archive-com.com » COM » A » ACEGROUPACCESS.COM

Total: 122

  • ACE Group: One of the World’s Largest Multiline Property and Casualty Insurers
    ACE and Chubb are now one: ACE has acquired Chubb, creating a global insurance leader operating under the renowned Chubb name. Risk insight from the Chubb perspective: get the Chubb Perspective on a variety of insurance and reinsurance topics. Ringing in the new: Chubb leadership rings the NYSE opening bell on Tuesday, January 19, 2016, signaling the launch of a new day of trading and a new Chubb. The Chubb Classic, February 8-14, 2016: a stellar field of Champions Tour professionals compete at the TwinEagles Club in Naples, Florida. The New Chubb: Chubb is the world's largest publicly traded property and casualty insurer. With operations in 54 countries, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. Latest News: February 05, 2016, Chubb Global Markets appoints marine team leaders; February 04, 2016, Chubb Announces Leadership Team for ESIS, Inc.; February 04, 2016, Chubb names Continental Europe country presidents. Chubb Limited Reports Legacy ACE Fourth Quarter and Full Year Results: Legacy ACE achieved record full-year P&C combined ratio and underwriting income in 2015. Integration plans are on track, including expense and growth-related initiatives. ACE Completes Acquisition of Chubb, Adopts Chubb Name and Launches New Chubb Brand: ACE Limited has completed its acquisition of Chubb, creating the world's largest publicly traded property and casualty insurance company. ACE has adopted the Chubb name globally and has launched the new Chubb

    Original URL path: http://acegroup.acegroupaccess.com/ (2016-02-13)

  • Chubb Ethics Helpline
    The Chubb Ethics Helpline: Reporting a Violation. The Chubb Ethics Helpline is a free, confidential service you can call 24 hours a day if you have questions or concerns about ethics or integrity at Chubb. We maintain the Chubb Ethics Helpline to make it easy for people inside and outside the company to report violations or potential violations of Integrity First, The Chubb Code of Conduct. If you have information about any actual or potential violations of Integrity First, The Chubb Code of Conduct, or about any actual or planned wrongdoing or unethical behavior involving the company or any of its employees, please call the Chubb Ethics Helpline. To call the Chubb Ethics Helpline: in the United States and Canada, call 1-888-475-8995 toll free; in the European Union, access dialing instructions here; all other non-EU countries, access dialing instructions here. For claims, customer service matters or complaints involving your insurance policy with Chubb, please refer to your policy documentation.

    Original URL path: http://acegroup.acegroupaccess.com/contact-ace/chubb-ethics-helpline.aspx (2016-02-13)

  • Chubb: Risk Management Services is a Property and Casualty Insurance Offering for Businesses
    RISK MANAGEMENT SERVICES: ESIS, Inc. provides a wide range of risk management products and services around the world. ESIS takes a balanced approach that integrates advanced clinical resources and business intelligence to deliver superior results. ESIS services include: workers' compensation, auto and general liability claims management; professional and product liability claims management; global claims management programs in the Americas, Europe and Asia; ESIS Medical Impact(SM) enhanced medical program model; Analytics in Action data analytic approaches; Global RiskAdvantage, our proprietary risk management information system; a Construction Industry practice with experts who are sharply focused on helping reduce claim frequency and construction loss costs; catastrophe claims management; health, safety and environmental consulting; integrated disability management; recovery services. This general product description is informational only. It is neither an offer to sell nor a solicitation to purchase any particular insurance product. Coverages may not be available in all jurisdictions and may be available only through appropriately licensed brokers. Refer to the Licensing Information document for a chart of the jurisdictions in which each Chubb subsidiary is licensed.

    Original URL path: http://acegroup.acegroupaccess.com/for-businesses/property-casualty-insurance/risk-management-services.aspx (2016-02-13)

  • Chubb: Solutions for Large & Multinational Companies is a Property and Casualty Insurance Offering for Businesses
    more transparently and more cost effectively. Led by senior Chubb executives and staffed with professionals at the top of their fields, Chubb Global Accounts brings best-in-class service, dedicated client and claims relationship management, the power of our unique global network, plus our intuitive Chubb Worldview technology together in one integrated package. And we do so in a way that ensures a straightforward and streamlined experience for you at all points.
    Solutions where you are, wherever that may be: We have extensive operations in 54 countries and territories and a network that spans 200 countries, all performing under exacting, measured and published service standards. Combined with our product breadth and financial strength, this means we can help you manage risk anywhere in the world with confidence. In fact, the more complex your exposures, the more valuable our capabilities.
    Enhanced service. Client relationship management: easier for you. Companies and risk managers today face an increasingly complex array of risks. But for organizations that span geographies, those risks are interconnected and magnified. That thought was top of mind when we created Chubb Global Accounts. Our goal is to make managing your insurance program as easy as possible, and we structured the division that way. Our global, multidisciplinary network is dedicated to providing you, your team and your broker with comprehensive support in all areas of your program, at all times. It's a complete approach that spans borders, lines of business and service areas seamlessly. There's nothing easy about managing a global insurance program. We just make it easier for you.
    Claims relationship management: coordinated, real time and responsive. Much of what you'll find in Chubb Global Accounts stems from our ongoing dialogue with clients and their brokers. That's especially true when it comes to claims. Our claims relationship management for multinational companies is now coordinated by senior claims executives at home and abroad. It's staffed by seasoned claims professionals locally and supported by consistent protocols and processes globally. We put the dialogue on claims where it should be: at the heart of the client relationship, throughout the lifecycle of the insurance contract. And when a claim occurs, wherever it occurs, we'll manage it consistently and accurately, and we'll resolve it efficiently.
    Global service: published standards, transparency and accountability. Our Global Accounts service team ensures timely and consistent administration of your program. With leading-edge technology and our expansive network, we manage globally and execute locally. We adhere to demanding performance and delivery standards, so your Chubb experience will always be superior and consistent in terms of quality, accuracy and efficiency.
    Legal and regulatory monitoring: local knowledge drives compliance. In today's ever-changing regulatory climate, your insurance partners simply must understand local rules and customs. Our international, multidisciplinary teams have you covered. With local experts around the world, we stay on top of evolving legal and regulatory conditions in real time, so you can always be aware of the requirements that affect your program.

