What we will cover. Best Practices in Insurance and Risk Management. This session driven by pub revision. Publication goals:

Size: px

Start display at page:

Download "What we will cover. Best Practices in Insurance and Risk Management. This session driven by pub revision. Publication goals:"

Brook Daniel
5 years ago
Views:

1 Best Practices in Insurance and Risk Management A Report on the Industry Insurance Research Project Jim Booth, Brightstone Consulting & Brightstone Insurance Bryan Paulozzi, Brightstone Insurance Services What we will cover Best Practices Property Coverage Comm Gen Liability Auto Worker s Compensation Warehouseman s Legal E&O and Privacy Other Insurance Survey Results Respondent demographics Policy comprehension Key concerns Coverage gaps Claims experience Common coverage General expense % This session driven by pub revision Publication goals: Ins. and Risk Transfer Guideline created in 2000 by Jane Bindas Was not revised to keep up with changes PRISM granted permission for BIS/BCS to provide a free revision of publication July Sept., 2012 Calls to PRISM members to collect policy samples Sept. Nov., 2012 Survey sent to all PRISM members with reminders Publication drafted and edited Dec., 2012 delivered to PRISM for review Create more comprehensive reference document for industry insurance Update document to recognize risks that have emerged in the last 12 years Establish some industry benchmarks Increase risk awareness and education among operators Finding #1 Classification NAICS/SIC classifications were many and varied Warehousing may no longer be accurate for multiple service line business Business Services NOC may not be accepted by underwriters Libraries & archives is accurate but inadequate Better classification needed Finding #2 Policy comprehension 45% have read policies and believe they understand them 28% have read their policies and understand them very well 1 in 4 respondents either had not read or did not understand their policies

2 Who responded? 16 policy samples & 36 survey responses

3 Who responded services offered

4 Who responded subcontracted svcs

5 Who responded Revenue range

6 Who responded # Facilities

7 Who responded Vehicles

8 Who responded Employee #

9 Greatest insurable risk concern Data breach 57% Fire 28% Natural catastrophe (storm, flood) 14% Transportation related losses 14% General liability 10% Perceived coverage gaps More than half were satisfied with coverage Items mentioned by those not satisfied: General Liability Rack collapsing Data breach Bonding/employee crime insurance Property of others issues Excess Valuation Business revenue replacement for annuity businesses Lack of agent industry familiarity in some markets Claims: 72% had no claims We had a breach and are still in litigation. The insurance company did not offer the insurance we needed and told them we needed before the breach but denies that fact Customers who were not insured did not understand that and put pressure on us to pay for the recovery of records. Insurers tried to limit the insured value by dividing it by a number of boxes rather than accepting a total insured value. Data Breach Coverage 54.8% of respondents have no data breach coverage 45.2% identified coverage as follows: Employee fidelity bonds Errors and Omissions insurance Public liability insurance (GL) Network security liability and Professional liability Business management and indemnity Storage off premises, fidelity bonding, transit property coverage and legal defense Roundtable discussions What is the most confusing thing you are dealing with regarding insurance policies and coverage? What is the insurable risk that keeps you awake at night? What efforts are you making to mitigate risks through operations, contracts or other noninsurance areas? Best practices discussion Property Coverage Comm Gen Liability Auto Worker s Compensation Warehouseman s Legal E&O and Privacy Other

10 Types of insurance carried

11 Ins. Policy costs as % of gross revenue Property CGL Auto Comp < > 3 Uncat.

Questions? Jim Booth cell: 919 696 7754 jbooth@brightstoneconsulting.com www.

12 Questions? Jim Booth cell: Bryan Paulozzi cell:

Getting to Know E & O Jim Booth, Brightstone Insurance Services and Brightstone Consulting Services At one time, information management liability risk was fairly limited. Those days are long gone.

