Our Conversations section features in-depth interviews with leading figures in risk management. Mark Siwik, founder of SandRun Risk, conducts this conversation with Felix Kloman, a longtime student, thought leader, and writer in the field.

Felix is a graduate of Princeton University, 1955 with an AB in History. He is a fellow of the Institute of Risk Management (London), a past director of the Nonprofit Risk Management Center, a past and founding director of the Public Entity Risk Institute, and a charter member of the Society of Risk Analysis. In 1994, he received the most prestigious award that the Risk & Insurance Management Society (RIMS) bestows on an individual: The Harry and Dorothy Goodell Award for outstanding achievement in the field of risk management.

Please share a little bit about your life and journey in the field of risk management.

After two years’ service in the U. S Navy in the Far East, I began work in an insurance brokerage in Philadelphia in 1957 and, almost immediately, read Russell Gallagher’s article on risk management in the Harvard Business Review. Gallagher and other leaders of the day started pushing me toward the idea that simply buying insurance was only one step in preparing for an unknown future, and an expensive one at that!

Gallagher’s ideas so intrigued me that after 13 years of insurance brokerage in Philadelphia and New York, I helped create a small consultancy in Connecticut, Risk Planning Group, focusing on the development of this new idea – that risk management is a much broader and more challenging field than the expertise required to design and sell commercial insurance. In 1984, we merged our small firm, now some 24 people, into Tillinghast (today Willis Towers Perrin) - an international management consulting firm, with which I remained until retirement in 1994.

I started writing about the myriad aspects of risk management in 1974 in Risk Management Reports (its publisher, editor and frequent writer), continuing as its sole writer to 2007, some 33 years. Then, in 2005 I tried to summarize my thinking in a book of essays, Mumpsimus Revisited, followed by another in 2008, The Fantods of Risk. Even today, I remain a student of this idea, sharing insights, criticisms and applause with an informal international group of other “students,” a “risk management group.” Our intent is to look at the evolution of risk management over the past 400 years and explore possible new goals, new standards, new understandings and new tools.

Looking back on your career, what professional values are most important to you and how did these values influence your work?

As a lifelong student of risk management, I have simultaneously been an advocate of the field and a skeptic. My three guiding values are doubt (question everything), curiosity (is there another or better answer?), and constant inquiry. These values led, naturally, to a wide and catholic reading. Who knows where you might stumble on a refreshing new idea?

These guiding values are necessary for learning to change our mind from time to time. For many years, I defined risk management as a discipline for living with the possibility that future events may cause harm. In the early 1990’s, when teaching at the University of St. Gallen, in Switzerland, a graduate student questioned my definition, arguing that outcomes could be more as well as less favorable than expected. The discussion led to an epiphany: I realized that my early insurance training led to an undue focus on possible negative outcomes.

I suppose this bias toward thinking about negative outcomes is that our field pays great attention to negative end results or losses. In fact, the insurance industry has developed over some two-hundred years to deal with these after-the-loss situations. Insurance is a half-way technology because it is an after-the-fact effort to correct our inability to prevent loss.

My student reminded me that it is equally important to explore decisive technologies that can anticipate and influence events for the better. Such technologies focus on continuous improvement, elimination of waste, and conservation of resources. My student also reminded me that we are all teachers in risk management and that we should “teach important things” as reflected in the following passage:

. . . life is best lived ‘with one eye cocked toward Comedy and the other eye skewed toward Tragedy,’ and that ‘out of this feat of balanced observation emerges Humour, not as foolish amusement or an escape from reality, but as a breadth of perception.’ (1)

Our discussion seems consistent with the ideas of the Thomas Friedman, the Pulitzer Prize columnist of the New York Times. Friedman argues that we live at a time when lifelong employment requires lifelong learning. A key to lifelong learning is being radically inclusive in our learning – learning from and with as many relevant people, processes, disciplines, organizations and technologies possible. Do you think Friedman is right and, if so, what are the implications for students of risk management?

Tom Friedman’s term of radical inclusiveness (from Thank You for Being Late, Farrar, Straus & Giroux, 2016) is especially applicable to what we now call “risk management.” The idea of dealing more intelligently with uncertainty, while a natural part of the inquiry of the human brain since Homo sapiens has existed, developed primarily as an offshoot of insurance in the early 1960s. Its focus was the possibility of adverse events, primarily financial, treated naturally only by buying insurance. Internal auditors and accountants later adopted the idea, favoring the importance of the work of auditors. For both segments, the key focus was the response of corporate stockholders. But both groups failed the test of “radical inclusivity.” Few, if any, considered the broader arena of “stakeholders” or even the entire world! That has changed, at least somewhat. The current thinking seems to have moved away from the idea of “risk management” toward consideration of a variety of ways in which we, as individuals, groups, and organizations, can learn to prepare more intelligently for the ever-present possibility of surprise. The results of surprise can vary widely from positive to neutral to negative, in both quantitative and qualitative terms. The idea now seems to be to build both flexibility and resilience.

Is “risk management” both an outmoded and confusing term? Can we “manage” risk? I suspect the best we can do is try to manage ourselves and our organizations, always imperfectly. Does the term “risk” unnecessarily focus us on only negative outcomes? Shouldn’t we also anticipate favorable results? By seeing only the negative, do we miss opportunities? And to whom should we be responsible? Is a focus only on shareholders far too narrow? These questions lead to the idea that the processes for dealing with uncertainty must be a part of every discipline in the organizational structure. No more “silos,” even though these are entirely natural. I prefer the term “castles” and castle in inhabited by people hiding in a defensive structure. “Silos” are merely storage facilities, without human habitation. Radical inclusivity is one way to tear down castles that stifle collaborative and life-long learning.

