ABA Section of Business Law

ABA Section of Business Law
Business Law Today
September/October 1998

Insuring Against Catastrophe

Underwriters should act now to prevent insolvency later

Hammond is an associate at LeBoeuf, Lamb, Greene & MacRae, LLP, in New York City. This article does not necessarily represent the opinions of the firm or any of its clients.

When Y2K hits, the insurance industry will likely be called on to cover the losses.

Preparations undertaken by insurers today could pay extremely valuable returns when the claims start rolling in. That is not to suggest that insurers should abandon their insureds by excluding Year 2000 losses on a wholesale basis, but to highlight the urgent need for them to actively address the issue on a case-by-case basis. The insurance industry must adopt strict underwriting parameters relative to the extent to which Y2K exposures can be prudently insured. It may be commercially irresponsible for the industry to approach the problem any other way.

Hundreds of comprehensive resources are available on the Internet and elsewhere that address the problem as it affects almost every economic sector. In general terms, the problem is relatively simple and involves two broad areas that will require remediation.

The first area involves the inability of the programming in most computer systems, whether in software or hardware, to accurately process date-related codes after the Year 2000. The problem arises because most business application software programs written over the past 20 years use two digits to specify the year, rather than four. Thus "00" may be read as "1900."

The second area involves the inability of some embedded microcontrollers or chips in virtually every type of mechanical equipment imaginable to accurately respond to electronic instructions. The problem arises because some mechanical equipment, like machine tools, measuring instruments, computerized valves and various types of production equipment, is controlled by tiny chips that also use two digits to specify the year. Any mechanical equipment that has a date-sensitive function is potentially at risk.

Malfunctions in both the programming and embedded chip areas will result in either "soft" or "hard" crashes. In a "soft" crash, the computer or equipment continues to operate but does so in a defective manner. A "hard" crash simply refers to a total computer or equipment shutdown that cannot be readily restored. "Soft" crashes generally pose a more serious threat because erroneous decisions may be made or defective products manufactured based on misinformation or faulty instructions before the crash is discovered. These types of malfunctions could generate losses, which could trigger potential coverage obligations under virtually every type of insurance.

General liability policies typically cover third-party losses that an insured becomes legally obligated to pay because of bodily injury and tangible property damage caused by an occurrence. Corrupted data electronically transmitted by an insured to third parties could result in malfunctions and shutdowns within the third parties' organizations. Embedded-chip failures in machinery could also cause third parties to sustain bodily injury and property damage.

Most general liability policies exclude coverage for bodily injury or property damage that is either expected or intended from the standpoint of the insured. Insurers will likely argue that the bodily injury or property damage arising out of a Year 2000 failure was expected from the standpoint of the insured for several reasons. Computer programmers and chip manufacturers intentionally used two-digit date codes and therefore must have reasonably expected failure at the century date change.

The heightened publicity of the Year 2000 problem and the deluge of materials in the popular press concerning the potentially devastating impact further bolsters the position that the insured expected the consequences of the two-digit programming. Insureds will likely counter by focusing on their subjective awareness as well as the lack of foreseeability of the specific harm resulting from a Y2K failure.

First-party property insurance potentially could be triggered by first-party property loss arising out of the malfunctions. In addition to any potentially applicable exclusions like the cost of replacing or restoring computer records, the central coverage issue that will arise under first-party property policies will be fortuity. It is generally recognized that a loss must be fortuitous or occur by chance to be subject to insurance. Insurers will argue that the insured's awareness of the risks associated with the century date change render the consequential loss to be nonfortuitous and therefore not subject to coverage. Insurers will argue that an objective standard should be used in this analysis while insureds will contend that the proper focus is the insured's subjective awareness of the problem. Most property policies also exclude loss arising out of a situation that is inherent in the nature of the property or constitutes a latent defect. Insurers may argue that defects in the programming of systems and equipment of the insured are inherent in the nature of the property and therefore excluded.

