Bert Wells, Cristina M. Shea and Adrienne N. Kitchen | Reed Smith
In this podcast, Bert Wells, Cristina Shea and Adrienne Kitchen of Reed Smith’s Insurance Recovery Group delve into the critical topic of insurance coverage for supply chains, highlighting the significant risks and disruptions that can impact global logistics. This episode explores how events like political instability, cyberattacks and natural disasters can disrupt supply chains, and highlights the essential role insurance plays in mitigating these risks. The team shares real-world examples of supply chain disruptions and the insurance lessons learned from these cases, emphasizing the importance of understanding risks and ensuring adequate coverage.
Transcript:
Intro: Hello, and welcome to Insured Success, a podcast brought to you by Reed Smith’s Insurance Recovery lawyers from around the globe. In this podcast series, we explore trends, issues, and topics of interest affecting commercial policyholders. If you have any questions about the topics discussed in this podcast, please contact our speakers at insuredsuccess@reedsmith.com. We’ll be happy to assist.
Adrienne: Welcome to Insured Success. My name is Adrienne Kitchen. I am a senior associate in Reed Smith’s Insurance Recovery Group. Joining me are Bert Wells, a partner from our New York office, and Cristina Shea, a partner in San Francisco. Today, we’re talking coverage for supply chains. Supply chains are relationships between a seller or manufacturer of goods and the supplier of those goods or things like the materials incorporated into products, raw materials, component parts, things like that. Supply chains can be disrupted by numerous things, whether price changes, transportation or storage failures, labor shortages, political instability, man-made physical losses to plants like fires, storage facilities, stores or cyber attacks, all of which pose a significant risk to businesses. A disruption in any part of the chain can cause losses in other parts of the chain. Insurance has become central to managing risk in global supply chains and logistics, particularly as they grow increasingly complex and vulnerable to disruption. Some types of insurance that may help cover losses to supply chains are contingent business interruption, supply chain, and trade disruption or cyber insurance. Other coverage types may cover some potential gaps in these insurance types. Global supply chain risks also is a focus of national policy and security. Cristina, would you like to discuss some of those?
Cristina: Yeah, thank you, Adrienne. So focusing on the U.S. first, you know, going back about, I don’t know, 12 years or so, the U.S. Department of Homeland Security really started to recognize and understand the importance of securing the global supply chain. And along with that was recognizing, you know, its vulnerabilities and how it was susceptible to external forces. So to ensure that the global supply chain continued to function smoothly, the Obama administration adopted a national strategy in 2012. And that was designed to bolster and support the efficiency, I guess, of the insecurity of the global supply chain and ensure that it was able to withstand evolving threats. And then, you know, during the pandemic, the strain on the global supply chain really, it was, you know, front and center. It was under a microscope. And following the pandemic, the Biden administration really greatly enhanced some of that implementation of that strategy. And they took that program and addressed some of the acute supply chain crisis that had arisen due to the pandemic. And in the context of that, the Biden administration created a council on supply chain resilience and it implemented the use of the Defense Production Act that allowed U.S. Manufacturers to start creating essential medicines in the U.S. in order to mitigate some of the drug shortages. And all along throughout both the Obama and the Biden administration, the real focus has been on implementing security measures to shore up the supply chain and to protect its infrastructure. And then similarly, the European Union has been developing its own regulatory initiatives that have gone, you know, hand in glove with a lot of the U.S. initiatives as well.
Adrienne: Thank you, Cristina. Recent cyber attacks highlight the scale and vulnerabilities related to the supply chain concerns. So now let’s discuss some recent examples that have hit the news. Bert, would you like to start off?
