Exclusive Q&A on Insurance and Risk Management with Alexander J. Oddy

Can you outline the current insurance and risk management landscape in your jurisdiction?
 
2016 has been a year of fundamental change for English insurance contract law.  There have been significant regulatory developments too, discussed later on.
 
Insurance Act 2015
 
On 12 August 2016 the long-awaited Insurance Act 2015 (the "2015 Act") came into force paving the way for the most significant change to English insurance contract law in over 100 years.
 
The aim of the 2015 Act is to address the perceived imbalance in the law in favour of insurers which is said to put the English market at a competitive disadvantage.  In particular, it updates the statutory framework for insurance contracts in the following areas:
 

• The duty to disclose risk information to insurers before entering into a contract of insurance has been replaced by a "duty of fair presentation" which requires policyholders to undertake a reasonable search of information available to them and defines what a policyholder knows or ought to know.

• The single remedy of avoidance for a breach of the duty of good faith has been replaced with a range of proportionate remedies.

• A breach of warranty no longer automatically takes the insurer off risk.  The 2015 Act makes warranties "suspensive conditions" whereby the insurer's liability is suspended while the insured is in breach of warranty but can be restored if the breach is subsequently remedied.

• Non-compliance with a warranty or other term which relates to a particular type of loss should not allow the insurer to escape liability for a different type of loss upon which the non-compliance would have had no effect.

Enterprise Act 2016
 
The Enterprise Act 2016 (the "Enterprise Act") received Royal Assent in May 2016. Among other reforms, the Enterprise Act changes English law's approach to remedies for late payment of insurance claims and now gives policyholders a potential right to claim damages in the event of late payment.   The provisions will come into effect on 4 May 2017, and will apply to every contract of insurance made after the provisions come into force.
 
Third Parties (Rights against Insurers) Act 2010
 
On 1 August 2016, the Third Parties (Rights against Insurers) Act 2010 ("2010 Act") finally came into force and replaced the original 1930 Act of the same name (although the 1930 Act will still apply in certain circumstances).
 
The 2010 Act provides for a less complex procedure for a third party claimant to claim directly against the insurer of an insolvent individual or corporate defendant. The new law will improve the position of third parties with claims against insolvent policyholders.
 
Have there been any recent regulatory changes or interesting developments?
 
The UK has voted to leave the European Union ("EU"). Since the result became known, there has been discussion as to what this means for the insurance and reinsurance sector and how insurers and reinsurers might preserve their access to the single market.
 
Withdrawal from the EU does not of itself mean that UK insurers and reinsurers will not be able to do business in European Economic Area ("EEA") states. It is possible that a special arrangement will be agreed (either for a transitional period or indefinitely) allowing UK firms continued access to EEA markets on a similar basis to that enjoyed at present, presumably on the basis that reciprocal rights to enable EEA insurers and reinsurers to access the UK market are agreed. Subject to this, however, UK insurers and reinsurers will not be able to carry on insurance activities on an EEA-wide basis as a matter of right (albeit subject to the necessary formalities), flowing from the UK's membership of the EU. Instead, how they are able to access the EEA Market will depend in part on rules contained in the Solvency II Directive ("Solvency II"). To the extent not addressed under Solvency II, it will be up to individual EEA states to determine the conditions on which access is given to UK insurers and reinsurers.
 
The loss of these "passporting" rights will be equally relevant to the cross-border activities of insurers and reinsurers coming from the EEA into the UK. It is more difficult to advise EEA firms on their position in this regard because (in the absence of a reciprocal arrangement as envisaged above) this will depend on the regime that the UK decides to introduce in place of Solvency II rules. In practice, it is inconceivable that EEA firms will be prevented from doing business in the UK, but the precise terms on which they will be able to conduct cross border activities are likely to depend on the exit negotiations and on requirements for reciprocity agreed between the UK and the EU in that context.
 
How frequently should an organisation renew their policies and review their strategies?
 