Business interruption insurance, often included within the coverage afforded under a first-party property insurance policy, covers losses sustained by an insured because of an event that causes a failure in the insured's ability to operate its business. Like property insurance, fortuity and defects inherent in the nature of the property will likely be common coverage defenses asserted by the insurers. Most business interruption coverages also limit the coverage to losses arising out of a "suspension" or total shutdown of business operations. Therefore, coverage issues will also arise to the extent a Year 2000 failure causes operational inefficiencies as opposed to a total shutdown of operations. Subrogation will also play a major role as respects all first-party coverages to the extent a third party is responsible for the loss causing failure for the insured.

Directors and officers liability insurance generally covers loss arising out of third-party claims by shareholders against company management and is an area of particular concern with respect to Year 2000. These claims are typically either made on behalf of the company to recover losses arising out of the management's breach of duties owed to the shareholders or made directly against management by investors for deficiencies in the company's public disclosures after a drop in the stock price. Year 2000 losses at a company will draw attention to the adequacy and reasonableness of the Year 2000 remediation efforts undertaken as well as the company's public disclosures.

The extent to which directors and officers will be held responsible for losses largely depends on whether the steps undertaken by them to achieve Y2K compliance shield them from liability by virtue of the business-judgment rule. Some examples of management action that may raise issues relative the application of the business-judgment rule include:

• Management totally fails to take any action relative to Year 2000 compliance.
• Management prepares a comprehensive Year 2000 remediation plan but it is not fully implemented by the century date change because of management's failure to act in a timely manner.
• Management's Year 2000 compliance plan yields no failures but was instituted at such a late date that the costs associated with the creation and implementation of the plan are far greater than they would have been if management had addressed the problem at an earlier date.
• Management implements a Year 2000 plan in a timely manner, but the plan is inadequate and fails to remediate key sectors of the company's systems or other exposure areas because of the retention of incapable outside consultants or because of sole reliance on an understaffed or inexperienced internal IT staff.
• Management implements a Year 2000 plan in a timely manner that was adequate when initially conceived but neglected to continuously keep itself up to date regarding Year 2000 issues, resulting in a failure to address newly discovered exposures, which ultimately cripple the company.

Directors and officers may also be subject to claims under federal and state securities laws for material misrepresentations or omissions in a company's financial statements and public disclosures regarding Y2K costs and liabilities, including certain contingent liabilities. Investors would argue that the disclosure failures misrepresented both the company's financial position and the related actual, as opposed to current, market value of its stock. Such causes of action are usually styled as securities-fraud claims but typically include causes of action for negligent misrepresentations.

Public companies are required to file an annual report on Form 10-K and quarterly reports on Form 10-Q with the Securities and Exchange Commission. According to Reg. S-K, Item 303, each such annual report and quarterly report must include a section entitled "Management's Discussion and Analysis of Financial Condition and Results of Operations" (MD&A). Instruction 3 to Item 303(a) provides that: The discussion and analysis shall focus specifically on material events and uncertainties known to management that would cause reported financial information not to be necessarily indicative of future operating results or of future financial condition. This would include descriptions and amounts of (A) matters that would have an impact on future operations and have not had an impact in the past, and (B) matters that have had an impact on reported operations and are not expected to have an impact on future operations.

On May 12, 1997, the SEC issued a statement as part of its "Current Issues and Rulemaking Projects" release concerning the potential obligation of public companies to disclose information in their annual reports and quarterly reports about their year 2000 problems. Any public company that knows that the costs of addressing the problem or the consequences of incomplete or untimely resolution of the problem represents a known material event or uncertainty that would affect future financial results, or cause reported financial information not to be necessarily indicative of future operating results on future financial condition, is required to disclose this event and uncertainty in the MD&A section of its annual report and quarterly reports.

