Journal of Political Risk, Vol. 5, No. 4, April 2017
By Sean Jordan
With much of the risk management world’s collective attention focused on cyber and privacy exposures recently, kidnap and ransom exposures tend to fly under the radar, relatively speaking. However, companies of all types, whether they are established multinational entities, newly expanding organizations, or simply companies that occasionally send their employees abroad, should educate themselves on where the greatest kidnap and ransom (K&R) exposures lie and what they can do to mitigate their risks. Interestingly, an examination of the risk reveals some key similarities and parallels to certain cyber and privacy risks that have recently become prevalent.
Kidnap and Ransom Risks Around the World
According to Jim Krampen’s December 5, 2016 article in Treasury & Risk, “Do You Need Kidnap and Ransom Protection?”, there are 15,000 to 20,000 reported kidnappings per year across the world. With an estimated 70 percent to 90 percent of kidnappings going unreported, the true figure is obviously a disturbing amount higher.
Krampen goes on to cite Mexico, Haiti, Brazil, the Philippines, India, Colombia, and Venezuela as the countries in which kidnapping for ransom is most prevalent. Speaking more broadly from a regional perspective, South American kidnappings have actually dropped as a proportion of global kidnappings in recent years, with kidnappings in Africa and Asia Pacific seeing a corresponding proportional rise. Overall, an estimated $500 million to $1 billion is paid in ransom around the world each year.
An unfortunate global trend in kidnap and ransom risks has been the increased targeting of middle to upper-middle class victims, as opposed to extremely high-wealth individuals. Typically held for a shorter period of time, and for a smaller ransom demand, these individuals become victims of what are known as “express kidnappings.” The smaller ransom demands, paired with the quick timeline from kidnap to release, encourage a higher rate of payment from the victims’ contacts, a lower rate of reporting to authorities, and less media attention. In turn, these factors contribute to an alarmingly effective business model for the criminals, which has caused express kidnappings to skyrocket.
Here we see the first parallel with regard to cyber liability, specifically in the comparison of kidnap and ransom incidents to ransomware incidents. In the event of a ransomware attack, criminals typically take control of an entity’s critical data (or render its website or computer systems inoperable, or both), demanding a ransom payment in return for an encryption key or other solution to regain access of the data or computer system. While ransomware demands may initially be for an exorbitant sum of money, they are more often than not negotiated down to an amount that the involved parties are more willing to pay in order to move past the ordeal, similar to the relatively small ransoms paid as part of express kidnappings. Much like cyber criminals are increasingly targeting small to medium-sized businesses, kidnappers are more frequently victimizing middle to middle-upper class individuals, as alluded to above. Furthermore, ransomware demands are often paid out in Bitcoin due to the difficulty of tracking the transactions, another similarity to express kidnappers’ ability to avoid media attention and legal scrutiny while flying under the radar. In short, express kidnapping’s emphasis on quantity over quality is right in line with the explosion of ransomware – get what you can, and move on to the next target. In an underwriter’s language, the exposure is trending towards more significance from a frequency perspective than a severity perspective.
Underwriting Challenges and Insurance Options
As alluded to above, a serious problem of underreporting complicates the task of underwriting kidnap and ransom risks, especially with regard to express kidnappings. To use a simple comparison, contrast the risk of fire damage to an insured property with the risk of kidnapping of an insured businessman. There is no doubt as to when an insured home or commercial property suffers significant fire damage. Sometimes there are potential moral hazards, like insurance fraud, that may cast doubt on the legitimacy of subsequent claims, but even in those cases the loss is reported, statistics are gathered, and an ever-growing database of claims information can offer fairly reliable insight into the frequency with which such losses will (a) occur and (b) require payment from an insurer.
On the other hand, the 70 to 90 percent of kidnappings that go unreported make the lives of K&R underwriters much more complicated. An individual or business that is insured for kidnapping risks likely has a much higher chance of reporting the incident and seeking reimbursement, so underwriters writing business in a relatively untapped geographical area (where historical loss data may be minimal and hard to rely on) must take the reported local rate of kidnappings with a hefty grain of salt. Chances are that the actual rate of kidnappings is much higher, and must be priced for accordingly. Of course, this factor can in turn be balanced out by the fact that associates of the kidnapped individual may be intimidated into staying quiet and not reporting the incident, meaning the insurer never pays out. These factors, combined with the relatively low take-up rate and loss data associated with the coverage in general, all contribute to the balancing act that K&R underwriters must perform.
All this being said, K&R coverage remains a very affordable option. As reported in Frank Zuccarello’s June 2, 2015 article in Risk Management Magazine (“Understanding Kidnap and Ransom Risks”), an annual policy featuring a $5 million limit and including the services of a crisis management team costs about $2,000. Of course, travel to high risk areas will come with an extra premium cost – “three- to five-times more,” in Zuccarello’s estimation.
