Looking forward to presenting again at the Oregon State Bar. This year's Lunch and Learn topic will be, Preventive Law 101: Minimizing Business and Legal Exposure. For those of you unable to attend the Lunch and Learn on April 17, 2019, the course will be available online as well. Check it out!
“The time to repair the roof is when the sun is shining.”
- John F. Kennedy
If you have business operations in the Hail Belt regions of the United States, pay close attention to the 5th Circuit’s decision earlier this month in Certain Underwriters at Lloyd’s of London v. Lowen Valley View, L.L.C. In that case, a hotel filed a lawsuit against its insurer in the U.S. District Court for the Northern District of Texas for refusing to cover hail-related roof damage under a commercial property insurance policy.
The District Court agreed with the insurer’s argument that: (1) several hail storms had struck the vicinity of the hotel in the years preceding its claim; (2) only one of those storms fell within the relevant coverage period; and (3) the record lacked reliable evidence permitting a jury to determine which of those storms, alone or in combination, damaged the hotel. The 5th Circuit affirmed the ruling, determining the hotel’s engineering report—opining that the subject storm was the “most likely” cause of the damage—was not sufficient.
So Where (or When) Do We Begin?
Many commercial property policies contain provisions that any lawsuit against an insurer must be filed within one year following the “inception of loss,” otherwise it is barred. In other words, the “inception of loss” date starts the one-year clock ticking. The question then becomes, when exactly is that date?
The Wisconsin Supreme Court hit this issue head-on in the case of Borgen v. Economy Preferred Ins. Co. In its 1993 opinion, the Court determined that the phrase “inception of loss” in the context of hail damage rules out an interpretation which could postpone the starting point to the time when the insured discovered or should have discovered the loss. In other words, “inception of loss” means “the date of the specific hail storm,” not “the date I discovered the hail damage.”
There are only a handful of federal and state cases addressing this issue, with the majority of them either Borgen or its Wisconsin progeny. See also Des Longchamps v. Allstate Prop. & Cas. Ins. Co. (“Des Longchamps does not (and, indeed, cannot) deny that the loss to his property began on June 29, 2012 when the derecho’s winds and rain hit Washington D.C. This means that his claimed October hurricane damages are irrelevant (contractually speaking) to the timeliness question.”).
Practical Effect of These Cases Read Together
Let’s say you operate a business in Plano, Texas, and have a commercial property policy with a January 1 renewal date. You’ve noticed some recent leaks over the last week in your eight-year-old roof. Based on this discovery, you enlist a roofing contractor to investigate further. You're advised the roof needs to be replaced due to the existence of hail damage, so you submit a claim to your insurance carrier. Now, consider Plano has had at least 14 significant hail strikes since your roof was installed:
Storm Date Min. Hail Size Range (Max)
4/6/2018 1.50” (up to 2.00”)
4/11/2016 1.50” (up to 2.50”)
3/23/2016 1.25” (up to 2.00”)
8/17/2012 1.00” (up to 1.50”)
6/13/2012 1.75” (up to 3.00”)
Based on Borgen, the relevant “inception of loss” date would be the most recent June 6, 2018 hail storm and each specific storm prior to that. This would mean any claims potentially implicating the April 21, 2017 and earlier events could be time-barred (assuming your prior year policies contain that pesky one-year filing limitation mentioned above). To make matters worse, given the number of equivalent hail strikes over the course of years, you will likely have an uphill battle under Lowen Valley View in attributing the recent 2018 storms to a loss under your current policy.
Even if it were somehow possible to assign each item of roof damage to a particular hailstorm—and further that statute of limitations issues would not limit recovery almost entirely—the number of storms create another problem. With 14 storms occurring over the life of your roof, the insurer could argue in favor of 14 separate occurrences, which in turn would mean having to go through 14 separate deductibles before you ever saw a single dollar of insurance proceeds. Depending on the amount of your deductible, this could mean you won't recover any insurance proceeds even if the claim was somehow covered in principle.
So Now What?
These rulings, read together, put the onus on business owners in the Hail Belt to conduct at least annual roof inspections to determine the existence of any roof damage potentially attributable to a particular insurance policy. It further puts the onus on business owners to understand the claim process, and to absolutely know the deadline for filing a lawsuit.
If you do have a claim and are running up on the deadline, seek an agreement from the insurer to toll (or extend) the deadline while trying to resolve the claim amicably. They shouldn’t have any problem with this, and make sure the agreement is documented (hint: now would be a good time to have discussed the claim and strategies with coverage counsel).
Long story short, be proactive with your property insurance as opposed to reactive. As always, we’re here to help.
"Let's take extra care to follow the instructions or you'll be put to sleep."
- President Business, The LEGO Movie
Let’s say your company makes products and is sued by a group of individuals claiming they were injured by one of those products.
If you’re like most companies, you would notify your insurance carrier and then hope you have insurance coverage for those lawsuits. Assuming you do, you get a letter from a law firm the insurance company hires for you and then periodically provide information and documents when asked . . . you may even give a deposition if you’re lucky! Otherwise, you stay out of the mix and let this lawyer represent your company’s interests until a letter comes notifying you the case has been settled. No worries, right? WRONG!
Behind the scenes, the insurer is paying the fees for your lawyer (known as “panel counsel” since they are chosen from a panel list acceptable to the insurer). The insurer is also controlling the defense strategy for your company, including when and how to settle the case. Your insurance policy permits the insurer to do this, and also requires your cooperation, so this is perfectly normal. However, if you are not managing this panel counsel, you could find yourself blindsided with higher premiums than expected at renewal.
A Brief Case Study
Let me give you an example based on a matter I recently concluded for a manufacturing client. This company was one of several defendants which had been sued by the estate of an individual who was killed in an accident. Fortunately, this company was insured, so it forwarded the lawsuit to the insurance carrier, which in turn assigned panel counsel to defend the company. So far, so good.
A couple months into the lawsuit, I was called by the head of the company after he received a copy of a 20-page status letter prepared by the panel counsel to the insurer. He was confused since his company had an agreement with a third party supplier, requiring that supplier to accept full responsibility for defense and any damages to the extent of any defect claims involving my client’s products. Given my background and experience with insurers and managing claims and litigation, he wanted me to review and provide guidance.
Here’s where it got dicey . . . panel counsel acknowledged the supply agreement in the report but buried it low in the list of “to-do” action items, recommending instead extensive discovery, at least 20 depositions, retaining and deposing multiple experts and then preparing and filing a couple motions for good measure. To make matters worse, panel counsel opined in the report that our mutual client could be found 15% – 25% liable for the death at trial, and that damages could well exceed $5 million.
Your Panel Counsel Can Adversely Affect Your Premiums
Let me tell you a little bit about how insurance adjusters generally set reserves. When a lawsuit comes in, the adjuster will set defense cost reserves (e.g., attorney fees, discovery costs, experts) based on panel counsel’s recommended strategy. The adjuster will also set loss reserves based on the anticipated settlement or trial value at different mile-markers in the case. Of course, the adjuster relies on panel counsel’s periodic status letters to determine these reserves.
In my client’s case, a reasonable adjuster could have reviewed panel counsel’s 20-page letter and, based on the suggested strategy and exposure, set initial defense cost reserves of at least $50,000 with another $250,000 to $500,000 in loss reserves. This, of course, in addition to the $10,000+ already spent in the initial review and preparation of that 20-page status letter. This was my client’s first claim related to an alleged product defect. Had the adjuster in fact reserved this way, my client’s insurance premiums could have skyrocketed for the upcoming renewal period.
Effectively Managing Panel Counsel
After reviewing the status letter, followed by a brief outburst of expletives, I calmed down and called panel counsel to introduce myself as managing counsel for the case on behalf of the company. We discussed the current strategy and exposure assessment in light of the exculpatory supply agreement. After explaining the harm that could potentially be done to our mutual client at renewal, panel counsel ultimately agreed that the best course would be to immediately tender defense to the third party supplier, performing only necessary discovery items afterward. In the event the supplier balked, it would be sued and we would seek summary judgment given the clear and unambiguous language of the contract.
Having agreed to this new strategy, I requested panel counsel forward the insurance adjuster a status letter downgrading anticipated loss exposure to $0 given indemnity. All of this was set in motion within 24 hours of that phone call, the case was tendered to the third party which was later brought into the case. As a “happily ever after,” the case settled at mediation with nothing paid by my client and minimal defense costs incurred in the interim. At renewal, the insurance premium increased only nominally as a result of the claim . . . things could have been a lot worse.
It's a Team Effort
Don’t get me wrong, the insurer’s relationship with panel counsel is important and necessary, as insurers need to be able to predict outcomes of lawsuits as much as possible in order to make business decisions on behalf of their insured businesses (and themselves!). However, if these lawsuits are not also managed by counsel solely representing the insured’s interests, this dynamic can lead to excessive defense costs, exposure to unnecessary strategies and improper liability and damages assessments. All of this can lead to adverse reserving by the claims adjuster and, ultimately, skyrocketing premiums or worse . . . loss of insurance coverage altogether.