More recently, the SEC's Staff Legal Bulletin No. 5 on Year 2000 Disclosure, originally released on Oct. 8, 1997, was revised and re-released on Jan. 12, 1998 and: provided more specific guidance under the existing Commission rules and regulations because of the importance of the Year 2000 issue and some uncertainty expressed by members of the accounting and legal professions regarding what should be disclosed, remind public operating company . . . to consider their disclosure obligations relating to anticipated costs, problems and uncertainties associated with the Year 2000 issue.

The bulletin goes on to address "Specific Disclosure Considerations," including:

• Disclosure is required if a company has not yet assessed its Year 2000 issues.
• To the extent an assessment has been made, the determination of whether or not to disclose should be based on whether Year 2000 issues are material to the company's business, operations or financial condition, without taking into consideration any countervailing measures undertaken by the company like remediation programs or contingency plans.
• If disclosures are required, they must be "reasonably specific and meaningful," not boilerplate.

Law firms specializing in securities class action litigation will be carefully scrutinizing the public disclosures of any company whose stock price falls because of a Year 2000 failure and the regulations and guidelines set out above will be the basis for any claims regarding the deficiency of such disclosures.

Coverage disputes will likely focus on misrepresentation issues to the extent management had knowledge of potential or actual Y2K claims and failed to disclose this to the insurers during the renewal process. It has also been suggested that fortuity may be raised by D&O insurers as a coverage defense. Insurers may claim that providing coverage for losses arising out of wrongful acts that management knew would occur before they actually do is contrary to the fundamental nature of insurance as well as public policy. In this regard, it may be asserted that Year 2000 claims are not covered because of a lack of fortuity: The insured was aware of the problem and chose to ignore it. Insureds would likely take the position that management's failure to act under these circumstances is precisely what the directors and officers policy is intended to cover.

Errors and omissions policies cover loss for which the insured becomes legally obligated to pay as a result of negligent errors and omissions in the performance of professional services. Professionals who would be exposed to liability in the event of a Year 2000 malfunction include electronic data processors, computer services as well as telecommunications-design professionals for failure to design or remediate systems adequately. Accountants and lawyers also face exposure for failure to advise their clients adequately in connection with public disclosures and contingent liabilities. Like the D&O policy, coverage issues that may arise include prior knowledge, misrepresentation and lack of fortuity.

Fidelity bonds and commercial crime insurance policies primarily cover first-party loss arising out of employee dishonesty and often provide coverage extensions for loss arising out of computer crimes. The major Year 2000 threat here is an increased criminal exposure from both internal and external sources.

Programming failures could create criminal opportunity for those that are predisposed to such conduct. A programming failure could compromise an insured's computer system, thereby presenting opportunities for unauthorized access to accounts from internal and external points resulting in unauthorized financial debits, transfers or margins. Physical security measures may fail because the programming that controls their performance malfunctions resulting in open vaults, unlocked doors and disabled alarm and surveillance systems.

On-site IT workers who may be predisposed to criminal conduct if the opportunity presents itself may also pose a serious threat. For example, an internal IT worker may be aware of a pending Year 2000 catastrophe that will imminently fall on his employer who was either not properly advised or did not act on such advice. The IT worker knows that if he converts company or customer funds on Dec. 31, 1999, his deed may go unnoticed for some time given the company-wide system failure that will take place on Monday morning.

In addition to the criminal opportunity presented, a programming failure could also result in "loss of property," including money and securities, because of noncriminal computer malfunction resulting in "misplacement" or "mysterious unexplainable disappearance," another area that potentially triggers coverage obligations under most fidelity and commercial crime policies.

