Tag Archives: pandemics

Immediate Vault Immediate Access

Using Captives to Insure Against Black Swan Events

Posted on by

Until recently, a global pandemic was, in most people’s minds, little more than a compelling plot to blockbuster films and apocalyptic science-fiction stories. A disease drastically changing the way of life and business operations for people across the globe and inciting wide-spread fear, quarantines and stay-at-home regulations was unthinkable for most beyond the “prepper” community. Now, though, after weeks of lives overturned, hindsight is 20/20 (pun intended). Many business owners and executive teams now agree the threat was obvious. A black swan.

As popularized by finance professor and Wall Street trader Nassim Nicholas Taleb in relation to financial markets, the term “black swan” refers to a rare or low-probability event that deviates from what is normally expected but poses critical threat. The 2008 financial crisis, the 2001 Fukushima nuclear disaster, the 9/11 terrorist attack and the dot-com crash of 2000 are all considered black swan events. We can never know with specificity which particular black swan will come, but we can know with certainty that one eventually will. And, due to their severe consequences, we should therefore consider how to make sure our lives and businesses will be robust against them. 

Insurance for Black Swans

Third-party commercial insurance policies often include business interruption coverage. Business interruption insurance protects against losses sustained due to periods of suspended operation. With COVID-19, many businesses considered non-essential have been forced to close and numerous businesses that are still hanging on have experienced challenges to their revenue streams as a result of coronavirus restrictions. This is where this form of insurance comes into play. However, pandemics are not the only black swans that business interruption insurance would cover. It could also cover losses from unexpected events like natural disasters, cybersecurity attacks, terrorist attacks or fallout from climate change. Also, even if a business’s insurance policy does not cover pandemic disease through business interruption, it is possible that other policies might be triggered due to the chain reaction caused by the black swan, such as:

  • Supply Chain Interruption
  • Loss of Key Customer
  • Subcontractor Default
  • Property (e.g., loss of access to business premises due to quarantines)
  • Catastrophic Risks

However, third-party commercial insurance policies are not always enough. These policies are often riddled with exclusions that prevent coverage during the time it is most needed and can lead to a claim being denied. Commercial insurance for an asymmetrical threat like a black swan event can also be extremely costly or difficult to obtain. And in many cases, coverage is simply unavailable. For example, during the avian flu epidemic, many U.S. insurers added an exclusion to their policies, “Exclusion for Loss Due to Virus or Bacteria” (ISO form COP 01 40 07 06). Similarly, the insurance industry responded to SARS by adding exclusions to preclude coverage for losses triggered by business interruption.

Businesses need to review their insurance policies to identify gaps in coverage. Some may want to consider filling these gaps and strengthening their coverage by supplementing the third-party commercial insurance by pooling their risks in a captive insurance company.

Taking Black Swans Captive

A captive insurance company is a licensed insurance company that is usually owned by a related business or its owner. That company can then insure a wide variety of the related business’s risks—risks likely to be implicated in any black swan event such as supply chain interruption, loss of a key supplier or customer, subcontractor default, bankruptcy of certain counterparties, or losses from governmental actions like forced business suspension or quarantines.

Via reinsurance arrangements, the captive insurance company can then pool its risks with the risks of many unrelated business, usually including those in completely different industries. Some of those businesses and industries will no doubt be the beneficiaries of most any given black swan event.  

For example, some physician practices that specialize in elective surgeries have seen their revenues cut by half overnight due to states prohibiting such procedures in order to preserve medical equipment for use by those fighting COVID-19 on the front lines. But other medical practices have seen their revenues skyrocket as COVID-19 has spiked demand for their services. By risk pooling via a captive insurance company, the claims of those practices that are suffering will therefore be paid in part by those that are prospering. This loss-sharing will allow the former to stay in business and continue covering their costs (such as rent and salaries), thereby making the entire economy more robust. And next time around, the proverbial shoes may just be on the other feet. In some cases captive insurance companies may also receive very favorable tax treatment that also provides additional liquidity during times of crisis. 

Preparing for the Next Black Swan Event

The coronavirus has heightened awareness of the need for both risk management and strategic planning to prevent future crises from negatively impacting company financials and viability. Sadly, not all businesses will remain healthy and viable through this pandemic, and it is too late for those impacted by the coronavirus to insure those particular losses. But business owners and executives can take immediate steps now to prepare for the next black swan, whatever it may be and whenever it may come. 

