“Prevention is better than cure.”
- Desiderius Erasmus
We’ve received some attention following the Portland Business Journal’s feature, as well as inquiries about the origin of our Preventive Legal Strategy practice and how it works.
It all began a few years back while serving as in-house counsel for a global product manufacturer. We retained a large law firm to represent the company in a lawsuit involving a recalled product. The lawyers weren’t cheap, with the partner charging over $500 per hour and the associate charging nearly $400 per hour.
Less than a year into the lawsuit, in which we had already spent over $75,000 in lawyer fees, my assistant forwarded the partner a brief list of questions from our insurance broker about the case to assist with upcoming renewals. A week later, we received a multi-page formal report on firm letterhead followed by a $3,000 invoice for this work.
Frustrated by what I deemed to be an unnecessary report and excessive invoice, I called the partner and requested these entries be removed. I viewed them as a value-added service, reminding him of the amounts already paid. I also questioned the business sense in spending several hours on a formal report given its limited purpose. The partner wouldn’t bend, arguing the value of his firm’s time and how it needed to be compensated per the terms of the retainer agreement.
Where was the concern for our value?
Sometimes You Need to Distance Yourself to See Things Clearly
Prior to joining this company, I had been an associate with a private law firm for several years, so I was well-versed in billing hours for my work. My firm, like many other firms, had a strict rule that associates were required to bill at least 2,000 hours per year. Year-end bonuses and opportunities for advancement were largely tied to hitting this figure. Performance was largely inward-focused.
After managing a corporate practice, I finally noticed and began to appreciate the other side of the coin. It felt as though outside firms had been preying on our need for their services, as opposed to focusing outward toward our business success.
After this epiphany, I began reaching out to other in-house colleagues and managers to determine whether they were facing the same struggles with outside law firms. I wasn’t surprised with what I uncovered:
Growing distrust with outside law firms, at times wondering whether services provided were always in the best interests of the company;
Frustration with having to pay increasing hourly rates due to firm bloat and rising overhead, especially when attempting to manage legal spend;
Perception of law firms as not cost-effective on day-to-day inquiries given fears of receiving a large invoice for even minor requests; and
Confusion as to why law firms were only interested in reacting to client problems, as opposed to being proactive with preventive strategies to stay ahead of exposure.
It was clear the traditional law firm model of reactive services and billing hours was not client-facing, and it certainly was not business-forward in its approach.
The Ounce of Prevention
Having practiced on both sides of the fence, this was truly a problem in need of a solution. Fortunately, more nimble legal practices (not anchored by bloat and overhead) were already beginning to disrupt the legal industry by offering specialized services and flexible fee arrangements. This disruption extended to practices dedicated to helping businesses minimize their exposure to risks.
These Preventive Legal Strategy practices specialize in anticipating and reacting to risks before they materialize, providing cost-effective guidance with long-term benefits. When done properly, these practices can assist businesses with:
Improved understanding of risk exposure along primary and support activities;
Developing and implementing proactive strategies to prevent exposure;
Better informed decision-making;
Improved efficiency and reaction time, as well as consistency in application;
Lower contract, claim, litigation and regulatory exposure; and
Better opportunities to recover significant insurance proceeds when necessary.
Like preventive medicine, Preventive Legal Strategy practices help companies stay healthy up front in order to minimize likelihood of “disease” later.
It Works, It Really Works!
Shortly after starting our practice, we were approached by a product manufacturer that had no in-house counsel and a significant annual legal spend. They were in the middle of several lawsuits and couldn’t see a light at the end of the tunnel. They wanted a plan to get out from under the litigation and what seemed like endless invoicing by lawyers and legal strategies they did not fully understand or trust. Because of the competitive market, profit margins were already razor-thin and cash flow was closely monitored.
We sat down with the executive team to explain how a Preventive Legal Strategy practice could be of benefit. For a fixed monthly fee, we would manage all company claims and litigation as well as relations with insurers, help review and prepare enterprise-wide contracts, and further assist with developing and implementing strategies from supply chain operations to human resources to labor relations to procurement. We took the position that no project would be outside the scope of work, and that employees should feel free to call us with any matter. Our primary goal was to be an accessible, business-forward resource.
Ultimately, the manufacturer signed with us. The increasing number of calls and expanded projects since then demonstrate that we’ve become a trusted resource. Cases are being closely managed, keeping litigation budgets within reason. We’ve also helped the company recover millions of dollars in insurance proceeds that may have otherwise been missed due to lack of awareness and strategy.
We include updated time-sheets with our monthly invoices to provide a comparison against the old hourly rates paid, as well on-boarding costs (since we’re really competing with that possibility as well). So far, so good. We’re nearing a year together and it’s safe to say both parties are looking forward to renewal.
Preventive Legal Strategy won’t work for everyone. Many established law firms are too hesitant to adopt more outward-facing models. At KEEFER, we’re fully embracing this new world order. As always, we’re here to help.
“Wouldn’t you prefer a good game of chess?”
- Joshua, WarGames
I know what you’re feeling. You have a significant business loss you think should be covered by your commercial insurance policy. Given the amount you spent on premium at renewal, you’re thinking it had better be covered. You’ve notified the carrier, waited patiently for the investigation to be completed . . . but you still don’t have an answer.
“Enough!” you exclaim after a couple months of waiting, “I’m getting a lawyer!” So you do a Google search and find numerous lawyers willing to represent your business to recover those insurance proceeds, some of which will even do so on a contingency basis. “Perfect!” you say, “We’ll be able to keep litigation costs to a minimum!”
Your new aggressive lawyer sends a demand letter to the insurer, threatening a lawsuit complete with bad faith claims if insurance proceeds are not received within 30 days. The insurer balks so your lawyer files a lawsuit on Day 31 seeking everything but the kitchen sink, including claims for punitive damages to make an example of that no-good insurer. At a minimum, just the possibility of being hit with punitive damages should cause the insurer to curl up into the fetal position and finally pay up, right? “Eeeexcellent!” you cackle in your best Montgomery Burns impression. Just a matter of time now.
And then it happens . . . after two years of litigation you lose the lawsuit and in turn your coverage, after a judge sides with the insurer. Failing to take all pre-lawsuit opportunities to resolve the claim amicably may have lost you the opportunity for coverage. What could you have done differently to avoid this outcome?
WTF is A-OK
There may be understandable reasons for the insurer’s delay. For example, property insurers were hit particularly hard in mid/late 2017 due to natural disasters such as Hurricanes Harvey, Irma and Maria, as well as wildfires in Western states. Resources, such as claims adjusters, have to be triaged and deployed to those major losses at the expense of smaller claims, comparatively speaking. Notwithstanding, it’s perfectly acceptable to ask the insurer “WTF?!!?” Even better, hire a lawyer to assist you with resolving your claim amicably, as a professionally-worded “WTF?!!?” from counsel typically results in quicker engagement by the adjuster.
Continued patience, thoughtful strategy and focus on the ultimate goal—i.e., maximizing insurance recoveries—should take precedence over immediately pushing the nuclear button. Going straight to aggressive overtures and threats will simply result in the claims adjuster handing the matter over to the legal department for further handling. This is especially the case when the nuclear phrase “bad faith” is made, and even more so when that phrase is uttered by your lawyer.
Don't get me wrong, there is a time and place for such hostility, but not until after exhausting every amicable pathway available, and only if you have a solid basis for asserting such a claim (hint: now is not the time to lose credibility). And consider that the insurer’s in-house coverage lawyers may be more inclined to find opportunities to deny coverage outright than the previous claims adjuster, who at the time was interested in negotiating the claim. I know, because I’ve been that coverage lawyer inside the insurance company.
