The risky business behind live events

By Denny Jacob for Property Casualty 360

In the U.S., the world’s largest market for live events, revenue from events of all types is expected to show an annual growth rate of 8.8%, resulting in a market volume of $16.7 billion in 2022, according to a report from Take1 Insurance.

When it comes to live events like concerts or sporting events, many consumers still prefer to actually ‘be there’ in the moment. Even as technology advances — particularly with virtual reality (VR) — attendees tend to prefer live experiences for the sense of community and a level of authenticity that VR is unlikely to offer.

Recent incidents in 2017, however, have displayed the nefarious side to such events. From the Fyre Festival — which cost investors $26 million in losses — to the Route 91 Harvest Festival — projected to cost insurers more than $1 billion — live events are one disaster away from economic ruin.

“I think this could be a seminal moment in the insurance world,” says Scott T. Carroll, program director for Take1 Insurance’s entertainment division.

Live events have plenty of exposures

There are three main exposures in the world of live events, according to Matt Helm, contingency practice leader at CFC Underwriting: cancellation, liability and property.

Cancellation is effectively an instance of business interruption and is treated fairly similarly. Cancellations can occur due to adverse weather, performers not arriving and the threat or act of terrorism.

“If there is a threat of terrorism, the first call of action might be to add more security or run an area sweep — with cancellation as a last resort,” says Helm. “The terrorism (act or threat) also might not necessarily be at the event venue, but in the surrounding area and therefore impact whether an event can continue.”

Additionally, Helm says there is “a growing conversation around cyber exposure for live events,” but notes “the industry has yet to really see claims to this effect.”

Some examples of possible targets via cyber attack during live events could be:

  • Electronic wrist bands (with cash and personal details attached);
  • Computer systems going down (meaning tickets can’t be checked, or lighting and display systems not functioning properly); and
  • Transmission is disrupted (meaning performances or sporting events aren’t able to broadcast)

3 ways to mitigate risks

Live-event producers and the vendors and service providers that support them can follow a set of principles to mitigate and minimize the changing array of risks faced by that industry sector.

  1. Assess: Stay alert to the most dangerous challenges facing live-event products today. Compare what’s been taking place with your own situations. For instance, the report notes, a catastrophic fire in 2003 at a nightclub in West Warwick, R.I., uncovered a number of problem areas that other event producers could and did address, including the location, condition and markings of exits.
  2. Implement: A number of resources for live-event safety have emerged in the wake of various disasters. The Event Safety Alliance (ESA) has created guidelines event producers can follow to minimize risk. Its Event Safety Guide is the most widely used set of operational practices currently available in the live-event industry.
  3. Insure: Insurance is the single biggest factor in the aftermath of an adverse incident, thus it ought to be one of the first to be considered ahead of time. But coverage can become tricky, particularly with mass shootings. Companies and individuals who experienced business losses stemming from those events could look to the federal government’s Terrorism Risk Insurance Program Reauthorization Act (assuming they had opted for it in the first place) only if the incident was declared a terrorist act. And even if their losses met that condition, those losses would have to have exceeded a minimum of $5 million in aggregate loss.

Unseen costs

Most of the attention post-disaster has focused on monetary awards resulting from lawsuits and settlements. While unsurprising, they often don’t tell the whole story.

Event production vendors looking to protect themselves must focus on tools of the trade — sound systems, cameras and entire production trucks, among others — because they can be rendered unavailable for periods of time. Until they are either released by authorities or become available to be evaluated and declared total losses, service providers and vendors — as well as the venues themselves — experience a degradation of their ability to generate revenue and absorb the costs of these business interruptions.

The world of live events has changed — much for the better, but dangers still lurk. Risk management around live-event production also must change to ensure that attendees, vendors and venues themselves are safe and secure.

You can read the article on Property Casualty 360 here

Spot Market Purchase Causes Supply Chain Problems

Manufacturers often have a complicated production process involving multiple materials and components incorporated into a finished product. Further issues can arise where the manufacturer’s product is a small component, part of a far more complex product.

Product quality, supply issues, production breakdown and human errors can all cause complications in a supply chain. Not only will this result in delayed production internally, but it will also have a knock-on effect with connected suppliers.

In this product recall case study, we explore how a steel casting manufacturer opted to use the spot market to fill a product shortage but suffered severe consequences as the supplier had not been vetted or verified.

The insured, a privately-owned steel casting manufacturer with a portfolio of standard castings and custom-made products, specialises in carbon steel flanges. This sector of its business has an annual revenue of USD 25,000,000 and makes up 40 percent of the overall company revenue. The flanges are used in consumer products such as automobiles, fridges and HVAC units. The manufacturer has been in operation for 30 years.

The insured was first notified of a problem by its customer, an automotive component manufacturer in Michigan. The component manufacturer had performed some pressure tests on the supplied steel flange and discovered that the steel snapped at very low temperatures (which mimic conditions in Northern Michigan during winter).

The insured had not retained any samples from that production lot and requested that the customer return any stock available so it could investigate the issue with the flange. Due to a logistical mistake, the customer initially sent back rods from a prior production lot, which added on a three-week delay to the investigation. When the correct steel was returned, the insured ran various physical tests which confirmed that it was far more brittle than expected.

Metallurgical analysis then revealed that the carbon composition of the steel was higher than intended, which was the cause of the increased brittleness. The steel casting manufacturer traced the raw material used in that production lot to determine how many days of operation were affected by the faulty produce. This also indicated where the faulty produce would have been used by other companies in the supply chain. The tracing exercise showed that the particular raw material in question was purchased on the spot market after the insured’s usual supplier was not able to fulfil requests over a four-day period. The insured very rarely uses spot markets, but on some occasions it is necessary and is quite common in the industry.

The complaint from the component manufacturer was the only issue raised directly to the insured, and was addressed by shipping replacement steel and a small payment to cover expenses – an overall cost of USD 35,000. However, because the carbon composition of the affected batches was in breach of what most customers considered an agreed acceptable range, the insured decided to notify all of the customers who may have purchased parts made with the substandard steel.

Rather than offer refunds for the faulty steel, which would have topped USD 450,000 and more than depleted the insured’s cash reserves, the insured instead offered to replace the steel. However, given the time delay between the sale and the defect notification, many of its customers had already incorporated the flange into their products and instead claimed for financial compensation from the insured citing the following unexpected costs:

  • Cost of disposed products due to incorporation of faulty flange
  • Costs of removing components which incorporated faulty flanges from in-progress and finished vehicles
  • Credits charged for future purchases
  • Loss of sales, as one customer lost a contract with a large car manufacturer due to this issue
  • Various administration costs

The amount claimed against the insured by its customers totalled USD 3,500,000, and the insured was legally liable for these costs according to their supply contract with the customers, as well as common law (i.e. the insured was negligent).

The insured did not have sufficient cash reserves to satisfy even a third of these claims, especially as they needed to purchase raw materials to continue operating and fulfilling other orders. Additionally, three new customers filed lawsuits and the insured’s in-house lawyer required the help of external counsel who charged USD 450 per hour and required a USD 20,000 retainer.

As a result of the recall, the insured suffered a significant financial and reputational loss, and the viability of the business was under threat due to the impact on cash flow. Luckily, the insured’s product recall policy included an extension for recall event liability, which covered their legal costs for compensation and lawsuits, as well as any sums which they were legally obligated to pay. The purchase of the policy ensured the survival of the business and safeguarded their cash flows, ensuring they could continue purchasing supplies and conducting business as usual.

The companies and circumstances in this case study are fictional, but the scenarios are realistic and reasonable based on our experience.

You can print and share the case study here.

Top Risks Facing Financial Institutions

Financial institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:


Social engineering and funds transfer fraud

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried out by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have greater control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.


Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.


Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the mis-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.


Reputational damage

Predatory banking is only one type of behaviour that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.


Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cutbacks and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete Brexit negotiation – could have an effect elsewhere, including the US, where European headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.


Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

CFC introduces medical billings cover for US healthcare providers

Comprehensive policy provides protection against allegation of healthcare fraud and abuse, includes cyber and privacy cover

London, 12 September 2018 — Specialist insurance provider, CFC, has introduced a new product to its growing suite of healthcare insurance solutions available to US healthcare providers.

Allegations of healthcare fraud and abuse by government entities and private payers are more prevalent than ever before. CFC’s new Medical Billings insurance covers the defense costs of actual or alleged billings fraud as well as expenses arising from an independent audit on billing practices following an allegation of fraud.

Timothy Boyce, US Healthcare Team Leader at CFC, comments: “Since the formation of the False Claims Act, allegations of healthcare fraud and abuse have increased exponentially. Healthcare providers have to navigate a challenging and often confusing set of reimbursement guidelines which has seen the rate of billing errors rise above 30 percent. Our new Medical Billings product has been specifically designed to provide comprehensive protection following billing error allegations by the federal government, private payers or regulatory investigations.”

The policy also offers reimbursement for fines and penalties arising out of a range of medical regulatory violations including HIPAA-related fines and penalties, Stark law, EMTALA and Federal False Claims and Social Security Acts.

Its cyber and privacy insuring clause has been tailored to address the specific cyber exposures faced by healthcare companies and includes specific references to HIPAA and HiTECH legislation, as well as offering a separate section for extortion to address the growing threat of ransomware.

CFC’s Medical Billings product is the latest in its extensive portfolio of healthcare insurance solutions for US companies.

  • Launched last fall, CFC’s ground-breaking eHealth product now insures hundreds of US domiciled companies, offering telemedicine related services to the US military and Veterans Association in more than 70 countries. Providing a blend of medical malpractice, tech E&O and cyber, the policy is designed to eliminate the gaps present in traditional insurance offerings for digital healthcare companies.
  • CFC’s healthcare suite also includes tailored solutions for allied health and medical practitioners working in a wide range of specializations, long term care facility providers, and businesses and individuals working in the health & wellness arena.
  • A leading provider of cyber insurance, CFC launched an expanded version of its standalone cyber policy for US healthcare providers in April.

“We’re constantly reviewing the needs of the healthcare industry, as well as the changing regulatory landscape, to ensure we’re offering valuable, compelling solutions to our US healthcare insureds,” adds Boyce.

For more information, please head to the Medical Billings product page.

Webinar: US Food & Beverage Recall Landscape Update

Yesterday we held a webinar which discussed the Food and Beverage Recall Landscape in the USA. 

The risk landscape for food & beverage manufacturers in the US is changing dramatically – picky millennial consumers are growing less tolerant of allergens and food quality issues, the FDA is making a push for greater efficiency and transparency in its recall process, and an increasing number of retailers and grocery stores are mandating recall insurance for their suppliers.

You can watch the webinar here and download the slides here.

Web-based corporate email compromises rapidly increasing

The CFC Incident Response team has seen a surge in cybercrime against corporate web-based email accounts, like Office 365. Criminals compromise corporate email accounts by reusing credentials from well-known public data breaches to guess employee passwords.

Once they have access, they use these accounts to perpetrate funds transfer fraud and send malicious emails. Recent cyber claims made to CFC indicate that even strong or complex passwords are often not enough to protect employee email accounts from compromise.

Enable Multi-Factor Authentication to Prevent Email Compromise

Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email (for example: a code generated by a mobile app or through an SMS message). Most email systems provide multi-factor authentication and will allow users to establish ‘trusted devices’ to reduce the inconvenience of entering a code every time they log in. CFC encourages all clients to consider implementing multi-factor authentication to improve the security of their web-based email systems.

Additionally, it is critical that IT administrators enable the right logging in the event that your mailbox is compromised as it can help you determine if attackers have compromised your private data. Properly configured, email systems such as Office 365 even allow you to set up alerts in the event certain security conditions are met which can help you quickly catch the attacker.

By default, Office 365 has limited logging of security events, and needs to be manually configured to make the investigation of suspected compromises possible. It is strongly recommended that all of the below stages are completed to enable an effective investigation in the event of an incident.

The three phases are as follows:

  1. The Unified Audit Log search must be turned on (documentation here)
  2. Mailbox Auditing must be enabled for all accounts (documentation here)
  3. Mailbox Owner events must be enabled (PowerShell script available here, API documentation here (look for the -AuditOwner section))
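
The three phases above can be checked and applied in one pass from Exchange Online PowerShell. The script below is an added example, not CFC's or Microsoft's own script; it assumes the ExchangeOnlineManagement module and an Exchange Online administrator role, and the list of owner actions in `$OwnerActions` is an assumed baseline to adjust to your own policy.

```powershell
# Added example: not CFC's or Microsoft's script.
# Assumes the ExchangeOnlineManagement module and an Exchange Online admin role.
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed baseline of mailbox-owner actions to log; adjust to your policy.
    [string[]]$OwnerActions = @(
        'MailboxLogin', 'HardDelete', 'SoftDelete', 'Update', 'Move',
        'MoveToDeletedItems', 'UpdateInboxRules', 'UpdateFolderPermissions'
    )
)

Connect-ExchangeOnline -ShowBanner:$false

# Phase 1: unified audit log search (a tenant-wide setting).
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    if ($PSCmdlet.ShouldProcess('tenant', 'Turn on unified audit log ingestion')) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
}

# Phases 2 and 3: mailbox auditing and owner events, per mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox, SharedMailbox

$changed = foreach ($mbx in $mailboxes) {
    # Owner actions from the baseline that this mailbox does not log yet.
    $missing = @($OwnerActions | Where-Object { $mbx.AuditOwner -notcontains $_ })

    # Nothing to do when auditing is on and every baseline action is logged.
    if ($mbx.AuditEnabled -and $missing.Count -eq 0) { continue }

    $params = @{ Identity = $mbx.UserPrincipalName; AuditEnabled = $true }
    if ($missing.Count -gt 0) {
        # Add only the missing actions so existing settings are preserved.
        $params.AuditOwner = @{ Add = $missing }
    }

    if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName,
            'Enable mailbox auditing and owner events')) {
        Set-Mailbox @params
    }

    # Record what was out of line, for the change log.
    [pscustomobject]@{
        Mailbox         = $mbx.UserPrincipalName
        AuditWasEnabled = $mbx.AuditEnabled
        OwnerAdded      = $missing -join ','
    }
}

# Summary of mailboxes that did not meet the baseline, plus the tenant setting.
$changed | Sort-Object Mailbox | Format-Table -AutoSize
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Running the script with `-WhatIf` first lists the tenant setting and the mailboxes that fall short of the baseline without changing anything.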

Additional Resources:

If you are using Office 365 for your business, you can find more information about enabling multi-factor authentication at no cost from Microsoft’s web site here. In addition, you can find information on how to enable mailbox auditing in Office 365 here. Lastly, Office 365 has a page for assessing how secure your configuration is, called the Secure Score, which is available here.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.

We Write That

We know that businesses come in all shapes and sizes, from global multi-nationals to small independent shops, and the goods and services these companies provide vary just as widely.

CFC provides insurance for companies across hundreds of sectors in over 75 countries, and while many of our clients come from what we’d consider traditional industries, we’re no stranger to the unusual.

Here’s a look at just a few of the interesting, and sometimes unexpected risks we write:

Animal Therapy
Who wouldn’t benefit from an animal cuddle? Animal therapists use animals – like horses, dogs, cats, pigs, and birds – to enhance and complement the benefits of traditional therapy, helping patients reduce anxiety, improve self-esteem and address a variety of medical conditions.

These practitioners provide a form of therapy, so they’re required to buy Errors and Omissions insurance along with General Liability, which we can cover in one policy. Animal therapy businesses will be covered under our Allied Health & Medical product.

Tequila Yoga
Yep, you read that right, tequila and yoga. Need we say more? An unconventional take on a typical yoga class, these businesses will offer a fun tipple before, during or after a workout. We guess they call that hair of the downward dog!

The availability of alcohol changes the nature of this otherwise typical fitness club risk. Many insurers shy away from risks with liquor exposures, but offering alcohol – whether tequila, wine or beer – is becoming more common at health and wellness facilities like spas. We recognize that these risks aren’t a typical liquor exposure, and can include liquor liability when underwriting these accounts.

Equine photography
For horse lovers, capturing the connection between owner and animal through photos can be just as important as capturing their yearly family portrait. These photographers specialize in working with horses to produce one-of-a-kind portraits and action shots.

Photographers like these need to protect themselves from claims arising out of breach of contract and intellectual property infringement. Our Media policy is purpose-built for photographers of any breed to ensure they are protected while capturing that perfect shot!

Free throw, slapshot, and hole-in-one competitions
Whether basketball, hockey or golf, one common tactic to engage eager fans is to offer a lucky spectator the chance to win a large prize (and become a local star) by making a once-in-a-lifetime shot.

We cover the financial costs should there be a particularly talented – or just plain lucky – contestant.

Microblading & Vampire Facials
Innovation abounds in the beauty business. Microblading uses tiny needles in the shape of a blade to apply a semi-permanent tattoo, promising patients better looking brows. Vampire facials (PRP therapy) on the other hand, promise anti-aging benefits by injecting the patient’s own blood back into their face.

Both these and other unique beauty treatments and procedures are often covered under our Health & Wellness product.

For more about CFC’s insurance products or the industries we cover, click here.

Webinar Registration: Backup Breakdown

Join us on Wednesday 29 August as we explore how an engineering firm lost access to all of its data – including technical drawings, prints and complex design specifications – as the result of a cyber incident in this deep dive of our cyber claims case study. 

In this webinar, you’ll learn:

  • How a small engineering firm were impacted by the global WannaCry ransomware attack
  • How their loss was compounded by a failure in their back-ups, resulting in the firm losing 3 years’ worth of data
  • How CFC’s cyber insurance policy helped calculate and cover the financial loss associated with data re-creation

You can read the case study here.

Sign up for the session in your time zone today!

UK | 11am BST | Wednesday 29 August

Canada | 12pm EDT | Wednesday 29 August

US | 12pm EDT | Wednesday 5th September