13 Getting to Know E & O Jim Booth, Brightstone Insurance Services and Brightstone Consulting Services At one time, information management liability risk was fairly limited. Those days are long gone. The greatest liability risk now facing information management companies is a data breach. According to a 2011 Ponemon Institute Report, the cost of a data breach climbed to $214 per compromised record (Ponemon Institute, LLC, 2012). Each incident averaged $7.2 million. A small business may not survive an incident of this magnitude and must protect itself in some other way. That is the purpose of a well-written errors and omissions (E & O) insurance policy. E & O insurance is also known as professional liability insurance. It is a specialized insurance product designed to protect an operator from specific liabilities associated with the services they perform. Most persons are familiar with medical malpractice insurance, which is a form of professional liability insurance. E & O is not meant to replace the other casualty insurance policies an operator may have, such as general liability or auto liability, but rather protect against a different set of exposures, for example, protecting you from the hazards of a data breach. Selecting the Right Product To make an intelligent decision regarding E & O insurance, it is necessary to engage in a bit of education. The fundamental questions in insurance do not change a decision must be made based on what you want to insure, the hazards you are insuring against, and the flexibility of coverage application in a claim scenario. In the case of E & O, the fundamental concern is the preservation and protection of your business. Regardless of the services performed, a substantial claim could exceed your capability to satisfy the claim. If that happens, your business is in great jeopardy. Commercial information management companies seek additional insurance protection like E & O to mitigate losses due to data breach incidents. A significant breach can multiply losses across a range of categories. Cost of legal defense is a component of most policies, and provides payment of legal defense costs to defend your business against claims. Policy holders are generally offered a choice between a duty to defend (an insurer s obligation to provide defense against claims made under a liability policy) or reimbursement of defense costs. Depending upon the policy selected, other types of coverage associated with E & O may include the payment of fines or penalties, reimbursement for notification costs and credit monitoring, and business interruption and extra expense costs associated with restoring network operations. Coverage is not limited to just these areas. Additional hazards might include funds transfer fraud, e-commerce extortion attempts, computer program and data-restoration expenses, crisis management event expenses, computer fraud, and communications and media liability. Exclusions are an important consideration when selecting the appropriate policy. E & O is liability coverage; some exclusions may be in place because there are (or should be) other liability policies that already cover losses of that nature. For example, if one of your delivery vehicles is backing out of a dock area and destroys an ornamental pillar on the client s property, E & O would not cover this type of loss, even though it occurred as you were providing services. Why? This is already covered in a commercial auto liability policy. The same would be true for a client who slips and falls when reviewing records in your viewing room. The general liability policy is in place to cover losses of this nature. Policies should always be reviewed carefully, especially when exclusions are concerned. In some cases, a carrier may exclude a vital coverage, such as fines for regulatory violations, and reinsert the coverage later in the policy under endorsements. Here is an example of an exclusion from an actual policy specimen: any action brought by or on behalf of the Federal Trade Commission (FTC), Federal Communications Commission (FCC), or any other federal, state, or local government agency or other licensing organizations in such entity s regulatory, quasiregulatory or official capacity, function, or duty. Because some data breach actions may be pursued by the FTC, an interpretation of that language in isolation would lead a policy holder to believe that breaches involving the FTC would be excluded from coverage. However, in the endorsements section of the same policy specimen, language appears along with the instruction that the previous language is deleted and replaced as follows: any action brought by or on behalf of the FTC, FCC, or any other federal, state, or local government agency or other licensing organizations in such entity s regulatory, quasiregulatory, or official capacity, function, or duty other than is expressly covered hereunder as a result of a breach of privacy regulations. 12 PRISM International

