COVER FEATURE l REPUTATIONAL RISK
it gives the organization some idea of where they are from a
reputation standpoint.”
TRANSFERRING THE RISK TO INSURANCE
Corporations have been concerned about reputational dam- age for years; even so, not many insurance solutions are avail- able on the market to cover it.
“There are specialized units within insurance companies (alternative risk teams) that create parametric products,” says Eskins. “Ultimately, the client and the insurer agree to the val- ue of the reputation (via an agreed model). You will agree to what types of events will trigger the policy. You will agree to what amount or level of financial loss would need to take place before the parametric trigger in the policy kicks in. And then, upon the conditions being met, you get to a payout of policy proceeds.”
These specialized products are “generally be taken up by larger, sophisticated organizations with well-resourced enter- prise risk management teams/units,” says Eskins.
There isn’t a large robust standalone market for reputation- al risk, in part because of the issue of quantification. That said, cyber policies have evolved to the point of addressing reputa- tional damage associated with a data breach. “From a cyber perspective, there is a reputational harm insuring agreement,
which is essentially a business interruption insuring agree- ment,” says Eskins. “This factors in the loss of business in- come or earnings as a result of a cyber event that causes you negative publicity, thus leading to a financial loss without a technological disruption to the business, such as a loss of rev- enue. This is a separate insuring agreement that is selectively being quoted on cyber policies now. Insurers are looking to charge for this, although without a meeting of the minds in ad- vance, the utility of the coverage can rightfully be questioned.”
MITIGATING REPUTATIONAL RISK
Ultimately, risk managers may choose not to transfer the risk to insurance, preferring the time-honoured way of mitigating risk in-house. That comes from having well-established poli- cies and procedures in place and making sure that employees know what to do in the event of a major blow to the company’s reputation. Cyber insurance provides an example.
“I think it’s really important that when companies have a cyber breach, they have a procedure in place,” say Gardiner. “And I think it’s very important that that procedure be known within the company. I think it’s got to be practised. Companies have to do a tabletop exercise at least once a year to make sure they know who is going to do what. The insurance policy is just a safety net.”
30 September 2019 | Canadian Underwriter