Know Your SOL, or You’ll Be SOL
While tapping into your rejuvenated patience, keep in mind there will be a statute of limitations effectively barring lawsuits filed after that deadline. These statutes can vary, not only by state but also by nature of claim asserted (e.g., contract vs. tort). Make sure to look at your policy, since there will likely be a provision further limiting such deadlines. In fact, many policies require a lawsuit against the insurer to be filed within one year of the inception of loss. Beware, that one-year period could begin to run from the date of the event of loss itself, not the date you discovered that loss.
If a delay by the insurer is running up on one of these deadlines, make sure to ask the insurer for an agreement to toll or extend them while the parties are amicably attempting to resolve the claim. There should be no problem getting this agreement, and absolutely do not wait until after the deadline to take action or else it’s over! Your coverage attorney should be well-versed in tolling agreements and capable to negotiating these with the insurer.
Assuming you have a tolling agreement in place, or otherwise still have several months to spare, it’s time to learn more about the insurer’s investigation, reasonably cooperating as required under the policy. Research cases which could be favorable or adverse to your position and evaluate the respective merits of each other’s positions. Listen and don’t be so quick to go on the offensive. Definitely don’t concede any positions from the insurer that could have adverse consequences later, especially in writing (hint: those will likely become exhibits if a lawsuit is filed). You should also review and consider potential litigation strategies and outcomes . . . just don’t let your insurer know that you are doing so!
By Failing to Prepare, You are Preparing to Fail
At some point, you will get the insurer’s final settlement position. Armed with this information, think about the following:
· Is the insurer willing to pay something now? If so, how much?
· How much will it cost to sue the insurer from a fees and costs standpoint through different stages of litigation (e.g., motion to dismiss, motion for summary judgment, trial, appeal)?
· What are the chances you could lose at each stage?
· What are the chances you could win, including chances of prevailing on a dispositive motion?
· Assuming a win, what is the likely amount of recovery (hint: you are more likely to win contract damages than bad faith tort damages)?
Consider the drain litigation could have on management time and resources, especially during the onerous discovery stage. Consider also the possibility of gaining a reputation as a litigious insured and burning bridges with insurers who tag you as a “problematic risk,” which could harm you upon renewal.
Balancing and evaluating the responses to these inquiries against the settlement opportunity in front of you enables sound business decision-making. And it is certainly less risky than just throwing up your arms, pushing the red button and then hoping you’re not part of the fallout radius. At the end of the analysis, you may find that the insurer has already offered you a best-case scenario from a net standpoint.
The decision to go nuclear should always remain the very last option, and only after all other options have failed and you fully understand the business consequences of doing so. As always, we’re here to help.
“The time to repair the roof is when the sun is shining.”
- John F. Kennedy
If you have business operations in the Hail Belt regions of the United States, pay close attention to the 5th Circuit’s decision earlier this month in Certain Underwriters at Lloyd’s of London v. Lowen Valley View, L.L.C. In that case, a hotel filed a lawsuit against its insurer in the U.S. District Court for the Northern District of Texas for refusing to cover hail-related roof damage under a commercial property insurance policy.
The District Court agreed with the insurer’s argument that: (1) several hail storms had struck the vicinity of the hotel in the years preceding its claim; (2) only one of those storms fell within the relevant coverage period; and (3) the record lacked reliable evidence permitting a jury to determine which of those storms, alone or in combination, damaged the hotel. The 5th Circuit affirmed the ruling, determining the hotel’s engineering report—opining that the subject storm was the “most likely” cause of the damage—was not sufficient.
So Where (or When) Do We Begin?
Many commercial property policies contain provisions that any lawsuit against an insurer must be filed within one year following the “inception of loss,” otherwise it is barred. In other words, the “inception of loss” date starts the one-year clock ticking. The question then becomes, when exactly is that date?
The Wisconsin Supreme Court hit this issue head-on in the case of Borgen v. Economy Preferred Ins. Co. In its 1993 opinion, the Court determined that the phrase “inception of loss” in the context of hail damage rules out an interpretation which could postpone the starting point to the time when the insured discovered or should have discovered the loss. In other words, “inception of loss” means “the date of the specific hail storm,” not “the date I discovered the hail damage.”
There are only a handful of federal and state cases addressing this issue, with the majority of them either Borgen or its Wisconsin progeny. See also Des Longchamps v. Allstate Prop. & Cas. Ins. Co. (“Des Longchamps does not (and, indeed, cannot) deny that the loss to his property began on June 29, 2012 when the derecho’s winds and rain hit Washington D.C. This means that his claimed October hurricane damages are irrelevant (contractually speaking) to the timeliness question.”).
Practical Effect of These Cases Read Together
Let’s say you operate a business in Plano, Texas, and have a commercial property policy with a January 1 renewal date. You’ve noticed some recent leaks over the last week in your eight-year-old roof. Based on this discovery, you enlist a roofing contractor to investigate further. You're advised the roof needs to be replaced due to the existence of hail damage, so you submit a claim to your insurance carrier. Now, consider Plano has had at least 14 significant hail strikes since your roof was installed:
Storm Date Min. Hail Size Range (Max)
4/6/2018 1.50” (up to 2.00”)
4/11/2016 1.50” (up to 2.50”)
3/23/2016 1.25” (up to 2.00”)
8/17/2012 1.00” (up to 1.50”)
6/13/2012 1.75” (up to 3.00”)
Based on Borgen, the relevant “inception of loss” date would be the most recent June 6, 2018 hail storm and each specific storm prior to that. This would mean any claims potentially implicating the April 21, 2017 and earlier events could be time-barred (assuming your prior year policies contain that pesky one-year filing limitation mentioned above). To make matters worse, given the number of equivalent hail strikes over the course of years, you will likely have an uphill battle under Lowen Valley View in attributing the recent 2018 storms to a loss under your current policy.
Even if it were somehow possible to assign each item of roof damage to a particular hailstorm—and further that statute of limitations issues would not limit recovery almost entirely—the number of storms create another problem. With 14 storms occurring over the life of your roof, the insurer could argue in favor of 14 separate occurrences, which in turn would mean having to go through 14 separate deductibles before you ever saw a single dollar of insurance proceeds. Depending on the amount of your deductible, this could mean you won't recover any insurance proceeds even if the claim was somehow covered in principle.
So Now What?
These rulings, read together, put the onus on business owners in the Hail Belt to conduct at least annual roof inspections to determine the existence of any roof damage potentially attributable to a particular insurance policy. It further puts the onus on business owners to understand the claim process, and to absolutely know the deadline for filing a lawsuit.
If you do have a claim and are running up on the deadline, seek an agreement from the insurer to toll (or extend) the deadline while trying to resolve the claim amicably. They shouldn’t have any problem with this, and make sure the agreement is documented (hint: now would be a good time to have discussed the claim and strategies with coverage counsel).
Long story short, be proactive with your property insurance as opposed to reactive. As always, we’re here to help.
We’ve completed our May lecture series through the Oregon State Bar, and are excited to sponsor the upcoming Northwest Electronics Design and Manufacturing Expo in October! This year’s theme is “New Product Introduction and Getting to Market” and Chris will be presenting on managing business interruption and supply chain risks . . . we hope to see you there!
"Let's take extra care to follow the instructions or you'll be put to sleep."
- President Business, The LEGO Movie
Let’s say your company makes products and is sued by a group of individuals claiming they were injured by one of those products.
If you’re like most companies, you would notify your insurance carrier and then hope you have insurance coverage for those lawsuits. Assuming you do, you get a letter from a law firm the insurance company hires for you and then periodically provide information and documents when asked . . . you may even give a deposition if you’re lucky! Otherwise, you stay out of the mix and let this lawyer represent your company’s interests until a letter comes notifying you the case has been settled. No worries, right? WRONG!