A review of a representative K&R policy, Darwin National Assurance Company’s ForceField Kidnap & Ransom/Extortion policy (2010 edition date), illustrates some of the actual expenses that insureds can expect to be covered. As worded in the policy, coverage exists for:
- “Loss resulting directly from kidnapping or extortion” (i.e. ransom monies paid)
- Extortion may include bodily injury extortion, property damage extortion, products extortion, or trade secret extortion, all of which are defined terms within the policy.
- “Loss due to the destruction, disappearance, confiscation, wrongful appropriation or seizure of Ransom Monies, while being held or delivered, by a person authorized to do so by an Insured Entity.” (i.e. ransom money which is compromised en route to being paid to the kidnappers)
- “Expenses paid by any Insured resulting directly from a covered Risk Event.”
- Risk Events include kidnapping, extortion, wrongful detention, and hijacking, all of which are defined terms within the policy.
- “Loss due to a Personal Loss.”
- Personal Loss means loss of life, loss of sight, loss of hearing or speech, loss of use or loss of extremity of an insured person, all of which must occur as the direct result of a Risk Event.
- “Legal Costs paid” (i.e. for legal proceedings brought by an insured person and alleging a breach of duty by the insured entity during negotiation and/or hostage retrieval, or a failure to prevent the Risk Event from occurring)
While the above expenses are those that are covered by the policy form’s standard insuring agreements, K&R insurance policies virtually always offer optional coverages that can be endorsed onto the policy as well. Some of Darwin’s optional coverage options include:
- Business Interruption/Loss of Earnings due to kidnapping or extortion
- Disappearance Investigation and Expense Coverage
- Expatriate Security Evacuation Coverage
- Threat Response Extortion Coverage
This last coverage option, commonly referred to as “crisis team coverage,” is perhaps the most important, and illustrates another parallel to developments in cyber and privacy coverage options. The coverage essentially provides a team of experts, trained in crisis negotiation skills, to communicate with the kidnappers on behalf of the insured and secure the release of the kidnapped individual. This same coverage element of trained teams of negotiators is deployed in cyber and privacy policies in order to negotiate with hackers that are holding a company’s website or data hostage. Not only can trained experts negotiate a quicker release, but they can often times do it at a lower price than the original demand. Once again, understanding a hot-button issue such as cyber and privacy coverage can lend itself towards a greater understanding of K&R risks, which may be underinsured due to a lack of attention to the exposure.
As evidenced by Darwin’s policy wording and optional coverages above, which provide an accurate representation of the typical K&R provisions, coverage applies to far more than just ransom payments. The extent of losses and damages covered, particularly with regard to legal costs that can mount quickly in a heated lawsuit following the incident, makes K&R coverage a logical choice for businesses of all types. This is especially true given the low premium cost per millions of dollars in coverage.
Takeaways and Risk Management
As evidenced by this article, underwriters and insureds would be wise to take lessons from cyber and privacy liability, an insurance and risk management topic that should be fresh on their minds, and apply them to their treatment of express kidnapping risks. Hackers’ strategies in the cyber realm can offer invaluable insight into kidnappers’ strategies in the “real world.” Among the most critical lessons to be learned is that no target is too small.
Unfortunately, as K&R coverage options continue to evolve and be utilized by insureds, a side effect may be the establishing of a “deep pocket” in the eyes of kidnappers. Just as large, financially strong companies may sometimes be targeted with lawsuits simply for their ability to pay judgments and settlements, kidnappers may be encouraged to continue their practice if they are confident that their targets have the financial backing to pay demands without thinking twice. While this is largely a necessary evil that is difficult to address on a large scale, insureds should be careful to only disclose the fact that they are covered by a K&R policy when absolutely necessary.
The risk management tips associated with kidnap and ransom exposures involve little rocket science. Traveling with others, traveling in well-lit areas, and avoiding the wee hours of the late night and early morning are all wise practices, however simple they may be. Just like disclosure of K&R coverage should only be on a need-to-know basis, so too should disclosure of detailed travel itineraries. Following these simple practices can be a vast help in mitigating kidnap and ransom risks, particularly in the more dangerous regions discussed earlier in this article.
Sean Jordan, CPCU, MLIS is a research analyst with International Risk Management Institute, Inc., (IRMI) based out of Dallas, TX. His areas of expertise include professional liability (both medical and non-medical professions), employment practices liability, directors and officers liability, and cyber liability. He has published a number of articles in IRMI’s reference manuals and quarterly journals, focusing on developments in exposures as well as trends in insurance coverage options.
JPR Status: Report