Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs December 2010


Page 1: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

December 2010

Page 2: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Marsh 2

The Changing Face of the World and Risk Management

1970's 2010


Page 4: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

The Changing Face of the World and Risk Management

1970's 2010

$4 $82


Page 6: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

The Changing Face of the World and Risk Management

1970's 2010

• Auto
• General Liability
• Property
• Workers Comp
• Directors & Officers
• Terrorism
• Products Liability
• Environmental Risk
• Technology
• Pandemic
• Identity Theft
• Cyber Risk
• Emergency Response Planning
• Human Capital Risk
• Employment Practices
• Credit Risk
• Political Risk
• Intellectual Property
• ERM


Page 9: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Risk Transfer Spectrum

Page 10: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Property Insurance Coverage and Services

Property Damage (PD)

• Building
• Builders Risk
• Contents
• Stock
• Property of Others
• Installment Sales
• Leased Equipment
• Underground Property
• Docks or Wharves
• Dams or Dikes
• Defense Costs
• Debris Removal
• Demolition Increase Cost of Construction
• Pollution
• Expediting Expenses
• Fire Extinguishing Expenses
• Exhibits
• Brands and Trademarks
• Pairs or Sets
• Loss Adjustment Expenses
• Earthquake
• Flood
• Boiler & Machinery
• Consequential Loss
• Transit
• Parcel Post
• EDP Equipment and Media
• Valuable Papers
• Accounts Receivable
• Newly Acquired Property
• Unnamed Locations
• Fine Arts
• Service Interruption - PD
• Vacant Building
• Control of Damaged Merchandise
• Transmissions and Distribution Lines
• Rolling Stock
• Tenants and Neighbors Liability
• Devaluation
• Coinsurance Deficiency
• Tax Liability
• Tax Treatment of Profits
• Computer Virus
• Property Off-site
• Mobile Equipment

Time Element (TE)

• Business Interruption (BI)
• Builders Risk BI
• Soft Costs
• Transit BI
• Ordinary Payroll
• Interdependency Worldwide
• Extended Period of Indemnity
• Extra Expense (EE)
• Research and Development
• Rental Value
• Building Laws
• Contingent BI Worldwide
• Leader BI
• Contingent EE Worldwide
• Leasehold Interest
• Royalties
• Impounded Water
• Civil or Military Authority
• Service Interruption - TE
• Ingress/Egress

Services

• Property Loss Control
• Business Continuity Planning
• Captive Management
• Asset Valuation Services
• Catastrophe Assessment
• Forensic Accounting

Page 11: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Casualty Insurance Coverage

• Automotive Liability
• General Liability
• Products Liability
• Umbrella Liability
• Excess Liability
• Workers Compensation
• Professional Liability (e.g. Medical Malpractice Liability, Accountants Errors and Omissions, Brokers Errors and Omissions)
• Environmental Liability
• Railroad Protective Liability
• Marine Liabilities

Page 12: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Financial (FINPRO) Products Coverage

Directors & Officers (D&O)

Employment Practices Liability (EPLI)

Fiduciary

Crime

Information Security / Cyber Risk

Page 13: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

What Is D&O Insurance?

Definition: The policy protects the directors and officers and the corporation against financial loss caused by litigation brought against an Insured for an alleged Wrongful Act in their respective management capacity.

The policy will pay judgments, settlements and defense costs, subject to the deductible, terms and conditions of the policy.

Page 14: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Claimant Distribution For Public Companies

Source: 2010 NERA

Page 15: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Claimant Distribution for Private Companies

Source: 2010 NERA

[Chart. Data labels: 49%; 16%; 16%; 13%; 6%. Categories: Employees; Shareholders; Customers/Clients/Consumer Groups; Other 3rd Parties; Competitors and Suppliers]

Page 16: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Where are the D&O claims coming from?

A Marsh claims lawyer was involved in helping settle 25% of all securities class action claims in 2009.

Aggressive Regulatory Regime

• SEC Restructuring & Increased Funding
• SEC increasingly aggressive, with more focus on individual accountability
• Expansion of SEC authority via Dodd-Frank
• Aggressive FCPA Enforcement

Rise in Derivative Claims

• Aggressive Plaintiffs Bar
• Increased scrutiny of SLCs
• Increase in judicial scrutiny of Non-Cash derivative settlements
• Plaintiff attorney fees issues

Page 17: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Typical D&O Claim Trigger Events

Restating financial results (Revenue Recognition and accounting for reserves and contingencies are the most common).

Earnings that fail to meet projections/expectations.

Announcement that a product doesn’t work, wasn’t approved, or won’t be ready as planned.

Disclosure of a regulatory investigation into a company’s conduct.

Internal investigation of questionable practices by a current or former officer.

Inadequate disclosure regarding mergers, acquisitions or divestitures. In a merger or acquisition there are two sets of potential shareholder plaintiffs.

Unfair Trade Practices/Antitrust Actions – Competitor claims; regulatory complaints.

Creditor Claims – alleging misrepresentation, inadequate or inaccurate disclosure in financial reporting.

Employment-related Claims – Especially for Not-For-Profit Corporations.

Page 18: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Overview of the D&O Policy

Page 19: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Indemnification

State laws typically provide a basis to allow a company to indemnify persons who are agents of the company if they are acting in good faith, in the interests of the company, and had no knowledge of the illegality of their actions.

– Indemnification may include directors, officers, or employees

Company bylaws typically outline the scope and procedures for indemnification:

– Standard for directors and officers, but may extend to employees.

– Review the bylaws to determine where you stand.

Why a corporation could not or may not indemnify?

– Financial insolvency

– Derivative Claim: claim is brought on behalf of the corporation

– Interpretation of “Good Faith”

Page 20: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Key Coverage Issues

Severability of the Exclusions: “The knowledge of one Insured shall not be imputed to any other Insured for the purpose of determining the applicability of the exclusions…”; Preferable: full severability of coverage for all exclusions, not just the “personal conduct” exclusions.

Severability of the Application and Attachments: “No knowledge or information possessed by any Insured person shall be imputed to any other Insured person to determine whether coverage should be available.”

Non-Rescission Clauses: “In consideration of the premium charged, it is agreed that notwithstanding anything in this policy to the contrary, the insurer shall not be entitled under any circumstances to rescind this policy with respect to Insuring agreement A only.”

“Final Adjudication” versus “In fact” wording: Fraud and Personal Profit exclusion.

Order of Payments Wording: (A/K/A “Priority of Payments” Clause).

Page 21: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Key Coverage Issues

Definition of Claim: Informal and formal investigations; administrative, civil and regulatory proceedings; criminal proceedings; monetary and nonmonetary relief; written demands; target letters.

“Arising out of” vs. “For”: Lead-in wording to the Bodily Injury/Property Damage Exclusion; Pollution Exclusion.

“Failure to Maintain Insurance” Exclusion: delete.

Professional Services and Product Recall Exclusions: Obtain carve-out for shareholder claims.

Page 22: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Limit, Retentions and Premiums Snapshot: Publicly Traded Only

[Charts: limits, retention and premium for three categories labelled $350M, $600M and $950M]

Category $350M $600M $950M

Limits $35,000,000 $40,000,000 $55,000,000

Retention $500,000 $600,000 $750,000

Premium $370,000 $500,000 $570,000

Page 23: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Increased Use of Advanced Analytics

Frequency and Dismissal Rate Based on Varying Market Cap

[Chart: Freq Rate and Dismissal Rate against % away from Current MC]

% away from Current MC: Minus 40% Minus 20% Current MC Plus 20% Plus 40%

Freq Rate 1.80% 1.93% 2.04% 2.14% 2.22%

Dismissal Rate -15.16% 20.58% 37.52% 45.83% 54.06%

Statistical Probability of Securities Class Action = 2.04%

Peer Analysis, Share Data & Financial Relativities

[Chart: Company and Industry compared on Debt to Equity, Price Earning Ratio, Short Interest / Shares Outstanding, Intangible Asset / Asset]

What is D&O insurance meant to protect against?

What is the right amount of D&O insurance coverage?

What tools should I be utilizing to assist in making a decision?

Page 24: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

What is Employment Practices Liability?

Any liability from an actual or alleged “Employment Practices Violation” by an employee, applicant or third party.

Employment Practices Liability (EPL) includes, but is not limited to, allegations of:

– Discrimination
– Harassment (sexual or otherwise)
– Failure to provide equal opportunity of employment
– Wrongful termination
– Retaliation
– Failure to employ or promote
– Negligent evaluation
– Libel, slander, humiliation
– Infliction of emotional distress
– Wrongful failure to provide or enforce corporate policies
– Violation of an employee’s civil rights including:
    Title VII of the Civil Rights Act
    Americans with Disabilities Act (ADA)
    Age Discrimination in Employment Act (ADEA)
    Family and Medical Leave Act (FMLA)
    Equal Pay Act (EPA)

Page 25: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Who is an Insured and What is a Claim?

The company and any employee including past, present, part time, seasonal, and temporary employees, volunteers, and applicants for employment are all insureds.

The definition of “claim” includes:

– A written demand for monetary damages or other redress

– An administrative proceeding

– A lawsuit

– A demand for arbitration or an alternative dispute resolution

– An allegation that the insured harassed or discriminated against a nonemployee of the insured

EPL policies are written on claims made forms

Page 26: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


EPL Hot Topics

Focus on Dukes v. Wal-Mart: If Supreme Court agrees to hear the case and affirms the class certification, it will change the standards for assessment of punitive damages in class actions. Punitive Damages claim of $1B

– Dukes class action claim began with 1 single EEOC charge. Remember to notice your EEOC claims!

Workplace Bullying Legislation is pending in many states now. Employers are encouraged to address that in their Employee Handbooks and EPLI policies.

Misclassification of Employees: US DOL “Misclassification Initiative” targets employers who misclassify their employees as independent contractors rather than employees and will impose sanctions and penalties against those employers. Also, potential exposure for civil and criminal violations of wage and hour related laws.

Continued Increase in Wage and Hour Related Claims: These continue to be excluded under EPLI policies

EEOC Charges:

– 2009: Second highest number of EEOC charges in history and recovered a record high $294M through administrative and enforcement actions

– Notable increases in claims asserting discrimination based on religion, national origin and disability;

– Reasons for Increases: economic conditions, greater access to the EEOC by public, increased awareness of rights by employees, increased diversity and shift in workforce

Page 27: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


EPL Hot Topics

EEOC Areas of Focus in 2010 and beyond:

– Faster and efficient resolution of charges: More aggressive enforcement under the Obama administration, including increased budget

– Systemic Initiative: Continued aggressive litigation strategy employed by EEOC

– Employment Background Screening: Additional resources deployed on cases involving discriminatory use of credit reporting and other employment background check methodology in hiring, termination and other employment related decisions

– Caregiver Discrimination: EEOC has reported an increase in claims by individuals alleging that they have been denied certain conditions of employment because of their status as a caregiver.

– Pregnancy Discrimination Focus

Page 28: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

EPL Claims Environment: EEOC Charge Statistics 2009

[Chart: total charges by year, 2002 to 2009. Data labels: 93,277; 82,792; 79,432; 81,293; 84,442; 95,402; 75,768; 75,428]

[Chart: charges by type (Race, Sex/Gender, Retaliation, Disability, Age, National Origin, Religion, Equal Pay). Data labels: 942; 3,386; 11,134; 22,778; 21,451; 33,613; 28,028; 33,579]

The number for total charges reflects the number of individual charge filings. Because individuals often file charges claiming multiple types of discrimination, the number of total charges for any given fiscal year will be less than the total of the eight types of discrimination listed.

Page 29: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

What is Information Security Risk?

The failure to safeguard confidential information (in any format) or the failure of your network security that results in:

THIRD PARTY

Legal liability to others for computer security and privacy breaches

– Identity theft

– Loss Mitigation Damages

– Card Re-issuance

– Theft / Destruction of Information

– Virus Transmission

Page 30: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

What is Information Security Risk?

The failure to safeguard confidential information (in any format) or the failure of your network security that results in:

FIRST PARTY

Your costs

– Forensic Investigation

– Crisis Management

– Statutory Compliance

– Voluntary Loss Mitigation Services (credit monitoring, ID theft repair)

– Regulatory (defense costs & penalties)

Page 31: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Risk Trends

Legal liability to others for computer security & privacy breaches

– Regulatory changes & enforcement

Failure to safeguard data

Plaintiff actions

– Correlation

– Loss mitigation strategy

– Credit monitoring

Card re-issuance liability

Vendors, service providers & partners errors

Page 32: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Overview of the Current State of the Market: Security & Privacy Insurance

Insurance Marketplace Drivers

– Regulatory activity (nearly as much as actual losses) has driven demand for this coverage, especially for privacy liability with its pre-claim covers for regulatory defense and indemnification for compliance with privacy breach notice statutes.

– 45 States have now enacted their own versions of a privacy breach notification law, creating a patchwork quilt of legislation affecting any commercial entity that collects or stores personally identifiable information.

– Recent multimillion dollar losses in key industry sectors—notably retail, financial institutions, health care, and higher education—have caused insurers to either target them as a class or decline them outright.

Page 33: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Breach Example

January 18, 2010

National Corp Reveals Potential Breach of 1.2 Million Accounts

National Corp., a financial services company based in Radnor, PA disclosed a security vulnerability that may have leaked personal data of 1.2 million customers.

The company revealed the possible data breach in a letter to the attorney general of New Hampshire on January 4. Lawyers for the firm say the breach of the portfolio information systems had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. While the letter did not disclose how the breach happened, it says the unidentified source sent FINRA a username and password that could access the portfolio system. This username and password had apparently been shared among employees of the company and vendors.

Page 34: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Evolution and Insurability of a Data Breach

Item Insurable?

1 Hire forensics investigator Yes

2 Engage outside counsel to determine obligations Yes

3 Engage public relations firm Yes

Page 35: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Evolution and Insurability of a Data Breach

Item Insurable?

3 Hire third party to assist with statutory notification (written notice, phone banks) Yes

4 Offer credit monitoring and identity theft relief services as part of notice Yes

5 Engage outside counsel for defense against lawsuit Yes

Page 36: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Evolution and Insurability of a Data Breach

Item Insurable?

5 Damages resulting from lawsuit(s) Yes

6 Engage outside counsel resulting from regulatory investigation (FTC, State AG) Yes

7 Fines and penalties resulting from regulatory investigation TBD

Page 37: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Example

A financial services provider loses a data tape containing unencrypted customer account data (not credit cards). A class action lawsuit follows, resulting in the following costs:

– Technical Forensics $900,000

– ID Theft Forensics $2,900,000

– Mailing Costs $2,200,000 (includes secondary notification to “class”)

– Call Center $75,000 (most handled in-house)

– Credit Monitoring $2,500,000

– Additional Loss Mitigation $2,500,000

– Outside Attorney Expenses $1,100,000

– Additional Settlement Costs $5,000,000 (including plaintiffs fees)

Total – $16,175,000

Average security breach in 2009 = $6.75M

Page 38: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Actual Paid Claims

Wrongful disclosure of information by employee of credit union who sold information to outsiders:

– Amount paid by insurer for liability claim and first party loss: $1.8 million

Third party computer hacker stole credit card information:

– Amount paid by insurer for liability claim: $5 million (note that this was the primary policy limit—claim eroded excess limits as well)

Third party computer hacker stole passwords by electronic means and used those passwords to gain access to personal information:

– Amount paid by insurer for liability claim (class action): $8 million plus

Employee sold customer data to others:

– Amount paid by insurer for liability claim: $9.1 million

Employee stole and sold information to identity theft ring:

– Amount paid by insurer for notice and liability claim: $2.6 million

Unauthorized access to database resulting from stolen passwords:

– $4.5 million

Insured's employees released proprietary information of the claimant to third parties:

– $715 thousand

Source: AIG

Page 39: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs

Data Breach Event Modeling

Based upon number of records compromised

Number of records compromised 100,000 250,000 500,000 1,000,000

Privacy notification costs $400,000 $1,000,000 $2,000,000 $4,000,000

Call center costs $100,000 $250,000 $500,000 $1,000,000

Credit monitoring cost $1,000,000 $2,500,000 $5,000,000 $10,000,000

ID theft repair $500,000 $1,250,000 $2,500,000 $5,000,000

Total estimated first party costs* $2,000,000 $5,000,000 $10,000,000 $20,000,000

Account / card reissuance liability $600,000 $1,500,000 $3,000,000 $6,000,000

Fraud liability $5,000,000 $12,500,000 $25,000,000 $50,000,000

Total estimated third party liability $5,600,000 $14,000,000 $28,000,000 $56,000,000

Total estimated privacy event $7,600,000 $19,000,000 $38,000,000 $76,000,000

* May be subject to a Privacy Event Cost Sublimit

Assumptions:

• Notification costs - $4 per record
• Call center costs - $5 per call (20 percent expected participation)
• Credit monitoring - $50 per record (20 percent expected participation)
• ID theft repair - $500 per record (1 percent of those monitored experience identity theft)
• Card re-issuance - $6 per record (potential liability to issuers, i.e., banks)
• Fraud liability - $1,000 per record (range is $500 per record to $6,400 average fraud charges - 5 percent experience fraud)
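The slide's cost model written as a parameterised calculation, added here as an example (not part of the original deck). The `id_base` switch, the `sublimit` argument and the function names are assumptions introduced for illustration; the code reproduces the table's totals and goes one step further by evaluating the $500 to $6,400 fraud range the assumptions mention.

```python
"""Breach cost model built from the slide's per-record assumptions (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    # Unit costs in whole dollars and rates in whole percent, as listed on the slide.
    notification: int = 4      # $ per record
    call_cost: int = 5         # $ per call
    call_pct: int = 20         # % of records expected to call
    monitoring: int = 50       # $ per enrolled record
    monitoring_pct: int = 20   # % of records expected to enroll
    id_repair: int = 500       # $ per identity-theft case
    id_theft_pct: int = 1      # % experiencing identity theft
    reissuance: int = 6        # $ per record
    fraud: int = 1000          # $ per fraud case
    fraud_pct: int = 5         # % of records experiencing fraud


def estimate(records, a=Assumptions(), id_base="records", sublimit=None):
    """Return line items and totals for a breach of `records` records.

    id_base="records" applies the 1% identity-theft rate to all records, which
    is what the slide's dollar figures correspond to; id_base="monitored"
    applies it to the monitored population, the literal wording of the
    assumption. `sublimit` is a hypothetical cap on insured first-party costs.
    """
    monitored = records * a.monitoring_pct // 100
    id_population = records if id_base == "records" else monitored
    items = {
        "notification": records * a.notification,
        "call_center": records * a.call_pct // 100 * a.call_cost,
        "credit_monitoring": monitored * a.monitoring,
        "id_theft_repair": id_population * a.id_theft_pct // 100 * a.id_repair,
        "card_reissuance": records * a.reissuance,
        "fraud_liability": records * a.fraud_pct // 100 * a.fraud,
    }
    first = (items["notification"] + items["call_center"]
             + items["credit_monitoring"] + items["id_theft_repair"])
    third = items["card_reissuance"] + items["fraud_liability"]
    insured_first = first if sublimit is None else min(first, sublimit)
    return {**items, "first_party": first, "third_party": third,
            "total": first + third,
            "first_party_above_sublimit": first - insured_first}


def fraud_range(records, a=Assumptions(), low=500, high=6400):
    """Fraud liability at the low and high per-case figures quoted on the slide."""
    cases = records * a.fraud_pct // 100
    return cases * low, cases * high


if __name__ == "__main__":
    for n in (100_000, 250_000, 500_000, 1_000_000):
        e = estimate(n)
        print(f"{n:>9,} records: first party ${e['first_party']:,}, "
              f"third party ${e['third_party']:,}, total ${e['total']:,}")
    print("fraud liability range, 100,000 records:", fraud_range(100_000))
```

Fraud liability dominates the total, so the choice of per-case fraud figure moves the estimate far more than any first-party line item.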


Page 40: Risk Management 101: Changing World / Changing Exposures / Changing Insurance Needs


Thank you!

Questions – Further Discussion

David G. Wilkins, CIC

Managing Director

Marsh

15 West South Temple Suite 700

Salt Lake City Utah, 84101

801-533-3650

Email: [email protected]