Behind the scenes, the insurer is paying the fees for your lawyer (known as “panel counsel” since they are chosen from a panel list acceptable to the insurer). The insurer is also controlling the defense strategy for your company, including when and how to settle the case. Your insurance policy permits the insurer to do this, and also requires your cooperation, so this is perfectly normal. However, if you are not managing this panel counsel, you could find yourself blindsided with higher premiums than expected at renewal.
A Brief Case Study
Let me give you an example based on a matter I recently concluded for a manufacturing client. This company was one of several defendants which had been sued by the estate of an individual who was killed in an accident. Fortunately, this company was insured, so it forwarded the lawsuit to the insurance carrier, which in turn assigned panel counsel to defend the company. So far, so good.
A couple months into the lawsuit, I was called by the head of the company after he received a copy of a 20-page status letter prepared by the panel counsel to the insurer. He was confused since his company had an agreement with a third party supplier, requiring that supplier to accept full responsibility for defense and any damages to the extent of any defect claims involving my client’s products. Given my background and experience with insurers and managing claims and litigation, he wanted me to review and provide guidance.
Here’s where it got dicey . . . panel counsel acknowledged the supply agreement in the report but buried it low in the list of “to-do” action items, recommending instead extensive discovery, at least 20 depositions, retaining and deposing multiple experts and then preparing and filing a couple motions for good measure. To make matters worse, panel counsel opined in the report that our mutual client could be found 15% – 25% liable for the death at trial, and that damages could well exceed $5 million.
Your Panel Counsel Can Adversely Affect Your Premiums
Let me tell you a little bit about how insurance adjusters generally set reserves. When a lawsuit comes in, the adjuster will set defense cost reserves (e.g., attorney fees, discovery costs, experts) based on panel counsel’s recommended strategy. The adjuster will also set loss reserves based on the anticipated settlement or trial value at different mile-markers in the case. Of course, the adjuster relies on panel counsel’s periodic status letters to determine these reserves.
In my client’s case, a reasonable adjuster could have reviewed panel counsel’s 20-page letter and, based on the suggested strategy and exposure, set initial defense cost reserves of at least $50,000 with another $250,000 to $500,000 in loss reserves. This, of course, in addition to the $10,000+ already spent in the initial review and preparation of that 20-page status letter. This was my client’s first claim related to an alleged product defect. Had the adjuster in fact reserved this way, my client’s insurance premiums could have skyrocketed for the upcoming renewal period.
Effectively Managing Panel Counsel
After reviewing the status letter, followed by a brief outburst of expletives, I calmed down and called panel counsel to introduce myself as managing counsel for the case on behalf of the company. We discussed the current strategy and exposure assessment in light of the exculpatory supply agreement. After explaining the harm that could potentially be done to our mutual client at renewal, panel counsel ultimately agreed that the best course would be to immediately tender defense to the third party supplier, performing only necessary discovery items afterward. In the event the supplier balked, it would be sued and we would seek summary judgment given the clear and unambiguous language of the contract.
Having agreed to this new strategy, I requested panel counsel forward the insurance adjuster a status letter downgrading anticipated loss exposure to $0 given indemnity. All of this was set in motion within 24 hours of that phone call, the case was tendered to the third party which was later brought into the case. As a “happily ever after,” the case settled at mediation with nothing paid by my client and minimal defense costs incurred in the interim. At renewal, the insurance premium increased only nominally as a result of the claim . . . things could have been a lot worse.
It's a Team Effort
Don’t get me wrong, the insurer’s relationship with panel counsel is important and necessary, as insurers need to be able to predict outcomes of lawsuits as much as possible in order to make business decisions on behalf of their insured businesses (and themselves!). However, if these lawsuits are not also managed by counsel solely representing the insured’s interests, this dynamic can lead to excessive defense costs, exposure to unnecessary strategies and improper liability and damages assessments. All of this can lead to adverse reserving by the claims adjuster and, ultimately, skyrocketing premiums or worse . . . loss of insurance coverage altogether.
Long story short, don’t simply hand off your case to the insurer and then forget about it. Review status letters before they are sent to the insurer. Understand the litigation strategies being developed and implemented, as well as potential loss exposure. Don't be afraid to question how these things could affect your existing insurance coverage. In sum, manage the case with a critical eye and, if commercially feasible, retain a lawyer looking solely out for your company’s best interests to assist. As always, we’re here to help.
. . . maybe.
This May, Chris Keefer will be presenting a 5-part series through the Oregon State Bar on Insurance for Product Manufacturers. For those of you unable to attend the Lunch and Learn sessions, the courses will be available online as well. Check it out!
“On board were the Twelve: the poet, the physician, the farmer, the scientist, the magician and other so-called gods of our legends.”
- "Atlantis" by Donovan
It is no surprise that companies are aggressively mobilizing to address and combat risks of cyberattack and data breach. According to The Global State of Information Security Survey 2018 from PwC, at least 56% of responding global executives reported having some form of overall information security strategy in place. In a referenced report, PwC highlights the importance of making sure diverse stakeholders are involved in developing and implementing those strategies, including “business, technology and risk management leaders—as well as the CEO and CFO.”
This “it takes a village” perspective not only applies to mitigating internal cyber risks but should also be applied to transferring cyber risks to insurance carriers. This begs the question, “Who should be part of your corporate cyber insurance team?” Here are a few suggestions to help you get the ball rolling:
At least one information technology (IT) representative with knowledge of the enterprise-wide systems used, data storage practices and technology vendors is obviously critical. Such a representative should be able to estimate the number of confidential records being stored that are subject to potential breach and access, which in turn can assist in determining how much insurance you should purchase. This information can also help assess the number of records which could be subject to potential coverage sub-limits which could blindside you if unprepared.
You will want make sure this individual also has a strong grasp of the company’s operational technology (OT) issues as well, especially to the extent of supply chain, logistics and other physical processes vital to corporate success. For example, consider a cyberattack which results in delayed delivery of important production planning information to your primary factory. Along those lines, the IT/OT team member can provide valuable guidance toward insurance considerations such as acceptable business interruption limits and length of waiting periods, further assisting with harmonizing insurance procurement with existing enterprise-wide business continuity strategies (hint, your company should have these in place).
As PwC astutely reports, there is something to be said for including a C-suite representative on the team. The CFO (or perhaps COO) should provide sufficient project visibility and accountability, as well as access to departments and representatives ensuring a thorough investigation prior to pulling the trigger on an insurance carrier and coverage. And the CFO likely has control of the company purse strings, so it's probably a good idea to get this person engaged early for budgeting purposes . . . especially if there could be glaring holes in your cyber insurance program.
Your CFO/COO team member can also be helpful in providing an overview of contracting practices within the company. Keep in mind your company likely has enterprise-wide contracts with suppliers, vendors, distributors, customers and/or clients. Your company may have unwittingly (or wittingly) assumed certain liabilities under these contracts, including liability for losses to these third parties in the event of a cyberattack or data breach involving your system. You need to know what is in these contracts in order to identify and select appropriate cyber insurance carriers, and then tailor your insurance limits, sub-limits and coverage appropriately.
3. Cyber Insurance Broker
A brokerage firm with a well-developed cyber practice should be able to provide effective access to this insurance market. With 60+ cyber insurance carriers offering stand-alone policies, and the cyber landscape still largely underdeveloped with varying policies, there are ample opportunities to identify brokers who can work with your company to access appropriately-capitalized insurers.
A firm with an established cyber presence should also have relationships with underwriters who can provide guidance on opportunities to reduce costly premiums across multiple prospective carriers. For example, if you were one of the 56% of responding executives mentioned above, there should be some level of premium savings for such efforts.
