Massachusetts Reinsurance Bar Association Thank You To Our Sponsor Breakfast | 8:00 – 8:30 am Massachusetts Reinsurance Bar Association MASSACHUSETTS REINSURANCE BAR ASSOCIATION RESHAPING REINSURANCE Seventh Annual Symposium October 8, 2015 Harvard Club – Back Bay Boston, Massachusetts WELCOME! Massachusetts Reinsurance Bar Association Keynote Address Dr. John Seo Fermat Capital Management LLC Massachusetts Reinsurance Bar Association Understanding InsuranceLinked Securities Steven Morris Senior Reinsurance Counsel, Liberty Mutual Insurance Any views or opinions expressed herein do not necessarily reflect the views of Liberty Mutual Insurance. Overview • What is an ILS? • How do they work? • What makes them different from traditional reinsurance? • What are the key components? o Triggers o Costs – External Service Providers o Reset Options o Loss Mechanics o Redemption / Collateral Release 6 ILS Definitions “Insurance-linked securities (ILS) are products of the rapid development of financial innovation and the process of convergence between the insurance industry and the capital markets.” NAIC “Insurance-linked securities are broadly defined as financial instruments whose values are driven by insurance loss events. Those such instruments that are linked to property losses due to natural catastrophes represent a unique asset class, the return from which is uncorrelated with that of the general financial markets.” Wikipedia “Insurance Linked Securities transfer a specified set of risks (insurance risks) from a sponsor to investors. ILS have payouts linked to insurance losses and it is an effective way for investors to diversify their portfolio since insurance loss has little correlation with the other financial markets (equity, fixed income).” NASDAQ Privileged & Confidential 7 Typical ILS Investor • Large Institutional Investors: e.g. Hedge Funds; Public Pension Funds • Diversified: – Cat Bond investments represent a small percentage of the investor’s overall portfolio – Used essentially as an uncorrelated hedge against traditional equity and bond market losses 8 Types of ILS Options • • • • Cat Bonds Side Cars Collateralized Reinsurers Industry Loss Warranties Privileged & Confidential 9 Basic Cat Bond Structure Ceding Company Sponsor Interest Reinsurance Premiums Reinsurance Claims Liquidation of Assets to Pay Claims SPV Reinsurer Return of Collateral Principal Cash from Sale of Notes Cat Bond Investors Cash from Sale of Notes Collateral Account Trust 10 Basic Sidecar Structure Ceding Company Sponsor Reinsurance Premiums Reinsurance Claims Liquidation of Assets to Pay Claims Debt Investors Sidecar SPV (Reinsurer) Return of Collateral Equity Investors Cash from Sale of Notes/ Equities Collateral Account Trust 11 Cat Bonds v. Traditional Reinsurance • Pricing o Different pricing considerations – investors v. traditional reinsurers o Transaction Costs – need to account for additional transaction costs o Multi-Year Pricing – avoids both positive and negative market fluctuations • Market Capacity – e.g. Florida Hurricane • Diversifying Sources of Capacity 12 Key Components • Costs – External Service Providers • Triggers • Reset Options • Loss Mechanics • Redemption / Collateral Release 13 Costs – External Service Providers • • • • • • Underwriters Lawyers: deal counsel; underwriter’s counsel; offshore counsel; indenture trustee’s counsel; Modeling Firm Modeling Agent Reset Agent Administrator • • • • • • • • • • Directors Indenture Trustee Paying Agent Secured Site Provider Independent Auditor Interest Calculation Agent Claims Reviewer Loss Reserve Specialist Escrow Agent Rating Agencies 14 Types of Triggers 1. Indemnity: Indemnifies ceding company for actual losses on an excess of loss basis; e.g. $100M x $500M 2. Modeled Loss: Indemnifies company if loss exceeds certain modeled loss amounts for specific event 3. Indexed to Industry Loss: Trigger is based on total industry loss, not cedent’s loss 4. Parametric: Trigger based on certain aspects of natural events; e.g. wind speed and radius of storm 5. Parametric Index: Parametric triggers and payments based on location of storm using cedent’s modeled losses for that location 15 Annual Resets • Reset (Attachment Point/Limits/Coupon): o Exposures reviewed annually using Model o Cover is Reset so Premium Aligns with Risk o Services provided by Modeling Firm, Modeling Agent, Reset Agent 16 Reset Options • Fixed Reset: Same Expected Loss to Noteholder; same Attachment Point (adjustment made to Percentage of Layer Reinsured by Bond and to Limit) • Alternative Fixed Reset: Same Expected Loss to Noteholder; same