It is good practice for policyholders to review their risk management strategies on a regular basis not least to ensure that the insurance they are purchasing meets their needs and expectations for risk transfer.  The coming into force in August 2016 of the Insurance Act 2015 (the "2015 Act") places a new onus on policyholders and their risk managers to review their information gathering protocols to ensure an effective pre-contractual engagement with insurers.  While the 2015 Act is beneficial to all policyholders, only those that review their approach will realise in full the benefits that the new Act confers.
 
Under the 2015 Act the Policyholder is under a new pre-contractual duty of fair presentation.  It must disclose in a manner that is reasonably clear and accessible every material circumstance which it knows or ought to know – that requires a review of the structure and organisation of information in the presentation to insurers at a minimum. 
 
The reasonable search each policyholder will need to carry out will likely need to be articulated in a method statement and audited for completeness.  This could include enquiries of classes of individuals in the organisation, business locations, external consultants where they hold relevant information.
 
A considered approach needs to be taken as to how to gather information from the policyholder's senior management and individuals responsible for its insurance.  
 
All of these steps will need to be supported by a robust document management philosophy so that the policyholder can demonstrate at point of claim, potentially some years later when insurers scrutinise the pre-contract information and contest the claim, what was done, when and by whom. 
 
As for the efficacy of the policy itself, the insurance market's response to the 2015 Act has been the issuance of a multitude of new clauses for incorporation into policy wordings.   Some of these clauses replicate the effect of the 2015 Act, some contract out of the Act and some vary its terms.  Policyholders therefore need to build in to their operational risk assessments steps to review and validate the efficacy of the insurance policies they arrange (otherwise the risk transfer strategy is itself at risk of failure).  This will require regular and careful review of policy wordings with brokers and legal advisers.  
 
What are the biggest concerns in risk management regarding cyber security?
 
Cyber security is increasingly on the radar in the Boardroom given the increasing frequency, severity and profile of cyber incidents. The potential impacts include financial loss, reputational damage and ultimately loss of value in the business.
 
The first concern for a business is to understand the risk – which can mean different things to different people. Sophisticated risk mapping and modelling enables identification of the complex web of potential cyber incidents and impacts faced by the business, including by reference to:

• events, such as data breach or system issues, whether internally or externally
• actors, if any, involved in the incident and their objectives, e.g. a cyber terrorist; and
• impacts, such as liabilities to third parties, regulatory and criminal sanctions, defence and investigation costs and the organisation's own losses (e.g. property loss or damage and business interruption), as well as loss of goodwill as a result of reputational damage.

 
The second concern for a business is to be on the front foot. This means putting in place robust cyber security to minimise the risk of an incident and carefully considered incident response plans to minimise the impact. Timing and quality of response is critical and ideally external partners such as lawyers, forensic experts and PR consultants should be lined up in advance. Being on the front foot also means being ready for when the worst happens – as it will at some stage – by considering whether and how losses will be absorbed by the business or transferred to third parties. Insurance can have a key role here. An analytical approach is required to maximise insurance coverage for minimum spend. This starts with a detailed review of the business's existing insurance policy suite to identify the gaps in coverage and test the legal efficacy of the product – including, for example, property damage and business interruption, crime, civil liability, terrorism, public and employer's liability and D&O insurance.
 
It would be unsafe to assume that traditional policies cover all cyber risks – they don't. Options to minimise the gaps in coverage include enhancing existing policies (e.g. buy-backs to cyber exclusions) or buying tailored stand-alone cyber policies which are directed to the gaps which pose the greatest risks for the business. The market is evolving and approaches can legitimately vary.

In short, the message is simple: investing upfront in cyber risk analysis and planning is likely to enhance the value of the business in the long run.
 
Can you talk us through the risk directly relating to M&A activity?
 
The past 2-3 years has seen a marked increase in the use of Warranties and Indemnities ("W&I") insurance as a means of facilitating M&A activity.
 
