Business Risk


The recent disclosure of a major data breach at retailer Home Depot has once again put the spotlight on the increasing vulnerability of businesses to cyber threats and the need for cyber insurance.

But companies are uncertain of how much insurance coverage to acquire and whether their current policies provide them with protection, according to a new report by Guy Carpenter.

It speculates that the uncertainty stems partly from the difficulty of quantifying potential losses, given the dearth of historical data for actuaries and underwriters to model cyber-related losses.

Furthermore, traditional general liability policies do not always cover cyber risk, Guy Carpenter says.

It notes that in the United States, ISO’s revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

Though still in its infancy, the cyber insurance market's potential is vast, Guy Carpenter reports. It cites Marsh statistics estimating that the U.S. cyber insurance market was worth $1 billion in gross written premiums in 2013 and could reach as much as $2 billion this year.

The European market is currently a fraction of that, at approximately $150 million, but could reach as high as EUR900 million by 2018, according to some estimates.

Guy Carpenter also warns that cyber attacks are now top of mind for governments, utilities, individuals, medical and academic institutions and companies of all sizes, noting:

“Because of increasing global interconnectedness and explosive use of mobile devices and social media, the risk of cyber attacks and data breaches have increased exponentially.”

Cyber attacks also present a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, counterparties and supply chains, it adds.

Check out the I.I.I. paper on this topic: Cyber Threats: The Growing Risk.

One day after a magnitude 6.0 earthquake struck the San Francisco/Napa area of California, the Northern California Seismic System (NCSS) says there is a 29 percent probability of a strong and possibly damaging aftershock in the next seven days and a small chance (5 to 10 percent probability) of an earthquake of equal or larger magnitude.

The NCSS, operated by UC Berkeley and USGS, added that approximately 12 to 40 small aftershocks are expected in the same seven-day period and may be felt locally.

As a rule of thumb, a magnitude 6.0 quake may have aftershocks up to 10 to 20 miles away, the NCSS added.

According to Dr. Robert Hartwig, president of the Insurance Information Institute (I.I.I.), this earthquake is the strongest to impact the area since the 1989 Loma Prieta quake which resulted in $1.8 billion in insured claims (in 2013 dollars) being paid to policyholders.

Initial reports suggest the greatest damage has been to historic buildings in the city of Napa, with the downtown area cordoned off to fully assess damage. There have also been reports of non-structural damage such as items falling off shelves, including wine bottles and barrels, and substantial sprinkler leakage to many buildings.

The Napa region is most known for its wine industry, but tourism draws visitors to the area year-round.


A report by catastrophe modelers CoreLogic EQECAT gave an initial estimate of $500 million to $1 billion in insured losses. Residential losses would account for about one half to one quarter of this loss estimate.

If the loss exceeds $1 billion it will be from uncertainty in commercial losses, CoreLogic EQECAT said, and losses to the wine industry could increase this estimate:

“Business interruption (BI) losses are a major concern. As this is a very popular tourist area, many businesses – including wineries and restaurants – have sustained damage, both non-structural and structural.”

CoreLogic EQECAT noted that the Napa Valley wine harvest was already underway. Losses would have been less if this event had occurred pre-harvest.

According to the Napa Valley Vintners Association, while there have been reports of damage at some Napa Valley wineries and production and storage facilities, particularly those in the Napa and south Napa areas, vintners are still assessing their individual situations. More information is expected in the next 24 to 72 hours.

Standard homeowners, renters and business insurance policies do not cover damage from earthquakes. Coverage is available either in the form of an endorsement or as a separate policy.

I.I.I. earthquake facts and stats show California had the largest amount of earthquake premiums in 2013, at $1.6 billion, accounting for 61 percent of U.S. earthquake insurance premiums written.

This figure includes the state-run California Earthquake Authority, the largest provider of residential earthquake insurance in California. Only about 10 percent of California residents currently have earthquake coverage, down from about 30 percent in 1996, two years after the Northridge, California, earthquake.