Percentage of Layer Reinsured by Bond; same Limits (adjustment to Attachment Point) • Variable Reset: Same Reinsurance Cover (Attachment Point, Limits and Percentage of Layer Reinsured); adjustment is made to the Noteholder’s Expected Loss through a variable coupon (interest rate change) 17 Fixed Reset Year 1 Reset Year 2 • Same EL (same premium, same coupon) Bond • Same AP Bond Gap in Coverage • Different % and Limits 18 Alternative Fixed Reset Year 1 Reset Year 2 • Same EL (same premium, same coupon) Bond • Same % • Same Limits Bond Gap in Coverage • Different AP 19 Variable Reset Year 1 Reset Year 2 • Different EL (premium adj., coupon adj.) Bond • Same % Bond • Same Limits • Same AP 20 Loss Mechanics Claims Reviewer Event Notice • Reinsurer • Claims Reviewer • Loss Reserve Specialist • Ratings Agency Proof of Loss Claim • Reinsurer • Claims Reviewer • Loss Reserve Specialist Loss Reserve Specialist Loss Payment Calculates loss payment & principal reduction Notice of Loss Payment Calculates Loss Reserves Loss Reserve Certificate • Reinsurer • Trustee • Ceding Company • Ceding Company • Reinsurer • Trustee • Payment Made from Collateral • Interest Payments Reduced Loss Reserves • Interest Payments Reduced • Loss Reserves monetized at end of Extended Redemption Period 21 Redemption / Draw-down Rights • Return of Collateral • What happens when there is an Event with Undeveloped Losses? – Cat Bonds – Liabilities Commuted after Final Extended Redemption Period Ends – Collateralized Reinsurers – “Buffer Factors” Buffer Loss Factor Table Number of Calendar Months Since Date of Loss Occurrence Windstorm Earthquake Other 0 to 6 X% X% X% > 6 to 9 X% X% X% > 9 to 12 X% X% X% > 12 to 15 X% x% X% > 15 to 18 X% X% X% Thereafter 100% 100% 100% 22 Massachusetts Reinsurance Bar Association Thank You To Our Sponsor Morning Break | 10:00 – 10:15 am Massachusetts Reinsurance Bar Association How Alternative Capital is Impacting an Industry Panelists: Judith Klugman | Sean McCarty | Tony Ursano | Swiss Reinsurance Company Ltd. AON Securities Inc. TigerRisk Partners Moderator: Elaine Caprio Caprio Consulting LLC | Massachusetts Reinsurance Bar Association Coverage In The Age Of Data Breaches Panelists: Anna Stafford John Derwin Jessica Park | | | Senior Counsel, Travelers Counsel, Liberty Mutual Sugarman, Rogers, Barshak & Cohen, P.C. Moderator: John Love | Robins Kaplan LLP CyberFirst® A powerful modular approach to offering cyber insurance coverage solutions Technology Errors + Omissions Communications + Media Liability Network + Information Security Liability Expense Reimbursement Why Commercial General Liability Coverage Isn’t Always the Answer – Property damage requires physical damage to, or loss of use of, tangible property; data is not considered tangible property – Property damage to “impaired property” is not covered – Financial loss claims – standard CGL policies require bodily injury, property damage, advertising injury or personal injury to trigger coverage What is Errors and Omissions Liability? • Intended to cover liability for financial injury to a 3rd party arising from: – Failure of the insured’s product or service to function as intended or expected – An error, omission or negligent act • Who needs it? – Any company that provides a product or service that if it should fail may result in financial harm to a third party customer What is Network and Information Security Liability? • Intended to cover financial injury to a 3rd party arising from: – Certain wrongful acts relating to network or information security • Who needs it? – Any company that promises to protect information of others (if even for a short time) – Any company that uses a computer in the course of business Travelers Network and Information Security Liability • Coverage Grant – Failure to prevent the transmission of a computer virus – Failure to provide any authorized user of your web-site or your computer or communications network with access to such website or such computer or communications network – Failure to prevent unauthorized access to, or use of, data containing private or confidential information of others – Failure to provide notification of any actual or potential unauthorized access to, or use of, data containing private or confidential information as required by any security breach notification law that applies to you Travelers Communications and Media Liability • Coverage Grant – Unauthorized use of any advertising material, or any slogan or title, of others in the advertising of the business, premises, products, services, work, or completed work of others – Infringement of