    Original URL path: http://acegroup.acegroupaccess.com/for-businesses/property-casualty-insurance/solutions-for-large-multinational-companies.aspx (2016-02-13)

  • Excess & Surplus Lines is a Property and Casualty Insurance offering for Businesses from Chubb
    EXCESS & SURPLUS LINES: Chubb offers excess and surplus commercial P&C lines distributed through wholesale brokers around the world. Westchester distributes excess and surplus lines property, casualty, environmental, professional liability and inland marine products in North America. Chubb Global Markets is one of the foremost specialty insurers in the London market. Chubb Global Markets works closely with the London market brokers to offer a comprehensive range of specialty products to local and international clients. Chubb Global Markets products include coverage for aviation, environmental liability, financial lines, property, energy, political risk, trade credit, marine and accident & health. This general product description is informational only. It is neither an offer to sell nor a solicitation to purchase any particular insurance product. Coverages may not

    Original URL path: http://acegroup.acegroupaccess.com/for-businesses/property-casualty-insurance/excess-surplus-lines.aspx (2016-02-13)

  • ACE in the U.S. - A Leading Global Insurance Organization
    Five Benefits of Cloud Computing Reduced Infrastructure Costs Computing power is provided to cloud subscribers for a fraction of what it would cost to produce on their own And like the electric grid few companies can afford the computing capacity that a cloud provider practicing economies of scale can offer So the cloud eliminates the need to invest in standalone servers and software that are capital intensive but not in use a majority of the time It is important for risk managers to recognize that in the not too distant future a majority of companies both large and small will utilize the cloud for some aspect of their business The cloud can also help eliminate or reduce such overhead costs as management IT personnel data storage real estate bandwidth and power It is important to note that cost saving can vary depending on the deployment and delivery model selected For example infrastructure savings are generally greater when leveraging public cloud implementations as opposed to private cloud implementations Another cost savings occurs in the area of upgrades As computing resources become obsolete they must be replaced in order to ensure operational efficiency Additional cost savings occur through cloud providers absorbing the expenses associated with software upgrades hardware upgrades and the replacement of obsolete network and security devices Maintaining a computing infrastructure requires repetitive capital investment as the cycle of obsolescence repeats itself and does so essentially forever The cloud can reduce the costs associated with obsolescence by transferring some of those costs to the cloud provider Capacity Scalability and Speed Three additional key benefits of the cloud lie in its ability to deploy capacity scalability and speed A cloud subscriber no longer has to purchase more computing capacity than is needed at any given time since the cloud is exponentially scalable One example of this can be found in the retail industry At the start of the 
holiday season in 2013 online traffic for retailers increased 200 percent in desktop use and 400 percent in mobile use 3 Maintaining this level of computing capacity year long is both expensive and wasteful In fact the excess capacity that Amazon experienced once it had developed its own cloud network was a large reason they became a cloud provider themselves 4 Cloud computing enables businesses to ramp up their capacity during peak times then ramp back down to appropriate levels during the year Like the utility of electricity the cloud can stretch or shrink according to the varying needs of individual subscribers And by leveraging the cloud enterprises no longer have to invest time in the purchase and set up of hardware software and other resources required for an expansion of existing services or the development of new services With the availability of on demand cloud resources new configurations can be up and running within hours This is particularly valuable because innovation regardless of the size of the enterprise springs from constant experimentation and the ability to try out new ideas Cloud resources provide the means to innovate without extreme investments in computing technology They also provide the freedom to expand existing services without the fear of either wasting resources with overcapacity or having insufficient capacity to meet business requirements Security and Backup Public cloud computing is built on a backbone of data security in combination with geographic redundancy for maximum availability To ensure both cloud providers invest heavily in physical as well as data security Most enterprises would be hard pressed to reproduce the physical organizational and technical security teams employed by major cloud providers And most enterprises would not be able to install security teams at multiple locations in order to provide redundancy In fact many enterprises first foray into cloud computing was to leverage cloud storage through data replication 
or encrypted backup solutions Because of the numerous data centers and high availability technology that cloud providers maintain they are able to provide these services far better than a single enterprise Availability Geography and Mobility A major driver of cloud usage is its ubiquitous availability Cloud technology offers access via the Internet to anything stored in the cloud at any time and from any location in other words anything at anytime anywhere Consumer applications like Dropbox and iCloud are good examples of how useful and popular always on and always available applications have become Customer Relationship Management CRM software applications like Salesforce and Microsoft CRM further illustrate how leveraging the cloud in this case through mobile technology can greatly benefit organizations SaaS applications like these have become vital to sales representatives and in a relatively short time Regulatory Compliance Another major enterprise benefit of the public cloud is the fact that many of the security requirements of regulatory compliance frameworks are normal attributes for cloud providers For instance data backups along with power redundancy system testing network monitoring and penetration testing are all standard operations for cloud providers And many cloud providers have offerings that assist customers in meeting regulatory or industry requirements such as the Payment Card Industry Data Security Standard PCI DSS or the Health Insurance Portability and Accountability Act HIPAA Hidden Benefits In a competitive global economy the market advantage goes to organizations with strong technical leadership those that are leveraging the latest technology resources But there are two additional cloud benefits that most overlook The first is that when an enterprise migrates its resources to the cloud this frees their IT executives time to focus on growing the business by thinking and acting strategically instead of being saddled with the day to day 
oversight of in house technology maintenance 5 The second benefit is that while migrating data systems is one of the most challenging aspects of a corporate merger cloud based systems make that migration much easier and less time consuming BYOD Bring Your Own Device to Work Bring Your Own Device or BYOD refers to the cost effective and employee friendly policies some companies have adopted allowing employees to bring their own smartphones tablets and laptops to work then use them to access privileged company information and applications There are good reasons why a company would permit this Electronic devices personally owned by employees are often newer and more advanced than the equipment deployed by IT departments And companies can save money by no longer having to buy and license second or third devices for their employees for example smartphones in addition to desktop computers or smartphones and laptops in addition to desktops Of course companies should consider the risk implications of allowing access to corporate data via employees personal devices devices over which the company exercises little or no control Here are five specific risks that should be addressed prior to rolling out a BYOD policy 18 Unknown Third Party Access via Mobile Apps When employees download mobile apps for their personal use they also allow unregulated third party access to any corporate information stored on their devices These mobile apps may be pre infected with malware that can exfiltrate sensitive company information from their devices Lack of Monitoring Companies will want to have as much control over BYOD devices as possible including capturing data leakage and usage This results in a constant tension between employee privacy and the company s risk containment measures logging and monitoring data in use and data in transit Device Management This employee company tension is especially clear with regard to device management policies These policies might range from limiting 