What do these ideas about life-long learning and radical inclusivity mean for mantras like the one that the role of risk management is to reduce the cost of risk?

The cost-of-risk concept is a good example of the need for life-long-learning. Way back in 1962, Douglas Barlow, a thoughtful Canadian, suggested that insurance buyers out to start a register called “total cost of risk.” This register included self-funded losses, insurance premiums, loss control costs, and related administrative costs, totaled and then compared to revenues, assets and equity. It was an attempt to move away from simply adding up insurance premiums. Many insurance buyers tried it and many of us happily cooperated with organizations such as the Risk & Insurance Management Society (of which Doug was a one-time President) in producing lengthy analyses of numerous American and Canadian companies who willingly shared their cost-of-risk data with us.

Looking back, the idea was inherently flawed because it was not “radically inclusive.” It dealt (really) only with the costs over which the insurance buyer had some control. It paid no attention whatsoever to other financial, political, reputational losses. And, above all, it never recognized that rapid and intelligent responses that cost money could not only erase some losses, but also bring in a stream of new income and profits. And that many situations were actually opportunities.

Measuring total cost of risk also misses the point that risk management should contribute to building and maintaining the confidence of stakeholders in the organization. Trust, the most important asset of any organization, is difficult to measure. It can change momentarily and be radically different from one group of stakeholders to the next. Yet this is and must be the focus of an organization. Trust and confidence come first. Capital assets, earning power, and management credit lines are all secondary.

What three or four books on risk management would you recommend that a business leader be familiar with and why?

To understand, if imperfectly, how we human beings can deal more intelligently with life’s inevitable surprises, we must first begin with our behavior. So, topping my list is Daniel Kahneman’s Thinking, Fast and Slow (2011). But don’t stop with it: follow the latest in behavioral science and economics. Michael Lewis’s The Undoing Project (2016) explains how Amos Tversky and Daniel Kahneman came to their discoveries in psychology, all of which affect how we respond to uncertainty. For the past of “risk management,” read Peter Bernstein’s immortal Against the Gods: The Remarkable Story of Risk (1996) and Nassim Taleb’s The Black Swan (2007). Then to see at first hand all the confusion and unnecessary complexity that have infected the field of risk management, try John Fraser and Betty Simkins’ Enterprise Risk Management (2010). But these are simply the views of a single observer. Look far afield!

This is the first of a three-part series from Hennes Communications on risk management in the age of social media.

How fast is social media at reporting on events – including events that your organization might consider a crisis? Faster than you.

Consider a situation involving a school in Westfield, N.Y., that we stumbled upon. Here’s the first paragraph of a story from the Westfield Republican: 

“Parents need to realize that we will never be able to notify them of an incident before it hits social media,” Ripley Central School District Board of Education President Robert Bentley stated at the board’s regular meeting.

The incident involved a minor school bus mishap with no injuries. What jumped out at us was the board of education president’s brutal honesty in acknowledging a reality of these times:  We will never be able to get you information before you read it on Twitter or Facebook. 

And the board president is probably correct. That means the people you care about the most – your key stakeholders – are more likely than ever to find out something about you – especially if it’s bad – via Facebook, Twitter or some other social media outlet before you can tell them.

Now do you think it’s important from a risk management and crisis communications standpoint to have a strategy and plan for how you’re going to communicate on social media when the bad thing inevitably happens to you?

Kenneth Trump’s job is school security, planning for school emergencies, school crisis consulting and more. His company, National School Safety and Security Services, is based in Cleveland and he’s nationally known. Trump feels the school officials’ pain.

“Social media presents today's school administrators with one of the greatest challenges they face in their leadership roles,” Trump says. “Rumors, misinformation, fake news, school-community politics and critical incidents can all play out in social media. School administrators, who are used to maintaining tight control of their school operations and their communications messaging, are increasingly finding themselves challenged and frustrated in today's social media world.”

The old formula applies in the new social media age: Bad news travels fastest. 

“When a school security incident strikes, school leaders often find themselves playing ‘catch-up’ under the best of circumstances,” Trump says. “Whether it is a critical incident like a school shooting or a controversial forceful intervention with a student by a school police officer, information and misinformation that used to spread in hours and days now spreads in seconds and minutes.”

The fundamentals of effective crisis and risk management also still apply: Plan before the crisis hits.

“While there is typically a gap in time between when social media buzz starts and school leaders officially communicate, strong planning and preparation by school administrators and their communicators can help tighten that messaging gap,” Trump says.

At Hennes, we counsel clients to get involved on social media now – before the crisis. 
 
“Smart school leaders,” Trump says, “can use social media to proactively communicate on school safety with their school community on their many safety, security and emergency preparedness initiatives. By getting out front and communicating about school safety when there is not a crisis in their districts, school leaders can define themselves as the best source for credible information if a security incident does actually occur in their schools.”

Schools may be in a particularly vulnerable position on social media given the investment and interest parents and students have, the many challenges schools can face and the overwhelming presence of social media among students. 

But social media is now front and center for virtually every type of crisis – and must be part of risk management strategies and plans.

