Introduction
Shareholders within several companies recently victimized by data security breaches have
launched lawsuits against the enterprises' boards, claiming that executive management
breached its fiduciary duty by failing to ensure that the companies implemented
adequate security measures. What could be a developing legal trend raises the specter
that no less than their personal wealth is at stake for directors and officers who do not
exercise appropriate oversight of their organizations' cyber risks. Citing a litany of alleged
information technology missteps, negligence and shortsightedness, the shareholders
argue that the defendants' lack of attention to data security made their organizations
particularly vulnerable to data thieves.
Always hunting for new litigation opportunities, the plaintiffs' bar very well could view
these lawsuits as templates for shareholder actions against other organizations targeted
by cyber criminals. With studies showing that the number and cost of cyber attacks
against commercial enterprises are rising, and more so in the financial institutions and
banking sector than in others, directors and officers at banks today cannot afford to
ignore these developments.
Executive management at banks, however, also can use this shareholder litigation to their
advantage. Those lawsuits provide directors and officers some clear guidance on the level
of data security protection they should be pressuring their own organizations to adopt to
protect themselves against cyber criminals.
Organizations that suffer data security breaches already face the expense of restoring
their data security, reconstituting corrupted data and, as statutes in 47 other states
plus the District of Columbia mandate, notifying their customers and clients that their
personal information has been compromised. In addition, although they generally are not
legally required to do so, these organizations typically provide credit monitoring services
to their customers in an effort to maintain, or regain, their goodwill.
Overall, according to the Ponemon Institute's 2014 Cost of Data Breach Study: Global
Analysis, the average cost of a corporate data breach is $3.5 million, a 15 percent
increase compared to Ponemon's findings in 2013.[2]
Data breaches pose huge risks for bank directors and officers
A significant factor that is driving up those costs is the growing volume of data
security incidents. That number is exploding, according to a survey conducted by
PricewaterhouseCoopers in cooperation with the magazines CIO and CSO.[3] In that survey,
9,681 corporate executives from companies of all sizes in 115 countries reported that
each of their organizations faced 3,791 security incidents on average over the 12 months
prior to February 2013. That is more than 10 incidents every day and reflects a nearly 27
percent increase from the number reported in the year-earlier survey and a 48 percent
jump from the 2012 survey results. Those events included "any adverse incident that
threatens some aspect of computer security," not only successful major data breaches,
the study's authors explain.
The numbers were even worse for financial institutions. Those survey respondents
reported not only a 22 percent higher rate of incidents (4,628 annually on average, or
nearly 13 incidents each day) but also an alarming 169 percent increase over the prior
year's results.
Among the financial institution respondents, 42 percent were from North America. Some
43 percent of the respondents represented either mid-sized or small organizations, and 41
percent represented large institutions. The size of the remaining respondents was unknown.
Financial institutions, like all organizations, could face even greater challenges in
mitigating cyber risk in the near future. A U.S.-like law that would impose notification
responsibilities on organizations that suffer data security breaches but also impose stiff
financial penalties on those deemed lax in their efforts to safeguard data likely will be
in place in the European Union by 2016.[4] But the law would reach far beyond Europe,
because it would apply to all organizations operating there, not just those headquartered
within its borders. Moreover, many other countries are in the process of enacting or likely
will adopt comparable measures to maintain their trading status with the European Union,
suggests broker executive Christopher Keegan, a senior managing director at Beecher
Carlson in New York, and law firm Baker Hostetler, which has studied data privacy laws
around the world.[5]
The list of plaintiffs' allegations includes that one or both of the companies:
Failed to take reasonable measures to prevent a security breach by, among other
things, failing to comply with the PCI Data Security Standard.
Relied on computer servers with an operating system that was so badly out-of-date
that its security software had not been updated for three years. As a result,
customers' credit card information was stored unencrypted.
Had no internal controls designed to either detect a security breach or report it in a
timely manner.
Immediately after the attack, issued false and misleading statements about the
significance of the security breach. It initially denied, but later admitted, that
customers' debit card PIN numbers had been stolen. It also suggested the security
breach affected far fewer customers and over a shorter period than it actually did.
Damaged its reputation by hiding the true extent of the attack in order to avoid
scaring away customers, causing a drop-off of holiday-season revenue.
Gave customers a false sense of security and further harmed them by failing
to provide the timely information they needed to mitigate the risk to their
personal information.
