Business Risk
The April 2013 Boston bombing may have marked the first successful terrorist attack on U.S. soil since the September 11, 2001 tragedy, but terrorism on a global scale is increasing.

Yesterday’s attack by the Al-Shabaab terror group at a university in Kenya and a recent attack by gunmen targeting foreign tourists at the Bardo museum in Tunisia point to the persistent nature of the terrorist threat.

Groups connected with Al Qaeda and the Islamic State committed close to 200 attacks per year between 2007 and 2010, a number that grew by more than 200 percent, to about 600 attacks in 2013, according to the Global Terrorism Database at the University of Maryland.

Latest threats to U.S. targets include calls by Al-Shabaab for attacks on shopping malls.

And a recent intelligence assessment circulated by the Department of Homeland Security focused on the domestic terror threat from right-wing sovereign citizen extremists.

On January 12, 2015, President Obama signed into law the Terrorism Risk Insurance Program Reauthorization Act of 2015.

A new I.I.I. white paper, Terrorism Risk Insurance Program: Renewed and Restructured, takes us through each of more than eight distinct layers of taxpayer protection provided under TRIA’s renewed structure.

While TRIA from its inception was designed as a terrorism risk sharing mechanism between the public and private sector, an overwhelming share of the risk is borne by private insurers, a share which has increased steadily over time.

Today, all but the very largest (and least likely) terrorist attacks would be financed entirely within the private sector.

Enactment of the 2015 reauthorization legislation has brought clarity and stability to policyholders and the insurance marketplace once again, the I.I.I. notes.

In the week before Christmas when Congress adjourned without renewing the Terrorism Risk Insurance Act (TRIA), Jeffrey DeBoer, president and CEO of The Real Estate Roundtable, a trade group representing real estate industry leaders, said:

“This law does not stop terrorist attacks. But it does disrupt terrorists’ goals of damaging our economy.”

The I.I.I. paper makes a similar point:

“Since its creation in 2002, the federal Terrorism Risk Insurance Act, and its successors, have been critical components of America’s national economic security infrastructure. TRIA has cost taxpayers virtually nothing, yet the law continues to provide tangible benefits to the U.S. economy in the form of terrorism insurance market stability, affordability and availability.”

For a federally backed program, that is quite a success story.

A new report from across the pond points to a large gap in awareness when it comes to cyber risk and the use of insurance among business leaders of some of the UK’s largest firms.

Half of the leaders of these organizations do not realize that cyber risks can be insured despite the escalating threat, the report found.

Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered. In a recent survey, some 52 percent of CEOs of large organizations believed that they have cover, whereas in fact fewer than 10 percent do.

Actual penetration of standalone cyber insurance among UK large firms is only 2 percent and this drops to nearly zero for smaller companies, according to the report.

While this picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded and sometimes covered as part of an add-on policy, the report says:

“This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalized from one of the key risks facing firms.”

Senior managers in some of the UK’s largest firms were interviewed for the report published jointly by the British government and Marsh, with expert input from 13 London market insurers.

As a first step to raising awareness, Lloyd’s, the Association of British Insurers (ABI) and the UK government have agreed to develop a guide to cyber insurance that will be hosted on their websites.

Reuters has more on the report here.

A protracted labor dispute that continues to disrupt operations at U.S. West Coast ports underscores the supply chain risk facing global businesses.

Disruptions have steadily worsened since October, culminating in a partial shutdown of all 29 West Coast ports over the holiday weekend.

The Wall Street Journal reports that operations to load and unload cargo vessels resumed Tuesday as Labor Secretary Tom Perez met with both sides in the labor dispute in an attempt to broker a settlement amid growing concerns over the impact on the economy.

More than 40 percent of all cargo shipped into the U.S. comes through these ports, so the dispute has potential knock-on effects for many businesses.

A number of companies have already taken steps to mitigate the supply chain threat, according to reports. For example, Japanese car manufacturer Honda Motor Co., among others, has been using air freighters to transport some key parts from Asia to its U.S. factories – at significant extra expense.

On Sunday Honda also said it would have to slow production for a week at U.S.-based plants in Ohio, Indiana, and Ontario, Canada, as parts it ships from Asia have been held up by the dispute.

Toyota Motor Corp. has also reduced overtime at some U.S. manufacturing plants as a result of the dispute.

