Spot Market Purchase Causes Supply Chain Problems

Manufacturers often have a complicated production process involving multiple materials and components incorporated into a finished product. Further issues can arise where the manufacturer’s product is a small component, part of a far more complex product.

Product quality, supply issues, production breakdown and human errors can all cause complications in a supply chain. Not only will this result in delayed production internally, but it will also have a knock on effect with connected suppliers.

In this product recall case study, we explore how a steel casting manufacturer opted to use the spot market to fill a product shortage but suffered severe consequences as the supplier had not been vetted or verified.

The insured, a privately-owned steel casting manufacturer with a portfolio of standard castings and custom-made products, specialises in carbon steel flanges. This sector of its business has an annual revenue of USD 25,000,000 and makes up 40 percent of the overall company revenue. The flanges are used in consumer products such as automobiles, fridges and HVAC units. The manufacturer has been in operation for 30 years.

FAULTY PRODUCTS DISCOVERED
The insured was first notified of a problem by its customer, an automotive component manufacturer in Michigan. The component manufacturer had performed some pressure tests on the supplied steel flange and discovered that the steel snapped at very low temperatures (which mimic conditions in Northern Michigan during winter).

The insured had not retained any samples from that production lot and requested that the customer return any stock available so it could investigate the issue with the flange. Due to a logistical mistake, the customer initially sent back rods from a prior production lot, which added on a three-week delay to the investigation. When the correct steel was returned, the insured ran various physical tests which confirmed that it was far more brittle than expected.

Metallurgical analysis then revealed that the carbon composition of the steel was higher than intended, which was the cause of the increased brittleness. The steel casting manufacturer traced the raw material used in that production lot to determine how many days of operation are affected with the faulty produce. This also indicates where the faulty produce would have used been by other companies in the supply chain. The tracing exercise showed that the particular raw material in question was purchased on the spot market after the insured’s usual
supplier was not able to fulfil requests over a four day period. The insured very rarely uses spot markets, but on some occasions it is necessary and is quite common in the industry.

The complaint from the component manufacturer was the only issue raised directly to the insured, and was addressed by shipping replacement steel and a small payment to cover expenses – an overall cost of USD 35,000. However, because the carbon composition of the affected batches was in breach of what most customers considered an acceptable range agreed, the insured decided to notify all of the customers who may have purchased parts made with the substandard steel.

ESTIMATING THE LOSS
Rather than offer refunds for the faulty steel, which would have topped USD 450,000 and more than depleted the insured’s cash reserves, the insured instead offered to replace the steel. However, given the time delay between the sale and the defect notification, many of its customers had already incorporated the flange into their products and instead claimed for financial compensation from the insured citing the following unexpected costs:

  • Cost of disposed products due to incorporation of faulty flange
  • Costs of removing components which incorporated
    faulty flanges from in-progress and finished vehicles
  • Credits charged for future purchases
  • Loss of sales, as one customer lost a contract with a
    large car manufacturer due to this issue
  • Various administration costs

The amount claimed against the insured by its customers totalled USD 3,500,000, and the insured was legally liable for these costs according to their supply contract with the customers, as well as common law (i.e. the insured was negligent).

The insured did not have sufficient cash reserves to satisfy even a third of these claims, especially as they needed to purchase raw materials to continue operating and fulfilling other orders. Additionally, three new customers filed lawsuits and the insured’s in-house lawyer required the help of external counsel who charged USD 450 per hour and required a USD 20,000 retainer.

PRODUCT RECALL POLICY AND RECALL EVENT LIABILITY
As a result of the recall, the insured suffered a significant financial and reputational loss, and the viability of the business was under threat due to the impact on cash flow. Luckily, the insured’s product recall policy included an extension for recall event liability, which covered their legal costs for compensation and lawsuits, as well as any sums which they were legally obligated to pay. The purchase of the policy ensured the survival of the business and
safeguarded their cash flows, ensuring they could continue purchasing supplies and conducting business as usual.

The companies and circumstances in this case study are fictional, but the scenarios are realistic and reasonable based on our experience.

You can print and share the case study here.

Cyber claims case study: Software shutdown

Cyber claims case study: Software shutdownThis month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Read the full case study here.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.

Cyber Claims Case Study: Beyond the breach – hospital faces huge operational disruption

Healthcare providers, like any business, are exposed to a range of cyber exposures, including malware attacks, which can have a devastating impact on their operations, especially in relation to system damage and business interruption costs.

In this month’s cyber claims case study we have reviewed a malware attack at a small hospital and how our policy assisted with making the hospital operational again. While many cyber policies exclude physical property and hardware replacement costs, the hospital’s cyber policy from CFC provided cover for these items.

Here are a few key points from the case study:

  • Healthcare organisations have often seen their cyber risk as being primarily about data breaches, but the impact of other cyber events like malware attacks can be just as severe.
  • Any business that relies on computer systems to operate can have a substantial exposure, particularly when it comes to system damage and business interruption costs.
  • Some cyber insurance policies only cover data breaches, but it’s important to also consider operational interruption costs that could be incurred by a destructive malware
    event.

Read the full case study here and look out for our next Cyber Claims Case Study next month

Cyber Claims Case Study: The importance of cover for data re-creation

Cyber risk often touches companies in unexpected ways. In May 2017, an engineering firm learned this when it lost access every last piece of data it held. This included all of the firm’s technical drawings, prints and complex design specifications.

We’ve created a in-depth case study about the event and how our policy helped calculate and cover the financial loss associated with total data re-creation. Here are a few takeaways:

• Even if an organisation is not storing personal data, they are still likely to have cyber exposures.

• Any business that relies on computer systems to generate or store business critical information is vulnerable to cyber risks if they lose or are unable to access their digital files, and purchasing a cyber insurance policy that provides appropriate cover is a key way of managing these risks.

• There is a key difference between data recovery and data re-creation. Lots of cyber policies will only cover the cost to recover data from back-ups, not the cost to re-create data. CFC’s cyber policy provides cover to re-create data from scratch.

Read the full case study by clicking on the link below, and stay tuned for more Cyber Claims Case Studies, now coming to you monthly.

Read the full case study here