Then One Day In Happy Valley – Captive Anchors Penn State’s ERM Program
As is our annual tradition, members of CIC Services, LLC attended the Captive Insurance Companies Association (CICA) International Conference in Scottsdale, Arizona March 6-8, 2016. CICA is the world’s largest domicile neutral captive insurance association. The conference includes a strong legal and regulatory update, covers trends in the industry, and provides excellent case studies for the formation and operation of captive insurance companies. The conference also places significant emphasis on Enterprise Risk Management (ERM).
One of the conference sessions included a very informative case study on Penn State’s Captive Insurance and Enterprise Risk Management Programs. The case study was covered by Gary Langsdale, University Risk Officer for Penn State University. Penn State’s journey was somewhat unusual, as its captive program initially focused only on core risk. Gary explained the migration in thought from a commercial and captive insurance program to an Enterprise Risk Management (ERM) program.
Penn State is the flagship land-grant university in the Commonwealth of Pennsylvania. However, the university is not owned by the state. Penn State has 93,000 students on 20 campuses and includes a staff of 25,000 full-time faculty and staff, plus another 15,000 part-time employees. The university also owns two hotel / conference centers, and a very large football stadium. Insurable risks abound.
Penn State formed the Nittany Insurance Company, a captive, in 1992 to primarily serve as a funding vehicle for hospital professional liability insurance. In the early 2000s, the program was expanded to include general liability, auto and other coverages to include deductible reimbursement coverages for master insurance programs and other “one-off” policies. For example, Gary pointed out that Penn state has a trained police dog. Replacing a police dog costs $50,000, so the highly trained canine has been insured by the Nittany Insurance Company.
Penn State expanded its risk management approach in 2005, when the university adopted an Enterprise Risk Management (ERM) posture. The Nittany Insurance Company has played an important role in the university’s ERM program, serving as a primary funding source for many risks. Langsdale pointed out that the program began in 2005 as a “great partnership between the Internal Audit Director & the Risk Officer.” They interviewed every unit leader, asking the question “what keeps you awake at night?” They then put together an ERM Risk Council, with mid-level managers across the University. This council developed a list of 55 risks specific to our institution. Interestingly, Gary noted that there had been some resistance to taking an ERM approach at the university. His next slide was titled, “Then One Day In Happy Valley” and simply pictured the image below.
ERM is about preparing for the unexpected, and the unexpected happened at Penn State, when Jerry Sandusky, an assistant coach for its legendary football program, was accused and convicted of 45 counts of child sexual abuse. In the wake of the scandal, the university hired former FBI Director, Louis Freeh to direct them in an overhaul of their operations, ethical practices and risk management program. The university adopted over one hundred recommendations for improvements, including a specific recommendation to improve the ERM program, including Board of Trustees involvement in understanding risks.
Mr. Langsdale made it clear that ERM is taken very seriously and the ERM and captive programs have expanded. One of the places that their program has expanded has been cyber risk. Gary pointed out that cyber risk is particularly difficult at an Institution of Higher Education, where “open computing,” collaboration and resource sharing are highly valued. IT networks are decentralized, and despite all the good advice, entities’ networks operations don’t always follow “best practices.”
Cyber threats are a big challenge and growing. On average, every day, Penn State IT blocks 22 million overtly-hostile computer intrusions. On the average day, 170,000 email accounts on over 100 separate systems receive 3.2 million emails, and 93 million spam emails are blocked. The university’s IT networks are connected to over 3 million devices, many of which are not owned or controlled by Penn State. It had been standard practice at PSU (and most other universities) to identify students and employees by their social security numbers. This practice has been modified by most as well. Gary also pointed out that, “when cyber insurance became more generally available, we quickly concluded that insurers were not interested in covering a large research institution with such an open computing philosophy.” The university covers cyber risk in its captive program.
Langsdale explained that Penn State’s ERM program employs a “carrot and stick” approach to combat cyber risk. A key feature of the coverage is a two-tiered deductible: If a unit employs certain “good practices” advocated by IT Security Operation Services, but has a breach anyway, the unit pays a $25,000 deductible. The university captive covers the rest. However, if a unit did not employ “good practices,” and that led or contributed to a breach, the unit pays a $100,000 deductible. The university captive covers the rest.
As a result, firewalls have been more reliably installed, maintained and patched. Security software is updated in real-time, and software contracts are routinely scrutinized and security requirements are included. Gary noted that, “actual compromises have decreased significantly in frequency… and release of social security numbers have declined from 10,000 at a time to 5-10 in an isolated instance.”
Clearly, Penn State’s ERM program is going a long way toward keeping things happy in Happy Valley. ERM and captive insurance programs aren’t just for large institutions or companies. Small and mid-market companies face many of the same challenges. In fact, a cyber breach or unexpected calamity can be even more detrimental to a small or mid-market business than the child sexual abuse scandal was at Penn State. For small business, ERM with a captive insurance program is often the most powerful step a business owner can take to ensure survival.