For many, 2016 was an interesting albeit risky year.

In a well-publicized incident during the 2016 electoral cycle, acampaign official was embarrassed by the admission that he hadunwittingly clicked on a phishing email, which may have opened awindow to a significant security breach. In a completely separateseries of events, a well-known restaurant chain saw its brand undergo a seriesof tarnishing revelations regarding the difficulties withcontrolling certain bacteria during food preparation.

Both of these cases shared something in common: an initial orinherent risk as well as a larger exposure or series of follow-upeffects. In addition, they were both indicative of the kinds ofcomplex risks found in a fully networked and globalized economy. Itmight be instructive to look at a few recent trends in emergingrisks and consider why they may continue or even strengthen.

Cyber risk

Cyber risk is ever-evolving. Because everysecurity system is vulnerable, no cyber security policy isconsidered fully comprehensive. The constantly changing nature ofcyber risk threats means that while coverage can be written forknown risks, these are in a constant state of flux and the nextattack will have a different wrinkle.

For this reason, there is no established standard cyberinsurance form utilized by carriers in the commercial insurancemarket. Although most policies provide third-party liabilitycoverage as well as first-party coverage for loss or damage toproperty, there is a wide variation in other needed coverages. Morespecifically, businesses need to know whether coverage is provided,and at what level, for:

• regulatory actions

• incident response costs

• credit and identity monitoring

• transmission of viruses

• business interruption and extra expenses

• extortion expenses

• data loss and restoration

The constantly evolving nature of cyber risk translates into anequally fluid landscape when it comes to claims management. Indeed,the challenge with any loss resulting from new forms of securitybreaches is to determine what different exposures or additionalexpenditures are allowable under the current policy language.

A separate area of complexity resulting from discovery involvesdetermining the responsible party for the cause of the loss as wellas ascertaining whether options exist for subrogation of a thirdparty. Additionally, pinpointing as clearly as possible the exacttiming and trigger of the incident is critical in calculating lossof income.

All of these challenges and more make cyber risk a sophisticatedweb of complexities which will continue to morph in unpredictableways in the future.

(Photo: Shutterstock)

Reputational damage

Considered from one angle, reputational damage is like any other source ofrisk, which can affect the corporate bottom line and growth. Assuch, it should be considered in the same context and at the sametime as other sources of exposure that require strategicapproaches.

However, it is also distinctly different. Unlike many risks,reputational damage is difficult to predict. In many cases, it mayalso be difficult to quantify the financial impact of exposure,a priori, to reputational damage. This difficulty iscompounded by the fact that reputational damage is most oftenconsidered a secondary risk to a larger primary risk; in fact,reputational damage can often be costlier in the long run than theprimary risk.

From the standpoint of claims management, the key is being ableto separate out what portion of the loss is under the primarycoverage, and what passes to the secondary coverage. For example,an actual product liability issue can be of short duration.However, a second category of vulnerability often flows fromtoday's complex regulatory environment. Oversight by governingbodies – whether HIPAA, Dodd-Frank, Consumer Protection Agency orother – means increased scrutiny, which can cause direct expenses.Even the types of cyber breaches mentioned above, which haverecently plagued national and international retailers, can havelasting deleterious effects.

It is important to realize that crisis management, whilenecessary, is inadequate as a single strategic response.Unquestionably, it is critically important to think through thevarious audiences that must be reached in the event of apotentially reputation-damaging crisis, and formulate the properresponses to them. Having such a plan in place ensures thatresponses and protocols will employ pre-approved statements bothduring and following any crisis event.

And yet, a more robust and fully functional approach toreputational damage must attempt to quantify the magnitude ofexposure and distinguish between primary and secondary spheres ofcoverage.

Related: 10 insights into how small-business owners perceivecyber risk

(Photo: iStock)

Supply chain interruption

Growth of the global economy has resulted in more outsourcingand dependence on foreign manufacturing and products. Less apparentis that lengthier supply chains have multiplied exposure to a widespectrum of events, many of which are either uncommon in thedomestic environment or of recent derivation.

Risks associated with fires and floods, even earthquakes and volcanic eruptions have always been with us,even without climatic volatility. Yet, in addition to plantexplosions, customs issues and product seizures, global unrest hasproduced a panoply of new and evolving risks that include borderclosures, embargoes and blockades, and terrorist attacks, as wellas closures of roads, railways and airports; strikes and riots; andthreats of political violence and insurrection.

Such threats often occur in combination and can produce astaggering variety of loss categories. These normally begin withloss of income and product replacement costs. To these may be addedthe extra expenses of expediting product or service replacement, aswell as increased purchasing costs. In worst cases, damages canextend to relocation costs or the negotiation and mediationexpenses that attend contractual differences with replacementsuppliers.

The sheer proliferation of variables can prove daunting toclaims managers. Supply chain losses typically involve dealing withdifferent entities or authorities in various legal jurisdictionssimply to determine precise dating of events, as well as othermitigating factors in order to determine the amount of loss. Thedetermination of which additional costs or contingent expensesqualify as intended is of critical importance and depends on aprecise and careful reading of existing insurance agreements andpolicy language.

Related: Here's how business interruption insurance isevolving

(Photo: Shutterstock)

Legislative/regulatory change

The most recent decade has been characterized by increasedactivity in new laws and regulations as well as changes to existingstatutes and rulings at both the federal and state level. Whilesuch activity invariably accompanies changes in administrations,examples in the last few years include new OSHA requirements andchanges in labor laws that affect hours of service and how overtimeis paid.

It is difficult to understate the potential corporate exposureto regulatory change, either at the executive or legislative level, particularlyafter an election. While the current thrust may be towardderegulation, it would take an adept prognosticator to attempt todetermine how this might play out.

The Affordable Care Act stands out as an avatar of the potentialeffect of regulatory change. Behind that obvious example, clearlythe decisions and authority of many agencies, including but notlimited to the EPA, OSHA, EEOC and the Departments of Labor andTransportation, have all seen heightened activity in the lastdecade. Their rulings have been accompanied by stiff fines andpenalties, as well as aggressive prosecution for noncompliance.

Dealing with foreign governments brings its own forms ofexposure unique to the countries or jurisdictions in which one isdoing business. All of these, especially with the ongoing globalpolitical volatility, can produce vulnerability to quick changes inadministrations resulting in unreasonable demands and abruptinterruptions to normal business operations.

While the liabilities cannot be predicted, losses can includereduction or temporary cessation of income resulting fromregulatory and administrative changes themselves, as well as legalexpenses resulting from challenging administrative actions ordefending corporate actions. In addition, fines and penalties canalso often be anticipated, as well as additional expenses forcompliance. Yet another category of expense may accrue from theefforts of dealing with foreign governments or relocation ofproduct or supplies following action by a governmental body oragency.

A spate of claims handling challenges can result. The firstorder of business is a forensic gathering of details to determinewhen the insured was first affected by the legislative orregulatory change. Only after this has been accomplished is itpossible to determine even the amount of loss of income. A morerobust estimate of loss will depend on determining which additionalexpenses are covered according to the definition of coverage in thepolicy. Even then, further challenges remain, including thegathering of information involving foreign exposure regarding exactdates and details of the circumstances and events triggering theloss.

No claims strategy can be regarded as sufficient without takingall of these factors into account to determine the full magnitudeof exposure to regulatory change.

Related: Marsh's top 10 financial & professional markettrends for 2017

Jeff Ellington ([email protected])joined Atlas Insurance Management in 2011 and is a vice presidentwith the firm. As an insurance professional with over 30 years ofcombined experience, he has worked in multiple facets of thecommercial insurance industry, including sales, marketing,underwriting and management.