Last, but certainly not least (I’m sure there’s a lawyer joke in there somewhere), you should include on your team sophisticated counsel who can review and analyze your company’s complex contracts and insurance policies to identify and triage potential gaps in your cyber coverage. Counsel can further assist to the extent of any vague and ambiguous language in the insurance policy needing clarification (hint, you’ll want to do this before your sign on the dotted line and pay premium).
Counsel should be able to effectively synthesize the information provided by your company as part of the initial audit (via IT/OT, CFO, COO and other company representatives) and then work with your broker representative to identify, negotiate and then select the appropriate cyber insurance carrier and policy language tailored to your risk profile as much as possible.
Best practice involves utilizing your team all year, evaluating and adapting, as the cyber landscape is continually changing. This should include regular attention to your insurance coverage . . . so don't wait until renewals or make this a once-a-year conversation! As always, we’re here to help.
“Don’t talk to me about contracts, Wonka, I use them myself.”
- “Square Deal” Sam Beauregarde
If you are a product brand, you’ve probably been required to enter into many agreements with everyone from manufacturers to distributors, payment processors to financial institutions and vendors of all shapes and sizes. Hopefully you’ve had the opportunity to review and understand these contracts, as landmines may exist within that labyrinth of legalese mumbo-jumbo which can affect the insurance you have purchased for your business. In this article, we’ll look at a few of these, particularly in the context of your cyber insurance policy.
BLT, Hold the Mayo
First, these contracts may require that you add another business to your insurance policy, otherwise known as an “additional insured.” This means that your new partner is able to enjoy coverage under your insurance policy, and at your cost (hint, insurers typically require additional premium for adding insureds to a policy).
Second, these contracts may also require that you hold certain minimum levels, or limits, of coverage. Beware these contracts may have varying minimum limits, which could affect the levels of insurance you purchase in order to stay compliant across all contracts.
Third, your contracts may also require different types of coverage. For example, one vendor may require that you carry commercial general liability and worker’s compensation insurance. Another may require you to carry cyber insurance. Yet another may require commercial auto liability coverage. Make sure you have all appropriate lines of coverage in place in order to stay compliant with your business partners.
Something About Making an Ass of U and Me . . .
In addition to adding businesses to your policy, as well as keeping minimum levels and types of coverage, these agreements may also require you to assume certain liabilities of your new business partners. This is especially true if you sell products online and will be taking confidential customer data and payment card information which could be stolen by bad guys.
To the extent your business partners could be blamed for such an event by their customers, clients or investigators, they may incorporate “tender of defense and indemnification” provisions into the contracts, effectively passing this responsibility to you. More specifically, if they are sued by their customers or clients or are investigated as a result of a cyberattack or data breach involving your system, they may be able to contractually force you to pay their costs of defense such as lawyer fees, settlements and judgments.
But what does this mean, and how does it affect you? Hopefully you have a cyber insurance program in place with first- and third-party coverage for cyberattacks or data breaches. As we discussed back in December, first-party cyber insurance can help with costs for recovering lost or damaged data, notifying customers, credit monitoring services and public relations, as well as lost business income from network interruption. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties. Things can change, however, if those legal defense costs come from your business partner tendering defense or requesting indemnification under the contract.
Cyber insurance policies generally exclude from coverage (i.e., insurers will not pay) liabilities assumed by contract, including those contracts you enter into with vendors and other business partners. Let’s say your company is the victim of cyberattack or data breach occurs and numerous records are compromised. A series of claims, lawsuits and investigations ensues. Several of your vendors wind up being sued and subsequently tender their defense and investigation costs to you under the respective contracts.
Under this scenario, you should be covered to the extent you undertake crisis response measures to minimize reputational harm to you and your vendors as a result of the cyber event. You should also be covered for lawsuits and investigations aimed directly at you. However, you may not be covered to the extent of your vendors’ tender of defense and indemnification costs, since those are assumed liabilities which are excluded under your cyber policy.
Make sure you review your contracts to determine what cyber-related liabilities you are assuming. To the extent possible, negotiate those contract provisions in advance with your business partners. Of course, success on this front may be dependent on bargaining leverage given the relative size of your company compared to your partner. In the alternative, consider having your insurance carrier create carve-outs for these contracts. There may be some additional premium paid, as the insurer will not want to undertake those risks without some cost for doing so. Then take a look at the adequacy of your limits and sub-limits of your full cyber coverage program, given the potentially catastrophic consequences of a cyber event.
Long story short, read and understand the agreements with your business partners, understand the liabilities you are assuming in those contracts, and then assess and react to the effects of those liabilities on your insurance program. As always, we're here to help.
"By failing to prepare, you are preparing to fail." - Benjamin Franklin
It's here. Allianz has released its 2018 Risk Barometer, identifying the top global business risks facing companies according to 1,911 risk experts from 80 countries. Not surprisingly, business interruption/supply chain disruptions, cyber events and natural catastrophes took the top three spots (these were numbers 1, 3 and 4, respectively, in both 2016 and 2017). In order to ring in the new year on the right foot, here are three things you can do internally to minimize your company's exposure to some of these business risks:
1. Develop and implement cross-functional policies and procedures
Consider developing and implementing policies and procedures across your primary and support activities. You can work with cross-functional departments to establish robust controls involving factory performance, regulatory and trade compliance, sales and marketing practices, market corrective actions and recalls, workplace behavior, cyber hygiene, litigation readiness and record retention. Then take the next step of educating your workforce and managers on a regular basis to ensure these tailored best practices are indeed being practiced. For example:
- Business interruptions along your supply chain: consider quality, cost, accuracy, delivery and sustainability controls to determine performance of your factories and logistics vendors against certain benchmarks, as well as implementing business continuity procedures in the event one of your factories, suppliers or distributors goes down.
- Cyber events: consider implementing enterprise-wide cyber hygiene practices to minimize exposure to cyberattacks and data breaches.
- Employment practices: consider developing and implementing an anti-discrimination, bullying and harassment policy, a return to work policy for injured employees to minimize instances of malingering, as well as succession planning procedures in the event of the departure of a manager or executive.
- Marketing and sales practices: consider implementing a process where draft print and online materials are first routed cross-functionally to ensure the appropriateness of claims as well as regulatory compliance.
Of course, this is just a small handful of examples, and there may be many others applicable to your particular business.
2. Work with your CFO and Risk Department to determine appropriate risk transfer levels
Your insurance carrier may tell you that it is willing to insure you at a certain level. For example, it may tell you that it will provide $10 million in coverage subject to a $250,000 deductible. That means the insurer’s obligation doesn’t trigger until your company has paid the first $250,000 in losses related to a particular insurable event. In other words, the insurance company is dictating to you what your risk transfer point should be.
Consider instead working with your CFO and Risk Department to determine a transfer point that is more in line with your specific risk appetite and organizational goals. Among other things, determine what percentage impact to financial metrics such as earnings before income tax and depreciation, operating cash flow, or shareholder equity would be considered “material events”. Review your loss history and determine which losses occur with regularity and are predictable (hint, they aren’t really risks if they happen regularly). Then look at losses that could be reasonably likely but expensive to insure, at which point you may have to determine the cost trade-off. Finally, look at catastrophic exposures across your company which you absolutely must insure, unless your company has a riverboat gambler mentality (in which case, may the odds be ever in your favor).
By being proactive in determining your risk appetite and transfer points, you should be better able to understand your risk profile for purposes of business decision-making. Understanding your risk profile, as opposed to blindly transferring all of your risks to an insurer, can put you in a better position to reduce exposure across your business functions. This can also have the added benefit of reducing costs. Using the example above, a financial study of your risk appetite may conclude that a $1 million deductible would be more in line with your specific risk appetite and organizational goals. The premium cost of a $1 million attachment point is much less than one with a $250,000 attachment point.