Spotting Coronavirus-Related Phishing Emails

Posted on by

Amid widespread public concern and constantly evolving news about the COVID-19 pandemic, cybercriminals are finding new fodder for phishing campaigns. With the eagerness for new information about the coronavirus outbreak, distraction during disruption, and the disorienting shift to remote work for many, employees may be particularly susceptible to falling for these schemes right now.

Some of these phishing emails play off companies having employees work from home to launch credential-stealing attacks. Such phishing campaigns may impersonate IT teams or may direct recipients to fake login pages to access work networks or accounts remotely. See the screenshot at right for an example. Email security firm Mimecast’s Threat Intel team reported seeing over 300 examples of such a campaign using a fake OneDrive login.

“We see that threat actors are keeping up with the daily developments concerning the coronavirus,” said Mimecast’s Threat Intel team. “As the pandemic continues to spread and more and more people are made to work from home, we are seeing more phishing emails that are trying to trick users into giving their credentials through a faked login page. Threat actors are actively utilizing this pandemic to attempt to compromise individual’s accounts and organization’s networks. The potential for human error will inevitably increase in the coming weeks and we expect to see more of these phishing attempts in the coming days and weeks.”

Other phishing scams purport to be new updates from government authorities or public health organizations, directing recipients to click malicious links for updates on the spread of the COVID-19 pandemic, new containment measures ordered by governments, or local advisories. Last month, the World Health Organization warned that some criminals were spoofing WHO officials to send fraudulent emails, and Kaspersky Labs reportedly found emails spoofing the CDC asking for Bitcoin donations to help fund a coronavirus vaccine. Some other phishing emails include malicious attachments purporting to be tips for protecting yourself from the coronavirus or maps of the outbreak, for example, but actually contain malware.

“We are living in a heightened time of cyberrisk,” said David Simpson, Virginia Tech professor and former chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau. “Cybercriminals will take advantage of public fear and due diligence health measures to generate coronavirus-themed phishing attacks. We should be aware of unsolicited COVID-19 emails with specious links or attachments.”

To help employees detect these scams, check out the following infographic from Cofense’s Phishing Defense Center for tips on spotting coronavirus-related phishing emails:

Preparing for a Pandemic: Review Business Continuity Plans Amid Coronavirus Outbreak

Posted on by

Organizations worldwide have been reacting to the recent coronavirus outbreak, COVID-19, in a variety of ways, from restricting nonessential employee travel to canceling large events. The possibility of a pandemic has the potential to disrupt workforces, supply chains and economic activity in the months ahead. So, it is with a sense of urgency that prudent organizations review and update their business continuity plans to insure their operational resiliency.

A healthy and available workforce is any organization’s most valuable asset. A pandemic will incapacitate some employees and result in other employees being quarantined. This could result in a major disruption to normal operations, with potentially large numbers of employees working from home or remote locations.

To protect your workforce and help ensure its continued productivity, it is critical to:

  • Establish a strategy that enables employees to continue to function without endangering them.
  • Have a plan to isolate employees should the threat of possible infection arise.
  • Ensure employees can effectively work from home.
  • Verify that you have the tools, technology, capacity, and security measures in place to support a large remote workforce.
  • Review your HR policies to ensure employees will not be personally impacted if they must be quarantined for an extended period and modify any policies as appropriate to give greater flexibility to normal working arrangements. 
  • Determine your priorities and the minimum staffing requirements to support these priorities, in case you need to function with a significantly reduced workforce.
  • Identify key employees and ensure other staff members have received appropriate training to comprehensively cover their absence.
  • Create a communications plan that includes providing employees and other stakeholders with regular situation updates as well as actions taken.

In a global economy, virtually every organization is connected to or dependent upon others. You may not be directly affected by a pandemic, but could be impacted if a vendor at a critical point in your supply chain is. Understanding your dependence on entities outside your organization is critical. Are your critical third parties (e.g., suppliers, vendors and service providers) prepared?

To protect your operations and ensure continuity of services or products to your customers, it is important that you:

  • Map your dependencies to understand where disruptions might impact your value chains.
  • Review the preparedness of your critical third parties (suppliers, vendors, service providers, etc.).
  • Identify single points of failure in your ecosystem.

When assessing the impact of a disruption to your ecosystem, it is important to recognize the amount of time before the actual impact occurs. So, as you review and update your plans, you should also conduct walkthroughs and exercises. This is the best method for identifying gaps in your procedures and will give you the highest chance of successful execution. Active participants will become familiar with the goals and objectives of the plan and begin to use it as guidance rather than a prescriptive list of tasks to be followed without applying rational thought. Practicing the execution of your plan ensures all necessary parties understand their roles and responsibilities.