Long story short, don’t simply hand off your case to the insurer and then forget about it. Review status letters before they are sent to the insurer. Understand the litigation strategies being developed and implemented, as well as potential loss exposure. Don't be afraid to question how these things could affect your existing insurance coverage. In sum, manage the case with a critical eye and, if commercially feasible, retain a lawyer looking solely out for your company’s best interests to assist. As always, we’re here to help.
“On board were the Twelve: the poet, the physician, the farmer, the scientist, the magician and other so-called gods of our legends.”
- "Atlantis" by Donovan
It is no surprise that companies are aggressively mobilizing to address and combat risks of cyberattack and data breach. According to The Global State of Information Security Survey 2018 from PwC, at least 56% of responding global executives reported having some form of overall information security strategy in place. In a referenced report, PwC highlights the importance of making sure diverse stakeholders are involved in developing and implementing those strategies, including “business, technology and risk management leaders—as well as the CEO and CFO.”
This “it takes a village” perspective not only applies to mitigating internal cyber risks but should also be applied to transferring cyber risks to insurance carriers. This begs the question, “Who should be part of your corporate cyber insurance team?” Here are a few suggestions to help you get the ball rolling:
At least one information technology (IT) representative with knowledge of the enterprise-wide systems used, data storage practices and technology vendors is obviously critical. Such a representative should be able to estimate the number of confidential records being stored that are subject to potential breach and access, which in turn can assist in determining how much insurance you should purchase. This information can also help assess the number of records which could be subject to potential coverage sub-limits which could blindside you if unprepared.
You will want make sure this individual also has a strong grasp of the company’s operational technology (OT) issues as well, especially to the extent of supply chain, logistics and other physical processes vital to corporate success. For example, consider a cyberattack which results in delayed delivery of important production planning information to your primary factory. Along those lines, the IT/OT team member can provide valuable guidance toward insurance considerations such as acceptable business interruption limits and length of waiting periods, further assisting with harmonizing insurance procurement with existing enterprise-wide business continuity strategies (hint, your company should have these in place).
As PwC astutely reports, there is something to be said for including a C-suite representative on the team. The CFO (or perhaps COO) should provide sufficient project visibility and accountability, as well as access to departments and representatives ensuring a thorough investigation prior to pulling the trigger on an insurance carrier and coverage. And the CFO likely has control of the company purse strings, so it's probably a good idea to get this person engaged early for budgeting purposes . . . especially if there could be glaring holes in your cyber insurance program.
Your CFO/COO team member can also be helpful in providing an overview of contracting practices within the company. Keep in mind your company likely has enterprise-wide contracts with suppliers, vendors, distributors, customers and/or clients. Your company may have unwittingly (or wittingly) assumed certain liabilities under these contracts, including liability for losses to these third parties in the event of a cyberattack or data breach involving your system. You need to know what is in these contracts in order to identify and select appropriate cyber insurance carriers, and then tailor your insurance limits, sub-limits and coverage appropriately.
3. Cyber Insurance Broker
A brokerage firm with a well-developed cyber practice should be able to provide effective access to this insurance market. With 60+ cyber insurance carriers offering stand-alone policies, and the cyber landscape still largely underdeveloped with varying policies, there are ample opportunities to identify brokers who can work with your company to access appropriately-capitalized insurers.
A firm with an established cyber presence should also have relationships with underwriters who can provide guidance on opportunities to reduce costly premiums across multiple prospective carriers. For example, if you were one of the 56% of responding executives mentioned above, there should be some level of premium savings for such efforts.
Last, but certainly not least (I’m sure there’s a lawyer joke in there somewhere), you should include on your team sophisticated counsel who can review and analyze your company’s complex contracts and insurance policies to identify and triage potential gaps in your cyber coverage. Counsel can further assist to the extent of any vague and ambiguous language in the insurance policy needing clarification (hint, you’ll want to do this before your sign on the dotted line and pay premium).
Counsel should be able to effectively synthesize the information provided by your company as part of the initial audit (via IT/OT, CFO, COO and other company representatives) and then work with your broker representative to identify, negotiate and then select the appropriate cyber insurance carrier and policy language tailored to your risk profile as much as possible.
Best practice involves utilizing your team all year, evaluating and adapting, as the cyber landscape is continually changing. This should include regular attention to your insurance coverage . . . so don't wait until renewals or make this a once-a-year conversation! As always, we’re here to help.
“Don’t talk to me about contracts, Wonka, I use them myself.”