which devices are supported to determining whether or not BYOD devices will be subject to a device management program to requiring pass words and additional security are needed Companies may also determine the need to use remote wipe capabilities where a single incorrect login could mean that all of an employee s personal data not just company data is instantly erased Data Management and Compliance Companies subject to compliance obligations may find it not only difficult to convince auditors that their data is adequately protected but also difficult to provide validation with evidence As a result information security teams will need a documented list of data management policies along with a list of third parties and their data storing devices Merging Personal and Company Time Employees relying on their own devices at work tend to access their personal email and applications more readily thus increasing the likeli hood of engaging in personal activities on company time Part III What are the Risks of Cloud Computing We ve looked at the groundbreaking changes that cloud computing makes possible along with the substantial benefits it offers business so now we ll turn to the risks of this new technology By way of illustration smartphones that allow us to access email send text messages access Facebook and surf the Internet all cloud computing functions have become virtual extensions of ourselves In our personal and work lives they let us perform in seconds a whole range of tasks that used to require far more time and physical effort But when a smartphone is lost or stolen we lose not just a telephone but also an essential key to every area of our lives our portal to the world that is available to us online That said accessing Amazon with your smartphone wouldn t if there were an interruption of service yield the same consequences for you that it would for a company relying on the cloud to access its data and keep it safe For you it would be an annoyance and an 
inconvenience For a company a cloud outage or data breach would be a disaster the cost to business could be considerable As a result being aware of all the potential risks and practicing due diligence when hiring cloud providers are steps that are more than recommended they are essential Top Five Risks of Working with Cloud Service Providers Contracts One of the most significant yet frequently overlooked risks of cloud computing lies in the cloud biased contracts offered by cloud providers Risk managers have historically worked with their legal departments to negotiate service provider contract terms to be less vendor friendly and to mitigate any losses caused by service providers by holding the providers financially responsible But cloud providers haven t been willing to offer the usual indemnification limitations of liability or other terms particularly pertaining to privacy and data security There are a number of reasons cloud providers cite but the most prevalent are that these additional duties and obligations threaten the lower price model for cloud computing and since cloud providers don t know what their data subscribers are storing on the cloud they can t be held liable for segregating and securing subscriber data Regardless of the reason many cloud providers are not only unwilling to take the financial risk contractually they transfer that risk back to their subscribers Being aware of all the potential risks and practicing due diligence when hiring cloud providers are steps that are more than recommended they are essential Unfavorable terms in cloud agreements may increase the risk for customers Key definitions including for example the definition of security incident may not be broad enough to trigger appropriate incident response obligations and address a customer s regulatory requirements Most cloud providers will also push back when customers attempt to contractually require specific security measures or even more general reasonable security standards 
Customers may also want to contractually limit the subcontractors and sub cloud providers that a cloud vendor utilizes to store or process the customer s data Without these limitations a customer may find that its data is two or three steps removed from the primary cloud vendor The failure to negotiate robust incident response and security and forensic assessment rights can also pose risk In this context cloud providers should be viewed as an extension of the customer s IT environment and customers should attempt to obtain as much control as possible contractually If a cloud provider suffers a breach that impacts the customer s information but that provider does not have a contractual duty to provide notice of the breach remediate and cooperate then the customer may not be able to reduce its legal risk and comply with regulatory obligations Finally without significant bargaining power or competitive leverage it is very difficult to get cloud providers to agree to indemnification and unlimited liability for privacy and data breaches Cloud provider contracts typically start with a limitation of liability both a monetary limit and consequential damages disclaimer that is often inadequate to cover a customer s potential losses in the wake of the cloud provider s data breach Without adequate contractual recourse customers can find themselves being hit with the full liability of a data breach that technically was not their fault Loss of Control Another significant risk that cloud computing presents is a general loss of control over data transferred to the cloud and network availability outsourced to the cloud For instance in a more traditional IT setting organizations have the ability to assess and adjust their systems so they are compliant with applicable regulations and standards For instance an organization sending data to a cloud provider located in a member country of the European Union EU must follow the requirements of the EU Data Protection Directive 95 46 EC 6 
But an organization can be deemed noncompliant if their data was transferred to a jurisdiction that violates that rule And since many cloud providers use data warehouses located in multiple jurisdictions compliance represents an increased risk Further the ever changing regulatory landscape itself increases the risk of violation 7 Recent events at the National Security Agency NSA and concerns abroad about U S technology companies housing non U S resident data have only amplified that potential risk 8 Another control risk amplified in the cloud is data forensics Should a breach occur on a system it is important to forensically determine what data may have been compromised but the cloud presents a number of challenges for that effort First the cloud provider may limit access or simply not allow your forensic examiners into the cloud environment Second in a public cloud your data may be intermingled with data from other companies making it difficult to do a simple investigation Third this could result in additional legal challenges in accessing the data as your data may be shared with an organization or organizations that restrict third party access A key to limiting legal and operational risk associated with cloud provider data breaches is the customer s ability to independently conduct a forensic investigation of the incident which typically includes taking an image of potentially compromised computers Additional loss of control concerns within the cloud can include In a cloud environment you don t get to choose your neighbors a factor that can impact both your risk and your productivity For example if your data is stored in the same infrastructure as a retailer you can experience the same issues they do during the holiday season even if it has nothing to do with your core business 9 As outages by cloud providers are becoming more common an organization relying upon a cloud provider to access the critical data that operates its network may lose considerable control 
should their cloud provider experience an outage Many SaaS cloud providers lack the technology to operate their cloud environment instead they outsource their infrastructure to a third party IaaS cloud provider This provider of the provider arrangement can make it difficult to keep track of regulatory compliance requirements data incident reporting contractual liability and the list goes on Aggregation Risk A frequently highlighted benefit of cloud computing is the increased security level it provides and for most companies this is a valid benefit However just as most companies choose to deposit their money in large banks because of the security they offer doing so also increases the risk of more sophisticated criminal attacks since the aggregated wealth of a large bank is far greater than the individual wealth of a single company Criminals have access to highly skilled professionals funding and the patience to organize well devised attacks George Clooney and Brad Pitt depict this type of collaboration well in the movie Ocean s Eleven where they join together to take down three casinos The world of cyber crime is no different as advanced attacks often referred to as Advanced Persistent Threat APT attacks against large highly sophisticated technology companies and other institutions continue to increase The cloud creates a new aggregation exposure that organizations have never faced before At the same time aggregation risk is another reason why cloud providers are reluctant to offer more favorable contracts to their subscribers Cost The most common benefit that organizations highlight for their adoption of cloud computing is the reduction in technology costs and no one can dispute the up front savings the cloud offers organizations Potentially though there are a number of hidden costs with cloud computing that many may not have considered For example what are the costs associated with transferring your data and network to another cloud provider Once a company s data 