The percentage of homeowners and renters who have earthquake insurance in the affected area is very low – in Napa less than 6 percent, and in Sonoma less than 10 percent, according to the California Earthquake Authority.

Check out key facts from the I.I.I. on the insurance industry’s contribution to the California economy here.

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

“With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said that so far the criminals have not sold many of the records online, but appear to be using them to send spam on social networks.

If ever there was a reason to research – and buy – cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

“The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

Global fatalities from acts of terrorism jumped by 30 percent in the last year even as the number of attacks decreased, according to a new interactive mapping platform from risk analytics firm Maplecroft.

Some 18,668 terrorism fatalities were recorded in the 12 months prior to July 1, up 29.3 percent from an annual average of 14,433 for the previous five years.

Over the same period there were some 9,471 global terrorism attacks at an average of 26 a day, down from a five-year average of 10,468. This indicates that terrorist methods have become increasingly deadly over the last year, Maplecroft said.

Nigeria recorded by far the highest number of fatalities per attack, with 146 reported attacks in the last year resulting in 3,477 fatalities – an average of 24 fatalities per attack (compared to 2 fatalities per attack in Iraq).

Iraq recorded the highest number of attacks, with 3,158 acts of terrorism resulting in 5,929 fatalities.

China, Egypt, Kenya and Libya are seeing the most significant increases in the risks of terrorist attacks, the Maplecroft Terrorism and Security Dashboard (MTSD) reveals.

The MTSD classifies 12 countries as ‘extreme risk,’ including: Iraq (most at risk), Afghanistan (2nd), Pakistan (3rd), Somalia (4th), Yemen (6th), Syria (7th), Lebanon (9th) and Libya (10th). Many of these countries are blighted by high levels of instability and weak governance, Maplecroft notes.

However, of particular concern for investors, the important growth economies of Nigeria (5th), the Philippines (8th), Colombia (11th) and Kenya (12th) also feature in the category.

Jordan Perry, a principal political risk analyst at Maplecroft, says:

“Libya, Kenya and Egypt are among a handful of countries to witness a significant increase in risk in the MTSD and investor confidence in key sectors, including tourism and oil and gas, has been hurt. When faced with rising security costs and decreasing safety for their personnel, companies can, and do, reconsider their country-level commitments.”

The MTSD logs, analyzes and plots all reported incidents of terrorism, piracy, political violence and human rights abuses by security forces down to 100m² worldwide. It also draws on Maplecroft’s seven years of global data to reveal terrorism and security trends across 197 countries.

Maplecroft CEO Alyson Warhurst makes the important point that the dynamic nature of terrorism means individual events are impossible to predict, but the information included in the MTSD can help organizations make informed decisions relating to market entry, security measures for in-country operations, duty of care obligations, supply chain continuity and risk pricing.

Check out I.I.I. facts and stats on terrorism risk.

No industry sector is immune from cyber threats, and a round-up of recent headlines and reports underscores the increasing risk and cost businesses face.

Just this week, U.S. Treasury Secretary Jacob Lew urged financial institutions and firms to redouble their efforts against cyber threats and said information-sharing and collaboration among businesses and with government is key.

Speaking at a conference in New York, Secretary Lew noted that the consequences of cyber incidents are serious and our cyber defenses are not yet where they need to be:

“Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. In particular, it is imperative that firms collaborate with government agencies and with other firms. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Secretary Lew noted that some banks are already spending as much as $250 million a year to strengthen their cyber security. (Note: this is a cost borne by businesses).

Meanwhile, a new report from the New York attorney general’s office revealed that the number of reported data security breaches in the state more than tripled between 2006 and 2013, with some 22.8 million personal records of New Yorkers exposed in nearly 5,000 data breaches.

The cost to the public and private sectors in New York? In 2013 alone, upward of $1.37 billion, according to the report’s findings.

The Insurance Information Institute’s (I.I.I.) newly updated report Cyber Risks: The Growing Threat (of which I am a co-author) sheds light on the specialist cyber insurance policies developed by insurers to help businesses and individuals protect themselves from the cyber threat.

Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding rapidly in response to this fast-growing market need.

I.I.I. facts and stats on identity theft and cyber security are available here.

Why are some countries more resistant to supply chain disruption or better able to bounce back?

According to Margareta Wahlström, United Nations Special Representative of the Secretary-General (SRSG) for Disaster Risk Reduction, this is a puzzle that world leaders are perpetually trying to solve.

Hence the inherent value in a new online interactive tool from FM Global that ranks countries by supply chain resilience.

The 2014 FM Global Resilience Index ranks the business resilience of 130 countries around the world.

Nine key drivers of supply chain risk are grouped into three categories: economic, risk quality and supply chain factors. These combine to form the composite index. Scores are bound on a scale of 0 to 100, with 0 representing the lowest resilience and 100 the highest resilience.

Jonathan Hall, executive vice president, FM Global, explains:

“Natural disasters, political unrest and a lack of global uniformity in safety codes and standards all can have an impact on business continuity, competitiveness and reputation. As supply chains become more global, complex and interdependent, it is essential for decision makers to have concrete facts and intelligence about where their facilities and their suppliers’ facilities are located.”

So which countries rank at the top of the index?

According to FM Global, Norway (score: 100), Switzerland (score: 98.9) and Canada (score: 93.2) are the top three countries most resilient to supply chain disruption.

At the other end of the scale, the index finds Kyrgyzstan (score: 6), Venezuela (score: 2.5) and the Dominican Republic (score: 0) as the countries least resilient to supply chain disruption.

Where did the United States fall?

Because of its geographic spread and disparate exposures to natural hazards, the U.S. is divided into three separate regions. All three rank in the top 25.

You might also be interested to know that China (also divided into three separate regions) ranks in the top 75. China’s weakest region includes Shanghai and ranks particularly low as a result of poor risk quality due to acute natural hazards.

Another key takeaway is the biggest riser: Bosnia and Herzegovina. The country climbed 19 places from last year, due to improvements in its political risk and in the quality of local suppliers.

And one of the top fallers in the 2014 Index is Bangladesh, with FM Global citing declining quality of both natural hazard risk management and fire risk management.

FM Global commissioned analytics and advisory firm Oxford Metrica to develop the rankings. The index allows you to browse country rankings and scores from 2011 to 2014.

U.S. businesses are losing more financially from cybercrime, compared to their global peers, but are generally less aware of the cost, according to PWC’s 2014 Global Economic Crime Survey.

As cybercrime continues to increase in volume, frequency and sophistication, PWC’s findings suggest that U.S. organizations are more at risk of suffering financial losses in excess of $1 million due to cybercrime.

According to the study, some 7 percent of U.S. companies lost $1 million or more, compared to just 3 percent of global organizations.

In addition, 19 percent of U.S. organizations lost $50,000 to $1 million, compared to 8 percent of global respondents.

PWC doesn’t elaborate on the reasons for this discrepancy, but other studies have noted that the types and frequencies of attacks vary from country to country.

U.S. companies are also more likely to experience the most expensive types of cyber attacks, such as malicious insiders, malicious code, and web-based incidents, the research suggests.

Despite having more to lose, some 42 percent of U.S. companies were unaware of cybercrime’s cost to their organizations, compared to 33 percent of global respondents, according to PWC.

Yet, overall U.S. companies appear to have a greater understanding of the risk of cybercrime than their global peers.

PWC notes that U.S. organizations’ perception of the risks of cybercrime exceeded the global average by 23 percent.

Also, 71 percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent since 2011.

Hat tip to CNBC.com which reports on this story here.

Some 5,128 executives from 99 countries responded to the survey, of which 50 percent were senior executives of their respective companies. Some 35 percent represented listed companies and 54 percent represented organizations with more than 1,000 employees.