14 One additional consideration when selecting E & O coverage is the issue of claims. All policies dealing with liability are designed to pay someone else in the event of a loss. Some events may require a rapid response to control costs and maintain client goodwill. In response to this need, there are some E & O carriers that provide first-party coverage. This type of coverage pays you in the event of a loss, so that you can act in coordination with the client and insurance carrier to respond to a situation that could quickly spiral out of control. A data breach incident is a prime example. With no involvement in the investigation or notification process, the client may perceive a lack of concern or responsibility on your part. Firstparty coverage provides a means to engage immediately during the initial stages of a breach event and keep everything under control, especially cost and client relationships! How can you know for sure whether you have coverage in a certain situation? You must read the policy carefully! Before coverage is bound you should ask to be provided a copy of the policy. Taking the time to read the policy completely is absolutely essential. Insuring agreements are contracts. You would not sign a contract without reading it, and you should not bind insurance coverage without reading the policy and making a determination that the risks you intended to cover in the policy are actually included in the policy document. As much as you may like and trust your insurance broker, you must never rely on his or her opinion. Insurance is a personal contract between you and the carrier and you must make sure your interests are adequately protected by conducting your own careful review. Careful reviews of this type require enough time to assess, study, consult, and revise. It is helpful to budget at least 90 days into the renewal or quotation process to make sure you have adequate time to carry out these important activities. As to the question of how much insurance is the right amount, the data from Ponemon and other sources help define the extent of a possible loss. When considering those costs, the selection of a limit can be made based on the individual organization s appetite for risk. By having an in-depth conversation with your insurance broker and others who are central to the protection of your business s welfare, such as your attorney and accountant, you can make a more informed insurance decision regarding limits. Operational Mitigation of Risk Some service activities lend themselves to claims that would be made under an E & O policy. Any activity involving the transportation, transfer, or storage of sensitive information is a key area for information management professionals. The use of subcontractors is another. In conducting a self-assessment focused on mitigating risk, it is instructive to use questions asked by insurers as a guide. Their actuarial methods have identified areas likely to generate claims and, by inference, operational steps that could be taken to prevent or reduce risks inherent in providing professional services. Here are seven key areas of focus to help mitigate internal risk and improve business operations. Encryption Perhaps no technology holds greater promise for mitigating the effects of a data breach than encryption. Where the Health Insurance Portability and Accountability Act (HIPAA) is concerned, a breach event is not deemed to have occurred if data have been encrypted to applicable National Institute of Standards Technology standards. In the information management industry, it is most common to think of encryption 7 Keys to Mitigate Internal Risk Encryption Contract Language Policies IT System Review Employee Training Disaster Recovery Planning and Testing Loss History as it relates to data tapes. The insurance perspective is much broader. Common questions regarding encryption involve not only removable media but also server encryption, encryption of data transmission, encryption of data on work stations (especially laptops), wireless network encryption, and encryption of data on portable devices. Clients should also be encrypting materials before they send them off site. Technologies such as self-encrypting drives have greatly reduced the cost of implementation. Encryption should be addressed whenever you are selling data protection services or structuring contracts. Contract Language PRISM International members have long been familiar with terms found in the Standard Storage and Service Agreement, particularly language dealing with the limitation of liability. There has been some concern expressed by legal professionals as to whether the combined use of a contract and work order constitute a complete warehouse s receipt and whether the lack of a warehouse s receipt invalidates other provisions of the Uniform Commercial Code (UCC). This is a matter to take up with your attorney if it remains a concern for you. Insurance carriers who write E & O policies are very interested in several aspects of client contracts, such as whether indemnification language in your contract favors you or the client. Review contract language to make sure your services and payment terms are well-defined (which in most cases would be a function of the Schedule A and may involve defining some terms to remove any type of ambiguity). There are also risks associated with subcontractors, specifically whether you have contracts in place with subcontractors and whether subcontractors are required to indemnify you. Policies Effective policies are a key area of focus for underwriters. Privacy policies are especially critical, including whether such policies were drafted by an attorney, whether they appear on your website, and how often they are reviewed. Policies regarding the handling of third-party information, records retention and disposition, and the disposal of equipment that may contain sensitive data are central to the information management industry. Policies and procedures dealing with employee termination are a point of focus, especially when immediate removal of access to networks and facilities is concerned. If coverage is to be bound in areas like cyberliability, there will also be many questions related to website content, content ownership, copyright and trademark issues, and policies regarding framing and linking of content. A number of policies and procedures are driven by compliance efforts within 14 PRISM International

the organization. As a result, underwriters may inquire about whether policies have been reviewed against applicable laws, rules, and regulations and are compliant.