A brief published by Marsh last year noted that a West Coast port strike or shutdown could have broad consequences for global trade, business and economic conditions.

Organizations with effective risk management and insurance strategies in place will be best prepared to manage and respond to situations that hamper their flow of goods and finances, Marsh noted.

In 2002, a similar labor dispute ultimately led to the shutdown of ports along the West Coast, costing the U.S. economy around $1 billion each day and creating a backlog that took six months to clear.

Many businesses purchase marine cargo insurance to protect against physical loss or damage to cargo during transit. This type of insurance generally will not respond in the event that a strike or other disruption at a port delays the arrival of insured cargo, unless there is actual physical damage to the cargo, according to Marsh.

However, some policyholders may have obtained endorsements to their insurance policies, or purchased additional coverage to protect themselves from the effects of port disruption.

Trade disruption insurance (TDI), supply chain insurance, and specialty business interruption insurance may also provide coverage for the financial consequences of a port disruption, Marsh wrote.

A study by FM Global of more than 600 financial executives found that supply chain risk, more than any other, was regarded as having the greatest potential to disrupt their top revenue driver. FM Global’s Resilience Index can help executives evaluate and manage supply chain risk.

In what is being described as potentially the largest breach of a health care company to date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website – www.AnthemFacts.com – set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes, was targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An FBI statement quoted in an LA Times article noted:

“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO Joseph R. Swedish offered a personal apology to members. Anthem has also established a toll-free number – 1-877-263-7995 – that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches – the largest among industry sectors – as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad as or worse than 2014, as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

“This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be wary of going to the other extreme and restricting data that their employees or customers legitimately need.

Some 43 percent of end users say it takes weeks, months or longer to be granted the data access they request in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

There’s an interesting moment in a report on the current state of cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber risk in your business check out this I.I.I. presentation.

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The breach exposed employee information ranging from salaries to medical records, social security numbers and home addresses, not to mention five yet-to-be-released Sony movies, and caused a major shutdown of the company’s computer systems. That combination appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

“An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

“Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

“It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

“Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance, too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than in 2013, when the total number of data breaches and records exposed soared.

More on the potential fallout and growing identity theft threat facing consumers here.

As holiday shopping gets underway, several major retailers are opening even earlier this year offering the prospect of deep discounts and large crowds to an ever growing number of shoppers.

The National Retail Federation (NRF) notes that 140 million holiday shoppers are likely to take advantage of Thanksgiving weekend deals in stores and online.

Millennials are most eager to shop, with the NRF survey showing that 8 in 10 (79.6 percent) of 18-24-year-olds will or may shop over the weekend, the highest of any age group.

Much has been written about the risks of online shopping, but for those who still head to the stores, there are dangers there too.

The Occupational Safety and Health Administration (OSHA) reminds us that crowd related injuries can occur during special sales and promotional events. In 2008, a worker at Wal-Mart died after being trampled in a Black Friday stampede.

According to the aptly named blackfridaydeathcount.com, since 2006 there have been seven Black Friday-related fatalities and 90 injuries. As well as stampeding crowds, injuries have occurred as a result of altercations over TVs, road rage over parking spaces, shootings and distracted driving.

For employers and store owners OSHA offers comprehensive tips on how to create a safe shopping experience.

Crowd management planning should begin in advance of events likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning, OSHA says.

Tips include: hiring additional staff; having trained security or crowd management personnel on site; determining the number of workers needed in different locations to ensure the safety of an event; and preparing an emergency plan that addresses potential dangers facing workers including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire.

For shoppers too, a personal safety and security plan is a good idea. The National Crime Prevention Council (NCPC) advises not to buy more than you can carry and to plan ahead by taking a friend with you or asking a store employee to help you carry packages to the car. Travelers offers some important tips here.

To all our readers, have a happy and safe Thanksgiving!

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

I.I.I. chief actuary Jim Lynch offers his perspective on how insurers are responding to climate change:

The insurance industry got a report card this week on a test I’m not sure they knew they were taking. And the grading curve was, in my opinion, harsh.

Ceres, a nonprofit group that promotes sustainable business practices, rated 330 insurers – life, health and property/casualty – on how well they are responding to climate change.

Before I wade further into the topic, it is important to acknowledge that insurance companies and their managers have a range of opinions on global warming that is as wide as the opinions of Americans overall on the topic. There is no insurance industry position, though there are individuals and companies with strong opinions – just as with all Americans.

