While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

“This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be wary of going to the other extreme and limiting access to data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

Natural catastrophes and man-made disasters cost insurers $34 billion in 2014, down 24 percent from $45 billion in 2013, according to just-released Swiss Re sigma preliminary estimates.

Of the $34 billion tab for insurers, some $29 billion was triggered by natural catastrophe events (compared with $37 billion in 2013), while man-made disasters generated the additional $5 billion in insured losses in 2014.

Despite total losses coming in at below annual averages, the United States still accounted for three of the most costly insured catastrophe losses for the year, with two thunderstorm events and one winter storm event causing just shy of $6 billion in insured losses (see chart below).

[Chart: Swiss Re sigma preliminary catastrophe estimates, most costly insured losses of 2014]

In mid-May, a spate of strong storms with large hail stones hit many parts of the U.S. over a five-day period resulting in insured losses of $2.9 billion – the highest of the year.

Extreme winter storms at the beginning of 2014 caused insured losses of $1.7 billion, above the average full-year winter storm loss number of $1.1 billion of the previous 10 years, sigma said.

Total economic losses from disaster events in 2014 reached $113 billion worldwide, according to sigma estimates, and around 11,000 people lost their lives in those events.

Ongoing events and revisions to estimates for previous ones may further change the 2014 loss outcomes, sigma noted, since the data include only updates to source data made by 28 November 2014.

More on global catastrophe losses from the I.I.I. here.

There’s an interesting moment in a report on the current state of cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber risk in your business check out this I.I.I. presentation.

What a difference a year makes. Towers Watson’s most recent Commercial Lines Insurance Pricing Survey (CLIPS) shows that commercial insurance prices rose again by 3 percent in aggregate during the third quarter of 2014, drawing a line after five consecutive quarters of moderating price increases.

The chart below compares the change in price level reported by carriers on policies underwritten during the third quarter of 2014 to those charged for the same coverage during the third quarter of 2013.

[Chart: Towers Watson CLIPS, commercial insurance price changes by line, third quarter 2014 versus third quarter 2013]

Towers Watson noted:

“Price changes reported by carriers mark a pause in the moderation of price increases observed in the prior five consecutive quarters, following increases of between 6 percent and 7 percent, as reported in the second half of 2012 and first half of 2013.”

Price increases were fairly similar to those reported one quarter ago for most lines, but continued moderation in workers compensation and some specialty lines was offset by flat pricing in property.

The employment practice liability line, followed by commercial auto reported the largest price increases, Towers Watson said. Price increases for most lines fell in the low single digits.

Commercial property data indicated no rate change following a slight price decrease one quarter ago. When comparing account sizes, price increases were more moderate for large and specialty accounts than small and mid-market accounts, Towers Watson added.

Insurance Journal has more on this story here.

For the most recent survey, data were contributed by 43 participating insurers representing approximately 20% of the U.S. commercial insurance market (excluding state workers compensation funds).


More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The breach, which exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, and which caused a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

“An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

“Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

“It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

“Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance, too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than in 2013, when the total number of data breaches and records exposed soared.

More on the potential fallout and growing identity theft threat facing consumers here.

I.I.I. president Dr. Robert Hartwig shares his thoughts on the passing of his predecessor Gordon Stewart:

The Insurance Information Institute lost one of its own last week with the passing of its former president, Gordon Stewart, at the age of 75. Like many, I was deeply saddened to hear of his passing when his wife, Zanne, called me the day before Thanksgiving. That said, there is no question that his was a life that was very well and very fully lived.

I had known Gordon since 1998 when he hired me as the Institute’s economist and was privileged to work alongside him until his retirement in 2006, handing over the reins to me at that time. From my very first meeting with him—my interview—I knew that Gordon was different. During that first meeting we must have spoken for nearly two hours—during only a fraction of which did we discuss nitty gritty insurance issues. The conversation leapt from insurance to domestic and global economic concerns of the day to politics to fine art, to theater and classical music and back again. Gordon could manage to segue with ease between incredibly diverse topics and in the process always leave you a little smarter than you were before the conversation. He could also leave you scratching your head. How does this man know all this stuff? Why didn’t I see those same connections? These were just a few of the questions I often had to ask myself. But I learned from those experiences—and that’s exactly what Gordon would have wanted.

Gordon’s passion for the arts, literature, language and history transcended his professional life. He named our servers and printers after composers. The I.I.I. offices in lower Manhattan showcased his enormous and eclectic art collection, which included everything from ancient Chinese pottery to 20th-century pop art icons like Andy Warhol. His office wall was festooned with pictures of him with presidents (all of them—dating back to Nixon), popes and potentates of every sort from every corner of the globe. Once while accompanying Gordon on a business trip to Boston he met up for dinner with the famous “French Chef,” Julia Child. On another trip, this time to Washington, he gave a free piano concert to passersby in the lobby of the Mayflower Hotel. Yes, he was a classically trained pianist, and I was spellbound by the performance (he insisted that he was merely practicing!).

[Photo: Gordon Stewart with President Jimmy Carter]

Gordon’s formal education at various institutions in the U.S. and Europe focused on history, music, art and literature. He was a master of the written and spoken word—and spoke German fluently. His intellect and passion for what he believed in made him a formidable debater and in the final analysis, a very persuasive individual. These traits served him well in his years writing speeches for President Jimmy Carter and while working in the administrations of two New York City mayors, John Lindsay and David Dinkins.

Gordon’s deep political experience prepared him well for his time in the private sector, first with the American Stock Exchange and then with the I.I.I. Gordon was keenly aware of the power of public perception. When he became president of the Institute in 1991, the insurance industry’s approval rating was just 35 percent. By the time he retired in 2006 it exceeded 60 percent.