resides on the cloud it becomes increasingly reliant on its provider cloud providers know this and could easily make moving to another provider difficult Another benefit of the cloud that actually contains a hidden cost lies in the area of regulatory compliance While many cloud providers deservedly tout their compliance with certain standards as a key benefit and a potential costs savings there is the easily overlooked responsibility and related cost of conducting vendor due diligence since most regulations and standards hold the organization responsible for their vendor s malfeasance or non compliance So while you may outsource your data or network to a third party you can never outsource your risk or liability Many organizations have also found that subscribing to one cloud is not enough And here s why services provided through a cloud provider involve connections over the Internet which is subjected to periodic congestion and outages Cloud services can also be degraded by malicious attacks on it or on an upstream supplier One way for organizations to lessen these risks is through the service redundancy provided by contracting with multiple cloud providers 10 Finally each risk identified earlier under Loss of Control most notably data forensics can also contribute to an increased cost for the cloud Other costs that need to be considered include further legal expenditures and tax implications as well as audit and oversight Data Security Data security is a key benefit that many cloud providers rightly cite as part of their marketing efforts since data security can benefit many companies not able to invest significant resources in securing their own data and systems However as just mentioned outsourcing all your data to a single provider also creates aggregation risk And what many organizations unfortunately fail to recognize is it s their responsibility to secure their data before sending it to the cloud as cloud providers generally will not guarantee the security 
of data stored in their cloud In fact as also mentioned earlier under Contracts most cloud providers will limit their contractual exposure entirely Equally important is the fact that most statutes and regulations hold the data owner typically the organization with a direct relationship with an individual s personal information responsible for any breach or mismanagement of that data See sidebar opposite Big Data Big Data Analytics Finally as the use of Big Data and data analytics continues to grow so does the value of the personal information that organizations store in the cloud At the same time the definition of what constitutes personal information or other unique identifiers also continues to expand This is important for organizations that are storing Personally Identifiable Information PII on the cloud to note now because what might not be considered PII today may be five or ten years from now For example earlier this year California expanded the definition of personal information in its breach notification statute to include a user name or email address in combination with a password or security question and answer that would permit access to an online account 11 As a result when that data isn t properly secured today it could expose the organization when new statutes or regulations require the protection of such things as zip codes device IDs and so forth But it s important to keep in mind that it is the combination of all these elements that could potentially result in greater risk Part IV Making Cloud Computing Work for your Company Balancing the Benefits and Risks of the Cloud When organizations decide to migrate data to the cloud they usually focus on the dazzling benefits Value can be realized through reduced costs the ability to access data from anywhere being able to redirect IT staff away from daily nuts and bolts tasks to mission critical initiatives and much more Alas every cloud benefit has an accompanying cloud risk Too often organizations 
overlook or ignore those risks by failing to consult risk management professionals before moving ahead. [Sidebar: Big Data & Big Data Analytics. Big Data refers to data sets that are too large for typical business database software tools to capture, store, manage, and analyze. Cloud providers offer cost-effective, scalable solutions for enterprises interested in developing Big Data analytics programs to provide improved customer service, better business opportunities, or detect fraud. Even large banks and healthcare systems find that developing such programs is impossible in-house, both because of infrastructure limitations and because limited budgets can't meet the resource costs needed up front for Big Data analytics. So the cloud plays a significant role in the development, deployment, and optimization of Big Data applications. Here are a few examples of Big Data in action:[19] Insurer United Healthcare leverages Big Data to detect potential cases of medical fraud and identity theft. It does so by looking at speech-to-text call center data to mine potential attrition candidates, those who don't sound like happy clients, and propose remedies. Intermountain Healthcare, a Utah-based system of 22 hospitals, 185 health groups, and an affiliated insurer, leverages Big Data analytics with outcomes analyses of more than 90 million electronic health records. They study the relationship between treatments and outcomes, hoping to improve existing medications and develop new ones. Morgan Stanley leverages Hadoop to implement the Big Data analytics they use to analyze customer financial goals and provide better investment opportunities, while also providing improved web and database log analysis for their IT division.] An organization about to send its precious data to the cloud needs to use the same level of due diligence that it would when constructing a building in an earthquake zone. That analogy is apt because there are many risks and control issues that need consideration if an organization wishes to mitigate as
many pitfalls as possible. We don't have room to discuss all of them here, but we'll look at the core areas deserving of careful consideration by any enterprise contemplating a cloud migration: privacy by design and culture; shared security and related responsibilities; control and liability; and due diligence and vendor management programs. Privacy by Design and Culture: Privacy has become an essential human right protected by laws, statutes, and regulations throughout the world. Migration into the cloud environment should be an extension of privacy by design principles[12] already in use, since organizations should incorporate privacy requirements during their development of new systems, products, and services. Many, in fact, are asking their Chief Privacy Officer (CPO) or Chief Information Security Officer (CISO) to perform a Privacy Impact Assessment,[13] a process which helps identify and reduce the privacy risks of products and services under development. In the same vein, organizations should choose the data and applications that, when migrated to the cloud, will increase their efficiency and connectivity. But while making those choices, they should use data classification to identify, organize, and secure all sensitive data prior to actually migrating data and applications into the cloud. It may also be prudent to start with data and applications that pose a low privacy and data security risk and are not business critical before moving to higher privacy risk applications, especially those that touch highly sensitive private information. For example, only 21 percent of ACE's Professional Risk policyholders are storing sensitive records on the cloud, and when they do, the vast majority are encrypting that data. These precautions are all the more important because technology companies tend to capitalize on new capabilities as soon as they are available and only address privacy and security issues once a regulation demands the installation of controls. This is obviously a risk-filled situation.
Implementing privacy by design into the organization does more than benefit the products and services of the organization. It also has a tremendous influence on the culture of its employees. There is no better tool for managing risk than the people that support the processes and technologies that have been implemented. For example, another segment of cloud services that employees are utilizing are personal cloud storage services such as Google Drive, Dropbox, or iCloud. Sometimes referred to as Bring Your Own Cloud (BYOC),[14] these services are often used by employees to store, share, and collaborate on documents on the cloud, making it easier for them to work on documents from work and personal devices. An organization that has properly embedded privacy and security by design principles into its culture will have privacy-conscious employees that are far less likely to place sensitive data at risk into such services. Shared Security and Related Responsibilities: Risk managers need to keep in mind the fact that data privacy and security responsibilities begin within their own organization before continuing into the cloud. Vital security controls can be overlooked if the allocation of security responsibilities between the organization and the cloud provider isn't fully understood. Think of the security responsibilities divided between an office space tenant and an office building landlord as analogous to those of an organization and a cloud provider. To allocate responsibilities correctly, risk managers should: Understand the type of cloud service being utilized, as security responsibilities will vary depending upon whether it is SaaS, Platform as a Service (PaaS), or IaaS. Ensure that the organization has mapped its security capabilities as well as its current responsibilities. For example, healthcare organizations will need to map HIPAA requirements, while all organizations that process credit card payments will need to map their PCI (Payment Card Industry) requirements. Outline the security
