Middle-Market Acts of Madness
It’s been 15 years since Al-Qaeda terrorists shocked the world and attacked the World Trade Center and the Pentagon. Since then the world has changed. A lot.
Although high-profile venues in large cities such as New York and Washington, D.C., remain on terrorist hit lists, the trend recently has been toward attacks of a smaller scale in locations such as a nightclub in Orlando, Florida, and a community center in San Bernardino, California.
“The events of the last year in San Bernardino and Orlando demonstrate the potency of the terrorist threat, a threat no longer concentrated solely on large urban and iconic locations as it had been in the period immediately following 9/11,” says David Cohen, senior policy and global political risk advisor for Starr Companies. “The terrorist threat that we face today is one that can come to the doorsteps of any town or city in the United States and any location within them.”
“The landscape has changed,” agrees Tarique Nageer, a terrorism specialist with Marsh. “People are still trying to do serious damage to infrastructure and buildings, but most of the recent attacks have been against softer targets where security is less apt to be as strong as for the well-protected buildings. Getting to the softer targets is easier for the bad guys right now.”
Cohen, a former deputy director for operations at the Central Intelligence Agency who led the New York City police department intelligence division under Mayor Michael Bloomberg, says the shift in focus still advances the agenda of global terrorists.
“The global media coverage given to such an event, however small or limited in scope, serves as a megaphone in demonstrating that they can reach into the heart of America,” Cohen says. “Unlike in the past where the threat was concentrated, it is now widely dispersed and can strike any city, locality, any target, hard or soft.”
And while terrorism has increasingly become a global issue, the United States has seen additional violence at home due to urban riots, racial protests and mass shooting incidents in locations ranging from a church in Charleston, South Carolina, to the streets of Ferguson, Missouri; Baltimore, Maryland; and Dallas, Texas.
The workplace is not immune to this threat. Large companies most likely have a full suite of coverages that address all contingencies in the event of an attack, but that might not be the case with midsize companies unaware of their vulnerability or the gaps in their coverage.
Many organizations are assessing their exposure to and coverage for indirect losses and business interruption risks associated with acts of terror, according to a 2016 Marsh Insights report on terrorism.
Filling the Gap
According to the FBI, there were 200 mass shooting incidents between 2000 and 2015, with 60 alone in the three years after the Dec. 15, 2012, shootings at Sandy Hook Elementary School in Newtown, Connecticut. The Marsh terrorism report noted that small-group and so-called “lone wolf” terrorist attacks indicate a shifting tack in terrorism.
Terrorist attacks associated with the variously named Islamic State of Iraq and the Levant (ISIL) are also on the rise worldwide. An August report by the National Consortium for the Study of Terrorism and Responses to Terrorism found there were, on average, 46 ISIL-related terrorist attacks per month worldwide between May and December 2013, but that monthly figure more than doubled in the following two years—to 106 in 2014 and 102 in 2015. The study reported eight ISIL-inspired attacks in the United States between 2013 and 2015.
“What we saw here at Starr is that these perils are actually increasing and a lot of exposed businesses out there did not have the proper coverage in place,” says Reggie Gibbs, an expert in political risk, kidnap for ransom and extortion, and cyber and terror response for Starr Companies. “These are not the big players—the multinational firms or brand names. These companies are in smaller cities. They are middle-market companies across all sectors that probably did not believe they had any need for security coverage [and didn’t] have comprehensive programs to deal with this. Our idea was to fill that gap.”
In April, Starr launched its Cyber and Terror Response policy, which provides first-party property and third-party liability coverage in three separate areas: (1) political violence, riots and civil commotion, and acts of terrorism; (2) workplace violence involving a shooting, be it a disgruntled employee, a spouse/significant other or a politically motivated individual; and (3) cyber liability for companies that suffer any sort of cyber breach. Currently, the policy covers only U.S. domestic risks.
“We are bringing these three perils together in one policy,” Gibbs says. “All of these hazards may be covered in different policies these companies have, but there are gaps. This policy wraps around all those other policies to give clients a worst-case coverage against all those perils. We don’t know of any other insurance company that covers all of these in one product.
“Most of these middle-market companies have what is required of them—the basic property policy, general liability, workers compensation, auto. But in property policies, you are typically going to have an exclusion for political violence or a very narrow definition for political violence. The same thing for terrorism. A lot of property policies exclude terrorism unless you purchase terrorism risk insurance, but TRIA requires events to be certified by the federal government, and that hasn’t happened since 9/11.”