While the number of lawsuits filed against U.S. companies in the past year was stable, the financial impact of the litigation they face continues to increase, according to Norton Rose Fulbright’s Annual Litigation Trends Survey.

More than one-third (34 percent) of all companies faced at least one lawsuit with more than $20 million at issue in 2013, up from just 23 percent in 2011, continuing a trend in recent years that’s left fewer respondents untouched by high-value cases.

Energy companies are much more likely to have one or more large lawsuits pending against them compared to other industries (52 percent versus 34 percent for the total sample), the study found, as are larger companies generally (51 percent versus 34 percent for the overall sample).

Among the largest companies surveyed (revenue greater than $5 billion), two-thirds reported having one or more lawsuits greater than $20 million pending against them, twice the rate for the overall sample.

Meanwhile, the percentage of larger companies spending $10 million or more annually on litigation increased to 43 percent in 2013 – the second consecutive year of growth (33 percent in 2012, 19 percent in 2011).

Another key takeaway from this year’s study is that healthcare industry respondents had the most litigation matters compared with other industries, with 55 percent indicating more than 20 suits versus 30 percent for the overall sample.

That increased activity also led to higher spending, with 49 percent of healthcare respondents reporting a 2013 litigation spend of $5 million or more, closely followed by energy at 46 percent.

The percentage of financial services companies spending $5 million or more on litigation more than doubled to 38 percent in 2013, up from 15 percent in 2012 and just 11 percent in 2011.

Labor and employment disputes once again were the most common litigation issues facing U.S. companies in 2013.

The number of U.S. companies facing regulatory proceedings increased for the third consecutive year, reflecting a stricter regulatory environment and increased scrutiny from a broad range of state and federal agencies.

Not surprisingly, legal counsel concerns over regulatory/investigation matters are also up sharply in the 2013 survey, with 41 percent of respondents indicating it as a top concern, versus just 23 percent in 2012.

Norton Rose Fulbright’s 10th annual litigation trends survey of corporate law departments in the U.S. saw responses from a total of 401 senior corporate counsel executives representing a broad range of industries.

The number of countries with downgraded political risk ratings grew in the last year, as all five emerging market BRICS countries (Brazil, Russia, India, China, South Africa) saw their risk rating increase, according to Aon’s 2014 Political Risk Map.

As a result, countries representing a large share of global output experienced a broad-based increase in political risk including political violence, government interference and sovereign non-payment risk, Aon said.

The 2014 map shows that 16 countries were downgraded in 2014 compared to 12 in 2013. Only six countries experienced upgrades (where the territory risk is rated lower than the previous year), compared to 13 in 2013.

Aon noted that Brazil’s rating was downgraded because political risks have been increasing from moderate levels as economic weakness has increased the role of the government in the economy.

“This is of particular concern given this year’s World Cup and the 2016 Olympics.”

Russia’s rating was also downgraded due to recent developments with the Ukraine and the annexation of Crimea.

Aon said:

“Political strains and focus on geopolitical issues have exacerbated an already weak operating environment for business and exchange transfer risks have increased following the risk of new capital controls. Russia’s economy continues to be dominated by the government, so economic policy deadlock has brought growth to a standstill and with it an increase in the risk of political violence.”

India, China and South Africa also saw their ratings downgraded.

In another key takeaway, Aon noted that Ukraine is now rated a very high risk country, as the implications of developments following the annexation of Crimea by Russia and government collapse warranted a further downgrade in political risk.

“Exchange transfer risks, which are already very high, will be further increased by restrictions in the financial system. Further, the willingness and ability of the country to settle its debts may be affected.”

The map measures political risk in 163 countries and territories, in order to help companies assess and analyse their exposure to exchange transfer, legal and regulatory risk, political interference, political violence, sovereign non-payment and supply chain disruption.

Hat tip to Insurance Journal which reports on this story here.

Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There’s an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and social security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post which reports on the findings here.

The Senate staffers’ report, titled “A Kill Chain Analysis of the 2013 Target Data Breach,” says key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

“This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.