Here are some of our basic guidelines for effective risk management using social media before the crisis:

• Know where your audience lives. Are the people who care most about your organization more likely to be on Facebook, Twitter, Instagram, your own website, all of the above? You can’t get to your key stakeholders during a crisis if you don’t know where they are. 
• Secure your accounts. Make sure your social media accounts aren’t subject to being hacked or hijacked.
• Make sure that the people overseeing your digital communications and social media accounts have a direct line to senior leadership. And make sure your board understands your social media operations and strategy. 
• Break down any silos so that the legal team works closely with your communications and marketing teams, particularly the social media communications staffers. 
• Establish social media guidelines. Do your employees understand expectations about what to say and when to say it on your Facebook pages and Twitter feeds? And what about their personal social media outlets?
• Build a following, promote interaction. If your social media followers trust you before the crisis, it’s a lot more likely they’ll trust you during it. 

Social media can be a tremendous asset to anyone concerned about their own or their organization’s reputation. But you must understand it and embrace it. Or take your chances.

This three-part series from Hennes Communications will continue in upcoming editions of the SandRun Risk newsletter. Upcoming chapters will deal with confirmation bias and litigation communications in the age of social media. Portions of these stories appeared previously in the Hennes Communications newsletter. Thom Fladung worked at newspapers for 33 years before joining Hennes. For more on how to effectively communicate amid a crisis or reputation-challenging event, contact Hennes Communications and ask about social media training sessions. ​

Insurance is an important asset. ​Corporate transactions invariably involve insurance.  It could be a contract with certain insurance requirements both in types of insurance and amount of limits, or the valuation of insurance assets as part of a sale or acquisition of a company. No matter what the corporate transaction, there are certain aspects of the insurance asset that should not be ignored.  Here’s just a few to remember:

1. Some insurance policies require the policyholder company to provide the insurance carrier with notice of any corporate transaction that will result in a change in ownership or control.  If a company is contemplating a merger, acquisition or divestiture, it is important that all insurance policies be reviewed to make sure that requirements in the insurance policy are met and determine if the contemplated corporate transaction impacts the coverage in the policies.
2. In an acquisition, the buyer should review all of the seller’s insurance policies, both historic and current.  That review should include the amount of limits, the exhaustion of limits, solvency of the coverage, scope of coverage and policy provisions that may impact the availability of coverage. Historic policies, particularly those written on an occurrence basis, are valuable for providing coverage for long-tail claims.  Similarly, the buyer should thoroughly review the seller’s liabilities, as well as review the seller’s historic and pending claims, and fully understand the seller’s risk profile.  Loss runs should be obtained from either the seller, the seller’s broker and/or the seller’s insurers.  
3. When dealing with an acquisition or divestiture, the buyer and seller should consider purchasing Representation and Warranty insurance to protect themselves from losses resulting from unintentional and unknown breaches of any representations and warranties that the seller provided as a part of the deal.  
4. In an acquisition, buyers should review the seller’s historic insurance policies to determine whether those policies contain anti-assignment provisions.  In most states, insurance policies automatically transfer from the seller to the buyer by operation of law in a state’s merger statute.  However, in a few states (Hawaii and Oregon), consent from an insurance carrier is necessary to transfer a policy.  Also, the buyer should obtain complete copies of all of the seller’s insurance policies and preserve them by scanning and saving them electronically, as well as preserving the originals in a fire-proof cabinet.  
5. In negotiating contracts, one party often asks to be named as an “additional insured” or the other party’s insurance.  Those parties added as an additional insured should review the policies and determine the scope of the coverage available.  
6. With a merger, acquisition or other transaction event, policyholders should consider providing a “Notice of Circumstance” to those insurance carriers whose policies are about to expire.  Policyholders should also consider purchases a “Tail Policy” which is an insurance policy that provides the policyholder with coverage for claims involving wrongful acts that occurred before the transaction, but are not made until several years after the transaction.  

Companies should work closely with their risk manager and their insurance consultants to ensure that they are properly protected in the various corporate transactions at issue. The risk manager and insurance consultants can provide much needed review, analysis and advice regarding the insurance coverage and its impact on the transaction. 

Companies that understand and appreciate the value of insurance in the corporate transaction are better protected in the long run.  

With Brian Hemlock of TCI of NY, Mark and I will have the pleasure of speaking about Lean Risk Management at the annual Lean Management seminar in Savannah.  We'll share the Lean Risk Management journey that our client has been on over the last couple of years.  Please join us and learn how Lean Risk Management can be applied to your company as well.  

​The Verizon 2017 Data Breach Investigation Report is out and the news is grim.  The Report collected data from sixty-five (65) organizations throughout the world and analyzed 42,068 incidents and 1,935 breaches from 84 countries.  The top three industries targeted for cyber breaches are financial services, healthcare and the public sector.  Here are just some of the Report’s highlights:

• Cyberespionage and ransomware attacks are increasing.  There was a 50% increase in ransomware attacks.
• Malware continues to be a problem.  51% of the data breaches involved malware.
• Criminals are still using phishing as a technique to get access to a victim’s computer.  One in 14 users fall victim to a phishing attack.
• Pretexting through emails and phone calls targeting financial departments is on the rise.
• Smaller organizations, those with less than 1000 employees, were 61% of the victims analyzed.
• 62% of breaches involved hacking.
• 81% of hacking-related breaches involved stolen or weak passwords.