The Terrorism Risk Insurance Act of 2002 (TRIA) created a temporary federal program that provides for a transparent system of shared public and private compensation for certain insured losses resulting from a certified act of terrorism. But because recent terrorist attacks weren’t certified, including those in Orlando, which left 50 people dead including the shooter, in San Bernardino, in which 14 were killed, and the 2013 Boston Marathon bombing that killed three spectators and wounded more than 260 others, they would not be covered even if a policyholder had TRIA coverage.
“In our conversations with brokers, many insureds believe they are covered for any act of terrorism because they have purchased TRIA,” Gibbs says. “If these entities do not have coverage under other policies that pick up non-certified acts of terrorism, they are not covered.”
And costs associated with hate crimes, such as the church shooting that left nine people dead in Charleston, likely fall outside coverage in existing policies as well.
“Most property policies are just first-party coverage,” Gibbs explains. “They cover property damage. But political violence usually is going to be excluded in a standard property policy. If there is some narrow coverage in an underlying property policy, our policy will stand in excess, so the insured would have additional coverage for many things they have in existing policies. Coverages they don’t have, such as third-party liability and business interruption, would be picked up and covered. That’s definitely one of the plusses of our policy.”
Violence is also not covered in typical workers comp policies or is limited to instances of an employee assaulted on the job by a customer or colleague. They typically don’t cover personal conflicts or third-party aggression.
“We found that a lot of insureds are surprised by the fact that workers compensation generally is such a narrow coverage when it comes to workplace violence,” Gibbs says. “Usually when you have stalking or an outright act of assault, it is not going to be between two employees. Our workplace violence coverage also has additional features, such as temporary relocation options, business interruption due to instances of workplace violence, crisis counselors and a loss of life benefit paid in addition to what is mandated by law under workers compensation.”
Cyber Is Growing
The cyber coverage in the policy addresses three separate areas: third-party lawsuits from a network security failure; expenses associated with addressing a data breach or security failure; and cyber extortion if a hacker is able to put ransomware on a company’s network and demands payment to keep information from being compromised.
“The primary focus of this product is to address various types of crises that may occur at a small or midsize company,” says Annamaria Landaverde, national cyber practice leader and professional liability underwriting manager for Starr.
A large company may be able to deal with the fines, lawsuits and expenses of a cyber breach “and be back in business tomorrow,” she says, “but this type of crisis can materially affect small organizations and impair their ability to get back on their feet and recover.”
The extortion coverage is particularly important because incidents involving ransomware are increasingly common even though there has not been much media coverage of this aspect of cyber crime.
“The reason you don’t hear about it more,” she says, “is that when an extortion attempt is made, law enforcement is immediately involved, and generally those extortion amounts are paid and not disclosed to the public. Organizations have to disclose to the public when non-public personal information is compromised, but they are not required to disclose when they are extorted. An organization is going to do everything in its power to avoid disclosure, because they don’t want a repeat of that breach.”
Another trend that contributes to the lack of publicity about ransomware is smaller extortion demands.
“Many hackers are making smaller extortion demands in an effort to keep law enforcement away,” Landaverde says. “If they demand $10,000, the FBI may not spend much time on the case, but if they demand $1 million, the FBI will be knocking on your door. So ransom demands are becoming smaller but much more frequent.”
Randy Hampton, executive vice president and cyber specialist with Axon, a managing general underwriter, agrees that cyber ransom incidents are becoming much more common, with midsize companies increasingly the targets.
“I think we are seeing a lot more cyber ransom incidents where hackers are seizing whole computer systems,” Hampton says. “And they are going to much smaller companies than we have seen in the past. These are not the Targets of the world, but smaller, middle-sized companies. My personal opinion is everybody will be affected by a cyber event—cyber ransom, credit card theft, some form of phishing. All companies will be affected by this somehow.”
Hampton expects policies like Starr’s will eventually be mainstream. But most companies today are not buying them unless brokers are aggressively presenting them. And, he says, a lack of knowledge makes many brokers uncomfortable with the product and more likely to simply suggest errors and omissions protection.
Landaverde and Gibbs say they have found many brokers were not aware of the gaps in coverage offered by traditional policies for cyber crime as well as property, general liability and workers comp.
“This is a brand new product, so we’re in a market education process,” Gibbs says. “We have been spending a lot of time with our broker partners discussing how our policy differs from existing policies. We are focusing on gaps in workplace violence coverage, the difference between TRIA coverage and coverage for non-certified terrorist attacks and other violence, as well as cyber liability coverage.”
He notes a very positive response from brokers, who have helped Starr understand the mindset of business owners while sharing their real-life solutions to crises.