Bernie Steves is the Managing Director of Aon’s Crisis Management Practice based in Chicago, IL. Bernie is recognized as one of the world’s leading product recall, contamination, and food borne illness insurance specialists. With more than thirty years’ experience in this specialty risk management class, he works with some of the largest companies in the United States and Canada to address product recall, contamination, and food borne illness exposures. Bernie’s background includes years of experience from both the underwriting and specialty brokering disciplines having specialized in this field since 1987.
Bernie started his career in 1987 as an underwriter at AIG and worked to develop the first product recall policies available in the insurance market. Throughout his career as an underwriter, he was intimately involved in the writing of these policies and introduced coverage enhancements that widened the application of these specialty policies beyond food and beverage products to include non-food consumer goods and automotive parts. As Bernie broadened his career into the specialty broking field in 2000, he introduced and developed new concepts into product recall policies including third party recall liability, government recall and adverse publicity.
He is a frequent author and speaker on the topics of product contamination and recall insurance. His Emerging Trends in Product Recall and Contamination Risk Management Review has been published annually since 2010. Bernie is a graduate of the University of Arizona and holds a Master of International Management from the American Graduate School of International Management (Thunderbird). He completed his International HACCP Certification from the North Carolina State University in 2017. Bernie is a licensed insurance producer and a licensed surplus lines insurance producer and a 2016 Risk & Insurance® Power Broker® award recipient.
As “hacking” vulnerabilities seem to be affecting our daily lives more and more, the potential risk of recall due to a “product hack” is increasing.
This leads to the question, “How vulnerable are certain products to hacking?” We can look at this question in two ways: first, how vulnerable is the manufacturing process to a potential cyberattack that could compromise the safety of the products, and second, how vulnerable is the end-product itself to being hacked. The answer, of course, depends on the type of product.
Certain products, particularly food and beverage products, may be vulnerable to cyber contamination during the manufacturing process. Situations where computer-aided production processes are vulnerable to manipulation are plausible. For instance, temperature or cooking changes, or even refrigeration temperature changes during storage or distribution, could lead to a product being unsafe. Moreover, any manipulation of quality control testing procedures, by changing thresholds or simply turning off certain safeguards during the production process, can also leave a product unsafe.
Similar scenarios, although perhaps less likely, are also plausible for non-food products. However, non-food products, unlike food and beverage products, have the heightened exposure of being “hacked” once in the consumer’s hands. The automotive industry, with more than 50 million vehicles on the road that have some internet connectivity, is particularly concerning in this respect. In fact, in 2015, Chrysler was forced to recall about 1.4 million vehicles which were vulnerable to remote manipulation by hackers.
Perhaps even more frightening are potential hacks of medical devices. Medical devices are increasingly connected to the Internet as hospital networks and other medical devices provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. As recently as this summer, the FDA warned patients that certain insulin pumps were being recalled due to potential cybersecurity risks.
Implantable medical devices can cause even greater concern. In 2018, certain software used for pacemakers, implantable defibrillators, cardiac resynchronization devices and implantable cardiac monitors was identified as being vulnerable to being updated and manipulated by an individual with malicious intent.
For medical and healthcare products, the U.S. Food and Drug Administration (FDA) works closely with several federal government agencies including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of the critical cyber infrastructure in the U.S. The FDA encourages medical device manufacturers to address cybersecurity risks to keep patients safe and better protect the public health. This includes monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market.
In relation to food and beverage products, in 2016, the FDA issued The Final Rule on Mitigation Strategies to Protect Food Against Intentional Adulteration, requiring facilities to prepare and implement food defense plans. This rule specifically addresses deliberate contamination and provides for vulnerability assessments.
The National Highway Traffic Safety Administration (NHTSA) collaborates with other governmental agencies, vehicle manufacturers and suppliers in addressing vehicle cybersecurity risks. NHTSA promotes a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired, which could be potentially vulnerable to a cyberattack. In-house cybersecurity research at the Vehicle Research and Test Center (VRTC) explores the cybersecurity risks of today’s vehicle electronic architectures and seeks to establish principles and guidance that could improve the cybersecurity posture of passenger vehicles through applied research.
The Consumer Product Safety Commission (CPSC) has also set a framework to address cyber risk in consumer products. The purpose of this framework is to provide an overview of technology-neutral best practices to ensure consumer product safety in the design and deployment of devices, software and systems used with Internet-connected consumer products.
As product recall policies are currently written, we would anticipate that they would respond to covered events caused by cyber incidents under the “malicious product tampering” insuring agreement included under most of these policies. There is, however, an exception where certain policies may specifically exclude “malicious” incidents. This exception normally only occurs under non-food recall policies.
It is important to note that certain exclusions may be invoked by carriers to deny claims depending on the specifics of the situation. Further, some recall policies may include exclusions for electronic data and/or software. These exclusions should not apply to a computer-related error in the manufacturing process.
Insurance carriers are just now beginning to clarify their positions on cyber-related recall losses. One carrier, Allianz, has recently taken the view that it will provide affirmative “cyber event contamination” and “cyber event defect” coverage under both its Product Contamination Insurance and Product Recall Insurance policies. These policies specifically include coverage for these events as an insuring agreement. Other carriers, including the Lloyd’s market, are in the process of issuing their formal opinions. While a recall policy may respond in some instances, it is also important to note that other policies may also be triggered.
Too often, recall management has a low priority within a company. It’s put in its own box, locked away, only to be applied, or even discussed, when a product must be pulled off the market. We want to change that.
The Expert Solutions Spotlight is our way of sharing perspectives from our strategic partners – lawyers, insurers and risk managers and crisis communications experts across industries – on product safety issues that have potential to influence a company’s view on recalls and crisis management. In some cases, the connection is obvious but the perspective is new. In others, we will raise questions that you may have never considered in the context of recall management. That’s our intent.