​Companies can protect themselves by putting a cyber plan in place.  That cyber plan should include: (1) training employees on how to spot and report questionable emails; (2) promptly patching computers with all security updates and encrypting emails and other data; (3) having and following a back-up plan for all of company data; and (4) putting data loss prevention controls in place to identify and prevent improper transfer of data by employees. 
​
These are just a few recommendations that companies should follow in protecting against cyber breaches.  The Verizon 2017 Data Breach Investigation Report is long, but worth the read by risk managers and consultants advising on cyber breaches.

Companies should develop and maintain a risk management program for addressing their cybersecurity risks.  Besides knowing the federal, state, and local laws and regulations, companies should thoroughly access their own cybersecurity risks through a risk assessment.  The assessment should include: 
 

• Defining the system
• Identifying and classifying critical cyber assets
• Identifying and documenting the electronic security perimeters
• Performing a vulnerability assessment
• Assessing risks to system information and assets
• Selecting security controls
• Monitoring and assessing the effectiveness of controls using pre-defined metrics
• Developing and implementing effective cybersecurity policies
• Determining the level of understanding of employees with respect to cybersecurity and whether training is needed

 
Recently, the American Bar Association Cybersecurity Legal Task Force created a Cybersecurity Checklist.[1] 
Companies that suffer a data breach incur significant costs including but not limited to, forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs.  To protect themselves, companies can purchase a specialty insurance policy referred to as “Cyber” insurance.  Cyber insurance policies can provide coverage for first-party (cyber crime) coverage as well as third-party (cyber liability) coverage.  They can provide coverage for direct loss and legal liability with resulting consequential loss caused by cyber security breaches. Cyber insurance policies are usually claims made and can be very expensive, although the costs have come down as more carriers have entered the market.  Depending on the policy, there is an ability to insure notification costs, credit monitoring and other direct expenses covered if there is a data breach EVEN if there is never a liability claim.  Regulatory fines and penalties are endorsable.  Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance s purchased. 
 
A cyber insurance policy should provide coverage for the following first-party costs[2]:

• Legal and forensic services to determine whether a breach occurred and to assist with regulatory compliance if a breach is verified
• Notification of affected customers and employees
• Electronic information restoration
• Customer credit monitoring and identity protection services
• Crisis management and public relations to educate the company’s customers about the breach;
• Business interruption expenses, such as additional staff, rented or leased equipment, third-party services, and additional labor arising from a coverage claim;
• Public relations firm fees to restore reputation and mitigate damages
• Regulatory fines
• Cyber extortion reimbursement for perils including credible threats to introduce malicious code, pharm and phish customer systems, or corrupt, damage or destroy their computer system.
• Systems failure and administrative error

Similarly, a cyber policy should provide coverage for the following third-party costs[3]: 

• Judgments, settlements or civil awards
• Electronic media liability, including infringement of copyright, domain name, trade name, service mark or slogan
• Potential employee privacy liability as well as network security and privacy liability

 
Even companies that purchase cyber liability policies may end up in a coverage dispute with their insurance carriers.  See Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., No. 2:14-CV-170, 2015 U.S. Dist. LEXIS 62185 (D. Utah 2015) (complaint had to contain allegations of negligence to trigger duty to defend); Doctors Direct Ins., Inc. v. Bochenek; 38 N.E.3d 116 (Ill.Ct.App. 2015) (no coverage under cyber claims endorsement for TCPA or consumer protection claims); Columbia Cas. Co. v. Cottage Health Sys., 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015); and P. F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No., CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. 2016).
 
It is important for companies to carefully analyze their risks and make sure that the cyber policy that they purchase to cover those risks actually provides the coverage needed for the company’s risks.  It is important that companies review the cyber policy wording carefully to make sure that it meets their business needs.  Some policies are better written than others. 
 
 
 


[1]See http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf

[2] See “Department: Technology: Risky Business: Why Lawyers Need to Understand Cyber Insurance for Their Clients”, Shawn Tuma and Katti Smith, 78 Tex. B.J. 854 (December 2015); and “Department: Law Practice Solutions: Everything You Need to Know about Cyber Liability Insurance But Never Knew to Ask”, JoAnn Hathaway, 95 MI B.J. 42 (December 2016).

[3] Id.

Data breaches have resulted in hundreds of millions of data records being illegally accessed.  Home Depot, Target, Michael’s, TJ Maxx, Snapchat, Facebook, Twitter, Sony, Kmart, Apple’s iCloud, First Commonwealth Bank, and P.F. Chang’s are just a few of the companies that have reported a major data breach.  The Russian hacking of the Democratic National Committee during the 2016 Presidential campaign may have impacted the election.  Similarly, DDos (Denial of Service) attacks have targeted banks and other financial service providers.

Companies may receive lawsuits seeking damages as a result of a data breach.  Claims of invasion of privacy, lost or stolen data, loss of use of computers, misappropriation of confidential business information, etc. can cost companies thousands of dollars to defend. Governmental and regulatory actions related to data breaches are also common. When faced with a data breach or an electronic data loss, many companies may look to their commercial general liability (“CGL”) policies and first-party property policies for coverage.  A dispute often arises between the insurance carrier and the policyholder regarding the availability of coverage.[1] 