Created more bad will and further harmed customers by bungling its offer of aid
after finally alerting customers and offering credit-monitoring services. In attempting
to generate favorable public relations by disclosing how it was providing these
services, the company created an opening for other identity thieves to scam the
company's customers. In emails, the identity thieves posed as the company and
obtained the customers' payment card information.
Understood, because of the findings of a well-known independent 2007 report on
data security, the risk and likely ramifications of a massive security breach.
The shareholders are demanding that the defendants reimburse their companies for the
harm the executives allegedly caused and that the companies harden their data security
systems. Specifically, the plaintiffs demand that the defendant directors and officers
cover their organizations' remediation costs, including the cost of notifying affected
customers and clients and establishing credit-monitoring services for them, as well as the
organizations' costs to investigate the breaches internally and to respond to the resulting
regulatory inquiries and consumer class-action lawsuits.
In addition, the plaintiffs are asking for the disgorgement of compensation paid to the
individual directors and officers and payment of the plaintiffs' attorney fees.
A retailer's data security breach highlights the importance of directors and officers also
ensuring that their organizations have solid vendor management controls in place.
Financial institutions can help to mitigate vendor risks through a combination of contract
provisions and insurance.
In addition, many federal regulatory agencies have opined on vendor risk and how banks
can manage it, including the:
Federal Reserve Board, in its December 2013 guidance, Managing Outsourcing Risk.
Office of the Comptroller of the Currency, in its October 2013 guidance on third-party relations.
Federal Financial Institutions Examination Council, in its October 2012 discussion on
information technology service providers.
Consumer Financial Protection Bureau, in its April 2012 bulletin.
Securities exposure
Data breaches also increase directors' and officers' exposure to regulatory action and,
potentially, securities class-action lawsuits.
The derivative lawsuits filed against the retailer and hotel/resort chain are instructive,
particularly their demands for reimbursement of the companies' costs to respond to
various state and federal investigations. In one instance, the data breach has become the
subject of a lawsuit filed by a federal regulator. While regulatory activity is trouble enough
for a company, it often precipitates a derivative action, as was the case here.
The two derivative lawsuits also spend considerable time reciting numerous privacy laws
designed to protect consumer information, as well as various disclosure requirements, as evidence
that the defendants were aware of the significant risk associated with a cyber breach.
As further evidence that the defendants were aware of that risk, both lawsuits point to
the companies' financial statements. In those documents, the companies provided risk
disclosures on data breaches and represented that their internal controls were sufficient
to guard against them, the plaintiffs state.
The focus on disclosure is important. In October 2011, the Securities and Exchange
Commission's Division of Corporation Finance issued guidance stressing that registrants
may be obligated to discuss cyber risks and incidents under a number of disclosure
requirements or when necessary to ensure that other required disclosures are not
misleading.[9] The sections of the financial statement in which registrants may be obligated
to make those disclosures are:
Risk Factors, if that information would be a critical factor in investors' decision making.
Management's Discussion and Analysis of Financial Condition and Results of
Operations, if those risks and incidents were materially costly; the consequences
associated with any incident are material; that information indicates an important
trend; or those risks and incidents create significant uncertainty for the organization.
Description of Business, if an incident has affected the organization's product,
service, customer relations, suppliers or competitiveness.
Legal Proceedings.
Financial Statement Disclosures.
Disclosure Controls and Procedures. If a cyber incident could affect the quality of
those disclosures, then management has to consider whether those disclosures have
been rendered ineffective.
The derivative lawsuits' focus on financial statement disclosures about cyber risk,
their allegations of insufficient internal controls, and their allegations of a potential
decrease in earnings could all be fodder for a securities class-action lawsuit.
To raise a securities class-action claim, a plaintiff generally must allege that the defendant
knowingly, or with reckless disregard for truthfulness, made a false statement of material
fact and that the plaintiffs relied upon it, causing the plaintiffs damage. Typically, plaintiffs
allege that they purchased securities based on representations in a company's financial
statement and that the plaintiffs suffered damages when the company's share price
dropped after revelations that those representations were misleading or false.
The derivative lawsuits appear to allege all the essential elements necessary to raise a
securities class-action lawsuit, except for an actual drop in share price.
Given the increasing frequency of data security breaches and the greater emphasis on
disclosure and management of internal controls, directors and officers should expect to face
securities class-action lawsuits in the wake of a breach, if it triggers a market reaction.
Insurance protection
While directors and officers can be a driving force in their organizations' efforts to fend
off data thieves, data security experts warn that cyber criminals will not be discouraged
easily. In the event of a successful attack, executive management that has demonstrated
strong oversight of its organization's cyber risk controls would have a strong argument
that it and the entity took all reasonable steps to safeguard customer data and,
therefore, should not face regulatory penalties or shareholder litigation.
Still, shareholders may sue. Even if a court eventually dismisses the case because the
board had done all it could to ensure that the organization had robust data security,
the cost of a defense could be significant. So besides ensuring that they are meeting
their fiduciary duties relating to cyber risk, executive management should ensure they
are comfortable with the amount of directors' and officers' liability insurance their
organizations have purchased.
Conclusion
Cyber criminals are relentless. Studies show they will attack an organization's data
security system multiple times daily, in many ways and from different areas of the globe, in an
attempt to steal customers' personal data.
In an environment in which customer data is increasingly under attack, banks must take
extraordinary steps to remain competitive and compliant with numerous regulations and
statutes. Managing cyber exposure must be a critical element of every organization's risk
management philosophy.
Moreover, directors and officers have to do more than merely trust that their
organizations will be vigilant, because shareholders demand strong board leadership on
data security.
Because it's not just if an attack is going to occur, but when.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures
herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to
reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein
is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We
do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies
and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed
to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The
subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any
insurance policy.
Zurich
1400 American Lane, Schaumburg, Illinois 60196-1056
800 382 2150 www.zurichna.com
2014 Zurich American Insurance Company
Hailstorms are a pervasive problem throughout the United States and can wreak havoc
on commercial roofing systems. Understand the composition of hail-resistant roofs in
the event that repair or replacement is needed.
"One of the major loss costs of any hailstorm is a roof. Hail damage can be traumatic to a business operation."
Mike Cincinelli, CAT team manager, Zurich North America
Infographic: Hail's force, by damage level (minimal to no damage; significant damage; severe damage).
Roof repairs.
Damaged equipment: Expensive rooftop equipment like damaged HVAC units or solar panels might need to be replaced.
Preventative maintenance: HVAC hail guards can protect expensive-to-replace condensers from damage. Enlist a professional roofing contractor for an annual inspection.
Deciding what opportunities to fund, which risks to protect
The critical role of enterprise risk management in strategic decision making
By Linda Conrad, Director of Strategic Business Risk, Zurich Global Corporate
Table of contents
Enterprise risk management (ERM) as a strategic planning and profitability tool
Failure to either anticipate growth opportunities or plan for negative events can have
serious consequences on business operations, including loss of customers, inadequate
asset protection, failure to meet regulatory requirements, lower profitability and share
price. How can the senior management of an organization be more aware of their
potential risks, both the upside and the downside? Recently, there has been an intensifying
interest in enterprise risk management, or ERM, as a tool to enable organizations to
consider the potential impact of all types of risks on their processes, products, services,
activities and stakeholders. In short, an effective ERM approach can help an organization
make the most efficient use of its capital. By determining what growth opportunities to
fund, and what potential risks need budget support, an organization can better ensure it
will meet its business objectives today and into the future.
Financial results show that a robust risk culture can be the basis for improved profitability.
A study by FERMA in 2012[1] found that firms with advanced risk management practices
exhibited stronger EBITDA and revenue results over the past five years than did those
with emerging risk cultures. A review of over 800 firms in 20 countries concluded that:
75% more firms with advanced risk management practices had EBITDA growth
of over 10%
62% more firms with advanced risk management practices showed revenue
growth of over 10%
The study validates that creating an active risk culture can directly correlate to stronger
financial results, as the entire firm becomes more aware of and accountable for the
potential obstacles standing in the way of success.
The wide array of economic, geopolitical, environmental, technological, supply chain
and other risks of the last decades have heightened the call for a more rigorous risk
management approach to business resiliency by organizations. Events like Enron and
BP, the recent credit crisis, and catastrophes like the Asian tsunami, the Thai floods or
Superstorm Sandy have led to the emphasis on the need to embed and enhance risk
management practices. A renewed focus on enterprise resilience can help in prioritizing
capital toward optimizing the risk/reward balance. This requires applying a risk lens and
techniques to both minimizing disruptions and maximizing growth. A resilient enterprise
is better able to anticipate surprises, recover from disruptions, adapt to changing
conditions and leverage emerging opportunities. The goal is simple: funding the right
amount of the right risks at the right time, to help turn risk into results. How to attain
this goal is the business objective of Enterprise Risk Management.
Corporate boards, facing heightened regulatory and ratings scrutiny, are beginning to
insist that management provide sophisticated reports linking risks to their impact on
an organization's objectives. Many boards are also more engaged in the oversight of
management's risk monitoring processes to determine whether the risks assumed to meet
performance objectives are embraced throughout the organization and within established
limits. Also of interest to boards is how management's response to existing risks has
either helped or hurt the long-term strategies of the organization.
As early as 2001, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) began efforts to develop a framework that could be used by
corporations to evaluate and improve their organizations' enterprise risk management.
As defined by COSO, enterprise risk management is "a process, effected by an entity's
board of directors, management and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives."[2]
In 2004, the New York Stock Exchange issued corporate governance rules that require
audit committees of listed corporations to discuss risk assessment and risk management
policies. Executive compensation arrangements are a key area of regulatory attention
because there is concern that these arrangements may have encouraged excessive
risk-taking in the past, where there has been an undue emphasis on performance without
due consideration of risks.
In 2008, Standard and Poor's (S&P) began assessing ERM processes as part of its
corporate credit ratings analysis. S&P reports that in their reviews with rated issuers in
the U.S. and Europe, they have discovered a wide range in the level of adoption, formality
and engagement of ERM.[3] In particular, S&P noted that:
Silo-based risk management, focused only at the operational managers' level,
continues to be prevalent.
Companies with a true enterprise-wide approach to ERM appreciate the importance
of going beyond only quantifiable risks and increasingly understand the importance
of emerging risks.
Companies often facilitate their ERM execution via separate structures, with
associated roles and responsibilities clearly defined.
In July 2009, the SEC proposed rules that would require management to increase its
disclosures of information that describe the overall impact of compensation policies on
risk-taking. The proposed rules would also require disclosure in a proxy statement about
the board's role in the company's risk management process, and the effect that this has
on the way the company has organized its leadership structure. The SEC believes that
disclosure should provide information about how a company perceives the role of its
board and the relationship between the board and senior management in managing the
risks facing the company. SEC Chairman Mary Schapiro stated, "I want to make sure
that shareholders fully understand how compensation structures and practices drive an
executive's risk-taking. The Commission will be considering whether greater disclosure
is needed about how a company, and the company's board in particular, manages
risks, both generally and in the context of setting compensation."
Sen. Charles Schumer, D-N.Y., introduced the Shareholder Bill of Rights Act of 2009
that would require corporations to establish a risk management committee comprised
of independent directors. Additionally, the U.S. Treasury Department is considering
requiring compensation committees of public financial institutions to disclose strategies
for aligning compensation with sound risk management. While this focus is on financial
institutions, the link between compensation structures and risk-taking has implications
for all organizations. Ratings agencies and analysts have also taken a keener interest in
governance efforts.
Also in 2009, a new international standard was published, ISO 31000,[4] that clarifies
and builds on the risk principles set out in the Australia and New Zealand standards
developed in 2004 (AS/NZS 4360:2004). ISO 31000 defines the application of a risk
management framework as a set of components that provide the foundations and
organizational arrangement for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization. The ISO 31000
standard and risk management organizations such as RIMS or the IRM also offer
step-by-step guidance for establishing or expanding an ERM framework to assist
organizations in improving risk oversight to help protect profitability.
In May 2013, S&P announced an update on their efforts with the following
announcement: "Elements of enterprise risk management that we highlighted as
important in our ratings on non-financial companies more than five years ago have now
completed a migration to our broader assessments of management and governance
(M&G). Following new M&G criteria published on November 13, 2012, we have now
completed an assessment process across our global portfolio of almost 4,000
non-financial companies worldwide." S&P uses the management and governance score to
modify its evaluation of an enterprise's business risk profile, a key component of its credit
rating. Worldwide, Standard & Poor's assigned management and governance scores to
3,868 companies: only 8% were strong, and 32% were satisfactory, while 57%
were fair, and 3% weak.[5]
Clearly, the need to create a robust ERM framework is something no senior executive
team can ignore today. Risk management has moved beyond just the purview of the
CFO, accounting, or legal department to become an enterprise-wide responsibility. Today,
a limited approach to identifying, assessing and monitoring risks is not enough.
Business continuity management deals with factors that may cause significant business
disruption or may damage the organization's reputation. It emphasizes preparing the
organization for and bringing the organization back from a threatening event. In other
words, business continuity management is an application of risk management in the
context of threatening risks and emphasizing a timely recovery after an incident.
Enterprise risk management, on the other hand, sets down a structured framework for
the organization to identify, rank, and control all the risks concerned. The purpose of this
broader assessment is to create a more resilient business, one that is better prepared to
adapt to changing conditions and leverage emerging opportunities, as well as anticipate
surprises and recover from disruptions. Effective enterprise risk management goes hand in
hand with a business resilience process by creating a proactive infrastructure for dealing
with risks systematically, holistically and successfully.
Figure: Productivity over time after an event, from emergency (1) through salvage and restoration with business continuity management (2) to business recovery and normality (3), plotted against the willingness of customers to wait.
A 360-degree ERM process can help organizations meet these strategic objectives:
Protecting the capital base: An ERM review can potentially drive meaningful
financial benefits, including a reduced cost of servicing debt, improved access to
capital and a lower cost of capital.
Enhancing value creation and contributing to an optimal risk/return profile: ERM
can increase the probability of the upside and decrease the probability of a downside.
Supporting the corporate decision-making process: For senior management, ERM
can demonstrate its incorporation of risk information into decision making,
especially for rated companies that need to score well on the S&P ERM assessment.
Protecting reputation and brand by promoting a sound culture of risk
awareness: ERM can increase investor confidence through proven management
accountability for risk.
Zurich's report on applied risk management, developed for risk managers after the credit
crisis, summarized the lessons learned from the failures of those companies that did not
perform a strategic risk management process:
1. Understanding individual risks is not enough: Organizations must account
for inter-linkages and remote possibilities.
2. Extreme events must be factored in: The world does not follow a normal, even
distribution, and Black Swans can appear at any time.
3. Determine the corporate risk appetite: The strategic function of ERM is to guide
corporations in determining their choice of trade-offs between risk and reward.
4. Quantitative models are important, qualitative judgments are imperative: The
arsenal of risk management tools is lengthy, but models cannot replace judgment.
5. A risk culture starts at the top: To entrench risk management across an
organization takes a strong, top-down approach applied across the organization.
Corporate downsizing
Change in leadership
Corporate reorganization and rebranding
Enterprise risk management
Cloud computing/cyber security and privacy
Sale of business units
Business continuity, crisis response and safety
Turning risk into a competitive advantage may require a cultural shift toward greater
risk accountability. A cultural shift may be needed to improve the understanding and
management of risk throughout your organization, and to drive critical corporate
communication between the C-Suite and Board and employees. Failing to address issues
of risk management head-on can expose your firm to the blindside of risk, potentially
costing you money and causing you to miss growth opportunities in critical areas.
It starts by mapping each individual's predisposition to risk, and then aligning it with
the corporate goals. Ownership and accountability of risk can be increased through
proven management and behavioral science strategies. The process can then be made
continuous through a living risk culture dashboard, aligned to your strategic and
operational objectives.
An embedded and open risk culture can improve collaboration and encourage dialog that
can help you establish key risk indicators tied directly to key growth and performance
metrics. This positive risk culture can help you better understand your risk landscape and
build an ERM framework that addresses risk proactively to improve business resilience and
profit potential.
How can you deal with the risks that you may not even know exist? Can you
efficiently prioritize and budget resources for critical strategic and operational
risk mitigation? What is the true risk appetite of your organization? It is
challenging to incorporate risk considerations into strategic planning, budgeting, supply
chain management, business continuity or other operational activities. A company must
evaluate the risk/reward balance and also ensure that its risk management culture is consistent
and effective across the enterprise.
In a report, A structured approach to ERM and the requirements of ISO 31000, issued
by the Public Risk Management Association in the U.K. in early 2010, a risk management
policy structure was included that can help corporations ensure their ERM approach is
updated and disseminated throughout the organization each year. The following sections
were recommended in developing an ERM policy:
Risk management and internal control objectives (governance)
Statement of the attitude of the organization to risk (risk strategy)
Description of the risk aware culture or control environment
Level and nature of risk that is acceptable (risk appetite)
Risk management organization and arrangements (risk architecture)
Details of procedures for risk recognition and ranking (risk assessment)
List of documentation for analyzing and reporting risk (risk protocols)
Risk mitigation requirements and control mechanisms (risk response)
Allocation of risk management roles and responsibilities
Risk management training topics and priorities
Criteria for monitoring and benchmarking of risks
Allocation of appropriate resources to risk management
Risk activities and risk priorities for the coming year
The Conference Board study showed that a strong ERM program is a factor in increasing revenue and shareholder value:
80% Increased management accountability (shareholder confidence)
79% Smoother governance practices
59% Increased profitability
62% Reduced earnings volatility (less volatility)
86% Better informed decisions (learn from risk information and mistakes)
Sources:
Enterprise Risk Management: Complacency is No Longer an Option, But a Practical Start Is. KPMG, 2006. www.kpmg.com
Effective Enterprise Risk Management Starts with a Conversation. American Institute of Certified Public Accountants, September 2009. www.aicpa.org
ISO 31000: Risk management, Principles and guidelines. International Organization for Standardization, 2009. www.iso.org
Strengthening Enterprise Risk Management for Strategic Advantage. Committee of Sponsoring Organizations of the Treadway Commission, 2009. www.coso.org
Progress Report: Integrating Enterprise Risk Management Analysis into Corporate Credit Ratings. Standard & Poor's Ratings Direct, July 2009. www.standardandpoors.com/ratingsdirect
Christina, Diana. Dissecting the Anatomy of ISO 31000. www.dianechristina.wordpress.com/2010/02/05/dissecting-the-anatomy-of-iso-31000/
Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrated Framework, Executive Summary. September 2004.
Good Practice Guidelines 2008. Business Continuity Institute.
Strategic Risk Services - Zurich Services Corporation
Zurich's Strategic Risk Services helps organizations improve their business performance
through an Enterprise Risk Management approach to strategic, operational and financial
exposures. This broad, 360° view helps businesses ensure resilience, reduce total cost of
risk, protect profitability, and enhance capital efficiency.
Zurich
1400 American Lane, Schaumburg, Illinois 60196-1056
800 382 2150 www.zurichna.com
The information in this publication was compiled from sources believed to be reliable for informational purposes only.
All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and
procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may
serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice
and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the
accuracy of this information or any results and further assume no liability in connection with this publication and sample policies
and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that
this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be
appropriate under the circumstances.
The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and
procedures ensure coverage under any insurance policy.
© 2013 Zurich American Insurance Corporation
Unlike hurricanes, which can be tracked days in advance of making landfall, tornadoes
can appear suddenly, allowing only a few hours for warnings of deadly storm conditions
to be issued. Occasionally, tornadoes develop so rapidly that little, if any, advance
warning is possible. And while the path of a tornado is far narrower than that of a
hurricane, tornadoes can be more destructive to homes and businesses.
The peak wind speed of a Category 5 hurricane rarely exceeds 180 miles per hour, while
an EF5 tornado has estimated wind speeds in excess of 200 miles per hour by definition
and can generate maximum wind speeds of greater than 250 mph. EF5 tornadoes can
be powerful enough to strip the bark from a tree!1
Fortunately, companies can take steps to help protect people, property and business income.
The key factors are preparedness, vigilance and rapid response to dangerous conditions.
Housing servers and other vital equipment in protected areas of a building, preferably
in tornado-resistant server rooms; and
For new construction, working with an architect or contractor to incorporate wind
mitigation techniques and high wind-rated products.
3. Simple Tips to Reduce High Wind, Tornado Damage, FEMA, www.fema.gov
Insurance
Most property insurance policies provide insurance protection for tornado damage to
both real and personal property. These policies also may cover costs to remove, clean
up and dispose of debris after a tornado. Companies also should consider time element
coverages, especially Business Interruption and Extra Expense, which cover lost business
profits and the additional expenses to keep a business running while insured property
is being restored or replaced. Civil Authority and Ingress/Egress coverages cover lost
business profits due to disruptions caused by the inability of customers or employees to
access a building.
5. Manny Fernandez and Matt Flegenheimer, 100 tornadoes, 5 deaths: New early warning puts Midwest towns on notice to take care, New York Times, April 16, 2012, www.twincities.com
Conclusion
Tornado damage can cripple or even destroy a company, but businesses are not helpless
in the face of even the most powerful twister. Advance preparation can help business
owners and executives rest assured that both lives and property will be preserved to the
greatest extent possible, and continuity and disaster planning can contribute to a rapid and
complete rebound in the aftermath of a catastrophic event. Advance preparation, however,
can be undermined by failing to react effectively to an imminent threat. Companies need
to monitor developing weather conditions and respond quickly and decisively as soon as
severe conditions materialize. Insurance protection also is essential, and companies should
work with their brokers to guarantee they have traditional property insurance policies that
cover loss to tangible property, as well as time element coverages that help businesses
remain financially viable after a catastrophe.
Insurance coverages are underwritten by individual member companies of Zurich in North America, including Zurich
American Insurance Company. Certain coverages are not available in all states. Some coverages may be written on a
nonadmitted basis through licensed surplus lines brokers.
© 2014 Zurich American Insurance Corporation