Another increased exposure to fidelity and commercial crime insurers comes form IT service contractors. Year 2000 has generated a tremendous demand for IT workers. In February 1998, the New York Times reported that there were 360,000 job openings for IT professionals and that the number is increasing rapidly. As Y2K draws closer, there will be more and more IT service contractors retained by insureds, which may be subject to coverage to the extent the applicable definitions of "employee" have been modified. The Gartner Group, a Stamford, Conn. consulting firm, has reported that the Y2K problem is "causing a lack of programmers, and people are hiring anybody." Year 2000 consulting firms have recently been forced to outsource remediation abroad, particularly to Russia and India. The Gartner Group has suggested that employee background checks have become virtually nonexistent and there is an increasing risk of "back doors" being programmed in to proprietary systems to avoid computer security measures in the future.

Whether or not the claim scenarios set out above will result in covered losses under the coverages discussed above or elsewhere, it is clear that the potential for a high volume of serious claims against various lines of insurance could be a reality in the event of failures. The most prudent course is for insurers to carefully underwrite their risk and clarify the extent of the coverage they are willing to provide. To effectively underwrite Year 2000 exposures, insurers must understand that certain risk factors may be specific to particular regions or industries as well as understand the general chain of causation of most Y2K failures.

In terms of geography, some generalizations are possible. The United States is generally viewed as the most advanced country in the world in terms of readiness. This is not to say that the United States will not experience its fair share of problems but merely to suggest that it is more advanced than other countries.

England is generally considered to be roughly six months behind the United States. Despite this, England may ultimately fair better than the United States because of Prime Minister Tony Blair's aggressive public-awareness campaign. Blair appears to have accepted the notion that serious failures will occur and is formulating nationwide contingency and disaster recovery plans. He has also been instrumental in raising Year 2000 to the top of the G-7's agenda. Interestingly, England is not participating in the first phase of the Euro conversion. Some speculate that England views the tasks of resolving the technological issues associated with the Euro conversion as too difficult and complex to undertake in concert with Year 2000 remediation.

Continental Europe's fixation on the Euro conversion appears to have negatively affected its efforts. It is generally understood that Continental Europe is between nine months and one year behind the United States. Within Continental Europe, Germany is viewed as somewhat behind its counterparts. Japan's preoccupation with its own prolonged recession appears to have slowed the start of Y2K remediation. There is mounting concern that Japan's efforts are too little too late, especially in the banking and finance sectors. Latin America and the rest of the Third World are perceived to be far behind the rest of the world but the impact may not be as significant as other areas because these regions are less dependent on technology.

It is more difficult to identify specific industries that may be more exposed to Year 2000 failures than others because heightened industry awareness is not necessarily an indication that the industry will escape exposure. For example, the banking and finance sectors have been diligently working on Year 2000 compliance measures for some time, but the complex integrated nature of the systems involved as well as the nature and value of the underlying transactions at issue increase the opportunity for failure. Certain sectors of the banking and finance industry, such as community banks, credit unions and finance and leasing companies are generally viewed as behind the other sectors of this industry.

Manufacturing and production facilities are now considered to be one of the sectors that are the most heavily exposed to Year 2000 failure. In addition to the extensive programming remediation that is also required in other sectors, manufacturers are faced with the daunting task of identifying and replacing noncompliant embedded chips in noncomputer machinery and electronic circuitry. There are virtually thousands of these chips in every manufacturing facility; they must be located, inventoried, assessed and replaced, if necessary.

The inventory and assessment phase alone will require that much of a plant's equipment must be physically opened and examined, whether or not it was ever designed for such intrusion. The failure to identify and remediate a single noncompliant chip could freeze an entire production facility.

Third-party dependencies are also a major exposure for manufacturers. "Just in time inventory" production necessitates the near 100 percent efficiency of suppliers. A single supply failure because of a Year 2000 failure at the supplier or at his supplier and so on could also shut down a facility.

Regardless of the region or industry at issue, Y2K exposures faced by any insured appear to derive from two general categories of failures, internally or externally caused failures.