Sometimes the battle is over whether there is a privacy violation or a publication such that there would be coverage under CGL policies.[2]  See Zurich Am. Ins. Co., v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (2014); Hartford Cas. Ins. Co. v. Corcino & Assoc., 2013 U.S. LEXIS 152836 at *12 (C.D. Cal. Oct. 7, 2013) (the court rejected the insurance carrier’s argument that the personal injury coverage excluded claims for disclosure of personal data of hospital patients, and observed that “medical records have been considered private and confidential for well over 100 years at common law”); Recall Total Info. Mgmt. v. Fed. Ins. Co., 83 A.3d 664 (Conn. App. 2014), aff’d 115 A.3d 458 (Conn. 2015); Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp.3d 765 (E.D. Va. 2014); Pietras v. Sentry Ins. Co., 2007 U.S. Dist. LEXIS 16015 (N.D. Ill. Mar. 6, 2007); Valley Forge Ins. Co. v. Swiderski Elec., Inc., 860 N.E.2d 307 (Ill. 2006); Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007); Park Univ. Enter., Inc. v. Am. Cas. Co., 442 F.3d 1239 (10th Cir. 2006); Columbia Cas. Co v. HIAR Holding, LLC, 411 S.W.3d 258 (Mo. 2013). 

Often the battle is over whether there has been “property damage”.  In many insurance policies “Property Damage” is defined as “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.”[3]  Insurance carriers argue that electronic data is excluded from the definition of tangible property.  See Arch Ins. Co. v. Michaels Stores, Inc., No 12-00786 (N.D. Ill. Feb. 3, 2012).  Many courts find that data does not amount to “tangible property” because computer information lacks physical substance.  See Ward Gen. Servs. Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556-57 (Cal. App. 4 Dist. 2003) (where a computer crash, due at least in large part to human operator error, resulted in data loss, the court held that there was no physical loss or damage.  The court held that data loss was simply a “loss of organized information . . . (such as client names and addresses).  . . .” concluding that such information “cannot be said to have a material existence, be formed of tangible matter, or be perceptible to the sense of touch”).  See also America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89,93-98 (4th Cir. 2003) (the court concluded that “physical magnetic material on the hard drive is tangible”, but concluded that software and data was not tangible); Liberty Corp. Capital Ltd. v. Security Safe Outlet, Inc., 937 F. Supp.2d 891 (E.D. Ky. Mar. 27, 2013); Cincinnati Ins. Co. v. Prof’l Data Servs., Inc. 2003 U.S. Dist. LEXIS 15859 (D. Kan. July 18, 2003); AFLAC, Inc. v. Chubb & Sons, Inc., 581 S.E.2d 317, 319 (Ga. Ct. App. 2003).  But see Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 U.S. Dist. LEXIS 7299, at 6 (D. Ariz. April 18, 2000) (holding that there was physical damage when information stored on random access memory was destroyed); Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. Minn. 2010) (Insurer had duty to defend lawsuit alleging that a virus caused computer to be unusable, even though the insurance policy excluded “software, data, or other information that is in electronic form” from the definition of “tangible property”); NMS Servs., Inc. v. The Hartford, 62 Fed. Appx. 511, 514 (4th Cir. 2003) concurring opinion of Judge Widener; Centennial Ins. Co. v. Applied Health Care Sys. Inc., 710 F.2d 1288 (7th Cir. 1983) (because it was possible that the losses arose from damage to the customer’s tangible property, the duty to defend was triggered); See Southeast Mental Health Ctr., Inc., v. Pacific Ins. Co., 439 F.Supp.2d 831, 837-39 (W.D. Tenn. 2006); Lambrecht & Assoc., Inc. v. State Farm Lloyds, 119 S.W. 3d 16, 25 (Tex. App. 2003); Retail Sys. Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380, slip op. at 3-4 (2d Dist. Ct. N.M. May 24, 2000), rev’d in part on other grounds 46 P.3d 1264 (N.M. Ct. App. 2002).
 
In first-party property policies, there must be “physical loss or damage” to the covered property for coverage to be triggered.  Many first-party property policies contain a broad definition of “Covered Property” that includes all “personal property owned by” the insured.  However, software and data may not constitute “personal property” and as such, may not be covered under the policy.  Several cases have addressed data losses under first-party property policies.  In Ward General Insurance Services, Inc. v. Employers Fire Insurance Co., 114 Cal. App.4th 548 (2003), the insured suffered a computer crash which resulted in a significant loss of electronically stored data.  The insurer denied coverage.  The court found that the loss did not result in “direct physical loss of or damage to” property and that the data stored on a tangible medium was not tangible.  Other courts have found coverage under first-party property policies.  See NMS Servs., Inc. v. The Hartford, 62 Fed. App’x 511 (4th Cir. 2003) (the court found property damage to hacked computers per a business interruption endorsement); Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. 2003) (the court found property damage to hacked computers per a business income endorsement); American Guar. & Liab. Co. v. Ingram Micro, Inc., No. 99-185, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000)(the court found coverage and held that “physical damage” is not restricted to the physical destruction of the computer, but also includes loss of access, loss of use and loss of functionality).

Companies that suffer a data breach incur significant costs including but not limited to, forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs.  To protect themselves, companies can purchase a specialty insurance policy referred to as “Cyber” insurance.  Cyber insurance policies can provide coverage for first-party (cyber crime) coverage as well as third-party (cyber liability) coverage.  They can provide coverage for direct loss and legal liability with resulting consequential loss caused by cyber security breaches. Cyber insurance policies are usually claims made and can be very expensive, although the costs have come down as more carriers have entered the market.  Depending on the policy, there is an ability to insure notification costs, credit monitoring and other direct expenses covered if there is a data breach EVEN if there is never a liability claim.  Regulatory fines and penalties are endorseable.  Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased.  It is important that companies review the policy wording carefully to make sure that it meets their business needs.  Some policies are better written than others. 
           