Retirement didn’t slow Gordon down. The fact that he remained active in the insurance world through the International Insurance Society and the Geneva Association was a great benefit to the industry. And in many ways, the pace at which he lived his life quickened. He founded an online newspaper and was able to fully indulge his passion for art, music and theater—including teaching his young daughter, Katy, to play piano.

Gordon also returned to his love of 18th century music and last fall recruited top musicians playing period instruments to perform his own arrangement of Handel’s Messiah, conducting the concert just before Christmas. He was planning to conduct this challenging piece once again this Christmas as well as Beethoven’s Eroica next June.

It is impossible to summarize the full 75 years of such an extraordinary man. Despite having known him for 16 years, my words cannot possibly do him justice. When he died he was in the midst of writing his memoirs. How I would have enjoyed reading them, end-to-end.

Gordon was an utterly extraordinary man and I had the good fortune to call him a colleague, a mentor and friend. He was someone I deeply admired and respected for so many reasons and I, as well as everyone who knew him, will miss him dearly.

As holiday shopping gets underway, several major retailers are opening even earlier this year offering the prospect of deep discounts and large crowds to an ever growing number of shoppers.

The National Retail Federation (NRF) notes that 140 million holiday shoppers are likely to take advantage of Thanksgiving weekend deals in stores and online.

Millennials are most eager to shop, with the NRF survey showing 8 in 10 (79.6 percent) of 18-24 year olds will or may shop over the weekend, the highest of any age group.

Much has been written about the risks of online shopping, but for those who still head to the stores, there are dangers there too.

The Occupational Safety and Health Administration (OSHA) reminds us that crowd related injuries can occur during special sales and promotional events. In 2008, a worker at Wal-Mart died after being trampled in a Black Friday stampede.

According to the aptly named blackfridaydeathcount.com, since 2006 there have been seven Black Friday-related fatalities and 90 injuries. As well as stampeding crowds, injuries have occurred as a result of altercations over TVs, road rage over parking spaces, shootings and distracted driving.

For employers and store owners OSHA offers comprehensive tips on how to create a safe shopping experience.

Crowd management planning should begin in advance of events likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning, OSHA says.

Tips include: hiring additional staff; having trained security or crowd management personnel on site; determining the number of workers needed in different locations to ensure the safety of an event; and preparing an emergency plan that addresses potential dangers facing workers including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire.

For shoppers too, a personal safety and security plan is a good idea. The National Crime Prevention Council (NCPC) advises not to buy more than you can carry and to plan ahead by taking a friend with you or asking a store employee to help you carry packages to the car. Travelers offers some important tips here.

To all our readers, have a happy and safe Thanksgiving!

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy, which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; and other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

If you know someone who leads an active lifestyle, you may already know what a Fitbit is. For everyone else, a Fitbit is a wearable device that tracks steps, calories, distance and even sleep.

Now it appears data from wearable devices may be admissible in court.

Forbes.com reports that a law firm in Calgary is working on the first known personal injury case that will use activity data from a Fitbit to help show the effects of an accident on their client.

According to the report, the young woman in question, who used to be a personal trainer, was injured in an accident four years ago. While Fitbits weren’t on the market back then, her lawyers believe they can use data from her Fitbit to show that her activity level has significantly decreased and is now below where it should be for someone of her age and profession.

The article suggests that “cases like this could open the door to wearable device data being used not just in personal injury claims, but in prosecutions.”

The young woman’s lawyer is also quoted saying that such data could be useful to insurers assessing questionable claims and that just as courts requisitioned Facebook for information several years ago a court order could compel disclosure of that data.

Sounds like another case where digital information has an unintended use in the courtroom.

As Congress meets in its “lame duck” session, we’re delighted to host Cavalcade of Risk #221, bringing you a flock of posts from around the insurance and risk-related blogosphere.

In our opener, Rubber, Road and Lyft: Insurance Crisis? Hank Stern of InsureBlog takes another look at the important topic of ride-sharing. Now that Lyft’s had its first fatality, he considers the insurance issues the service (and its drivers and customers) will face.

CVS Caremark is slapping an extra co-pay on members who fill their prescriptions at stores where tobacco is sold (i.e., CVS’ competitors). In CVS: Drugs, tobacco… and guns? David Williams of Health Business Blog makes the point that CVS is unlikely to extend that policy to stores that sell guns, even though it would be logically consistent.

Talking of taxing issues, in Who will pay the Cadillac Tax? Jason Shafrin of Healthcare Economist investigates a coming tax on high-cost health insurance plans. Beginning in 2018, many individuals will face the “Cadillac” tax. Will you pay it?

Meanwhile, the growing waistline of America is not only having an impact on our health, but on workers’ compensation programs. In Impact of Obesity on Workers Compensation, Michael Stack of reduceyourworkerscomp.com notes that this impact can increase the costs of common work injuries.

How risky is your job? At Workers’ Comp Insider, Julie Ferguson posts a video showing how high voltage cable inspectors work – as she says: “not a job for a hot duck.” Trigger warning for acrophobes!

Another hot topic comes from Nancy Germond of insurancewriter.com in her post Tips to avoid a dryer fire. According to the U.S. Fire Administration (USFA), about 2,900 dryer fires occur each year in the United States, causing five deaths, about 100 injuries and over $35 million in property losses annually.

Finally, there’s no ducking the importance of the TRIA issue with our own post on the future of terrorism risk insurance. The imminent expiry of the Terrorism Risk Insurance Act (TRIA) December 31 means the clock is ticking for lawmakers to find a solution before year-end.

That’s it for now. Van Mayhall at http://www.insreglaw.com hosts the next Cav.
