The role lawyers have in insurance risk management during Russia-Ukraine war
Often the best courses of action are legally informed but ultimately are not legal action.
PropertyCasualty360.com sister publication The National Law Journal has launched Inadmissible, a weekly Q&A series with Washington, D.C., legal professionals. The interviews will take a short, to-the-point look at an issue at the intersection of law and politics and highlight the type of work being led by professionals in the nation’s capital.
This week, Reed Smith tech & data group partner Gerard Stegmaier discusses how growing geopolitical risk factors could impact insurance claims and subsequent litigation.
National Law Journal: What is the issue and how does it intersect with Washington, D.C., as well as global politics?
Gerard Stegmaier: In the last few years, we’ve seen a tremendous increase in state-sponsored, state-related cyber espionage, computer crime and hacking that is often politically motivated, state-sponsored, or in response to geopolitical events. What we’re seeing today is a dramatic acceleration between the relationship of global political and economic events and those types of activities. Put another way, there is a lot of hacking going on; there is a lot of computer crime going on; there are a lot of cybersecurity threat factors but the political situation is like throwing jet fuel on a campfire. And it’s creating a conflagration that’s happening very quietly amongst the cybersecurity community because when your threat level escalates rapidly your resources become constrained and you have to evaluate very carefully, almost like in emergency room triage.
What that then means is that businesses have to make choices and some of these choices are directed at how and whether they respond to threat actors. So for example, if you are doing business in a country and the whole world decides you shouldn’t be doing business in there, it might force a divestiture.
And some of those things that we’re seeing a lot in our practice is analyzing not just the legal fallout that comes through with this but the options for risk management — because at the end of the day, as lawyers, the things we do is we take all the data and help identify courses of action. And in our experience at Reed Smith, often times the best courses of action are legally informed but ultimately are not legal action.
NLJ: How have you and your firm addressed the issue?
GS: In the realm of cybersecurity we’ve seen enormous growth in insurance coverage for cybersecurity incidents, hacking and information-related loss. It’s grown dramatically in the last decade. At the same time, we begin to see coverage disputes around the sources of the threats and not only the sources, but also the kinds of damages and losses. And in the context of the current crisis in Ukraine and Russia, those things come into much tighter relief in two ways.
First, both sides are actively involved in trying to influence public opinion through propaganda, social media and those types of things. And second, businesses are responding directly to legal requirements — the economic isolation of Russia, sanctions and those things happening globally but they also are responding to that activism.
And the intersections of those things means businesses may decide there’s a risk measure on the one hand, if we stop doing business and our business was interrupted, if we did that voluntarily rather than the government ordering us to do it — but we did it for particular motivations — what does that mean?
When we think about risk management, you can identify risk, you can shift risk, you can remediate things after they happen, you can accept them or you can do a combination of those things.
And the availability of insurance is one of the most important elements to determine what your business course of action is. If you think you have insurance and you don’t, you could make a very large financial and material mistake.
And so one of the things we’re seeing is that businesses are trying to decide how to respond and how to manage those cyber risks, what operations to keep up, what to close down. And not just directly in those countries that we’re talking about but also in areas near to those states.
For example, Eastern Europe has become a very popular location for multinationals to locate tech hubs. Today, the presence of those tech hubs presents some specific risks, and relates to business continuity, so whether to keep those open and how to staff them, what to do, where to do business, they are all things that are causing businesses to look at those risk management models and the availability of insurance coverage becomes important.
NLJ: Looking ahead, what needs to be done to address these issues?
GS: One of the things, I think, that will be a lesson to come out of this, is that economic decisions around technology investment and what we call location strategies will be looked at much more carefully through a lens of the prospects for political stability and what famously has been called “political risk.”
Political risk doesn’t show up on a spreadsheet for the least-cost provider. What we’re seeing firsthand is, some of these regions have been least-cost providers and I don’t think we’ve seen necessarily assessment of political risk in those locations strategies.
The second piece of that is as the size of the pile of chips on the table grows, the incentive to fight over that pile of chips and its allocation rose in a non-linear way. To put it a different way, the bigger the pile of money, the cheaper the cost of the lawyers even if the lawyers become very expensive. When we look at towers of insurance coverage and insurance risk management, the more money that’s lost because of the current situation, the more incentive people have to not only get creative, to not only find insurance coverage, but also to deny insurance coverage that comes about in things that either weren’t foreseeable or weren’t underwritten into the risk.
Basically, the stakes get larger and the incentives grow with those larger stakes. I think, what we will see, is to the extent things become worse economically for businesses or growing out of this crisis, the harder and more difficult it will be to untangle the insurance-related risks and components. I think cybersecurity is a microcosm of that with a number of very unique features which include not only dislocation strategy element but also business decision-making around how to continue doing business and execution of business continuity plans and whether the actions under those plans result in insurable losses.
Related: