the landscape of business interruption coverage. Check out the highlights below, and download the episode for Commissioner Altmaier’s full interview and a deeper dive into other topics such as ORSA reports, the Terrorism Risk Insurance Act (TRIA) and the National Flood Insurance Program (NFIP).

What playbook did you use to prepare and react to COVID-19?

David Altmaier:  Our response initially looked a lot like what we would do for an inbound hurricane: We assembled what we call our “incident management team,” and started to look at the types of needs of consumers from an insurance standpoint. We put into place mechanisms that we thought would be helpful as the pandemic began to take hold in Florida and around the United States. And we saw insurance commissioners around the country doing the same thing, obviously, as the pandemic unfolded and we started to see other risks and concerns emerge.

COVID-19 has been at the forefront of all of our regulatory discussions going back to March of this year. and that will continue to be at the forefront of our discussions even after the pandemic has concluded.

Business interruption insurance is closely tied to it and has emerged as one of the more pressing insurance issues as a result of the pandemic. We have seen issues like telemedicine and catastrophe response in a virtual setting, for example, also come up as a result. [That has] impacted how we go to work every day and how we interact with our stakeholders, and I think those will be some worthy discussion topics as well.

How can the risk management community drive meaningful change in regulations, policies and legislation?

DA: As discussions take place about an event that we haven’t seen in a really long time, like a pandemic, there will be a lot of ideas that come up in terms of how to react to the current pandemic, as well as how to prepare for future pandemics. And I think that, as we have those conversations, there’s going to be a multitude of stakeholders whose viewpoints are important.

Risk managers are certainly going to be at the top of that list because they are going to understand the risks that the insurance industry faces. We see ideas of what level of responsibility the insurance industry [should have] in terms of covering things like business interruption insurance. Their expertise will be invaluable as we begin to work with state and federal leaders in crafting policies that can assist with the current pandemic, as well as future pandemics.

Own Risk and Solvency Assessment, or ORSA, is a framework heralded by the NAIC. Why should risk and insurance professionals look to ORSA reports for guidance?

DA: ORSA reflects how our insurance market, along with other majors of our economy, evolves over time and responds to new and emerging risks. It’s a constantly changing environment that regulators are trying to evolve along with, and our teams here in the insurance departments are trying to make sure that we stay ahead of the curve in terms of identifying those emerging risks.

The ORSA report is a glimpse into the thought process for our larger companies and groups into the boardroom and into the C-suites. [It features] theories on their own risk and how their unique position in the marketplace might expose them […] and require them to take steps to mitigate those risks. It’s a really critical piece of information for regulators to have as we build our own supervisory plans, going forward. Obviously, the pandemic that has occurred—like with any catastrophe—potentially highlights things that may have previously not been considered.

Let’s talk about force majeure. The pandemic has inspired new legislation to be drafted that affects the language of insurance policies in an effort to cover interruption. Where does the NAIC stand on that?

DA: NAIC sent feedback to Congress early on, in early to mid-March, with our thoughts that requiring carriers to cover losses that weren’t previously contemplated under the policy forms could do a lot more long-term harm than short-term good.

We have seen some state houses file state legislation that would be similar, in that it would require carriers to cover business interruption losses even if the policy forms didn’t contemplate that. We’ve sort of left it to individual insurance commissioners in those states to work with their legislatures on what’s best for their market.