Bert: Yes, thanks, Adrienne. In fact, it’s not limited to cyberattacks. In fact, disasters of various physical sorts are also very much a reason for supply chain interruptions that cause loss. And I want to speak for a moment about the tragic collapse of the Francis Scott Key Bridge in the port of Baltimore in March of this year, 2024. And as our listeners will no doubt remember, that not only shut down the bridge itself, but prevented entry and departure from the port of Baltimore by shipping traffic. So it had an obvious and an immediate and extreme impact on parties that were shipping materials into or outside the port of Baltimore, which is not only a major port on the East Coast of the United States, but as I understand it, probably the largest port in terms of handling automobile deliveries to the East Coast. So it’s a very significant interruption in supply chains for those that were expecting some material to pass through the port itself or that for some reason needed to rely specifically on the Francis Scott Key Bridge, although there were other routes around the missing bridge for vehicular traffic. And in this connection, I’d like to mention two types of coverage that are often found in property insurance policies that could well relate to the Key Bridge collapse and cover losses that arose from it. I think the most obvious example is the so-called ingress / egress coverage that is found in many property policies, which is intended to protect a policyholder that can no longer enter or depart its premises. And it’s triggered if there’s a physical loss or damage to a property that is used to access the premises of the policyholder, preventing that access. So in the Port of Baltimore case, although this is a very obvious kind of coverage to apply, and it very directly applies, it would be a relatively limited number of policyholders that lost ingress and egress, let’s say, specifically through the bridge or specifically through the port. That is, businesses that had properties actually in the port that could not get access to shipping or departing. Thinking, though, about the broader impact of the loss of the bridge on parties that transship materials through the port and don’t necessarily have properties adjacent to the bridge or the port, there’s another type of coverage that is found in many property insurance policies called contingent business interruption insurance. The purpose of contingent business interruption coverage is to protect the policyholder from losses that arise when there’s a physical loss, that is to say, loss of or damage to physical property at the premises of someone else in the supply chain that gives rise to a loss. And an example here might be a party that was trying to ship automobiles to a dealership, let’s say, through the Port of Baltimore, which could no longer gain access that way or had to wait months for access to additional inventory of automobiles. The idea of contingent business interruption is that one of your suppliers has suffered a physical loss and therefore the type that’s covered in the insurance policy and that there are ensuing losses to business income, for example. Well, an interesting facet of this is who exactly is the supplier of the services at the Port of Baltimore? And does that supplier constitute a supplier for purposes of insurance? This was a question that came up in a case by a caption, Archer-Daniels-Midland versus Phoenix Assurance several years ago, in which it was held that various authorities that managed the Mississippi River in that case were indeed suppliers for purposes of insurance. And here, we would expect that entities such as either the state of Maryland or the Port of Baltimore, which is one of its agencies, or the federal authority responsible also for keeping the port open, might be considered a service provider, therefore triggering contingent business interruption for this particular collapse of access through the port and across the bridge. Adrienne, did you want to talk about Colonial Pipeline?
Adrienne: Yes. Thank you, Bert. That was an interesting discussion and interesting issues that you might not expect. So the Colonial Pipeline attack in May 2021 was one of the first high-profile corporate cyber attacks that originated with a breached employee password as opposed to a direct attack on the company’s systems. The Colonial Pipeline originates in Houston, and it carries gas and jet fuel to the southeastern U.S. and delivers about 45% of all fuel to the East Coast. In May 2021, a threat actor called DarkSide penetrated Colonial Pipeline’s network security using a compromised VPN password. The threat actors stole some 100 gigabytes of data and infected Colonial’s network with ransomware. In response, to contain the attack and due to fears the DarkSide might have information that would allow them to carry out further attacks on vulnerable parts of the pipeline, Colonial shut down its operations. That’s a flow of more than 100 million gallons of fuel every day across thousands of miles of pipeline. It caused fuel shortages along the eastern seaboard, led to fuel prices hitting a seven-year high. The attack also led to emergency declarations by several states and the federal government and some various agencies. On May 9th, the Federal Motor Carrier Safety Administration issued a regional emergency declaration for 17 states and D.C. President Biden declared a state of emergency temporarily suspending the amount of petroleum products that could be transported by road and rail domestically. Ultimately, with FBI oversight, Colonial Pipeline did pay the ransom. It was some $4.4 million. DarkSide then provided a tool to restore the system, but it took quite a while to get everything back in working work. Six days after the initial attack, Colonial Pipeline was able to restart operations, and three days after that, operations had returned to normal. Although the DOJ recovered $2.3 million of the Bitcoin used to pay the ransom, Colonial Pipeline also suffered significant losses – investigation costs, loss of income from the multi-day shutdown, reputational damage, class actions alleging negligence and violations of consumer protection laws. One lesson learned from these attacks is the importance of various kinds of insurance, including cyber. Cristina, what are some other lessons learned from the trenches?