Internally caused failures are failures within an organization resulting from Year 2000 failures also within the organization. An organization's exposure to internally caused failures would appear to be susceptible to relatively accurate underwriting through the use of detailed Y2K underwriting questionnaires and other supplemental information requests. Presuming there are adequate resources available, including time, any organization is able to eliminate or at least substantially mitigate its exposure to internally caused Year 2000 failures because the risk of malfunctions that would cause such failures are within the exclusive control of the organization.

Externally caused failures are failures within an organization resulting from Y2K failures outside of the organization, namely, at third parties that the organization relies on to successfully operate its business. The ability to accurately underwrite an organization's exposure to externally caused Year 2000 failure is less clear because the malfunction risks that would cause these failures are not within the exclusive control of the organization. In order to effectively underwrite an organization's blanket exposure to externally caused failures, an underwriter must not only review relevant information regarding the organization's remediation efforts but must also assess the exposure to Year 2000 failure of virtually all the third parties on which the organization relies to continue its own operations. Unfortunately, the analysis does not stop there because these third parties are also dependent on other remote parties and so on and so on.

Thus, it would appear that the extent to which an organization's exposure to externally caused Year 2000 failure can be accurately underwritten depends largely on where the loss-causation chain stops. It may be possible to gather sufficient information regarding specific third-party business partners of an organization so that the externally caused Y2K failure coverage could be offered on a limited basis, i.e., by scheduling specific third parties to a policy.

It would appear, however, that the more prudent approach to offering such a coverage grant would be to limit it to externally caused failures at the organization that are caused by internally caused failures at the specific third-party business partners of the organization. Otherwise, the underwriter would be required to analyze the Year 2000 exposure of remote third parties that are not in privity with the insured organization. This would not appear to be a commercially reasonable option.

One other thing that should be considered regarding a limited extension of Year 2000 coverage for externally caused Year 2000 failures is the extent to which an insurer will be able to rely on information presented by the organization regarding the Year 2000 status of its third-party business partners since the information may not be coming to the insurer first hand.

Some believe that the insurance market will harden as the Year 2000 approaches and suggest that insureds would be best served to address their insurance concerns as soon as possible if they have not already done so. Despite the relatively late date, many insurance options still exist for insureds that are able to demonstrate that they are diligently working to achieve Year 2000 readiness.

Silence appears to be the route that many insureds have chosen. An insured could renew coverage as expiring: No Year 2000 exclusions and no affirmative statement of Year 2000 coverage. The main risk associated with this approach is that the insurer could raise coverage issues such as the ones discussed above to preclude or mitigate its coverage obligations.

To the extent that an insured could demonstrate that it is an exceptional Y2K risk, it could attempt to work with its insurers to draft a policy specifically incorporating coverage for its Year 2000 exposures. This option generally is only available for those insureds that are well on their way to compliance.

At least one commercial insurer has prepared a form policy that expressly incorporates coverage for claims that arise out of Year 2000. Though not necessarily warranted, some skeptics have suggested that this approach is intended to bolster the insurer's contingent coverage position that the traditional forms were never intended to cover claims arising out of Year 2000 problems. Coverage under these forms should be carefully scrutinized to determine the extent to which the insured may be purchasing more restrictive coverage than was previously afforded under the traditional form.

Other insurers offer monoline or single-risk Year 2000 policies that cover certain exposures after the prospective insured undergoes a thorough Y2K audit at its own expense. Some of these products involve actual risk transfer while others are finite risk arrangements whereby the insured pays an extremely high premium for the coverage, usually 75 to 80 percent of the policy's limit of liability.

Depending on the region and industry, the impact of the Year 2000 will most likely fall somewhere between the dud and catastrophe scenarios. For the insurer, the downside of proper preparation today is wasted time and effort and, possibly, loss of market share in the event business is lost because of restrictions in coverage for certain types of Y2K risks.

The upside could be solvency in the Year 2000 and beyond as well as the ability to gain market share because of the insolvencies of insurance companies that did not properly prepare themselves for the century date change.

For the insured, there is only an upside to working with insurers to determine which coverage option will best afford the necessary protection.