Exclusive Q&A Insurance and Risk Management with Rachel Levitan
By Rachel Levitan
Posted: 12th August 2015 09:40
What risks are most likely to affect businesses, and which of these would have the biggest financial consequences were they to occur?
The risks may be divided into two categories:
(a) Acts of God – Hazards of Nature, earthquake, floods
(b) Manmade acts – fire, burglary, theft, embezzlement, cyber risks
The risks in (a) are catastrophic risks which may lead to a total collapse and loss of the business as a whole and its rehabilitation may require a long period. Even the individual person can protect himself vis a vis these risks at a very low level (e.g. in Japan which is very well prepared for earthquakes, the tsunami which occurred following the earthquake caused by the Fukushima disaster). Therefore, the insurance for businesses should be for very large amounts which should also take into account the period of rehabilitation.
The risks in (b) except for fire, are not total loss risks and the emphasis should be placed on safety and protective measures to avoid the risk and a constant examination thereof during the period of insurance (for example: change and/or update of the sprinkler system and changes in firewall as a security against cyber attack, and constant audits and inspections in order to uncover embezzlement). For these risks the insurance should take into account the ability to rehabilitate the business and whether partial operation thereof is possible, etc.
The steps to be taken should be in accordance with the nature of the business of the client e.g. if the client has a big fleet of cars, there is less need to insure damage to the cars but rather insure against damage to third parties.
As to the cyber risks, it has become more and more common that the biggest assets of the business are the human resources and the information of the business. A big risk is any harm caused to the information data, loss or theft of the data or an unauthorized use thereof.
How should different types of risk be audited and governed?
The audit of the various risks is in accordance with the nature thereof, however any business should map out the risks and ask, for example in cyber risks, who may have access to the information from within the business or from outside. As to measures for avoiding the risks, the business should install security and safety systems, should give instructions to the employees, and control an audit on their work after setting written work procedures. Any business should prepare tools to handle any such risks and mitigate the damage. This also should be done according to written procedures and insurance.
The control and audit should be carried out constantly and a responsible employee or committee should be appointed for this object and of course these operations should be regularly inspected by the management.
What role can insurers have in enforcing improvements in cyber security risk management?
In cyber risks the insurers may have accumulated information concerning the ways to secure against these risks and they should transfer this know-how to the insureds by setting requirements for safety tools, security and inspection.
I may suggest that any insured who introduces such a plan should be encouraged by a reduction in the premium. Seminars for clients and newsletters sent by email are a very effective way through which the insurer may assist the insured in managing this risk.
What procedures should a firm take when out-sourcing or contracting work which contains important data and security, and are there any legal or regulatory requirements that need to be taken into account?
In any dealing with an external supplier who receives sensitive information from the business, it is very important to ensure that the information is held by the external supplier in a secure mode and that he is able to protect the information. As to private businesses, they owe the basic duties of privacy, fiduciary duty towards clients, a duty of care, etc. A specific regulation under Privacy Law provides that the duty to secure the information, applies to both the original data holder and the service provider.
Regarding institutional investors and banks: in August 2013 (with effect from July 2014) the Ministry of Finance, the Department of Capital Market, Insurance and Saving, issued a directive of “outsource in Institutional Investors” which set rules for the use of outsourcing in these entities. Under these rules any Institutional Investors’ entity should establish a policy for outsourcing its activity which would set ways of control and survey of the activity by the service provider under written agreement which ensures confidentiality, data security, periodical audits etc. The rules apply to Banks, Insurance Companies, Pension Funds etc.
Can you talk us through the process of structuring multi-national insurance programmes?
The steps towards building such an insurance coverage would be first of all to carry out a risk analysis and an examination of the needs in each of the countries which are relevant to the insurance. Secondly, scrutiny of the applicable laws (especially in the field of employment laws, pensions, privacy protection, etc.) which vary from state to state. Thirdly, one should check the legal requirement in respect of insurance in any of the states: Whether the insurer should be locally domiciled, or whether the policy may be issued by a foreign insurer and what policies are common in each of the countries. For example, whether it is common to insure a product on an occurrence basis or on a claims-made basis.
Above all this, one should check the advantage of having a global policy, both in regards to premium and wording of the policies compared with local policies with a second layer of a global policy which contains a drop down element.
Rachel Levitan, LLM is the founder and senior partner at Levitan, Sharon & Co Law Offices. The firm is a leading specialist in insurance and reinsurance matters. The law firm handles all aspects of insurance and reinsurance matters.
In the last five years Adv. Levitan has focused mainly on advising insurance and reinsurance companies regarding complex D&O and BBB matters, as well as advice on reinsurance topics. Adv. Levitan has advised both reinsurance and local cedents
Rachel can be contacted on +972 3 6886950 or by email at email@example.com