copyright, title, slogan, trademark, trade name, trade dress, service mark, or service name in your covered material – Plagiarism or unauthorized use of literary or artistic format, character or performance in your covered material • Covered Material – Any material in any form of expression, including material made known in or with any electronic means of communication, such as the Internet Patent infringement or misappropriation of Trade Secret are not covered What is Expense Reimbursement Coverage? • Intended to cover insured loss associated with: – Certain wrongful acts or first party incidents associated with data breach types of events • Why is it important? – Businesses can incur loss due to attempts to misappropriate or misuse information in their care – Managing these first party expenses is important to mitigate further harm to insured or customers First-Party Expense Reimbursement Coverage Can Include: • Security Breach Notification & Remediation • Crisis Management Services • Business Interruption & Additional Expenses • Extortion • Computer Program & Data Restoration • Computer Fraud • Funds Transfer Fraud • Telecommunications Theft CASE LAW DEVELOPMENTS • Coverage under traditional CGL policies – Coverage B • Coverage under cyber policies Case Law Developments – Traditional CGL Policies • Coverage B – “personal and advertising injury” • Common Themes: – Was there “publication?” – Was the “publication” done by the insured? – Was there violation of a right to privacy? • Exclusions Recall Total • Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014) – No “publication” where computer tapes were taken, but data on the tapes was not accessed – Triggering data breach notification statutes was not a substitute for a “personal injury” The Sony Case • Zurich American Ins. Co. v. Sony Corp. of America, NY Sup. Ct. Index No. 651982/2011 (March 10, 2014 Order). – Found “publication” where hackers “opened the box” and let out private information, but – Not perpetrated by the insured, so no coverage. – Appealed in April 2014; appeal withdrawn / case resolved in April 2015. Urban Outfitters • OneBeacon America Ins. Co. v. Urban Outfitters, Inc., 21 F. Supp. 3d 426 (E.D. Pa. 2014), aff’d, 2015 WL 5333845 (3d Cir. Sept. 15, 2015). – “Publication:” need dissemination to the public at large, not just use by the collector – Right of “privacy”: interest in secrecy, not interest in seclusion (e.g., freedom from junk mail) American Economy Ins. Co. v. Aspen Way Enterprises, Inc. • D. Mont., 1:14-cv-00009 (Sept. 25, 2015 Orders granting summary judgment for insurers) • “Publication:” transmission to “at least a third party,” if not the public-at-large • Recording and Distribution Exclusion applied Metro Brokers, Inc. v. Transportation Ins. Co. • 2013 WL 7117840 (N.D. Ga. 2013), aff’d, 603 Fed. Appx. 833 (March 5, 2015) – First-party claim under Businessowners Property Coverage Form – No coverage under Forgery & Alteration Endorsement for EFT transfers by hackers – “Malicious code” exclusion also applied – use of virus by the hackers Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC • E.D. Va., 1:13-cv-00917 (Aug. 7, 2014 Order) – Insuring agreement: injury arising from “electronic publication of material that . . . discloses information about a person’s private life” or “gives unreasonable publicity to a person’s private life” – District court found: “publication” satisfied where materials were available for viewing online, even if no third party actually accessed them and even though the insured took no affirmative act to place the private information before the public Case Law Developments - Cyber Policies • Published decisions are limited; not all involve cyber-specific issues • Much variability in policy language and underlying facts Columbia Cas. Co. v. Cottage Health System • C.D. Utah, 2:15-cv-03432 (Filed May 7, 2015) – Alleged breach: storage of medical records on system accessible via internet search – Claims-made coverage for “Privacy Injury Claims” – Seeks to apply exclusion: loss arising from insured’s failure to “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance. . . .” Federal Recovery Services • Travelers Prop. Cas. Co. of America v. Federal Recovery Services, Inc., 2015 WL 2201797 (D. Utah May 11, 2015) – “CyberFirst” policy – Technology Errors and Omissions Liability Form – No coverage for allegations that data processor intentionally withheld customer’s data – Policy covered only errors, omissions, or negligence; complaint alleged intentional conduct Universal American Corp. v. National Union Fire Ins. Co. • 25 N.Y.3d 756 (Ct. App. NY June 