Cyber breaches can be risky for businesses.  A good risk management plan, along with appropriate insurance, can help businesses successfully maneuver coverage obstacles in the event of a cyber breach.  Cyber policies[4], commercial property policies and CGL policies are just a few of the sources of coverage to evaluate.  Depending upon the circumstances, policyholders should also review their crime policies[5], directors & officers’ liability policies and their errors and omissions or professional liability policies.  Some insurance policies may not include exclusions and other language to limit coverage for cyber breaches.  Should a cyber-breach occur, it is worth reviewing various policies carefully to see what coverage, if any, may be available. 
 
 
 


[1] An excellent article that discusses insurance coverage for cyber attacks is “Viruses, Trojans, and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of the Internet” by Roberta D. Anderson, 49 Tort & Ins. L.J. 529 (Winter, 2014).  See also “Claims Made and Insurance Coverage Available for Losses Arising Out of or Related to Electronic Data”, by Jeffrey S. Price and Justin D. Wear, 51 Tort & Ins. L.J. 51 (Fall, 2015) and “Insurance for Cyber Risks:  A Comprehensive Analysis of the Evolving Exposure, Today’s Litigation and Tomorrow’s Challenges”, by Gregory D. Podolak, 33 Quinnipiac L.Rev. 369 (2015).

[2] The 2007 and later ISO insurance forms contain an exclusion for privacy-related laws. 

[3] The current standard ISO form and other ISO forms since December 1, 2001 specifically exclude “electronic data” from the “property damage” definition.  Sometimes endorsements add the coverage back to the policy.  It is important to review the insurance policy carefully.

[4] Cyber extortion policies are also available on the market.

[5] See Retail Ventures, Inc. v. Nat. Union Fire Ins., 691 F.3d 821 (6th Cir. 2012), where the claim was submitted under a computer fraud rider to a Blanket Crime Policy and the court found that the data breach loss “resulted directly from the hacking, and an exclusion for loss of confidential information did not apply to the loss of customer information; Medidata Solutions, Inc. v. Fed. Ins. Co., Civ. Action, 2016 U.S. Dist. LEXIS 178501 (S.D.N.Y 2016); Bitpay, Inc. v. Mass.Bay Ins. Co., Case No. 1:15-cv-03238 (N.D. Georgia Mar. 17, 2016); Ameriforge Group, Inc. v. Fed.Ins. Co., Case No. 4:16-cv-00377 (S.D. Tex. 2016); Principle Solutions Group, LLC v. Ironshore Indem., Inc.,Case No. 1:15-cv-04130 (N.D. Georgia Aug. 30, 2016); and Taylor & Lieberman v. Fed. Ins. Co., 2015 U.S. Dist. LEXIS 7935 (C.D. Cal. 2015).

What is a policyholder to do when it puts its insurance carriers on notice of a claim, but the insurance carrier does not acknowledge coverage and leaves its policyholder to its own devices to defend and settle the claim, Then ater claims that the policyholder breached the insurance policy by defending and settling the claim without its consent?  In Sanderson v. Ohio Edison Co., 69 Ohio St.3d 582 (1994, the insurance carrier was given notice of the suit, but took the position that coverage was not available under the policies, and refused to defend the suit or participate in any settlement negotiations. The policyholders settled the claim by admitting liability and allowing the court to determine the amount of damages.  The Ohio Supreme Court held “Where an insurer unjustifiably refuses to defend an action, leaving the insureds to fend for themselves, the insureds are at liberty to make a reasonable settlement without prejudice to their rights under the contract.  By abandoning the insureds to their own devices in resolving the suit, the insurer voluntarily forgoes the right to control the litigation and, consequently, will not be heard to complain concerning the resolution of the action in the absence of a showing of fraud, even if liability is conceded by the insureds as a part of settlement negotiations.” Id. at 587. 

Even if the voluntary payments condition applies, whether an insurance carrier is released from its coverage obligations may depend on whether it was prejudiced by the alleged violation.  See, e.g., Ferrando v. Auto-Owners Mut. Ins. Co., 98 Ohio St.3d 186, 781 N.E.2d 927, syllabus (2002) (defenses based on violation of consent-to-settle provisions may be rebutted by proof that the insurance carrier was not prejudiced); Abercrombie & Fitch Co. v. Federal Insurance Co., 370 Fed. Appx. 563 (6th Cir. 2010). 

Insurance carriers often raise the voluntary payment argument to try and defeat coverage for CERCLA claims presented to them by their policyholders.  Most courts that have addressed the voluntary payments issue have found that the severe penalties to be incurred by non-compliance in a CERCLA action renders a policyholder’s “voluntary” participation to be “damages” and not “voluntary” at all. See e.g., SnyderGeneral Corp. v. Century Indem. Co. 113 F.3d 536, 539 (5th Cir. 1997) (Texas law); Hazen Paper Co. v. U.S. Fid & Guar., 555 N.E.2d 576 (Mass. 1990); Farmland Indus., Inc. v. Republic Ins. Co., 941 S.W.2d 505 (Mo. 1997).
​
In Maryland Casualty Co. v. Wausau Chem. Corp., 809 F. Supp. 680 (W.D. Wisc. 1992), the insurance carriers argued that they were not obligated to provide coverage to their policyholder, Wausau Chemical, for response costs pursuant to the 1990 consent decree because the insurance policies at issue contained language that "the insured shall not, except at his own cost, voluntarily make any payment, assume any obligation or incur any expense," and that by agreeing to take remedial measures under the consent decree, Wausau Chemical breached this provision. Wausau Chemical responded that claims by the EPA can hardly be termed "voluntary" because of the consequences that await potentially responsible parties who decline to participate in negotiations and force the EPA to remediate the site itself and sue later to recover costs. These consequences include punitive damages penalties of up to three times the cleanup costs, see 42 U.S.C. §§ 9606(b), 9607(a), and civil penalties of up to $ 25,000 per day, see 42. U.S.C. § 9604(e)(5)(B) (1992). Wausau Chemical argued that the only realistic alternative for a potentially responsible party is to engage in settlement negotiations and agree to perform remedial actions. The court agreed with Wausau Chemical:   