- “Square Deal” Sam Beauregarde
If you are a product brand, you’ve probably been required to enter into many agreements with everyone from manufacturers to distributors, payment processors to financial institutions and vendors of all shapes and sizes. Hopefully you’ve had the opportunity to review and understand these contracts, as landmines may exist within that labyrinth of legalese mumbo-jumbo which can affect the insurance you have purchased for your business. In this article, we’ll look at a few of these, particularly in the context of your cyber insurance policy.
BLT, Hold the Mayo
First, these contracts may require that you add another business to your insurance policy, otherwise known as an “additional insured.” This means that your new partner is able to enjoy coverage under your insurance policy, and at your cost (hint, insurers typically require additional premium for adding insureds to a policy).
Second, these contracts may also require that you hold certain minimum levels, or limits, of coverage. Beware these contracts may have varying minimum limits, which could affect the levels of insurance you purchase in order to stay compliant across all contracts.
Third, your contracts may also require different types of coverage. For example, one vendor may require that you carry commercial general liability and worker’s compensation insurance. Another may require you to carry cyber insurance. Yet another may require commercial auto liability coverage. Make sure you have all appropriate lines of coverage in place in order to stay compliant with your business partners.
Something About Making an Ass of U and Me . . .
In addition to adding businesses to your policy, as well as keeping minimum levels and types of coverage, these agreements may also require you to assume certain liabilities of your new business partners. This is especially true if you sell products online and will be taking confidential customer data and payment card information which could be stolen by bad guys.
To the extent your business partners could be blamed for such an event by their customers, clients or investigators, they may incorporate “tender of defense and indemnification” provisions into the contracts, effectively passing this responsibility to you. More specifically, if they are sued by their customers or clients or are investigated as a result of a cyberattack or data breach involving your system, they may be able to contractually force you to pay their costs of defense such as lawyer fees, settlements and judgments.
But what does this mean, and how does it affect you? Hopefully you have a cyber insurance program in place with first- and third-party coverage for cyberattacks or data breaches. As we discussed back in December, first-party cyber insurance can help with costs for recovering lost or damaged data, notifying customers, credit monitoring services and public relations, as well as lost business income from network interruption. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties. Things can change, however, if those legal defense costs come from your business partner tendering defense or requesting indemnification under the contract.
Cyber insurance policies generally exclude from coverage (i.e., insurers will not pay) liabilities assumed by contract, including those contracts you enter into with vendors and other business partners. Let’s say your company is the victim of cyberattack or data breach occurs and numerous records are compromised. A series of claims, lawsuits and investigations ensues. Several of your vendors wind up being sued and subsequently tender their defense and investigation costs to you under the respective contracts.
Under this scenario, you should be covered to the extent you undertake crisis response measures to minimize reputational harm to you and your vendors as a result of the cyber event. You should also be covered for lawsuits and investigations aimed directly at you. However, you may not be covered to the extent of your vendors’ tender of defense and indemnification costs, since those are assumed liabilities which are excluded under your cyber policy.
Make sure you review your contracts to determine what cyber-related liabilities you are assuming. To the extent possible, negotiate those contract provisions in advance with your business partners. Of course, success on this front may be dependent on bargaining leverage given the relative size of your company compared to your partner. In the alternative, consider having your insurance carrier create carve-outs for these contracts. There may be some additional premium paid, as the insurer will not want to undertake those risks without some cost for doing so. Then take a look at the adequacy of your limits and sub-limits of your full cyber coverage program, given the potentially catastrophic consequences of a cyber event.
Long story short, read and understand the agreements with your business partners, understand the liabilities you are assuming in those contracts, and then assess and react to the effects of those liabilities on your insurance program. As always, we're here to help.
"By failing to prepare, you are preparing to fail." - Benjamin Franklin
It's here. Allianz has released its 2018 Risk Barometer, identifying the top global business risks facing companies according to 1,911 risk experts from 80 countries. Not surprisingly, business interruption/supply chain disruptions, cyber events and natural catastrophes took the top three spots (these were numbers 1, 3 and 4, respectively, in both 2016 and 2017). In order to ring in the new year on the right foot, here are three things you can do internally to minimize your company's exposure to some of these business risks:
1. Develop and implement cross-functional policies and procedures
Consider developing and implementing policies and procedures across your primary and support activities. You can work with cross-functional departments to establish robust controls involving factory performance, regulatory and trade compliance, sales and marketing practices, market corrective actions and recalls, workplace behavior, cyber hygiene, litigation readiness and record retention. Then take the next step of educating your workforce and managers on a regular basis to ensure these tailored best practices are indeed being practiced. For example:
Business interruptions along your supply chain: consider quality, cost, accuracy, delivery and sustainability controls to determine performance of your factories and logistics vendors against certain benchmarks, as well as implementing business continuity procedures in the event one of your factories, suppliers or distributors goes down.