controls available on the cloud platform they intend to use. This is particularly important, as it will be very difficult to assess the risks of moving to the cloud if a cloud provider under consideration isn't fully transparent about their security and privacy capabilities. Clearly identify which security responsibilities will transfer to the cloud provider and which responsibilities will remain with the organization. For example, if your organization has traditionally conducted penetration testing or data encryption, will those responsibilities become your cloud provider's, your continued responsibility, or a shared responsibility? Geographic redundancy is often touted as a strong security benefit by cloud providers, but organizations should assess how cloud providers will deploy this redundancy and whether it meets the organization's disaster recovery or business continuity needs, while also keeping data compliance in mind. For instance, cloud providers should simultaneously update information throughout their redundancies but also segregate them properly to ensure minimal downtime. In the event that one data center becomes adversely affected, this segregation will ensure the backup server location is not impacted as well. Also, geographic redundancy may assist with redundancy, but as noted in Part III, it also increases regulatory risk, as transferring data across borders may violate local privacy requirements. So it is important to fully understand which data centers will be utilized and whether the data being stored in the cloud is subject to any geographic restrictions. Organizations relying on cloud providers also need to prepare for cloud outages with a backup plan, maintaining their own systems to run business-critical applications, just as they use backup generators during electricity power outages. In the end, risk managers should review their backup policies, making sure they are updated to reflect the features and services available through the cloud provider. Finally, though
the cloud can make it easier to comply with regulatory requirements, if your organization is in a heavily regulated industry like healthcare or financial services, it's wise to conduct a full compliance assessment to ensure that your cloud provider is using proper compliance programs. It's also a good idea to ask an independent third party to confirm your cloud provider's compliance with governing regulations.[15] Smaller organizations will usually not have the negotiating power to conduct full audits of a cloud provider. However, due to mandatory business associate agreements for the healthcare industry, we are starting to see a small segment of cloud providers that are willing to negotiate vendor agreements in order to better accommodate cloud subscriber's compliance needs. Risk managers should confirm that the cloud provider they entrust with their critical business applications, sensitive personal and corporate data, and security is receptive and willing to partner with them in meeting regulatory and compliance challenges. They should also be prepared to make the difficult recommendation of not using the new technology if it sacrifices sound risk management principles. Control and Liability: While companies must sacrifice some element of control in order to utilize the benefits of cloud computing, there are best practices that can help mitigate the security as well as the financial risks associated with this loss of control. First, since organizations have the most control over their data prior to migrating to the cloud, they should assess their potential cloud providers to determine whether they are focused on security, privacy, and transparency. For example, risk managers need to know whether the entire cloud platform is being run by the cloud provider directly or if aspects of the cloud have been outsourced to another sub-cloud provider. Not all cloud providers are created equal in providing such transparency, and risk managers should be involved in assessments of cloud providers
and determining the scope of services and the types of data that will be transferred to the cloud in order to minimize the impact to network security and privacy-related risks. There are a number of standards that have and continue to be developed to assist organizations in assessing the quality of cloud providers.[16] Second, once the organization has chosen one or more cloud providers, the data assessment, encryption, and proper encryption key management will be the best options for controlling data access for most companies. But before determining which data set to encrypt, as noted in Part III, it's important to realize that today's definition of personal information or corporate confidential information may be very different than definitions five or ten years from now, and maybe sooner, depending on the nature of the company's business, industry, or regulatory activity. In light of continually changing privacy and data security regulations around the globe, organizations storing online usernames and passwords, historically and going forward, have to reassess their risk in failing to encrypt that information. Since many cloud providers include some form of encryption as a part of their offering, encryption may prove a cost-effective option for organizations. In fact, according to ACE's Professional Risk policyholder data, 73 percent of policyholders that are transferring sensitive data to the cloud are encrypting that data. As a best practice, organizations should place their encryption keys in a secure environment, one completely segregated from the cloud, through their own encryption key management program or a third party. Organizations should also be vigilant about monitoring traffic and activity in their cloud environment to maintain proper control of their data. And while it remains a challenge to negotiate contractual terms
with cloud providers, many are willing to provide enhanced monitoring and security services that benefit the organization. For instance, some cloud providers are willing to provide logs that indicate activity by the cloud provider and its employees in the organization's cloud environment. Third, although it continues to be difficult negotiating indemnification and limitation of liability provisions in contracts with cloud providers, organizations are having more success negotiating rights to audit and access the cloud platform or infrastructure, especially in the event of a breach. Cloud providers have generally emphasized the shared security approach and understand that companies using their infrastructure, platform, or services have non-negotiable regulatory obligations. Moreover, in light of increasing regulatory and privacy concerns associated with migration to the cloud, organizations should negotiate separate contracts to satisfy and protect their business needs as well as their regulatory and privacy needs. This will help both parties focus on important but often unrelated issues present in contracts related to services and contracts related to compliance. For example, cloud providers often analyze their clients' data, and while it may constitute a relatively small part of the total services offered, service contracts request broad consent not only to store but also to manipulate and analyze that data. These activities can trigger privacy and data security concerns. Having a separate contract will allow organizations to better define what the cloud provider can and can't do with their data. Fourth, organizations should have an exit strategy, both to maintain control over their data and to respond to the potential for unpredictable cost fluctuations. Without a proper and quick exit strategy (a two-year contract duration is just not a good strategy), organizations may be locked into a single proprietary cloud provider, even if that provider no longer meets the organization's business or
financial needs.[8] Often, the costs associated with migrating between cloud providers and the gravity of the stored data will make it difficult, if not cost prohibitive, to move to another provider. In devising an exit strategy, organizations should: Budget for relocation during the initial migration to ensure that the organization has the financial capacity to move between cloud providers when necessary. Plan both a quick exit strategy and a long-term strategy. In light of infrastructure and application reliance on a cloud provider, it will be a challenge to effectuate a timely transfer to another provider unless the company has taken proactive steps prior to the initial migration into the provider's cloud. Consider consistent monitoring and management procedures such that the organization can evaluate whether the current provider continues to meet its business needs. Diversify between private and public clouds to ensure that the organization will maintain some control over business-critical applications and data. Be sure to understand how the cloud provider will treat the organization's data upon termination of the contract; shards of data could remain with the provider in perpetuity. Organizations should confirm that the retained data cannot be reconstituted and that it does not pose an ongoing data security risk for the organization. Due Diligence and Vendor Management Programs: In the end, creating a privacy by design culture, having clear shared responsibilities with your cloud provider, and establishing the proper control and liability is not sufficient; you also need to implement the proper due diligence and vendor management program. Increasingly, cloud customers are developing formal due diligence processes and vendor management programs to assess and manage the cloud-related risks referenced in this paper. In fact, many regulatory bodies, including financial regulators enforcing the Gramm-Leach-Bliley Act (GLBA), now scrutinize organizations' vendor management programs to ensure that
regulated personal data and other sensitive information is protected and handled properly when in the hands of cloud providers and other vendors. While approaches may vary, most vendor management programs contain common elements, including a preliminary