15 the organization. As a result, underwriters may inquire about whether policies have been reviewed against applicable laws, rules, and regulations and are compliant. IT System Review Vulnerabilities within IT systems account for the majority of data breaches around the world. Verizon s 2012 Data Breach Investigations Report (Verizon RISK Team, 2012) confirmed that 98% of data breaches originated outside the organization, with fewer than 1% originating with business partners. In the same report, it was reported that 81% of breaches were a result of some form of hacking, and 96% of hacks were judged as being not highly difficult. The report also found that 94% of all data compromised involved servers, and 85% of breaches took weeks or more to discover. It is no wonder that insurance carriers remain intensely interested in IT systems. Firewall technology, antivirus software, intrusion detection software, password policies, and internal and external verifications of system integrity through audit are ways to mitigate potential risk. Policies and procedures requiring software updates as soon as they are available helps reduce risk because updates may correct previous vulnerabilities or protect software against new threats. In addition, other external and regulatory audits often appear on applications particularly related to Payment Card Industry Data Security Standard (PCI DSS) audit and certification, HIPAArelated audit and certification, and Gramm Leach Bliley (GLB) audit and certification. The Verizon report underscores the importance of these external audits. The report states that 96% of victims subject to PCI DSS had not achieved compliance. Employee Training Training employees in areas like safe information handling procedures, compliance-related requirements inherent in HIPAA, and IT policies and procedures is one of the best strategies for preventing losses and claims. This includes maintaining confidentiality agreements with employees and enforcing compliance. Some insurers also request that the person within the organization responsible for computer security is identified by name and title. If no such person exists within your organization, a strategy to develop such a role should be a priority. Disaster Recovery Planning and Testing Because E & O coverage can include areas like crisis management, data restoration, and business interruption, having a fully formed disaster recovery plan, business continuity plan, and incident management plan become focus points. This will cover some very familiar territory, like off-site data protection services and hot-site contracting for emergency off-site restoration of operations. There will also be divergence in the purpose of some of these plans: a data breach is not necessarily a disaster but will certainly be an incident that requires an effective response strategy. In recent years, some clients have included a request that elements of, or, in some cases, complete disaster recovery/business continuity/incident response plans be included as a part of the bid submission. Taking the time to create these documents may provide a sales advantage over competitors who have not engaged in this type of exercise. Of course, a plan is only helpful if it works. All plans should be tested on a periodic basis, improved whenever possible, and updated frequently. Tests may include other employee safety or emergency equipment testing as well. Loss History This may seem obvious, but a failure to respond appropriately to a prior loss can leave a business vulnerable to both the vagaries of the marketplace and the negative responses of underwriters who may not have an appetite for extending coverage to organizations that do not appear to have learned from their mistakes. If you have experienced an incident that was (or would have been) covered by E & O insurance, it is important to identify the points of risk and vulnerability and work to minimize those risks. These questions will be asked on any E & O application. That should be reason enough to perform an assessment and adjust operations, policies, and procedures. Probably a more important and long-lasting reason to engage in this type of response strategy is to become a better business. These efforts can become the seed for overall quality improvements and may boost employee morale at a time when it will probably be stretched thin. So what would occur in the case of a loss? The most important thing to remember in an insurance context is to contact your insurance agent immediately! After claim forms are completed, the matter is assigned to an attorney, and the insurance company takes over from there. In the case of thirdparty coverage, which is more typical of standard policies, the insurance company reacts to the client s claims when they are made. This could take some time because costs may not be known for a while. In the case of first-party coverage, the insurance company acts immediately on your behalf to assist with notification, credit monitoring, and other critical steps that must be taken to comply with breach notification laws. A Vital Tool E & O insurance is a vitally important risk mitigation tool that helps protect your business in an environment of increasing risk. This type of insurance is fundamentally different than other types of liability insurance and is critically important to organizations that have exposure through the transfer and storage of third-party information. Although E & O is vital, it should not represent the only strategy to mitigate risk. Implementation of strong encryption technology across the enterprise, IT vulnerability audits, policy development, employee training, strong contract terms, and reassessment of lessons learned from previous losses are all strategies that can be employed to protect your business. F References Ponemon Institute LLC. (2012 March) cost of data breach study: United States. Retrieved October 16, 2012, from www. symantec.com/content/en/us/about/media/pdfs/b-ponemon cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide CODB_US. Verizon RISK Team. (2012) data breach investigations report. Retrieved October 16, 2012, from About the Author Jim Booth is the records and information management practice group leader for Brightstone Insurance and is a principal with Brightstone Consulting Services. He can be reached by at jbooth@brightstoneins.com. 16 PRISM International

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE As many of you know, Gramm-Leach-Bliley requires "financial institutions" to establish and implement a Safeguard Rule Compliance