W&I insurance is a bespoke product which provides cover in respect of losses arising out of breach of warranties or indemnities in a sale agreement. In a buy-side policy the seller is likely to limit its liability under the SPA and the buyer looks primarily to the W&I policy for recourse, with the insurers standing in the shoes of the seller (but dis-applying the seller's limitations of liability). In a sell-side policy the seller has insurance against its own exposure to the buyer. The majority of policies now placed are buy-side (and it is those we comment on).
 
For the seller a buy side policy means that they can potentially achieve a clean exit from the transaction, allowing funds to be distributed to investors more quickly.  Although the cover under a W&I policy will not be entirely back to back to the SPA due to certain general and deal-specific exclusions in the policy, advantages for the buyer may include enhanced covenant strength and duration of cover. It may also help the buyer maintain a good relationship with the seller (an important factor if the seller continues as a business associate or even employee post-acquisition).
 
The product is sophisticated and often negotiated with legal input on all sides. Ultimately, for a buy-side policy the W&I policy will probably be the main document of recourse, and thus is of central importance.
 
A W&I policy can be placed fairly quickly (within days if necessary) although, as always there will be a trade-off between speed, quality of cover and premium.  Insurers will have legal teams to diligence the transaction and, if they are not comfortable, greater exclusions will result.
 
How difficult is the process of structuring multinational insurance programs?
 
Structuring an effective multinational insurance programme has obvious potential benefits – broader, more consistent coverage for the global organisation as a whole, potential cost savings and flexibility that enables a global company to structure its insurance programmes in a way that meets its particular needs. 
 
The complexity involved in achieving such a programme will depend on factors such as the scale of the policyholder's organisation, the number and types of jurisdictions in which it operates and its risk appetite in the face of  legal, compliance and regulatory challenges in certain territories.  Some organisations will opt to navigate their way through the maze of overlapping legal and regulatory regimes and ensure local cover is arranged in all relevant territories whereas others will rely on a centrally purchased group policy and will take out local cover only where such cover is a legal requirement.
 
Significant legal and compliance challenges arise out of the interplay between the global master policy on the one hand and the underlying local policy on the other hand which may have to be written by an admitted insurer and may be subject to a different governing law and regulatory regime.  For example:

• A multinational insurance programme may involve a master policy that is underwritten outside the UK and is subject to a law other than English law while a local policy is issued in the UK, subject to English law.  The English local policy will require a fair presentation of the risk to have been made by the insured prior to inception in accordance with the Insurance Act 2015 in circumstances where all broking was conducted overseas, possibly subject to an entirely different disclosure regime.  
• The use of DIC / DIL protection under the master policy to deal with any shortfall in the local cover will require care to ensure that local regulations prohibiting the writing of cover by non-admitted insurers are not contravened.  Some insurers have sought to address the issue by insuring the parent company's financial interest in its subsidiary.
• Global organisations also need to take care when deciding how any losses paid out under the master policy might be paid to the local subsidiary.  There may be tax implications for the local insured and legal issues may arise locally as a result of insurance monies being received in circumstances where there has been no premium paid by the local insured for the cover from which it has benefitted.

Alex is a partner in the insurance and reinsurance disputes group in the London office of Herbert Smith Freehills.  He has broad experience of acting for insurers and reinsurers as well as insureds and brokers.  This has involved advising on a wide range of coverage issues and policy disputes involving all classes of insurance and reinsurance policies.  Alex specialises in coverage disputes in the energy insurance sector.  He also handles general commercial litigation and has considerable experience of product liability claims for both claimants and defendants. 

Alex is Deputy Head of the firm's Commercial Litigation practice and leads the Alternative Dispute Resolution practice at Herbert Smith Freehills.  He is also a CEDR Accredited Mediator.

Alex can be contacted on +44 20 7466 2407 or by email at alexander.oddy@hsf.com