Responses to my last message about the need to safeguard against cyber attacks by foreign governments, many of which are printed below, were interesting, and frankly not what I expected. Implicit in some of the responses seems to be the assumption that a cyber attack initiated by a major world power will be similar to the issues we've had with hackers and viruses in the past. However, given the huge investments certain world powers are making in offensive cyber weapon development, the nuisances of the past are likely to pale in comparison with, for example, a cyber attack against the United States by China.

Failure to have safeguards for businesses in place could very well result in a Black Swan event more crippling than the Pearl Harbor surprise attack. I don't intend to be Chicken Little with this, but the risk deserves serious consideration by the risk management community and our government.

Moving to another subject, I am proud to announce a new publication from IRMI: Claims Operations: A Practical Guide. Written by a 30-year claims veteran, this book addresses both fundamental claims handling issues and claims operations. The 450-page book is available in print, on IRMI Online, or on Sage/ReferenceConnect. Find more information on IRMI.com.

Lastly, let me remind you that early-bird registration for the IRMI Construction Risk Conference ends in just 2 days—on August 27. This means that the fee will increase by $100 for everyone, and contractors or project owners who have attended before will lose the 25 percent discount. We've put together an excellent program for you this year. Check out the agenda and speakers or register on IRMI.com.

Thank you for subscribing to IRMI Update.

Have a great day!

Jack

Jack P. Gibson, CPCU, CRIS, ARM
President
International Risk Management Institute, Inc.

IRMI Featured Publication

Make Your Job Easier

Information is the key to success in our challenging industry. You can easily add any IRMI publication to your resource library in either IRMI Online, or Vertafore Sage/ReferenceConnect. Did you know IRMI publishes nine resources just for commercial liability? See a full list of all IRMI references by name or topic, or call IRMI Client Services today at 1–800-827–4242.

Risk Tip

Preserve Coverage Continuity with Claims-Made Policies

For claims-made professional liability policies, there are three dates (beside the policy period) pertinent to determining whether coverage may apply. Failure to properly manage and coordinate these tricky dates will lead to serious gaps in coverage. Following are some general rules of the road that will steer you around these coverage holes.

Retroactive Date: This is the date after which a wrongful act must be committed to be eligible for coverage. Once an insured has coverage in place, the retro date should never become more current. There are only a couple of exceptions to this rule—change of ownership or excessive claims activity such that the insured can only get terms with a current retroactive date.

Pending or Prior Litigation Date: If litigation is filed or pending before this date, the claim will not be eligible for coverage. This date is usually set the first time an insured buys coverage. Any future replacement insurer has the right to advance the date to the first time it covers the insured. However, if you ask the insurer to match the expiring date, it will usually comply. This is an important date to keep an eye on because there may be litigation filed against the insured but not yet served, or there might be "pending litigation" (not a defined term) of which the insured is unaware.

Continuity Date: If the insured knows of a wrongful act or a circumstance likely to arise in a claim prior to this date, the wrongful act or circumstance will not be covered. This can be interpreted as a "knowledge" date. Any time the insured changes insurers, ask that the date match the expiring policy. Some insurers will do so willingly, upon proof of prior coverage and substantiation of the requested date. Others will require loss runs or a no-loss/no-circumstance warranty. If the insured cannot provide a warranty with absolute certainty, it's best not to change insurers.

By: Chris Christian, CIC, RPLU
Vice President/Senior Broker, US Risk Brokers
Nashville

GET PUBLISHED IN IRMI UPDATE: Send us a practical tip (less than 300 words) for identifying and managing risks, buying insurance, managing claims, or filling gaps in insurance coverages. We'll acknowledge your contribution as we did for Chris. Submit an IRMI Update risk tip.

What's New in Your IRMI Library

There Is No Need to Require AI Status on Auto Policies

One of the unnecessary requirements often included in contracts is for one of the parties to add the other to its auto policy as an additional insured (with an exception or two, such as an auto lease). The latest supplement to Contractual Risk Transfer includes a discussion explaining why this contract requirement wastes people's time unnecessarily. It includes a discussion of endorsement CA 20 48 promulgated by Insurance Services Office, Inc. (ISO), to respond to these requirements (some risk professionals call this a "placebo endorsement" for obvious reasons). If you subscribe to Contractual Risk Transfer, be sure to check out this updated discussion: IRMI Online or Sage/ReferenceConnect.

Learn more about Contractual Risk Transfer on IRMI.com if you don't currently subscribe.

For summaries of other new and updated information in your IRMI library, go to What's New on IRMI Online or What's New in Sage/ReferenceConnect.

New Expert Commentary

There are 1,001+ risk management and insurance articles on IRMI.com. Below you'll find summaries of some recent additions with links to the articles.