3. Understand your insurance policies from a big picture perspective
I’m always amazed by the number of companies who do not know what is in their insurance policies and simply hope they are covered in the event something happens. I’ve seen many other companies who have had losses and didn’t realize those losses could have been covered by their policies. In fairness, insurance contracts are often legalese beasts that are decipherable primarily by sophisticated lawyers. You need to make sure the policies you purchase align with your specific business functions and needs. Enlisting counsel to analyze, select and negotiate your insurance program within the framework of your specific operations can be that ounce of prevention worth a metric ton of cure.
I recently worked with a product manufacturer with its primary factory based in the Philippines and suppliers based in two other Asian countries. The company shipped product from the factory to its U.S.-based warehouse via ocean cargo. However, a review of their insurance policy revealed that it only covered events in the United States and territories, as well as Canada. This meant if their factory shut down, they could not recover lost business income resulting from the delayed production. Even if the coverage territory included this factory, there were exclusions for earthquakes, tsunamis, floods and labor/strike issues, effectively eliminating a large number of risks that could occur in the Philippines. Moreover, the policy only covered the company’s “direct suppliers,” which would likely have excluded disruptions at the material suppliers. To top it all off, there was no marine cargo policy in place, so shipments lost at sea (the only way they transported product from the factory to their warehouse) would not be covered.
The importance of having a big picture understanding of your insurance policies cannot be understated. Where are your manufacturing operations, and to what extent does your policy respond to natural disasters and geo-political/labor risks that may arise in such locations? How sophisticated are your supply chain, logistics and distribution networks, and is your business interruption coverage protecting them? Does your cyber insurance policy adequately address the number of electronic data records you are storing, including customer data and credit card information taken as part of direct-to-consumer sales? Do you have cyber-terrorism coverage in place given the rise in state-sponsored cyberattacks? What exclusions could disrupt coverage you expected? Is your policy occurrence-based or claims-made, triggering specific claim notification obligations? Do you have overlapping coverage in more than one policy that could trigger sticky “other insurance” clauses? Again, these are just a handful of questions that should serve as a starting point. There may be many inquiries applicable to your particular business.
It is always important to begin a new fiscal year on the right foot. Taking these three steps should provide sustainable opportunity to navigate the top business risks of 2018 (and beyond) with more confidence. As always, we’re here to help.
"The waiting is the hardest part." - Tom Petty
In Part 3 of this series, we discussed the wonderful world of legalese in insurance contracts (including cyber policies), the Wild West of cyber insurance, and how vague and ambiguous language in those policies can result in the loss of insurance proceeds. In this installment, we’ll take a look at how you can be blindsided by the waiting periods and business interruption periods which may exist in your cyber policy.
First, let’s look at the waiting periods. Some cyber policies provide coverage immediately following impairment to your network systems due to a cyberattack or data breach. Others provide that coverage does not kick in until 12 hours after such an impairment, with some policies even requiring up to a 24-hour waiting period. Think about that for a moment. Depending on your operations, especially if you sell through web-based direct-to-consumer channels, the first 24 hours of network interruption is critical and could result in substantial exposure. The insurance you bought, and which you expected to cover you, may not actually be there when you need it the most.
Next, the length of business interruption coverage in cyber policies can vary quite a bit. What is business interruption you ask? Briefly, most insurers will cover lost income for a certain period of time resulting from an interruption to your business due to a cyber event. As with the waiting periods discussed above, business interruption indemnity periods can vary drastically from policy to policy. Failing to understand your exposure to such losses and the coverage provided in your particular policy can have devastating consequences to your company.
Consider that some insurers cover business interruption losses only up to 30 days. Others may provide up to 60 or 120 days. Others still may offer a full 12 months of coverage from the date of the cyber event. Some of these policies further provide that such coverage may be limited in the event the network system is restored in less time. Some policies even provide that coverage will not be triggered until you have taken “reasonable” steps to minimize or avoid the business interruption event (remember that vague and ambiguous language from Part 3).
Let’s say your business makes consumer products and a significant portion of business comes from direct-to-consumer sales through your website. You have a cyber policy with a 24-hour waiting period that provides business interruption coverage up to either (1) the time when your system is restored, or (2) the time when the interruption in business income ceases, whichever is earlier. Your company suffers a cyberattack on Cyber Monday, and you immediately begin losing online sales as a result. You are ultimately able to neutralize the malicious software and restore your system in 22 days.
Under this scenario, your policy would not provide coverage for lost Cyber Monday income as a result of the 24-hour waiting period, nor would it cover expenses incurred in executing your rapid response plan to assess and neutralize the threat during this critical period. Fortunately, you should have coverage for some of the significant holiday business losses suffered as a result of the cyberattack. Unfortunately, that coverage will be limited to the 21 days after the waiting period (hint, there would likely be measurable continuing business interruption well afterward, especially if there is publicity surrounding the attack). Worse yet, what if the insurer determines that your response and mitigation steps were not reasonable? You may find that even the limited 21-day coverage period could be in jeopardy.
Long story short, it is important to have robust discussions with your IT and finance departments, among others, to determine how your company could be affected by a cyberattack or data breach. Be prepared to discuss issues such as system restoration and recovery timeframes, as well as the full scope of business losses which could occur both immediately and over time. Then take a look at your cyber policy.
If the cyber policy is not adequately covering your business (or the language is not clear), you should negotiate away problematic language as much as possible and also consider purchasing additional coverage to patch up any holes. Consider also getting confirmation from your insurer that your response plan is in fact "reasonable". Make sure to also share cyber hygiene training and other risk mitigation steps you perform in-house, as there should be premium savings for doing so. If there isn't, perhaps consider other insurance carriers at renewal who do respect and reward such steps. In any event, do all of these things before suffering a cyberattack or data breach, which could be catastrophic to your business. As always, we’re here to help.
"You keep using that word. I do not think it means what you think it means." - Inigo Montoya
In Part 2 of this series, we discussed the need to have (and understand) PCI DSS coverage as part of your cyber insurance program, especially if you conduct on-line business. In this installment, we’ll take a look at the wonderful world of legalese in cyber insurance contracts, containing mountains of vague and confusing language no doubt crafted by teams of lawyers incapable of writing in plain English.
For purposes of transparency, I am a lawyer and have been guilty of drafting complex commercial contracts and insurance provisions incorporating this awful language that rightly stereotypes us. The reason for this probably begins with the bloodless lobotomy that is called law school. During these three years, we endured a re-education leading to the magical ability to conceive of every possible outcome to a situation that could lead to loss. This ability was sharpened after clients began hiring us to prepare or revise contracts in order to help them get the best of the deal with their counterparts, leading to a competitive desire to “win” the drafting battle.
The result is contract language that can at times be overbroad, vague, ambiguous and confusing, especially to the lay reader. Under the law, such language in insurance contracts is typically interpreted in favor of the insured party and against the insurer depending on the circumstances. However, that doesn’t mean the insurer won’t attempt to steer such a provision in its own favor first, especially where there could be millions of dollars in insurance proceeds on the line. An unwary insured party would ultimately have to file a lawsuit against the insurer, and then hope the court agrees that the language was problematic such that it should be interpreted against the insurer. Those lawsuits cost a lot of money, take a lot of time, and many times lead to the opposite result.
Sit down and take a close look at your insurance policies if you dare. You will find a complex document containing numerous pages of legalese forms and small print understandable primarily by sophisticated lawyers. Failure to negotiate or clarify this language can be dangerous, especially in the Wild West of cyber insurance where there are numerous carriers providing varying coverage, and the cyber/legal landscapes are much less developed. Al Berman of the Disaster Recovery Institute was correct in stressing the need for legal counsel in selecting cyber insurance given the wording of policies.