On a four-point scale, nine companies got the highest mark (“leading”): Ace, Munich Re, Swiss Re, Allianz, Prudential, XL Group, The Hartford Financial Services Group, Sompo Japan and Zurich. Matthew Sturdevant of the Hartford Courant does a nice job rounding up how these firms earned their grade.

Ceres gave “minimal” or “beginning” rankings to 276 insurers, 84 percent on my calculator. The New York Times played up that aspect. But the analysis may be skewed because of the source of the rankings and how Ceres adapted that source.

Ceres took a National Association of Insurance Commissioners (NAIC) survey that six states require on climate change. The survey consists of eight yes-or-no questions, each of which follows up with why the insurer answered as it did. The follow-up questions are open-ended – companies can respond with as little or as much information as they like.

The questions help regulators when they assess a company’s enterprise risk management, specifically how hard a company looks for potential problems that might not hit them until years from now. Climate change certainly has that potential.

Ceres took those answers and graded them on its own criteria, resulting in six scores from 1 to 4, which it then re-summarized into a single grade.

Boiling a complex set of open-ended answers is tricky enough, but Ceres has, in my opinion, misused the NAIC survey, which is supposed to help regulators understand how well insurers are considering climate change in their risk management, not whether insurers are acting as stewards of the environment.

So it doesn’t seem like Ceres is giving a fair test. Insurers are answering questions on how climate change might affect their business then being rated on how their actions will reduce carbon emissions. It’s like being told to write an essay, then being graded on penmanship.

How could this skew results? Some insurers are minimally exposed to climate change, so it would not be prudent risk management for them to devote valuable resources to the issue. Medical malpractice writers are an obvious example. Climate change might be important to the world at large, but how relevant is it to the operation of a medical malpractice writer?

Property insurers are in a different boat, pardon the irresistible pun. Rising sea levels and growing weather extremes are important developments, and it would seem a prudent coastal writer would consider whether those trends will continue, abate or accelerate. A company that writes worldwide has still more to think about, as climate trends would affect other countries more than our own.

Seen that way, it makes perfect sense that some large, multinational insurers are concerned about climate change while small writers not exposed to property insurance are less so.

On the life/health side, there is a signal-to-noise problem. Climate change appears to have an impact on mortality, but it’s really small. A 2011 Brookings study suggested that climate change will increase U.S. age adjusted mortality rates by about 3 percent over the next 85 years or so. That rate has declined by 1 percent per year over the past 35 years. So the impact of climate change on mortality is likely to be overwhelmed by other forces at work.

That’s not to say that life expectancies outside the U.S. won’t be affected more. But a life insurer that only writes U.S. risks might not want to incorporate climate change-induced mortality changes from, say, Australia, into its business model.

Regardless, life insurers have a built-in mortality hedge in pairing annuity sales with life insurance. People who die sooner drive life insurance profits lower. But they push annuity profits higher, and vice versa. Combine that with the small impact of climate change on U.S. mortality and it makes perfect sense that a great many U.S. life insurers have decided that climate change doesn’t form a central part of their risk management strategy.

Health insurers are in a similar situation. Gradual changes in health have small effects on their business, and those changes can be easily adjusted to year by year. Pandemics are a bigger risk, so risk management efforts focus there.

That helps explain why health and life insurers didn’t score as high as property/casualty insurers. They have less at stake.

California’s insurance department doesn’t sound too concerned. Ceres relied on CA DOI information to compile its report, so there’s a good chance the Ceres researchers saw a 2013 press release that said this:

“The results of this year’s survey are a positive sign for the insurance industry and the environment,” said Commissioner Jones. “It is encouraging to see that insurers are aware of the risks that a changing climate brings, and moreover they are taking steps to ensure their responses to these risks are sufficient to protect their business.”

“More than 1,000 companies [Duplicates and multi-company insurance groups account for the difference between Ceres’ total and California’s.] were required to respond to the survey. The survey revealed that roughly 75 percent of insurers have a plan for identifying climate change-related risks that could affect their business, and are taking actions to mitigate these risks. Responses to the eight survey questions reveal that nearly every insurer is aware of the risks posed by a changing climate, and an overwhelming majority of insurers have incorporated mitigating practices into their business model.”

That sounds like an industry that is handling the issue prudently, even if it is not the way an environmental group would prefer.