Insurance — Do You Know What’s in Your Bank’s Policies?

There are many different types of insurance — directors and officers (D&O), employment practices liability (EPLI), and general liability, to name a few. Unfortunately, many clients do not know what is in their policy or policies, including what is covered, their deductibles or retention, or, in some unfortunate cases, that they have no policy at all.

This article attempts to help you answer some simple questions about what to look for when you are buying a policy and what to look for in a current policy when you need to use it. It is not an attempt to promote any particular policy, as each policy has to be read in light of the specific facts at issue.

Buying the cheapest — you may get what you pay for.

In too many cases, we find that clients have simply purchased the cheapest policy they can find. The reasons for this vary. Maybe the client asked for the cheapest policy, maybe the agent simply got the client the cheapest policy, or maybe there was no real conversation at all between the insured (client) and the agent except to “get some insurance.”

This is never an issue — until it is. By way of example, let’s say a lawsuit is filed against you that should kick in your D&O or EPLI policy. You then turn the lawsuit over to your agent for defense and coverage. And then, one of several increasingly common scenarios occurs. You discover that your deductible or retention is very high, e.g., the first $100,000 is on you. Or you discover that many employment cases could be resolved or dismissed for less than that, and that for a little more on the front end, you could have had a lower deductible. Or you discover that what you purchased does not cover alleged fiduciary breaches by your directors and officers, and you could have purchased that coverage if you had asked.

You also might discover that you could have purchased, for a small additional amount, wage and hour coverage that would have covered the overtime lawsuit you were just served, but no one ever specifically talked with the agent about that. You also might discover that the attorney you have worked with for years will not be able to handle the case because there is no “choice of counsel” in the policy. In many cases, spending 30 minutes with your agent (and probably an attorney who has experience working with you) could have resolved these issues — that now are out of your control.

The point is, spending the necessary time with your agent (and attorney) is something that should be done before any policy is purchased or renewed. This allows you to express what you want and consider the options available. It also allows you to avoid issues such as not being able to use the attorney of your choice.

Do you have a claims-made or an occurrence policy?

While each policy and case must be examined individually, generally, an occurrence policy covers claims arising from acts or incidents that occurred during the policy period. This means that if the incident occurred during the policy period and the policy was in effect and in good standing, the claim will be covered, even if you get sued over that incident after the policy has expired.

Claims-made policies are entirely different animals. Claims-made policies generally cover only claims made during the policy period. The claim must also be reported to the insurer as required by the policy.

Generally, claims-made policies are cheaper, as they usually provide coverage for a shorter period of time. Again, however, be aware of “going cheap.” Claims-made policies that are not renewed or are canceled — and for which tail coverage is not purchased — can create exposure for an incident that occurred during the policy period. This can happen, for example, if you simply let the policy lapse and a year or so later someone files a suit against you that would have been a “claim” under your claims-made policy but it was not reported when the policy was effective. It can also occur if you change insurers.

The above is a very general description, and any discussion about the type of policy you should buy or what to do when you renew is beyond the scope of this article, but you should absolutely consult with your agent (and likely your attorney) about any specific needs or concerns you know of prior to purchasing or renewing any policy.

Do you have coverage and defense, or just defense?

Be aware that some policies provide for attorney’s fees and costs to defend claims made against you as well as coverage for any settlement or judgment against you. Some policies, however, only provide for attorney’s fees and costs. Again, this goes to what type of policy you want, what you can afford, and knowing the risks of what you have versus what you do not have.

I have had the unfortunate situation where a client thought they had a policy providing coverage and defense, but the policy provided only defense. The matter involved multiple plaintiffs and conflicting witness testimony that made dismissal of the case prior to any trial impossible. While the resolution of the case was not substantially out of line for the average federal court employment case, the money came directly from the client’s pocket because the policy only provided for defense costs, not coverage for any settlement or verdict. When questions arose about why that type of policy was provided by the agent, it was clear the client had only told the agent to “get some insurance” and made no specific requests.

To sum up, it is unfortunately common that when purchasing insurance of any kind, insureds do not actively engage their agent (or ask for any advice from their attorney) about what types of policies and coverage they may need. This creates many issues (deductible, choice of counsel, lack of coverage, etc.) that likely could have been avoided. There is no guarantee that any issue could be avoided, as no one knows what type of claim or claims might be made in the future, but spending the necessary time on the front end could save many headaches on the back end if your agent gets as much specificity as possible from you.

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Defense Department Takes Aim at Anticompetitive Mergers in Defense Industry

Government says market concentration poses a national security risk.

In 1990, the Department of Defense could turn to 13 companies to produce tactical missiles, eight to make fixed-wing aircraft, and another eight to build ships. Now there are only three missile and three aircraft makers, and only two surface ship builders. There were eight satellite manufacturers in 1990; today there are only four. Tanks and other tracked vehicles are now made by a single company.

Such market consolidation is potentially harmful for the usual reasons, such as less innovation, higher prices, and a lower level of customer service. But when that customer is the DOD and there are only one or a handful of defense equipment makers, critical military missions, military and civilian lives, and national security are suddenly put at risk, “[P]articularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation ….”

That is the worrisome assessment contained in a report issued by the DOD, which is following up on President Biden’s July 2021 executive order titled “Promoting Competition in the American Economy.” DOD is just one of the agencies now responding with plans to evaluate their respective competitive landscapes and to make recommendations to restore productive rivalries.

If market consolidation suggests harmful anticompetitive conditions, then the defense industry’s merger history should send up multiple flares. “Since the 1990s, the defense sector has consolidated substantially, transitioning from 51 to 5 aerospace and defense prime contractors,” the report says.

DOD offers five general recommendations to increase defense industry competition, saying it should:

  • Strengthen Merger Oversight. When a merger threatens DOD interests, DOD will support the Federal Trade Commission and Department of Justice in antitrust investigations and recommendations involving the defense industry.
  • Address Intellectual Property Limitations. Certain practices surrounding intellectual property and data rights have been used to limit competition in DOD purchasing and to induce “vendor-lock” and other undesirable results. DOD says it will identify its long-term intellectual property needs early in the bidding process. This should ensure that intellectual property is a key factor in evaluating competitive awards, and a negotiation objective in sole-source awards and when contracting with vendors willing to provide the government the intellectual property and rights it needs.
  • Increase New Entrants. To counteract the shrinking list of contractors, DOD says it will work to attract new entrants to the defense marketplace by reducing barriers to entry. This will be accomplished through small business outreach and support. DOD says it will use “acquisition authorities” that will give it the flexibility to adopt and incorporate commercial best practices to reduce barriers and attract new vendors.
  • Increase Opportunities for Small Businesses. DOD will increase small business participation in defense procurement, with an emphasis on increasing competition in priority segments of the defense industry.
  • Implement Sector-Specific Supply Chain Resiliency Plans. DOD calls for greater resilience in the supply chain for five priority sectors: casting and forgings, missiles and munitions, energy storage and batteries, strategic and critical materials, and microelectronics.

In June 2021, Bradley Martin, Ph.D., a retired Navy captain now with the RAND National Security Supply Chain Institute, wrote of the dangers of the defense industry’s shift to practices that make resupply of military equipment “highly questionable” should demand for equipment suddenly spike.


Abrams Main Battle Tank manufactured by General Dynamics, the sole producer of tanks and other tracked combat vehicles for the Department of Defense. Photo from General Dynamics’ website.


“If evaluated solely against meeting steady-state demand, the military operational supply chain works as it should,” Martin wrote. “The problem is not performance relative to incentives. Rather, the problem is that the existing guidance does not lead the system to conduct analyses and make decisions needed to support the highly demanding combat operations likely in a conflict with a major power. As a result, the ability of this system to properly support the joint force in the event of major conflict is at best untested and could be highly problematic.”

Recent Public and Private Actions

In addition to the government’s focus on the overall industry, it has been taking action to address specific instances of alleged and potentially anticompetitive behavior. In one instance, a private class action quickly followed.

In January, the FTC sued to stop Lockheed Martin Corp.’s $4.4 billion acquisition of Aerojet Rocketdyne Holdings Inc., marking the first time in decades the government opposed a defense industry merger. (Read FTC Sues to Torpedo Lockheed’s $4.4 Billion Aerojet Acquisition.)

The FTC noted that Aerojet, which reported more than $2 billion in 2020 revenue, is the last independent U.S. supplier of defense-critical missile propulsion systems. If the deal were to go through, the FTC said, “Lockheed will use its control of Aerojet to harm rival defense contractors and further consolidate multiple markets critical to national security and defense.”

Lockheed leads the pack of the largest defense contractors in the world. It is one of the leading suppliers of missile technology in a concentrated group that includes Raytheon Technologies, Inc., Northrop Grumman Corporation, and The Boeing Company. All are missile system prime contractors to the Department of Defense. The FTC says these companies are intermediaries between the U.S. government and the missile supply chain, including subcontractors like Aerojet.

In December 2021, a federal grand jury in Connecticut returned an indictment charging a former manager of leading aerospace engineering company Pratt & Whitney, Inc., and five executives of outsource engineering suppliers for participating in a long-running conspiracy to restrict the hiring and recruiting of employees among their respective companies. (Read Aerospace Execs Indicted for Conspiracy to Limit Worker Pay and Job Prospects.)

The conspiracy is said to have affected thousands of engineers and other skilled workers in the aerospace industry who perform services in the design, manufacturing, and servicing of aircraft components for both commercial and military purposes. According to the felony indictment, unsealed in U.S. District Court for the District of Connecticut, six individuals conspired with others to allocate employees by agreeing not to hire or solicit professionals from each other’s ranks.

Following the indictment, a jet engine mechanic formerly employed by Pratt & Whitney filed a class action suit in federal court in Connecticut against the company and five outsource engineer suppliers. The plaintiffs seek damages because of the alleged conspiracy to suppress labor costs and hamper employees’ career prospects using illegal no-poach agreements in violation of antitrust laws.

Ukraine Invasion Demonstrates ‘Rapid Escalation’

Combined with Russia’s invasion of Ukraine and the alarming specter of a widening conflict, security supply chain expert Bradley Martin’s assessment that the industry may not be set up to address a spike in demand for military equipment illustrates why the DOD’s plan to improve competition in the defense industry is an urgent one.

“The Ukraine crisis shows that situations can rapidly escalate, potentially leading to situations where spikes in demand might occur in largely unexpected ways,” Martin told the MoginRubin Blog. “If the U.S. had to deal with an expanded conflict in Europe, such as might occur if Russia were to threaten a NATO ally, DOD could reallocate munitions and supplies for some period, but expanding production and inventory over a longer period would be very challenging. This would likely be exactly the kind of conflict where low-standing issues with supply chains would show themselves, sometimes in unexpected ways.”

Defense is just one of several industries seeing increased scrutiny from enforcers. Healthcare also has been a focus of late (see our article regarding FTC’s action to stop a New England hospital merger). The technology sector is getting attention, too. As we wrote in February, chipmaker Nvidia called off its vertical acquisition of Arm Ltd. following an FTC challenge to the deal. A recent Treasury Department report on the alcoholic beverage industry foreshadows greater attention from the FTC and DOJ regarding deals in that sector.

In October the FTC said it was bringing back its policy of routinely restricting anticompetitive mergers, putting “industry on notice” that it will require aggressive acquirers to obtain prior approval “before closing any future transaction affecting each relevant market for which a violation was alleged, for a minimum of 10 years.” The agency is clearly making good on its promise.   

Edited by Tom Hagy for MoginRubin LLP.

© MoginRubin LLP

Weapons in the Cyber Defense Arsenal

In May 2017, the world experienced an unprecedented global cyberattack that targeted the public and private sectors, including an auto factory in France, dozens of hospitals and health care facilities in the United Kingdom, gas stations in China and banks in Russia. This is just the tip of the iceberg and more attacks are certain to follow. As this experience shows, companies of all sizes, across all industries, in every country are vulnerable to cyberattacks that can have devastating consequences for their businesses and operations.

The Malware Families

Exploiting vulnerabilities in Microsoft® software, hackers launched a widespread ransomware attack targeting hundreds of thousands of companies worldwide. The vector, “WannaCry” malware, encrypts electronic files and locks them until released by the hacker after a ransom is paid in untraceable Bitcoin. The malware also has the ability to spread to all other computer systems on a network. On the heels of WannaCry, a new attack called “Adylkuzz” is crippling computers by diverting their processing power.

The most prevalent types of ransomware found in 2016 were Cerber and Locky. Microsoft detected Cerber, used in spam campaigns, in more than 600,000 computers and observed that it was one of the most profitable of 2016. Spread via malicious spam emails that have an executable virus file, Cerber has gained increasing popularity due to its Ransomware-as-a-Service (RaaS) business model, which enables less sophisticated hackers to lease the malware.

Check Point Software indicated that Locky was the second most prevalent piece of malware worldwide in November 2016. Microsoft detected Locky in more than 500,000 computers in 2016. First discovered in February 2016, Locky is typically delivered via an email attachment (including Microsoft Office documents and compressed attachments) in phishing campaigns designed to entice unsuspecting individuals to click on the attachment. Of course, as the most recent global attacks demonstrate, hackers are devising and deploying new variants of ransomware with different capabilities all the time.

The Rise of Ransomware Attacks

The rise in ransomware attacks is directly related to the ease with which it is deployed and the quick return for the attackers. The U.S. Department of Justice has reported that there was an average of more than 4,000 ransomware attacks daily in 2016, a 300 percent increase over the prior year. Some experts believe that ransomware may be one of the most profitable cybercrime tactics in history, earning approximately $1 billion in 2016. Worse yet, even with the ransom paid, some data already may have been compromised or may never be recovered.

The risk is even greater if your ransom-encrypted data contains protected health information (PHI). In July 2016, the U.S. Department of Health and Human Services, Office of Civil Rights (HHS/OCR) advised that the encryption or permanent loss of PHI would trigger HIPAA’s Breach Notification Rule for the affected population, unless a low probability that the recovered PHI had been compromised could be demonstrated. This means a mandated investigation to confirm the likelihood that the PHI was not accessed or otherwise compromised.

Ransomware Statistics

According to security products and solutions provider Symantec Corporation, ransomware was the most dangerous cybercrime threat facing consumers and businesses in 2016:

  • The majority of 2016 ransomware infections happened in consumer computers, at 69 percent, with enterprises at 31 percent.

  • The average ransom demanded in 2016 rose to $1,077, up from $294 in 2015.

  • There was a 36 percent increase in ransomware infections from 340,665 in 2015 to 463,841 in 2016.

  • The number of ransomware “families” found totaled 101 in 2016, triple the 30 found in 2015.

  • The biggest event of 2016 was the beginning of RaaS, or the development of malware packages that can be sold to attackers in return for a percentage of the profits.

  • Since January 1, 2016, more than 4,000 ransomware attacks have occurred daily, a 300 percent increase over the 1,000 daily attacks seen in 2015.

  • In the second half of 2016, the percentage of recognized ransomware attacks from all malware attacks globally doubled from 5.5 percent to 10.5 percent.

The Best Defense Is a Good Offense

While no perfectly secure computer system exists, companies can take precautionary measures to increase their preparedness and reduce their exposure to potentially crippling cyberattacks. While Microsoft no longer supports Windows XP operating systems, which were hit the hardest by WannaCry, Microsoft has made an emergency patch available to protect against WannaCry. However, those still using Windows XP should upgrade all devices to a more current operating system that is still fully supported by Microsoft to ensure protection against emerging threats. Currently, that means upgrading to Windows 7, Windows 8 or Windows 10.

Even current, supported software needs to be updated when prompted by the computer. Those who delay installing updates may find themselves at risk. Microsoft issued a patch for supported operating systems in March 2017 to protect against the vulnerability that WannaCry exploited. Needless to say, many companies did not bother to patch their systems in a timely manner.

Ransomware creates even greater business disruption when a company does not have secure backups of files that are critical to key business functions and operations. It also is important for companies to back up files frequently, because a stale backup that is several months old or older may not be particularly useful. Companies also should make certain that their antivirus and anti-malware software is current to protect against emerging threats.

In addition, companies need to train their employees on detecting and mitigating potential cyber threats. Employees are frequently a company’s first line of defense against many forms of routine cyberattacks that originate from seemingly innocuous emails, attachments and links from unknown sources. Indeed, many cyberattacks can be avoided if employees are simply trained not to click on suspicious links or attachments that could surreptitiously install malware.

Last but not least, companies should consider purchasing cyber liability insurance coverage, which is readily available. While cyber policies are still evolving and there are no standardized policy forms, coverage can be purchased at varying price points with different levels of coverage. Some of the more comprehensive forms of coverage provide additional “bells and whistles” such as immediate access to preapproved professionals that can guide companies through the legal and technical web of cybersecurity events and incident response.

Other cyber policies afford bundled coverages that may include:

  • The costs of a forensics investigation to identify the source and scope of an incident

  • Notification to affected individuals

  • Remediation in the form of credit monitoring and identity theft restoration services

  • Costs to restore lost, stolen or corrupted data and computer equipment

  • Defense of third-party claims and regulatory investigations arising out of a cyberattack.

 

This post was written by Anjali C. Das, Kevin M. Scott and John Busch of Wilson Elser Moskowitz Edelman & Dicker LLP.