25, 2015) – “Computer Systems Fraud” rider: “loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer program within, the Insured’s Proprietary Computer System. . . .” – No coverage for fraudulent Medicare claims – fraudulent access to system vs. submission of fraudulent content Doctors Direct Ins., Inc. v. Bochenek • 2015 IL App. (1st) 142919 (Aug. 3, 2015) – Cyber claim endorsement: liability resulting from a “Cyber Claim” for a “Privacy Wrongful Act” – “Privacy wrongful act:” breach of statute “associated with the control and use of personally identifiable financial . . . information” – No coverage for alleged violation of Telephone Consumer Protection Act – not associated with control, use of personal information Massachusetts Reinsurance Bar Association Thank You To Our Sponsor Lunch & Printed Materials | 12:00 – 1:00 pm Massachusetts Reinsurance Bar Association WORKSHOP 2015 Nile.com On-line shopping, Cyber Risk & Reinsurance NILE.COM • World’s second largest on-line retailer • Liability Program – – – – Issued by Captive “Up The River Insurance, Inc.” $1M primary $9M XS of $1M first layer excess $90M XS of $10M second layer excess • Reinsurance – First excess layer - All insured losses excess of $2MBermuda Re (management & control) – Second excess layer – All insured losses excess of $25M – Internet Re Nile.com • Data Breach – Hackers gain access to Nile’s “cloud” – Obtain financial information of “Alpha” members – 10 million members potentially compromised • Claims – Alpha Customers – Breach of privacy – Damaged credit ratings – Fraudulent credit card charges • Claims – Credit Card Companies – Seek to recover cardholder non-payments Massachusetts Reinsurance Bar Association Thank You To Our Sponsor Afternoon Refreshments | 2:45 – 3:00 pm Massachusetts Reinsurance Bar Association A Fresh Perspective on Mediation of Reinsurance Disputes Michael Frantz: Munich Reinsurance America, Inc., Sr. Vice President & Claim Dept. Manager Jeff Kichaven: Jeff Kichaven Commercial Mediation, Principal Mediator Patricia Taylor Fox: American International Group, Deputy General Counsel (Reinsurance) Elaine Caprio: Caprio Consulting LLC, President (Co-Coordinator) Wm. Gerald McElroy, Jr.: Zelle Hofmann Voelbel & Mason LLP, Sr. Partner (Moderator & Co-Coordinator) FACT PATTERN FOR MEDIATION PANEL • The fact pattern for the mediation panel is based on the same facts regarding Nile.com (Nile) and the hacking event utilized during the interactive workshop. There are, however, some variations in the insurance and reinsurance facts. The full fact pattern to be used is set forth below and in the succeeding slides. The portions of the fact pattern which are identical to those used in the interactive workshop are set forth below in red font. • Nile is the world’s second largest online retailer. Nile has a CGL insurance program made up of a primary layer and two excess layers of liability insurance. The CGL coverage is written on typical ISO forms and includes coverage for “personal and advertising injury.” This coverage extends to the injury arising out of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” • Total limits of coverage are $1 million primary, $10 million first layer excess and $100 million second layer excess. Up the River Insurance, Inc. (“Up The River”) issued the primary and excess liability policies. Both excess layers of insurance are reinsured by Internet Re. The reinsurance agreements require “prompt notice of any claim likely to implicate this agreement.” The reinsurance agreements expressly do not cover ECO (extra-contractual obligations) or XPL claims (i.e., claims in excess of the policy limits). FACT PATTERN FOR MEDIATION PANEL • Hackers entered Nile’s data processing cloud and downloaded financial information, including credit card numbers of all of the Nile Alpha Members. Nile Alpha Members pay an additional fee which gives them special deals and free shipping. • There are approximately 10 million Nile Alpha Members worldwide. Nile learns of the security breach and promptly notifies Up the River Insurance of the potential liability exposures. Simultaneously, Nile notifies all of its Alpha members by email and issues a press release alerting the media to the security breach. Within days, Nile starts receiving demands from Alpha members. They fall into three distinct groups: generic claims for breach of privacy, claims for impact to credit ratings, and claims for fraudulent credit card charges. The news media reports that class actions have been filed against Nile for breach of privacy and the unauthorized distribution of confidential information. Within 20 days, credit card companies have submitted claims to Nile following their cardholders’ refusal to honor fraudulent credit card charges made by hackers or those purchasing credit information from hackers. FACT PATTERN FOR MEDIATION PANEL • In response to Up the River’s inquiry, Nile explains that hackers accessed its data processing cloud through the portion of its website that encouraged Nile customers to become Alpha members. The page had a link that was captioned “Find out why so many Nile members are Alphas!” When members click the link, they come to a page that displays the reasons why actual Nile members became Alphas. The information comes directly from the electronic Alpha applications of current members that were linked to the site in a fashion that allowed hackers to open the entire application in the cloud and see the member’s credit card information. Nile.com says the credit card information was effectively “published” on a portion of their website. Therefore, the claims are covered. FACT PATTERN FOR MEDIATION PANEL • In response to Up the River’s inquiries, Nile discloses that it also has a stand-alone Cyber loss policy that provides $5 million in coverage for liabilities arising from malicious third parties who gain access to your electronic system for purposes of obtaining confidential financial information. The Cyber policy contains an “other insurance” provision that says it is excess to all other valid and collectible insurance that covers the same losses. Nile.com said it has not submitted a claim to the Cyber loss carrier because the CGL coverage has not been exhausted. However, at the urging of Up the River, Nile does provide notice to the Cyber loss insurer. • The claimants asserting the four categories of claims described above filed suits against Nile, which tendered the suits to Up the River for defense and indemnity. Up the River delayed sending a response despite follow-up letters from Nile about the suits. Up the River ultimately denied coverage for the suits at issue based on the trial court’s decision in the Sony case that there was no publication within the meaning of “personal and advertising injury” in the CGL policies at issue where hackers (as opposed to the policyholder) made the publication. FACT PATTERN FOR MEDIATION PANEL • Nile settled the four underlying suits for $50 million and allocated the settlement as follows: $1 million CGL, $10 million first layer excess, $3 million Cyber and $36 million second layer excess. Based on this allocation, Nile demanded that Up the River pay $47 million. Nile brought a coverage suit against Up the River when it refused to pay. In the Complaint, Nile sought a determination of Up the River’s coverage obligations with respect to the subject settlement. The complaint also asserted claims of bad faith and non-compliance with the applicable claim-handling statute. • During the pendency of the litigation, Nile produced documentation showing the risk manager’s understanding that the CGL and excess liability policies issued by Up the River did not provide coverage for cyber hacking events of the kind at issue. This was apparently why Nile had purchased a stand alone cyber policy. Based on that documentation and the Sony decision, counsel for Up the River wrote a coverage opinion to Up the River strongly recommending against paying a substantial amount to settle the dispute with Nile. Nonetheless, after acrimonious and prolonged litigation, Up the River reached a settlement with Nile requiring it to pay $40 million -- $7 million less than the amount demanded by Nile. FACT PATTERN FOR MEDIATION PANEL • Up the River ceded $10 million under the first excess policy and $29 million under the second layer excess policy to Internet Re, which denied the claim. Internet Re relied upon the following grounds for denying coverage: (1) There was no coverage for the amount paid by Up the River to resolve the bad faith claims in the underlying litigation; (2) There was no “personal and advertising injury” within the meaning of the subject policies; and (3) Nile should have allocated more of the settlement to the cyber insurance policy since it provided specific coverage with respect to the loss at issue. • Up the River and Internet Re agreed to mediate the subject dispute after negotiations to resolve the dispute failed. In the absence of an amicable resolution, the dispute will be arbitrated. THANK YOU FOR ATTENDING Massachusetts Reinsurance Bar Association SPONSORING FIRMS www.daypitney.com www.lewisbrisbois.com www.srbc.com www.princelobel.com www.robinskaplan.com www.mintz.com www.zelle.com