    Original URL path: http://acegroup.acegroupaccess.com/ace-perspectives/cyber-risk/featured-privacy-network-security-cloud-computing-is-your-company-weighing-both-benefits-risks.aspx (2016-02-13)

  • ACE in the U.S. - A Leading Global Insurance Organization
    each member of the EU had transposed provisions of the ELD into their own national laws. However, the manner in which the ELD has been transposed varies significantly between member states. In addition to the ELD, many EU member states have also implemented additional environmental laws at the national or sub-national level. For example, Germany has imposed additional environmental laws on a number of industries relating to air quality, waste management, soil protection, and noise pollution. This has resulted in different regulatory systems, and therefore different liability risk exposures, for companies operating across EU states. Australia: The legal framework for environmental protection in Australia is complex, with responsibility for environmental issues shared amongst the federal, state, and local levels of government. Each state in Australia has a different environmental protection regime. Since the Montara incident in 2009, there has been an increasing focus in Australia on how the marine environment may be affected by the offshore and shoreline industries. Recent amendments to offshore petroleum greenhouse gas storage act amendment (Compliance Measures no. 2) act 2013 (Cth) impose an obligation on all petroleum title holders to maintain financial assurance (which can be provided by way of insurance, including surety bonds) sufficient to demonstrate they have capacity to respond to and clean up after any pollution incident before a licence to undertake a petroleum activity will be granted. There is also an extensive regulatory regime that applies specifically to Australia's mining industry, particularly in Western Australia and Queensland. In Western Australia, new legislation has been introduced that will establish a Mining Rehabilitation Fund (MRF), whereby a pooled industry fund will be created to rehabilitate land affected by mining operations where the original operator does not fulfil its mine rehabilitation and closure obligations. China: The overall framework for China's
environmental legislation is the Environmental Protection Law, which was promulgated by the Standing Committee of the National People's Congress (NPC) on 26 December 1989. The law provides basic principles, general requirements, and legal responsibilities for the protection of wildlife and control of pollution. The Environmental Protection Law sets out three types of offences. The normal category offences will result in administrative penalties. If the conduct also causes damage to other enterprises and individuals, the party that committed the environmental damage shall also be subject to pay compensation to the affected enterprises and individuals. For the most serious offences, where there is proof of wilfulness or negligence, criminal liability will be triggered. In accordance with Article 41 of the Environmental Protection Law, an enterprise that has caused an environmental pollution hazard shall bear the obligation to eliminate it. Chinese law does not specify the extent of rectification. If the enterprise fails to eliminate the damage, it shall face civil liability, which may include cessation of the infringement, restoration of original condition, and elimination of dangers. The Environmental Protection Law is expected to be revised in the near future for the first time since 1989. The second draft, which has been released for consultation, increases public disclosure requirements, ensures public participation in impact assessments, and raises potential penalties. In addition, the Law on the Prevention and Control of Atmospheric Pollution and the Law on Environmental Impact Assessment are expected to be revised in the near future. The agencies of the State Council and local governments promulgated a number of rules and regulations dealing with the management and supervision of environmental protection. There have been a number of major legislative changes to environmental liability law in China in the past few years. Amendment VIII, issued by the Standing Committee of the NPC, has been in
force since 1 May 2011. Amendment VIII increases environmental liability exposures by broadening the scope of pollutants and lowering the threshold for conviction of crimes for environmental pollution. In order to enforce Amendment VIII, the Supreme People's Court, together with the Supreme People's Procuratorate, promulgated the Interpretations on Certain Issues Concerning the Application of Law in Handling Criminal Cases of Environmental Pollution, which entered into force as of 19 June 2013, further regulating crimes of environmental pollution. India: India boasts of a very exhaustive legal framework in the area of environmental protection. Under a two-tiered structure, policy and law is formulated by the central government and the respective state governments, and implementation is carried out by several central, state, and local agencies and instrumentalities. Until the catastrophic Bhopal gas disaster in 1984, limited attention was given to environmental issues in India by legislators, the executive, and the judiciary. However, the 1984 incident, in which the leak of lethal methyl isocyanide gas claimed over 5000 lives and injured over half a million people, compelled stakeholders to bring in tougher laws, improve accountability, and ensure better enforcement. Over the years, jurisprudence in this area has significantly evolved, particularly in light of pressure from non-governmental organisations and the judiciary. The Environment Protection Act 1986 is the umbrella legislation in India and is supported by specific legislation for pollution prevention and control, forest conservation, and wildlife protection. Indian environment statutes chiefly employ a system of licensing, permits, environment impact assessment, environmental clearances, and criminal sanctions to preserve natural resources and regulate their use. All enterprises, whether owned by Indian residents or non-residents, are required to obtain statutory clearances relating to pollution control and environment protection, if applicable,
for setting up an industrial project for over 40 categories of industries, including industrial activity related to petrochemicals, petroleum refineries, cement, thermal power plants, bulk drugs, fertilisers, dyes, paper, etc. There are also emission and discharge standards for several industrial activities. In recent years, Indian Courts have been more vigorously enforcing the polluter pays principle by heavily penalising corporations for violations and breaches. Launch of criminal sanctions against directors and senior management has also compelled corporations to take necessary steps for compliance, risk management, and mitigation. Brazil: The legal framework that governs environmental pollution in Brazil encompasses several infra-constitutional laws and regulations, the main statutes being the National Policy on the Environment, the National Policy on Water Resources, the National Policy for Solid Waste, Oil Law, New Brazilian Forestry Code, and the Environmental Crimes Law. Liability for environmental damage in Brazil can be assessed in three different spheres: civil, administrative, and criminal. It is worth noting that the federal, state, and municipal governments have concurrent competency to levy administrative fines for the same infraction at the same time. The civil liability regime for damage caused to the environment or to third parties is one of joint strict liability, i.e. the polluter and its insurer, as well as any other guarantor or party involved in the pollution incident, are jointly liable for damages independent of fault. The recoverability of damages in Brazil is proportional to the severity of the damage, pursuant to the principle of full responsibility provided under Article 944 of the Civil Code, which states simply that the indemnification is measured by the extent of the damage. As regards administrative liability, the Environmental Crimes Law
establishes that the administrative liability regime for environmental damage is also one of strict liability. In the event of oil pollution, the administrative penalties can vary from simple warnings to fines in total up to R$50 million (approximately US$30 million) per infraction, in addition to the seizure of any vessel, suspension of activity, restriction of rights, and loss or restriction of tax benefits, amongst others. Insofar as the criminal liability regime for environmental damage, this is based on the fault of the causing agent and varies from fines to imprisonment, the suspension of activities of the company in Brazil, the rendering of community services, funding of environmental projects, contributions to environmental and cultural public entities, amongst others. Criminal liability can also be attributed to corporate entities in Brazil. Pursuant to Brazilian law, the construction, installation, expansion, and operation of any establishment or activity that uses environmental resources and that is deemed actually or potentially polluting or capable of causing any kind of environmental degradation are subject to environmental licensing. Brazilian authorities are also focusing their attention on improving the internal oil and gas legislation in order to organise the sector and protect not only the country's economy but also the environment. Other emerging markets: Rapid urbanisation, industrialisation, and intensified agricultural production and fishing in recent decades has caused severe degradation of the environment in Thailand, despite over one hundred laws and more than one thousand pieces of subordinate legislation aimed at protecting its natural resources. The Law Reform Commission of Thailand (LRCT) has a mandate to reconsider the existing legal framework with a view to recommending new laws which will be more effective at abating the continued degradation of the environment and unsustainable depletion of natural resources. Time will tell what form these new laws will take. Of
interest, public statements by members of the LRCT in early 2013 indicate a reluctance to adopt the polluter pays principle into Thai law, preferring to focus on broad-based stakeholder engagement.[2] Most countries in the Latin American region have developed laws intended to protect land, water, air, and natural resources, adopting the polluter pays principle. In Mexico, Panama, Colombia, and Peru, legislation exists which requires companies in certain industries to provide financial guarantees for environmental damage they may cause. Mexico has also recently introduced legislation imposing civil liability and a requirement to pay compensation on companies that cause damage to the environment. Recent Cases of Environmental Liability. Montara oil spill in the Timor Sea off the coast of Western Australia (2009): On 29 August 2009, a blowout from a Montara wellhead platform in the Timor Sea off the northern coast of Western Australia resulted in an estimated 30,000 barrels of crude oil leaking into the water over a 74-day period. By 3 September 2009, the Australian Maritime Safety Authority (AMSA) reported that the slick was 170 km from the coast of Western Australia and moving closer to the shore. The slick was reported to have spread over 6,000 km² (2,300 sq miles) of ocean and has been described as one of Australia's worst oil disasters. The Thai state-owned company PTT Exploration and Production admitted full responsibility for the incident and expressed deep regret. PTTEP faced a maximum penalty of AU$1.7 million for the spill but received a discount of 25% on its fines because it entered a guilty plea to the four charges. Subsequently, in 2012, PTTEP was fined AU$510,000 by the Australian government for its actions in relation to the disaster, a penalty intended to deter others. In total, the Montara oil spill is estimated to have cost PTTEP AU$319 million. BP Deepwater Horizon oil spill in the Gulf of Mexico (2010): The Deepwater Horizon oil spill occurred on 20 April 2010 in the Gulf Coast of
Mexico in the BP-operated Macondo prospect. The Deepwater Horizon oil rig exploded and sank, causing a sea-floor oil gusher to flow for 87 days until it was capped on 15 July 2010. The total volume of the spill has been estimated at 4.9 million barrels, or 780,000 m³, and 11 lives were lost. This spill is the largest marine oil spill in the history of the petroleum industry. In 2012, the US Department of Justice and BP settled federal criminal charges, with BP pleading guilty to 11 counts of manslaughter, two misdemeanours, and a felony count of lying to Congress. BP also agreed to four years of government monitoring of its safety practices and ethics, and the US government temporarily banned BP from new federal contracts over its lack of business integrity. BP paid US$4.525 billion in the settlement in fines and other payments, but further legal proceedings continue and are not expected to conclude before 2014. As at February 2013, criminal and civil settlements and payments to a trust fund had cost BP approximately US$42.2 billion. In the latest installment of the Deepwater Horizon oil spill litigation, the Texas Supreme Court is considering the extent to which the insurances maintained by Transocean, the owner of the exploded rig, naming BP as an additional insured, will respond to cover BP's liabilities for the spill. Toxic mine spill in Fujian, China (2010): In July 2010, over 2.4 million gallons of acidic copper waste leaked from Zijin Mining's mine in Fujian, China, polluting the Ting River and killing 2000 metric tonnes of fish. The spill was not disclosed by the company for nine days. Zijin Mining was cited for seven environmental violations and was handed a criminal fine of RMB 30 million (US$4.9 million) for its significant environmental pollution. The related officers of Zijin were sentenced to jail terms ranging from six months to three and a half years. Chevron oil spill in Brazil (2011): On 8 November 2011, a 3,600-barrel leak occurred in the Frade offshore oil field, which Chevron was
operating in the northeast of Rio de Janeiro. The Brazilian regulators said that 416,400 litres of oil leaked over the course of two weeks. The National Petroleum Agency suspended Chevron's activities in Brazil until it identified the cause of the spill. Several executives of the firm were also charged with crimes against the environment, but these proceedings were later dismissed by a Brazilian Federal Court. On 8 November 2013, Chevron agreed to pay R$95.2 million (US$42 million) to settle lawsuits related to the spill. In addition, Chevron has also paid a fine of R$42.9 million to Brazil's natural resources regulator, IBAMA, and R$25.6 million to the Brazilian petroleum and national gas regulator, ANP, according to the agreement. Chemical spill in West Virginia (2014): On 9 January 2014, more than 28,000 litres (7,500 gallons) of 4-methylcyclohexane methanol (MCHM) leaked from an above-ground storage tank owned by Freedom Industries into the Elk River in West Virginia. The quantity of MCHM released overwhelmed the water treatment plant filtration systems, and West Virginia American Water issued a do-not-use order. A state of emergency was declared, with approximately 300,000 people across nine counties unable to drink, bathe in, cook with, or wash with tap water for several days. While little is known of the impact of MCHM on human health, within one week of the spill more than 400 people were treated at hospitals for rashes, dizziness, nausea, vomiting, and other symptoms, but none were in a serious condition. On 10 January 2014, the West Virginia Department of Environmental Protection issued a violation notice and ordered that each of Freedom Industries' 11 other tanks on site be emptied. A federal criminal investigation has been launched, as well as investigations by the US Chemical Safety and Hazard Investigation Board and the Occupational Safety and Health Administration. Numerous civil proceedings have been filed against Freedom Industries and West Virginia American Water by businesses forced to
close and by individuals impacted by the contaminated water On 17 January 2014 just eight days after the spill Freedom Industries filed for bankruptcy Personal Liability for Directors and Officers for Environmental Impairment In many countries there are a number of laws that expose corporate directors and officers to both civil or administrative liabilities and criminal offences The regimes are particularly complex in countries such as Australia Canada and the US In the area of environmental protection there is also a trend by legislators to enact civil and criminal offences of strict liability that is offences that are deemed to be committed by virtue of the relevant occurrence e g pollution incident alone without the need to prove intent or negligence on the part of the individual director or officer Regulators in some jurisdictions appear to be increasingly motivated to pursue individual executives for corporate wrongdoings Canada In a ground breaking case in Canada 12 former directors and officers of a publicly traded corporation have been ordered to personally fund remediation costs in circumstances where the corporation became insolvent before all remediation works were completed The case involved an aircraft parts manufacturer Northstar Aerospace Canada Inc which in 2005 had commenced voluntary remediation of a site in Cambridge Ontario and hundreds of surrounding properties which had been contaminated by chemicals that had migrated from the site The company became insolvent shortly after the Ontario Ministry of the Environment MOE issued orders against the company requiring further remediation works and requiring more than C 10 million in financial assurance In June 2012 the MOE took over the remediation works and ordered the 12 former directors and officers to personally fund approximately C 15 million of further remediation costs The directors and officers appealed but the case settled before hearing with the directors and officers agreeing to personally 
fund C 4 75 million in remediation costs after having already personally funded some C 800 000 in remediation costs while awaiting the appeal The United States In the United States the Environmental Protection Agency EPA is openly aggressive in its approach to prosecution of corporate directors and officers for pollution incidents stating as part of the Criminal Enforcement Program that the EPA emphasises prosecution of individual defendants as high up the corporate hierarchy as the evidence permits The US is one of the countries in which laws expose corporate directors and officers to both civil liabilities and criminal offences Some of the offences are strict liability offences to which there are effectively no defences available if the incident occurred the individual is liable irrespective of knowledge intent or capacity to influence In the US directors have been held personally liable for contaminated land as operators upon whom the liability is imposed under the relevant statute where they had some capacity to control the relevant business operation or site The European Union and Asia Pacific In the European