                            The legislative history of CERCLA provides evidence that the stiff penalties for failure
                            to negotiate with EPA were intended to make the primary force behind cleanup
                            efforts voluntary settlements, rather than drawn-out litigation.  See H.R. Rep. No. 253,
                            99th Cong., 2d Sess., pt. 1 at 101 (1985) ("negotiated private party actions are essential
                            to an effective program for cleanup of the nation's hazardous waste sites and it is
                            the intent of this Committee to encourage private party cleanup at all sites"). To hold
                            that such settlements are "voluntary" for purposes of an insurance policy exclusion
                            would frustrate the intent of Congress. . . .

                            In failing to take any affirmative steps to intervene at that point, the insurers could
                            not attempt to exclude coverage now because the agreement was "voluntary." See
                            Broadhead v. Hartford Cas. Ins. Co., 773 F. Supp. 882, 895 (S.D. Miss. 1991)("it is generally
                           recognized that once an insurer denies coverage and liability, the insured has the right
                           to settle with its claimant rather than proceed to trial"); Chemical Applications Co. v. Home
                           Indem., 425 F. Supp. 777, 779 (D. Mass. 1977) ("an insurer who refuses to defend a suit
                           at all may not assert that the insured's reasonable settlement was unauthorized [under a
                           voluntary payment exclusion clause]"). Because the insurers responded to notice of
                           the Potentially Responsible Party letter by expressing their intention to remain
                           uninvolved and deny coverage at all costs, forcing Wausau Chemical to go it alone,
                           they cannot now assert that a cost-saving settlement was voluntary and was excluded
                           under the policy.
Id. at 695-696.   

The primary purpose of policy provisions prohibiting a policyholder from making a voluntary payment, i.e., settling a claim without the insurance company’s consent, is to prevent fraud or collusion between the claimant and the policyholder.  The voluntary payment issue cannot be used as a defense to defeat coverage when a policyholder is required to take action to protect its own interests for many months before its insurance carrier made a decision on coverage.  In CERCLA actions, a policyholder cannot refuse to meet with or work with government environmental protection agencies merely because the insurance carrier has been unable to decide on coverage for several months.  Insurance carriers will be hard pressed to prove fraud and collusion by their policyholder under these circumstances. 

Insurance companies often use the words “tendering” a claim.  They argue that policyholders must “tender a claim” by using exactly the right words in order to obtain coverage under the insurance policies.  Specifically, they argue that until the claim is “tendered,” they do not have a duty to defend the policyholder.  They often define “tender” as notice of the claim against the policyholder, AND being asked by the policyholder to defend it, AND being given the opportunity to take over the control of the policyholder’s defense.
 
Despite the use of the phrase “tendering the claim”, no insurance policy requires that the policyholder “tender” a claim, a suit, or an occurrence.  Insurance policies simply require “notice,” not “tender.”  As one court wrote, the adoption of a “tender” requirement as demanded by the insurance companies would do nothing other than provide a “loophole through which the insurer may escape a lawful contractual obligation.”  Federated Mut. Ins. Co. v. State Farm Mut. Auto Ins. Co., 282 Ill. App.3d 716, 668 N.E.2d 627 (1996)[1].  If insurance carriers wanted to condition performance of their duties under the insurance policy on a requirement of “tender,” they should have included specific language in their insurance policies.  If they did not include “tender” language in their insurance policy, they cannot create a loophole to avoid coverage. 
 
Numerous other courts have held that policyholders do not have to specifically request a defense or indemnity of a claim when they provide notice to their insurance company.[2]  See Cincinnati Companies v. West American Insurance Company, 183 Ill.2d 317 (Ill. 1998)[3]; Employers Ins. of Wausau v. Ehlco Liquidating Trust, 186 Ill.2d 127 (Ill. 1999); 14 COUCH ON INSURANCE 3D ¶200.35 (1999)(“In general, a tender of defense occurs once an insurer has been put on notice of a claim against the insured”); White Mountain Cable Constr. Corp. v. Transamerica Ins. Co., 137 N.H. 478 (1993)(“In order to tender the defense, the insured need only put the insurer on notice of the claim”); Sampson v. Transamerica Ins. Co., 636 P.2d 32,44 (Cal. 1981)( the court rejected Transamerica’s argument that it did not refuse to defend the lawsuit because the insured never demanded a defense as “sheer sophistry”); Towne Realty, Inc. v. Zurich Ins. Co., 201 Wis.2d 260 (1996); New NGC, Inc. v. ACE Am. Ins. Co., 105 F. Supp.3d 552 (W.D. N.C. 2015 (the duty to defend arises when the insurer receives notice of the underlying action); Kraus-Anderson Constr. Co. v. Transp. Ins. Co., 2011 Minn. App. Unpub. LEXIS 324 (Minn. App. 2011)[4]; Cobb v. Empire Fire & Marine Ins. Co., 488 So.2d 349, 350 (La.Ct. App. 1986); Widener Univ. v. Fred S. James & Co., 371 Pa. Super. 79 (1988); Huntsman Advance Materials, LLC v. OneBeacon Am. Ins. Co., 2012 U.S. Dist. LEXIS 19053 (D. Idaho. 2012); Ash Grove Cement Co. v. Liberty Mutual Ins. Co., 2011 U.S. Dist. LEXIS 65755 (D. Or. 2011); One Beacon America Ins. Co. v. Fireman’s Fund Ins. Co., 175 Cal. App.4th 183 (Cal. App.2 Dist. 2009)[5].   In Home Insurance Company v. National Union Fire Insurance Company of Pittsburgh, Pennsylvania, 658 N.W.2d 522, 532 (Minn. 2003), the court reasoned:
 