Cristina: So just using, you know, real world examples that we have handled here for our clients, we have a client that manages supply chains for restaurants around the world. And one of that that client’s key business associates had a breach of their network systems and through that breach the threat actor was able to access our client’s network system and caused a complete shutdown of its network and a shutdown of its supply chain throughout Europe and the U.S. So the client itself had a cyber policy and we filed a claim under that policy. The problem here was that the losses were in the $13 to $14 million range, but the policy had a deductible of $15 million, meaning the client had to cover the first $15 million of its losses before coverage under the policy would kick in. So then we looked at some of the agreements between our client and its business associate or vendor. And through those agreements, the vendor was supposed to have added our client as an additional insured under its own policies. So effectively, that would have allowed the business associates policies to cover our client. But it turned out that the business associates insurer had canceled its policies the year before the incident. And the business associate either didn’t realize that or realized it and didn’t tell our client. But either way, our client was not able to recoup the benefits under those policies either. Long story short, our client had an interest in maintaining its business relationship with that vendor. So we ended up reaching a settlement with them, but it was a long protracted process. It really put a strain on the business relationship and it was a real distraction to both businesses. So, you know, I think that’s a really good example of some lessons that we all learned from that. Number one being it’s really important to understand, for every enterprise to understand where your risks lie, understand financially how much it’s going to cost you if your systems are down for two days, two weeks, two months, and then determine whether your deductibles are set at the right place and whether additional policy limits are needed. You know, some companies make an intentional decision to set high deductibles and cover the first, whatever, $15 million, $20 million in the event of this type of breach. But, you know, that’s fine if there’s a certain logic to that for some businesses. But other businesses often buy policies straight from a broker without understanding the, you know, what the implications are and how it would look in effect if they were to have some sort of breach and disruption of their supply chain. And I think the other important lesson here to be learned is that if you are a business that has entered into these business associate agreements with vendors that require the vendor to insure you, those should be reviewed annually just to make sure that everybody still understands what is supposed to be provided under those agreements and that everything that was intended to be provided, like in this case, being an additional insured, is still intact and still effective.
Bert: That’s a great point. And I would add that just, I’m sure you’ve seen this too, that in many business associate or counterparty relationships, you’ll see requirement of notice if insurance is canceled, as well as a requirement that it be maintained. Although a breaching party in one respect might breach in another respect as well. So that’s no guarantee that the insurance will remain in place.
Cristina: Yeah, you know, my recollection is, Bert, that they did have an obligation under this agreement to notify, but it wasn’t entirely clear that anybody at the vendor knew that the insurance that was supposed to be provided to our client had actually been canceled. So again, it was a massive distraction and they’d wanted to maintain this business relationship. So we tried to get past it as quickly as possible.
Bert: Well, continuing with the theme of sort of lessons learned from client experiences, I’d like to briefly share the experience of a client that I won’t name that is in the consumer products industry. It supplies retailers, its product is in constant demand, and it operates or leases warehouses across the country in order to be able to continually restock retailers with their requested orders. Well, this is a classic complex supply chain scenario in which retailers are connected to the manufacturer through a distribution network passing through warehouses. And among the facets of that distribution system is something that seems very prosaic, a piece of software that tells warehouses what products to pick and what pallets to pack them on and what trucks to load them into and in what order. And my client was in the unfortunate position of having adopted an update to its picking and packing software, well having i should say having written it having designed it and having tested it extensively in what they call in the trade a sandbox to ensure that there were no glitches or bugs in that software so that it would operate properly when rolled out to numerous warehouses across the country. And lo and behold, the sandbox, I guess, wasn’t big enough, didn’t have enough sand. And when the software was rolled out, it froze. It offered nothing to the warehouses, no guidance at all. So warehouses across the country found themselves inundated with orders from retailers, but no capacity to fill them efficiently at all. And in some cases, just completely unable to fulfill the orders. This is a classic story of for want of a nail, the shoe was lost. For want of a shoe, the horse was lost. For this client, the consumer products manufacturer, this was an eight-figure loss, even though it took less than a week to get most of the warehouses up and running again. But fortunately, in its cyber insurance, it had selected an option, which many policyholders don’t pick, in my experience, an option for a type of coverage called system failure coverage. And this is exactly the moment that system failure coverage is called for. There’s no cyberattack here. There was no malicious intent. Instead, an accidental operation of the system. Indeed, an accident with the software that occurred after extensive testing, which was believed to be sufficient for the purpose, resulted in the freezing of a wide swath of operations and a big loss for the client. Anyway, as I say, fortunately, they had good coverage. They had this system failure feature in their cyber coverage. The deductibles and the waiting period, the time waiting period that also acts as a kind of deductible before such a loss can be collected, were actually rather small. So we were able to prepare a proof of loss and with a very significant demand for that client that was squarely within the scope of coverage. So the lesson learned is simply think about the options. These things cost additional money, but consider, too, the risk that you as a policyholder may face for the failure of a critical piece of software. And that additional premium you may ultimately decide is very worthwhile. Well, Adrienne, we spent a lot of time talking about examples so far. Why don’t we get into some of the coverage types that are available for the many different ways that supply chain disruptions can manifest themselves? Would you like to tackle that?