    Original URL path: http://acegroup.acegroupaccess.com/ace-perspectives/environmental-risk/featured-structuring-multinational-insurance-programmes-environmental-risk.aspx (2016-02-13)

  • ACE in the U.S. - A Leading Global Insurance Organization
    material issue," said Thomas Kim, Global Risk Manager at global investment firm KKR (Kohlberg Kravis Roberts & Co. L.P., together with its affiliates, "KKR") in New York. "Insurance-related collateral and guarantees are one of the top five insurance due diligence items." [2] Obligations to Provide Collateral: Mr Kim provided an example of the financial impact of an obligation to provide collateral in the context of general liability and workers' compensation. "We may be looking to buy a retail chain," he said. "The target company may have thousands of employees lifting boxes and customers coming in and out of its stores on a daily basis, and workers' compensation and slip-and-fall claims can be quite frequent. As risk managers, it is our responsibility to understand the frequency and financial severity of such claims, how to best prevent and manage occurrences, and how the target company is currently valuing the ultimate cost of these claims and financing them. Do they self-insure these liabilities? Do they buy a large deductible program from an insurance company? Do they finance these liabilities through a company-owned captive? These are all important issues related to collateral that need to be understood prior to signing up a deal to purchase the target company." In such cases, the risk manager will identify strategies to contain or reduce the target's collateral obligations with an insurance broker and specialty M&A insurance company, Mr Kim said. "The insurer will want collateral, typically a letter of credit, to backstop these self-insured financial obligations. The reason is because under a deductible structure, the insurer is obligated to pay losses within the deductible and then get reimbursed from the insured. If an insured were unable to reimburse the insurer, the insurer would be on the hook, so they want collateral for those obligations." He continued, "As we inherit the existing program from the seller, we may want to review our options with an insurer to buy out the existing liabilities and thus reduce our collateral obligations."
    The widespread use of letters of credit (LOC) to secure the payment of potential future losses has its drawbacks, however. For instance, letters of credit can tie up huge amounts of the acquirer's capital; it is not uncommon for a target entity's self-insured financial obligations to reach into the tens of millions of dollars, Mr Kim noted. Both the long-tail nature of workers' compensation claims and the potential latency of claims illustrate the issue. As an example of this distinctiveness, he cited the risk of an employee who is exposed to a latent disease at the worksite and does not experience health issues for 20 or 30 years, at which point he or she then files a claim for which lifetime care would be necessary. Mr Kim stated, "That's the complication. It can take a significant amount of time for the liabilities to manifest themselves, and the payout could be over a long period." Another nuance is the statutory treatment of workers' compensation. Each state has its own regulations for providing wage replacement and medical benefits to employees injured in the course of employment. In certain states, a company can apply to opt out of buying commercial workers' compensation insurance and instead self-insure the financial loss exposure. Added Mr Kim, "States' rules on posting security vary. Some states require 100 percent letters of credit to match the amount of estimated total incurred losses, while others do not." A company that posts zero or few LOCs prior to the sale may require significant amounts of LOCs after the sale, depending on the post-closing capital structure. Thus, there may be an obligation to provide collateral not only to an insurer securing liabilities in other states, but also to the state in which the target company is a qualified self-insured. Failing to appreciate the nuances of a collateral obligation can be problematic in a merger or acquisition, Mr Kim added.
    A letter of credit is not the only, or the most efficient, cost-effective way of collateralizing post-transaction self-insured liabilities. Other financial arrangements, such as Loss Portfolio Transfers (LPT), Allocation and Assumption Agreements, or even a trust account through which a private equity firm can cross-collateralize its entire portfolio's aggregate self-insured financial exposures, are other ways to manage an acquirer's obligation to provide collateral. The latter alternative can also be an effective way for an insurance carrier to secure a private equity company's surety bond obligations. Each of these solutions is addressed in the next section of this report. Mr Kim provided an example regarding a surety obligation in an M&A situation. "Say a private equity firm is looking to acquire a service provider that contracts with state government entities and is required to post surety bonds guaranteeing the performance and completion of work," he explained. "If, for some reason, halfway through the project the company cannot complete the contracted work, then the surety bond comes into play to protect the customer from financial risk. Prior to the acquisition, the company may only post minimal collateral for this surety. The insurer may use the acquisition as an opportunity to review the credit profile of the company and may require it to post additional collateral, potentially up to 100 percent of the bond. When this change is equal to millions of dollars of new collateral, it can materially impact the economics of the deal."
    Methods to Manage a Target's Collateral Obligations: Loss Portfolio Transfers: In seeking to ring-fence the obligations imposed by a target's self-insured retentions or deductible liabilities, a loss portfolio transfer product presents optimum efficiency and cost effectiveness. Such products also protect from adverse loss development and can reduce the amount of collateral posted with an insurance

    Original URL path: http://acegroup.acegroupaccess.com/ace-perspectives/executive-risk/featured-web_ace_ma_wp.aspx (2016-02-13)