Let’s say your insurance policy excludes "claims arising out of, based upon, or in any way related to any actual or alleged fraud against you." This has multiple problems, which we’ll break down in order. First, the phrase “arising out of, based upon, or in any way related to” is overbroad and could expand far beyond the scope of what the insurer is really trying to exclude. For the sake of clarity, if an insurer is seeking to exclude coverage for claims of fraud against you, then it should just speak plain English and exclude “claims for fraud against you.”
The follow-up phrase “actual or alleged” is likewise overbroad. Good lawyers will craft a complaint asserting numerous alternative theories of liability, many times to leverage early settlement positions. For example, lawyers may include in such a list a claim that you engaged in fraud through your actions and they will be pursuing punitive damages as a result. Depending on your policy, that fraud allegation may have just lost you insurance coverage, even if such as claim is without merit. In order to avoid this problem, consider requesting that such claims can only be excluded upon “final non-appealable adjudication by a court of competent jurisdiction” (i.e., a court of law determines that you were in fact fraudulent). Then make sure there is language ensuring you still have coverage for the remaining non-fraud claims permitted under the policy.
Long story short, your policy language will have changed from excluding “claims arising out of, based upon, or in any way related to any actual or fraud” to “claims of fraud against you, pursuant to a final non-appealable adjudication by a court of competent jurisdiction.” In the end, a more level playing field with your insurer results.
This is just one example, and you’ll find these language issues in most types of insurance, not just cyber insurance. There are many other phrases (don’t even get me started on “reasonable and necessary expenses”) which can blindside you if you haven’t gone through your policy with counsel. Make sure to do this well in advance of signing on the dotted line and paying your premium, as there is much less incentive to negotiate language after receiving your funds. As always, we’re here to help.
“Everybody has secrets, the trick is just finding out what they are.” - Lisbeth Salander
In Part 1 of this series, we discussed the importance of understanding your company’s exposure in the event of a cyberattack or data breach, and making sure your cyber insurance policy limits reflect that exposure. In this installment, we’ll take a look at the importance of understanding your Payment Card Industry Data Security Standards (PCI DSS) exposure as part of your cyber insurance coverage.
If you are a brand or manufacturer that sells products via online direct-to-consumer channels, then you likely take credit/payment card and other confidential information from consumers (e.g., name, address, telephone number, e-mail address, personal preferences) to process these transactions, as well as username and password information. In order to do so, you must comply with PCI DSS, a series of complex requirements developed by the PCI Security Standards Council (consisting of Visa, MasterCard, American Express, Discover, and JCB) to ensure merchants are securing their customers’ account data.
Failure to comply with PCI DSS can have disastrous consequences to your business, so it is important to understand how the process works. After a customer inputs his or her credit card and personal information to process a transaction on your website, your system will forward this information to a payment processor. The processor will then contact the credit card company and the customer’s bank for authorization to complete the transaction. If authorized, the funds will be transferred and deposited into your business account.
All of this happens because of several contracts among the parties, most notably: (1) the membership contract between the credit card company and your bank; and (2) the contract between your bank and your company. In the event your company suffers a data breach and customer and card information is compromised, the credit card company may require your bank to pay PCI DSS fines and assessments if non-compliance is found. Of course, the MSA will require your company to reimburse the bank for those fines and assessments, which can be significant, ranging from $5,000 to $500,000 per month and $50 to $90 per customer compromised.
Now consider our discussion in Part 1 about how sub-limits can erode your aggregate limit. Let’s say you have an aggregate cyber insurance limit of $3 million, with a PCI DSS fines/assessment sublimit of $2 million. Your system is breached and numerous customer records are compromised. It is determined you were non-compliant in securing customer data, and are therefore required to pay substantial fines and assessments under the MSA, maxing out your PCI DSS sublimit in the process. This would leave your company with only $1 million in insurance proceeds to cover investigations, expensive notification costs, business interruption, customer lawsuits, and responding to regulatory inquiries. Needless to say, the result could be catastrophic to your business.
Even worse, you may think you have purchased PCI DSS coverage only to be blindsided by the insurer telling you later that there was in fact no such coverage. I have worked with multiple clients that purchased cyber insurance explicitly providing coverage limits for PCI DSS fines and assessments, as well as specifically covering these items throughout the policy. However, upon analyzing the policy and coverage, we discovered the insurers had tucked a small endorsement at the end of the policy excluding coverage based on liability arising from MSAs and other payment card agreements. In other words, there was no coverage for the only contracts where PCI DSS fines and assessments could be found. Fortunately, we discovered this issue prior to any cyberattack or data breach event and have been able to take steps to remedy the discrepancy.
In sum, make sure you talk to your IT personnel to make sure you have appropriate levels of PCI DSS coverage as part of your cyber insurance, in addition to making sure the appropriate aggregate limit is in place. You can also work with IT to establish a compliant framework for securing customer payment data, minimizing exposure to fines and assessments. Finally, you need to make sure your cyber policy is actually covering your PCI DSS exposure. Just ask P.F. Chang’s how important this coverage can be. As always, we’re here to help.
In Part 3 of this series, we’ll discuss how vague and ambiguous language in your cyber insurance can result in loss of insurance proceeds, and how you can fix that language.
"I just can't get enough." - Depeche Mode
Cyber security is without question one of the greatest threats facing businesses in the coming years. This is especially true for manufacturers in the Athletic & Outdoor and Consumer Product industries, who typically have troves of confidential records and information stored electronically. These risks are magnified given the industries’ increased focus on direct-to-consumer sales strategies, which necessarily involve taking and storing confidential customer data such as names, addresses, phone numbers, and bank/credit information.
In addition to practicing good cyber hygiene, it is important for your company to have adequate cyber insurance in the event of a cyberattack or data breach. First-party cyber insurance can help with costs incurred to recover lost or damaged data, notify customers of the breach, credit monitoring services, and public relations. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties.
Many companies are pretty good about making sure they have some level of cyber insurance in place, but it is astounding how many do not know exactly what specific coverage and exclusions exist in their policies. The increasing likelihood of harm to your company of an attack or breach (especially if you’re a small business), coupled with the catastrophic consequences of those attacks, means buying cyber insurance without fully understanding what you bought is putting a bandage on a bullet wound.
In this first installment, we’ll take a look at the importance of understanding the aggregate limit and sub-limits of your cyber insurance coverage. According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost of a data breach to a company is as follows: (1) $1.9 million if less than 10,000 records compromised; (2) $2.8 million if 10,000 to 25,000 records compromised; (3) $4.6 million if 25,001 to 50,000 records compromised; and (4) $6.3 million if more than 50,000 records compromised. In the United States, malicious data breaches cost companies an average of $244 per compromised record.
First and foremost, work with IT personnel to assess the size and scope of a potential data breach on your company. Get a handle on the number of research and development records, employee information, business-to-business and individual customer data, and other confidential records and information that could be damaged or stolen. Then go back to your cyber insurance policy and determine whether the aggregate policy limit protects you. If not, you may need to consider more coverage. Many insurance underwriters use benchmarking to determine appropriate limits, which includes cyber insurance. Such benchmarking may not apply to your particular situation and leave you vulnerable to damages well above your limit of coverage.
Next, look at your cyber insurance sub-limits, which are part of and not in addition to your aggregate limit. Your aggregate policy limit is the absolute most an insurance company will pay in the event of a breach, and these sub-limits can dramatically eat away at this overall limit. For example, you may have sub-limits in place for items such as: (1) costs related to computer forensics costs; (2) crisis management and PR costs; (3) customer notification costs; (4) reimbursement of regulatory violations; and (5) fines or assessments related to Payment Card Industry Data Security Standards (PCI DSS), which we will discuss more in the next installment. In the event of a data breach, each of these on its own could significantly erode your overall limit of coverage. If more than one is maxed out—and you then have stare down the barrel of numerous customer lawsuits arising from the data breach—the results could be catastrophic to your company.