Property Insurance Captives—A Funding Primer—Don Riggin explains why, when, and how a captive can structure its funding for property risks.
Stress-Free Claims Adjusting—While there is no single panacea for dealing with stress, Elise Farnham offers a variety of techniques that can help.
Impact of Healthcare Legislation on Health Insurance Companies—Jeff Balcombe says to weigh the potential increase in policyholders against the negative effects of the Affordable Care Act.
"Arising Out of": How Strong Is the Connection?—Courts are not consistent in their interpretation of this critical phrase, as Steve Rawls illustrates.

Your View

Cyber Security: Who's in Charge?

In IRMI Update 233, we asked readers for their views on whether defending against cyber attacks by foreign powers or terrorist organizations should be the responsibility of the public, the private sector, or a bit of both. Below are some of the responses we received.

Having researched this exact topic, I believe that it is imperative that the federal government use all of its resources to protect, not only our utilities, but other areas of business defense against "cyber attacks." But I, too, have the concerns about privacy invasion by the government. Therefore, I believe a part of the development of a defense system by the federal government should require that this be a monitoring, assistance, backup system for what other security the utility companies may have. It should have specific controls about the "involvement" of the federal government, including exact guidelines [things that must occur] before the federal officials could become the decision-makers on behalf of the utilities.

If this is left up to the individual utility companies, I believe the various systems will have gaps, weaknesses, lack of coordination, inconsistencies, and we might never have a workable system of defense against outside cyber attacks. [Think SEMCI!]

—Bobbie R. Duke, Producer,
INSURICA Insurance Management Network, Oklahoma City
Jack, you pose an interesting question regarding whether it should be left up to individual companies or the federal government to develop defenses against all forms of cyber attacks. My view is that individual companies would do a better job than the federal government. The past and current performance of the U.S. Postal Service, the FCC, the SEC, the FDA, FEMA and Congress does not inspire confidence that we will be (1.) safer, or (2) more effectively/efficiently protected if we turn 100 percent of the responsibility over to the feds. The federal government has even decided to abandon the space program! Why do we fear, that if left up to the private sector, that perhaps the necessary steps won't be taken? Aren't there plenty of examples where standards are set and must be met and maintained to obtain and maintain a contract to provide goods and services? I wouldn't rule out a public/private partnership in this area. However, I'll trust the private sector to move more quickly and come up with better solutions to cyber threats than the federal government would do on its own.

—Robert A. Sedillo, Owner/Principal Consultant,
Sedillo Risk Services, Redmond, WA
Despite the obvious problems with governmental "interference" in private business, it is likely that only the government has sufficient resources and reach to implement a security program such as this. The problem is that, even the government is not immune—as evidenced by the breaches they themselves have experienced.

—Donna Mercadante, Sr. Vice President,
Bollinger, Inc., Short Hills, NJ
I truly believe they should leave it to the individual companies. We would be willing to accept suggestions, but we can decide what is right for our Company.

—Sheryl G. Cooper, Marketing Account Executive,
HRA Risk Services, LLC, Birmingham, AL
So you think that private companies are incapable of providing the protection they require to stay in business and provide the services for which they are in business and for which they get paid? How absurd. The great advances in technology came from private companies without any prodding from government, and new technology is being created every day. The tragedy is that private companies may not provide the security they need because they were assured that the government would handle that. I wouldn't rely on the government to do anything. In any event, how would you expect the government to create a system to protect everyone when there are literally thousands of different systems out there? Who knows better how to protect my stuff than I do?

—Jan MIller, Vice President,
RCM&D, Baltimore
This one is a tough call. If the government is funding any of the private companies for the exposures that would put them under cyber attack, then by all means, they need to be protected by the government. That being said, where do we draw the line with the government's involvement in the private sector?

The private sector needs to be proactive in protecting itself and those they put at risk by their actions. For what I have seen lately is an increased laziness. We are now placing more and more trust in what "they" say and taking less responsibility for our own interests. We are failing to educate ourselves in many aspects of government and rely on various sources, i.e., media reports to keep us apprised of the day-to-day activities. In my opinion, this needs to stop, and we need to take responsibility for our own actions and protection.

—Jackie Peace, Producer,
North Star Insurance Services, LLC, Seattle
It is one thing for the government to protect the military and the infrastructure of the country, such as the electrical grid, but quite another to have the government in control of all the private electronic networks in the country.

If the government can protect your private IT systems, it can take over your business as well, or shut you down, as by having a "switch" to cut off access to or shut down the Internet.

This is another disturbing move toward real total government control, i.e., totalitarianism.

—Harry N. Kinzy, Attorney,
SettlePou, Dallas
Privacy concerns exist now more than ever in light of the use and scope of the Patriot Act. The Fourth Amendment of the U.S. Constitution protects us from surveillance without probable cause. The Patriot Act has certainly changed the standard for probable cause from narrowly an interest of national security to a broader cause including domestic criminal activity. We must preserve that which protects our personal freemdoms in the Bill of Rights and limit government monitoring specifically to actions that demonstrate a threat to national security. Modern government defense programs are needed, but they should only be allowed to investigate citizens whose actions warrant investigation as a clear threat to national security.

—David Hinkley, Manager,
Hinkley Insurance, LLC, Adams, NE

IRMI Update