Adrienne: Sure. Thank you, Bert. And thank you both. Those are great examples and demonstrate how complicated supply chain disruptions can be, the various ways insurance can be implicated, and the importance of managing risk sort of beforehand as well as after. So thank you both for those. Several policy types may provide coverage. Bert, you talked about contingent business interruption, CBI, a little bit before. You specifically mentioned that it covers suppliers, and I just wanted to add that it can also cover purchasers and properties that attract customers to the policyholder’s business. There’s also something called specialized broad supply chain insurance. And it is broader coverage than CBI for supply chain disruptions. Supply chain insurance is sometimes called trade disruption insurance. These are specialized named peril policies that generally cover the loss of net profits and costs caused by physical or political perils. They may also cover losses from risks such as natural disasters, industrial accidents, a bridge collapse, production issues, employment and labor issues, infrastructure, riots, public health emergencies, a wide range of events. And cyber insurance is also a key insurance that may cover supply chains, particularly as the businesses in the supply chain rely on the internet, rely on software to make their supply chain work. Cyberattacks like denial of service attacks, extortion, and the resulting data loss can all affect the supply chain, more so because supply chains are increasingly reliant on computer systems for continuity of operations. Cyberattacks and other cyber disruptions, like the one you mentioned, Bert, can interfere with communication among those in the supply chain. So your manufacturers and your suppliers and your shippers and your warehouses, no one can talk to one another, so the supply chain shuts down in that way. Cyber insurance may cover a supply chain disruption caused by a computer virus, a malicious attack, or the resulting data loss. Third-party cyber insurance may provide some cover to businesses further down the supply chain if a cyber attack or system malfunction affects the supply chain and the policyholder is sued or has to indemnify a third party. Other coverages may help to fill some of the gaps in the more common ones that we’ve been discussing. Things like political risk and special contingency coverage. Political risk insurance is a specialized first party insurance that covers risks in politically risky parts of the world and may expressly insure against specified perils like nationalization of property, confiscation of assets, war, things like that. Cargo Marine covers the transportation of goods over the ocean or land, as well as any damage to the conveyance. Marine insurance may provide some indirect coverage for supply chain disruptions, things like coverage for equipment, merchandise, or goods that are in transit or being stored that may not reach their destinations on time or even at all. Port blockage, for policyholders whose supply chains depend on access to navigable waters, you may get time element coverage for a loss resulting from vessels being denied access to or egress from an insured facility or other property. They’re the inability to deliver cargo from a vessel that does reach the facility if there’s an issue with the cargo delivery. Civil authority and ingress / egress coverage. Bert, you mentioned ingress / egress a bit earlier. First-party property policies generally contain civil authority coverage, which covers business interruption losses and, in some cases, necessary extra expenses caused by the orders of local, state, or federal authorities, things like evacuation orders, curfews, and highway closures. There’s also Directors and Officers coverage, which may protect board members, executives, directors, managers, and the companies they serve for claims and investigations of investors, third parties, and regulators. For instance, after a supply chain crisis, the officers and directors could be accused of failing to take proper measures to protect the business or third parties. Okay, so given how soon the U.S. election is now, we decided to play exit poll, in which our panelists will be asked a question that definitely has not been asked on any other poll, exit, or otherwise. Cristina and Bert, NASA launched Europa Clipper, its most expensive planetary probe ever, to explore an icy moon of Jupiter named Europa. Clipper’s five-year journey will include gravitational ricochets around both Mars and Earth to slingshot it into the outer solar system, where it will eventually orbit Jupiter and repeatedly fly by Europa, but not land. NASA hopes the probe will detect chemical signatures of the contents of the water ocean under the moon’s 10-mile-deep icy surface, giving clues as to whether some form of alien life may be present in that ocean. My question for you is, what type of supply chain insurance does NASA need now that this package is on its way to this distant icy moon?
Bert: Okay, well, I have some thoughts. I guess what occurs to me is that we have various suppliers here, and not just the suppliers NASA was counting on to get its probe ready in time, but I think Mars is a supplier here because Mars has to give a gravitational boost to the Clipper probe. And if Mars is a little late or a little early, that probe is not going to get exactly the gravitational boost it needs. That’s the ultimate example of just-in-time supply chain strategy, if you ask me. Now, as to whether I would have insurance for that, I don’t know. I think Mars’ appearance is probably a pretty safe bet. If NASA’s looking for insurance there, I think we should all be pretty worried.
Cristina: So I took a different approach. The way I saw this hypothetical was that if NASA is going to be navigating this ocean on the icy moon of Jupiter, then it should be looking to its marine insurer to cover the transportation and risks that are there under its supply chain.
Bert: Well, thank you. And thanks, Adrienne, for moderating this. This was everything I could have expected and hoped for.
Cristina: Yeah, thank you, Adrienne.
Adrienne: You are very welcome. And hopefully the listeners, if they have any questions, will reach out to us and they can see that we in IRG love insurance and we also have a good time in coverage disputes.
Cristina: Thanks, everyone.
Bert: Thank you.
When one of your cases is in need of a construction expert, estimates, insurance appraisal or umpire services in defect or insurance disputes – please call Advise & Consult, Inc. at 888.684.8305, or email experts@adviseandconsult.net.