During preparedness reviews, you should also assess the tools used to maintain relevant information and assist in executing your plans. Old technologies and obsolete tools will put successful execution of even the best plans at risk. Identify any deficiencies in the tools available and create a comprehensive list of requirements that will enhance your ability to execute. The sooner you begin to upgrade your tool set, the sooner you will be able to reduce execution risk.

An organization’s ability to effectively respond to a disruption of its workforce or a critical third-party not only depends on how effective you were in the planning process, but also how effective you were with the tools you have and the training you implemented. The tools you use to communicate, maintain situational awareness, and provide current and accurate information will also have a major impact on the execution of the plan.

Managing Coronavirus Business Interruptions

Posted on by

The novel coronavirus 2019-nCoV, now called COVID-19, has continued to spread through China and beyond, with more than 1,800 deaths reported as of this writing. The virus’s spread has also had major impacts on business operations around the world, slowing or shuttering international companies’ operations in China and prompting travel restrictions and evacuations.

Businesses around the world are taking travel precautions and creating or updating existing response plans to address these risks. Dr. Adrian Hyzler, chief medical officer of healthcare, assistance and risk management company Healix, told the RIMScast podcast that “Companies have to think on their feet and have crisis meetings, twice, sometimes three times a week just to try and keep up with the changes in government regulations and what they have to do to try and manage the situation.”

But companies may not be able to manage all of the issues resulting from COVID-19-related business interruptions, and some may even fail to fulfill their contractual obligations because of supply chain complications, risking severe penalties. If this occurs, companies throughout the supply chain have options for protecting themselves or recovering from lost business.

If contracts allow, companies may attempt to invoke force majeur clauses, which, according to international law firm Reed Smith, “excuse a party’s performance of a contract if an unforeseen event beyond its control prevents performance.” To prepare for these complications, Reed Smith recommends that companies:

  • review their contracts to determine what, if any, rights and remedies they have as a result of the delayed performance of contracts due to force majeure; 
  • provide timely notice of a force majeure event; 
  • prepare for potential litigation concerning failure-to-supply issues and the application of force majeure clauses, including by taking (and documenting) reasonable steps to mitigate the impact of the novel coronavirus; 
  • update form force majeure clauses to take into account, to the extent possible, modern risks to contractual performance, including diseases, epidemics or quarantines.

Reed Smith also noted that if a company intends use a force majeur clause to avoid financial penalties for business interruptions as a result of COVID-19, they should “take (and document) reasonable steps to mitigate the impact of the novel coronavirus. While these steps may prove futile, they are essential predicates to mounting a valid force majeure defense.”

There may also be insurance options for covering COVID-19-related losses. When speaking with the RIMScast podcast, Reed Smith’s Richard P. Lewis said that depending on a company’s exposures, some options for covering losses include contingent business interruption coverage, event cancellation policy, supply chain insurance or travel insurance. But, Lewis said, “The first big category would be first party insurance. That would be property insurance and more specifically a first party or property insurance policies providing ‘time element coverage’ that is impacted by time, usually known as business income or business interruption insurance.”

Lewis also said while property (like a factory that is shut down after the outbreak) may not have suffered actual physical damage, there could be legal precedent for claiming physical loss or damage “if the building can’t be used for its intended purpose.” Anderson Kill P.C.’s Finley T. Harckham also noted that in case law, people becoming sick on a property will not count as property damage, but contaminants at a property (including pathogens like COVID-19) could qualify.

U.S. companies, Lewis said, will be dealing with “contingent exposures, meaning the property affected is their customers’ or suppliers’ and not their own property.” However, if those companies have their own property, coverage is likely dependent on whether it was “closed by the order of a civil authority because of the actual presence of a virus and not the suspected presence of a virus.” Harckham noted that these restrictions would likely trigger civil authority coverage, which many insurance policies contain.

However companies attempt to cover their losses, Lewis recommended “Just make sure that if if this thing goes to court that you’re able to prove your losses. And that means to document them and to have witnesses who are able to explain what it is you lost and be able to testify at trial with that if it comes to that.”

To hear the full conversations with Hyzler and Lewis, listen to the RIMScast episode “What Risk Professionals Should Know About the Coronoavirus” here.