                     We agree with the supreme courts of Illinois, New Hampshire, and Wisconsin that sound
                     public policy does not support a rule that requires insureds to expressly request a defense
                     in order to trigger the duty to defend.  Three broad reasons support defining “tender” as
                     giving the insurer notice and opportunity to defend a covered lawsuit:  first, it clarifies
                     the duties of the parties early in the litigation; second, it acknowledges the greater
                     knowledge and sophistication of the insurer; and third, it places no significant burden on insurers.

Policyholders who are faced with a failure to “tender” argument from their insurance carrier should push back and object to the argument as one that is not supported by the language in the policy and not supported by a majority of the courts.   


[1] “Such a rule [requiring tender] requires an insured to jump through meaningless hoops towards an absurd end:  telling the insurer something it already knows.  Such a rule injects a degree of gamesmanship into the insurer-insured relationship without providing any valid corresponding benefit.  In fact, the only benefit of such a rule is to create a possibility – where none would otherwise exists- for an insurer to escape an obligation it otherwise owes its insured.”  Id. at 725.  In holding that notice of a claim triggers the duty to defend, the court noted that this rule is the result of a number of considerations: (1) the insurer is usually in a better position than even a sophisticated insured to know the scope of the insurance contract and its duties under it; (2) assurance or protection of the benefits of the insurance contact.  The insurer should not be allowed to evade its responsibilities under the policy where the insurer has actual notice of a claim against its insured; and (3) the state has an interest in having an insured adequately represented in the underlying litigation.” Id. at 726-27. 
[2] Only a few courts have held that the policyholder must tender the defense to the insurance carrier in addition to the carrier having notice.  See Goodstein v. Continental Casualty Company, 509 F.3d 1042, 1056 (9th Cir. 2007) (quoting Unigard Ins. Co. v. Leven, 983 P.2d 1155, 1160 (Wash. App. Ct. 1999); Casualty Indm. Exchange Ins. Co. v. Liberty Nat’l Fire Ins. Co., 902 F. Supp. 1235, 1239 (D. Mont. 1995); Litton Systems, Inc. v. Shaw’s Sales & Serv. Ltd. 119 Ariz. 10 (Ariz. Ct. App. 1978). 
[3] In Cincinnati, the court stated its holding as “where the [policyholder] has not knowingly decided against a [carrier’s] involvement, the [carrier’s] duty to defend is triggered by actual notice of the underlying suit.”  Id. at 329.  The court held actual notice is “notice sufficient to permit the [carrier] to locate and defend the lawsuit.”  Id.  The court further explained that notice sufficient to permit the carrier to locate and defend the lawsuit mans the carrier “must know both that a cause of action has been filed and that the complaint falls within or potentially within the scope of coverage of one of its policies.”  Id. 
[4] “We need not conclude that ‘tender’ is a magic word that is always effective to tender defense.  The district court found that Kraus-Anderson tendered defense to Evanston on a record including the January 2003 letter purportedly tendering defense, the subsequent communication between Champlin and Bishop, Kraus-Anderson’s repeated requests to receive the benefits of its policy, no evidence that Evanston ever specifically asked Kraus-Anderson whether it wanted a defense, and no evidence that Kraus-Anderson ever denied Evanston an opportunity to defend it.  On this record, we cannot conclude that the district court’s finding that Evanston was given an opportunity to defend Kraus-Anderson was clearly erroneous.”  
[5] In One Beacon, the court stated “tender should be defined only as giving the insurer notice and an opportunity to defend.” Id.  The court gave three reasons in support of its definition of tender: (1) it clarifies the duties of the parties early in the litigation; (2) it acknowledges the greater knowledge and sophistication of the insurer; and (3) it places no significant burden on insurers.  Id.  The court explained that once notice is given, “it should be the responsibility of the insurer to contact the insured to determine whether the insurer’s assistance in the suit is required.” Id.  (Internal quotations and citations omitted). “When notified of the insured’s potential liability under the suit, the insurer can simply ask the insured if the insurer’s involvement is desired, thus eliminating any uncertainty on the question.” Id. (Internal quotation and citation omitted). “This also prevents the creation of potential loopholes for insurers, and protects the bargain struck by the parties in the insurance policy. Id. “The insured paid for the insurer’s promise to defend the insured for covered claims, and the insured’s ignorance regarding the language the insured must use to invoke that coverage should not negate the bargain.”  Id.  The California court concluded that once an insured provides its insurer with notice of a claim and an opportunity to defend it, it has tendered the defense.  Id. at 203.