Cyber events: consider implementing enterprise-wide cyber hygiene practices to minimize exposure to cyberattacks and data breaches.
Employment practices: consider developing and implementing an anti-discrimination, bullying and harassment policy, a return to work policy for injured employees to minimize instances of malingering, as well as succession planning procedures in the event of the departure of a manager or executive.
Marketing and sales practices: consider implementing a process where draft print and online materials are first routed cross-functionally to ensure the appropriateness of claims as well as regulatory compliance.
Of course, this is just a small handful of examples, and there may be many others applicable to your particular business.
2. Work with your CFO and Risk Department to determine appropriate risk transfer levels
Your insurance carrier may tell you that it is willing to insure you at a certain level. For example, it may tell you that it will provide $10 million in coverage subject to a $250,000 deductible. That means the insurer’s obligation doesn’t trigger until your company has paid the first $250,000 in losses related to a particular insurable event. In other words, the insurance company is dictating to you what your risk transfer point should be.
Consider instead working with your CFO and Risk Department to determine a transfer point that is more in line with your specific risk appetite and organizational goals. Among other things, determine what percentage impact to financial metrics such as earnings before income tax and depreciation, operating cash flow, or shareholder equity would be considered “material events”. Review your loss history and determine which losses occur with regularity and are predictable (hint, they aren’t really risks if they happen regularly). Then look at losses that could be reasonably likely but expensive to insure, at which point you may have to determine the cost trade-off. Finally, look at catastrophic exposures across your company which you absolutely must insure, unless your company has a riverboat gambler mentality (in which case, may the odds be ever in your favor).
By being proactive in determining your risk appetite and transfer points, you should be better able to understand your risk profile for purposes of business decision-making. Understanding your risk profile, as opposed to blindly transferring all of your risks to an insurer, can put you in a better position to reduce exposure across your business functions. This can also have the added benefit of reducing costs. Using the example above, a financial study of your risk appetite may conclude that a $1 million deductible would be more in line with your specific risk appetite and organizational goals. The premium cost of a $1 million attachment point is much less than one with a $250,000 attachment point.
3. Understand your insurance policies from a big picture perspective
I’m always amazed by the number of companies who do not know what is in their insurance policies and simply hope they are covered in the event something happens. I’ve seen many other companies who have had losses and didn’t realize those losses could have been covered by their policies. In fairness, insurance contracts are often legalese beasts that are decipherable primarily by sophisticated lawyers. You need to make sure the policies you purchase align with your specific business functions and needs. Enlisting counsel to analyze, select and negotiate your insurance program within the framework of your specific operations can be that ounce of prevention worth a metric ton of cure.
I recently worked with a product manufacturer with its primary factory based in the Philippines and suppliers based in two other Asian countries. The company shipped product from the factory to its U.S.-based warehouse via ocean cargo. However, a review of their insurance policy revealed that it only covered events in the United States and territories, as well as Canada. This meant if their factory shut down, they could not recover lost business income resulting from the delayed production. Even if the coverage territory included this factory, there were exclusions for earthquakes, tsunamis, floods and labor/strike issues, effectively eliminating a large number of risks that could occur in the Philippines. Moreover, the policy only covered the company’s “direct suppliers,” which would likely have excluded disruptions at the material suppliers. To top it all off, there was no marine cargo policy in place, so shipments lost at sea (the only way they transported product from the factory to their warehouse) would not be covered.
The importance of having a big picture understanding of your insurance policies cannot be understated. Where are your manufacturing operations, and to what extent does your policy respond to natural disasters and geo-political/labor risks that may arise in such locations? How sophisticated are your supply chain, logistics and distribution networks, and is your business interruption coverage protecting them? Does your cyber insurance policy adequately address the number of electronic data records you are storing, including customer data and credit card information taken as part of direct-to-consumer sales? Do you have cyber-terrorism coverage in place given the rise in state-sponsored cyberattacks? What exclusions could disrupt coverage you expected? Is your policy occurrence-based or claims-made, triggering specific claim notification obligations? Do you have overlapping coverage in more than one policy that could trigger sticky “other insurance” clauses? Again, these are just a handful of questions that should serve as a starting point. There may be many inquiries applicable to your particular business.
It is always important to begin a new fiscal year on the right foot. Taking these three steps should provide sustainable opportunity to navigate the top business risks of 2018 (and beyond) with more confidence. As always, we’re here to help.