In sum, make sure to understand the extent of your company’s exposure in the event of a cyberattack or data breach. Then make sure your cyber insurance aggregate limit and sub-limits are aligned with that exposure. Finally, make sure your employees are practicing good cyber hygiene to minimize the likelihood of an occurrence. As always, we’re here to help.
In Part 2 of this series, we’ll discuss the need to have (and understand) PCI DSS coverage as part of your cyber insurance program, especially if you conduct on-line business.
“Nothing like popcorn to suck up noxious gases. Although I prefer butter and salt myself.” - Captain Planet
In Part 2 last week, we explored Vietnam’s trade regulations and relationships, as well as some sourcing and pricing issues your company should consider when making the decision to go with a Vietnam-based manufacturer. Given the importance of corporate responsibility, this installment will highlight potential social and environmental issues you could face, and some steps which can be to taken to “do more good,” and not just “do less bad.”
Excuse Me, I Believe You Have My Stapler.
As we mentioned in Part 1, Vietnam’s government has been providing incentives to investors to establish operations in “especially difficult socio-economic” areas, including rent and tax abatements, as well as duty elimination and deferral of losses. These areas are typically the poorest areas of Vietnam, and, as explained by the Ministry of Industry & Trade during the 2016 Annual Footwear Conference which I attended, the hope is that increased investment in those areas could lead to development of roads, stores, schools, medical clinics, housing, clean water and other needs for these impoverished communes and villages. Ultimately, the goal is for Vietnam to grow and flourish through continued development and prosperity, resulting in happiness for its people.
Companies considering investment in Vietnam, for their part, should likewise embrace this goal through the development and implementation of high labor standards. This includes obvious prohibitions against child and forced labor, but companies should further develop and implement policies to ensure Vietnamese workers are free from discrimination, receive appropriate wages, work in healthy and safe factory environments, and are permitted the opportunity to bargain collectively without undue influence and interference from management.
Policies should also be put in place to ensure opportunities for vocational training, as well as career advancement for Vietnamese laborers. This is especially the case for U.S. companies who contract with third-party manufacturers based in another country which may have prejudices against the Vietnamese laborers, or are perceived as exploiting them. During the Footwear Conference, one LEFASO representative even commented that the education and quality of the Vietnamese labor force was not optimal, no doubt stoking pre-conceived notions of expat managers from other Asian countries, who may be less inclined to view Vietnamese workers as potential supervisors or managers themselves.
U.S. companies investing in Vietnamese production should develop and implement robust strategies to protect and promote Vietnamese workers. These companies should not be afraid to take decisive actions to the extent factory leadership fails to live up to these high standards. In this way, companies will not only “do less bad” by preventing unfortunate things from happening to Vietnamese workers in the workplace, but will further “do more good” by promoting the importance of opportunities for these workers to develop, advance, and flourish in leadership positions of their own. Wishful thinking? Maybe, but brands should be innovating on the corporate responsibility front, not just in making products.
The Sky People Have Sent Us a Message . . .
In addition to these social-based issues, it should go without saying that footwear production can lead to undesirable environmental outcomes, such as air and water pollution through toxic emissions and chemicals used in production. Your company should develop strategies to ensure that your Vietnam-based factory has air pollution control mechanisms, air and water quality monitors, and wastewater treatment facilities all in place, especially if the factory is located in one of the areas of “especially difficult socio-economic conditions,” where surrounding communes and villages could be adversely affected. Your company should also partner closely with the factory to establish an in-house department tasked with day-to-day monitoring and innovation as far as types of chemicals used in production, to the extent chemicals are necessary. Controls and benchmarks should be developed and regularly reviewed to ensure ongoing implementation and long-term success of the program.
There’s also little dispute that Vietnam has a lot of rain, especially from May to October in the northern and southern regions. This provides the opportunity to incorporate rainwater harvesting as part of your strategic factory vetting process. This rainwater can be used for functions such as toilet flushing and irrigation, heating and cooling, and can be further filtered and purified to complement potable water sources . . . all of which results in a significant reduction of net water usage. Factories incorporating wastewater treatment facilities can provide further water recycling and efficiency benefits.
The persistent hot sun in Vietnam likewise provides the opportunity to evaluate factories based on whether they have invested in solar-based energy sources, or still rely on lower cost coal. Aside from the obvious environmental reasons cutting against the use of coal, the low costs may not last as long as originally expected given Vietnam’s growing economy and increasing energy consumption. Coupled with the emergence of China as the global leader in solar power, and the economic partnership between China and the ASEAN region (including Vietnam), the cost-benefit of this renewable energy source should be re-evaluated.
From a compliance standpoint, trade agreements and economic partnership agreements are now even requiring environmental and social standards be met. Be prepared, as many Vietnam-based facilities may not be equipped to meet such requirements, or even interested in doing so. During the Footwear Conference, the same LEFASO representative relayed concerns about meeting European Union trade agreement restrictions on certain chemical substances typically used in manufacturing.
However, this doesn’t mean your company shouldn’t be incorporating such analyses into vetting potential production candidates. Doing so, and then partnering with your selected factory on proactively addressing these issues, can first and foremost positively impact Vietnam’s environment and ultimately its people. From the perspective of your business, you can improve brand connection with consumers by demonstrating that appropriate priorities are in place when making the business decision to manufacture in Vietnam. On the back end, these steps can help minimize reputational, regulatory and business interruption risks you may face. As always we're here to help.
“Invention, my dear friends, is 93% perspiration, 6% electricity, 4% evaporation, and 2% butterscotch ripple.” - Willy Wonka
In Part 1 last week, we discussed Vietnam’s vision for the global stage as a footwear manufacturing power, and the extent to which it is really ready for such a mantle. This week, we’ll explore Vietnam’s trade regulations and relationships generally, as well as some issues your company could face without some level of involvement in the production process.
Blue Horseshoe Loves Anacott Steel
Let’s get right to it . . . Vietnam favors trade generally as far as footwear is concerned. From a regulation standpoint, the Vietnam Trade Promotion Agency (VIETRADE) is a sub-agency of the Ministry of Industry and Trade and has set forth Rules and Regulations on Trade, including taxation, which explicitly state that “[e]xports are promoted in Vietnam” and that “taxes are only levied on certain commodities, mainly natural resources such as minerals and forest products.” Regulation 4.2.1(a). On September 1, 2016, the Law on Import and Export Duties went into effect, expanding the scope of favorable duty treatment to materials, supplies and components imported for the manufacturing of export products, including footwear.
In addition to this favorable regulatory scheme, Vietnam is a member of the ASEAN trade bloc, along with member countries Brunei, Indonesia, Malaysia, Philippines, Singapore, Thailand, Laos, Myanmar and Cambodia. Either directly or through ASEAN, Vietnam is currently a member of at least 16 free trade and/or economic partnership agreements, most notably with the EU, China, India, Russia, Japan, Korea, Australia and New Zealand, Hong Kong, Israel, and Chile.
Follow the Rules or Follow the Fools
These free trade agreements impose certain rules of origin and regional value content (RVC) restrictions which require that a certain percentage of the shoe’s free on board (FOB) or related value comes from materials which originate in the trade area. Some of these rules have stricter requirements than others.
For example, the ASEAN trade agreement with Australia and New Zealandrequires that at least 40% of the FOB value of shoe materials originate in one of the membership countries to that agreement, which includes Vietnam. However, the ASEAN-Indian trade agreement only requires 35% of materials to come from member countries. The Trans-Pacific Partnership (TPP), which the U.S. exited, would have required 45% of materials to come from one of the member nations.
Your company should take steps to ensure your Vietnam-based production facility is in compliance, especially if the facility is producing for export to multiple countries and differing RVC rules could apply. This is important given concerns expressed by Vietnam’s leather, footwear and handbag trade group (LEFASO) during the 2016 Vietnam Footwear Conference about the ability of Vietnamese factories to satisfy these varying requirements. Your company should have a working familiarity with the trade agreements which could be in play, and then develop strategies to ensure your factory is taking all steps to ensure that RVC requirements across the board are being satisfied.
I’m Gonna Pop Some Tags
In addition to these RVC requirements, your company’s desire to produce low-cost product in Vietnam could trigger anti-dumping regulations in other countries. Vietnam has been a member of the WTO since January 11, 2007, and is therefore automatically subject to the Agreement on Implementation of Article VI of the General Agreement on Tariffs and Trade of 1994 (the “Anti-Dumping Agreement”). Product “dumping” occurs when manufacturers export a product to another country at a price either below the price charged in its home market or below its cost of production. It is a predatory type of pricing which can be implemented to increase market share in a foreign market or to drive out competition.
For example, assume China exports footwear to Brazil for $50. However, China is selling the same shoes in its own country for $60, and manufacturers in Brazil also make similar shoes for $60, but are not able to compete with China’s $50 price. Brazil’s government could say that China is dumping its product in Brazil in order to drive out competing manufacturers, and then issue “anti-dumping” measures such as an increased duty of $10/pair imported from China. This measure would make the shoes from China and Brazil the same price ($60) and in turn protect local industry. Anti-dumping measures can also be non-tariff based, such as certain registry requirements, customs codes, or limiting the number of customs houses.
This example is not by accident, as Brazil has accused China of anti-dumping in the past and has levied anti-dumping measures accordingly. In particular, from March, 2016 onward, Brazil’s Ministry of Development, Industry and Foreign Trade advised that a surcharge of 10.22US$/pair would be applied to footwear imported from China. Vietnam is not currently subject to such duties. However, Brazil has imposed such measures in the past against Vietnamese imports and has recognized Vietnam as a non-market economy, leading to heightened suspicion and attention.
In addition to Brazil, Vietnam is subject to blanket anti-dumping measures levied by Mexico. These anti-dumping policies restrict the importation of footwear and are designed to combat unfair competition from exporting countries. In particular, Vietnam is now subject to a 25% — 30% tariff until January 31, 2019. There are also several non-tariff requirements in place, such as a decreased number of customs houses assigned to deal with footwear imports, and notice and audit requirements. Notwithstanding these measures, in February, 2016, Mexico and Vietnam established a joint committee on economic, trade and investment cooperation, and continue to build trade ties between them.
Summing up, in addition to making sure you are adhering to RVC requirements, your company should be strategic in FOB pricing and exporting practices, including researching pricing in export countries and understanding any anti-dumping measures in place which could affect your company. Of course, there are numerous other trade-related issues your company should also be considering, including on the corporate responsibility front. As will be discussed in the next installment, your responsibilities to society and the environment should be front and center as far as your Vietnam-based operations are concerned. As always, we're here to help.
“You’re in the great game now. And the great game is terrifying.” - Tyrion Lannister
A major theme of “Game of Thrones” has been the seismic impact Daenerys Targaryen and her three dragons have had on that fictional world since Robert’s Rebellion. In the real world, as explained by Ezra Vogel a quarter century ago, Japan and four little dragons (Taiwan, South Korea, Hong Kong and Singapore) had their own seismic impact on global manufacturing following World War II. Of course, China has since assumed the position of world’s largest manufacturer, and has held a particularly strong foothold (no pun intended) in the shoe manufacturing business. However, there is another fast-growing dragon on the world footwear stage. Vietnam has not only become a top 5 producer but has significant export capabilities to boot (okay, that pun was intended). The question then becomes whether Vietnam is really ready to fill those shoes (no more puns, I promise). There is much more than just low production and labor costs you should be considering if you’re on the fence about manufacturing there.
I had the opportunity to spend several weeks with a Vietnam-based footwear manufacturer, also attending the Annual Footwear Conference in Ho Chi Minh City. I learned quite a lot from the experience, presented to diverse audiences, and am interested in the ongoing dialogue about Vietnam’s readiness for the global footwear stage. Over the last few years, Vietnam’s Ministry of Planning & Investment (MPI), Ministry of Industry & Trade (MoIT), and leather, footwear and handbag trade group (LEFASO) have been developing short- and long-term plans to improve Vietnam’s trade advantage on the global footwear production stage. Its growth plan through 2030 involves increased focus on automation, as well as incorporating information technology into financial, operational, and logistics management systems. Vietnam also plans to begin building an international gateway port to serve as its most important port for trade, including industrial parks and trade centers, industry support centers and developed roadways leading to the gateway port.
In addition, Vietnam is enticing foreign investors to move to areas of “especially difficult socio-economic conditions” (the most remote and impoverished areas), hoping this will assist with development in those areas. Investors willing to do so could receive benefits such no rent for up to 15 years, as well as no taxes for several years followed by lower tax rates afterward. Investors would also be able to enjoy duty free transport of equipment and materials required to start the business, and the ability to defer initial business losses following investment and development. Vietnam is also quick to point to opportunities such as its own favorable trade regulations and numerous free trade agreements with major markets, brands trending toward production in Vietnam, and a long-term abundance of low cost labor given the country’s “golden population ratio” — i.e., the number of people of working age (15 to 64 years old) has increased considerably compared to non-working age.
Vietnam initially appears to be saying all the right things as far as embracing its role as a top global footwear power. However, long-term excellence requires more than just talking the talk. As noted by Vogel (and numerous commentators since), while geographic location and government support played large roles in the growth of Japan and the Little Dragons, their commitment and execution in developing roadways, ports and rails, as well as an educated population with existing skill-sets, were major contributing factors as well.
Vietnam has similar strategic coastal location benefits and government support, although it is still noticeably in a developing status from an infrastructure standpoint. Let’s say you are considering investing in manufacturing operations in an area of “especially difficult socio-economic conditions” within the Tay Ninh province. Hauling finished product by truck to Can Tho, a primary Mekong Delta sea port (less than 150 miles away) could take over five hours, much of which is over a less-than-developed roadway system. Depending on traffic and weather, the time and conditions could be worse. And you may find it difficult to entice skilled U.S. expats (especially those with families) to assist with operations in these areas, many of which are quite remote and impoverished.
Vietnam concedes there are questions about its own ability to satisfy the terms of the various free trade agreements, as well as the education and quality of its labor force, which Vietnam admits counters its “golden population” position. Vietnam has also acknowledged weaknesses in investment and manufacture such as lack of capital, technology, and high level human resources. Of course, the U.S. exit from the Trans-Pacific Partnership will likely have some additional impact, the full effects of which may not be known for some time.
A trade-friendly regulatory system, strategic trade agreements, nice incentives to foreign investors and claims about infrastructure development may be well-intentioned, but do they ring hollow? There are just too many questions right now as to whether Vietnam can effectively execute on its vision and initiatives. Vietnam will also need to be cognizant of its ongoing need to build relationships with global partner countries, and work closely with foreign investors and existing manufacturers toward innovative, sustainable, and compliant processes . . . and not just say that it will do so.
Is Vietnam truly ready for the challenge? Like finding out who will take the Iron Throne from Cersei Lannister in Season 8, we’ll just have to wait and see. In the next installment, we’ll explore Vietnam’s trade regulations and relationships generally, as well as specific production and pricing risks your company could face without some level of understanding and involvement in the process. As always, we're here to help.