Business Risk


While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

“This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be wary of going to the other extreme and cutting off data that their employees or customers legitimately need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they have requested in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, across industries including financial services, the public sector, health and pharma, retail, industrial, and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

There’s an interesting moment in a report on the current state of cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber risk in your business check out this I.I.I. presentation.

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment—Sony’s second major hacker attack in three years—and it’s not good.

The breach exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, and forced a major shutdown of the company’s computer systems. In scope, it appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

“An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

“Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

“It’s almost impossible to think of a company that hasn’t been hacked—the Pentagon’s secret network, the White House, JPMorgan—it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

“Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance, too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than in 2013, when the total number of data breaches and records exposed soared.

More on the potential fallout and growing identity theft threat facing consumers here.

As holiday shopping gets underway, several major retailers are opening even earlier this year, offering the prospect of deep discounts and large crowds to an ever growing number of shoppers.

The National Retail Federation (NRF) notes that 140 million holiday shoppers are likely to take advantage of Thanksgiving weekend deals in stores and online.

Millennials are most eager to shop, with the NRF survey showing that 8 in 10 (79.6 percent) of 18-24-year-olds will or may shop over the weekend, the highest of any age group.

Much has been written about the risks of online shopping, but for those who still head to the stores, there are dangers there too.

The Occupational Safety and Health Administration (OSHA) reminds us that crowd related injuries can occur during special sales and promotional events. In 2008, a worker at Wal-Mart died after being trampled in a Black Friday stampede.

According to the aptly named blackfridaydeathcount.com, since 2006 there have been seven Black Friday-related fatalities and 90 injuries. As well as stampeding crowds, injuries have occurred as a result of altercations over TVs, road rage over parking spaces, shootings and distracted driving.

For employers and store owners, OSHA offers comprehensive tips on how to create a safe shopping experience.

Crowd management planning should begin in advance of events likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning, OSHA says.

Tips include: hiring additional staff; having trained security or crowd management personnel on site; determining the number of workers needed in different locations to ensure the safety of an event; and preparing an emergency plan that addresses potential dangers facing workers including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire.

For shoppers too, a personal safety and security plan is a good idea. The National Crime Prevention Council (NCPC) advises not to buy more than you can carry and to plan ahead by taking a friend with you or asking a store employee to help you carry packages to the car. Travelers offers some important tips here.

To all our readers, have a happy and safe Thanksgiving!

Reputational risk is among the most challenging to insure, says I.I.I.’s VP of Communications Loretta Worters in this timely tale of Uber shenanigans:

There’s no such thing as bad publicity, the old saying goes. But the publicity ridesharing company Uber is getting lately may not just harm its image, but can hurt its bottom line. And for a business valued by some at north of $50 billion, that’s a world of hurt!

The latest trouble for the beleaguered rideshare titan started earlier this week when SVP of Business Emil Michael was reported by BuzzFeed to have said that the company should initiate a million-dollar “smear campaign” against journalists. Worse still was CEO Travis Kalanick’s response, a rambling 13-tweet condemnation of Michael’s on-the-record screed. (To date, however, Michael still has his job.) Jumping into the fray was Uber investor Ashton Kutcher, who defended the company for “digging up dirt” on journalists.

A company’s reputation is core to its profitability and long-term competitiveness. And the challenges from social media and other interactive online platforms often force businesses to respond immediately. This in part explains why damage from reputational risk events oftentimes does not result from the initial crisis, but from how well the company responds to it.

This isn’t exactly the first time Uber has “stepped in it.” However, leaving aside Uber’s occasional self-destructive missteps, how vulnerable is Uber or any other company with a capricious C-suite?

Reputational risk is among the most challenging categories of risk to manage, according to 92 percent of companies responding to a survey from ACE Group. Fully 81 percent of respondents view reputation as their most significant asset—and most of them admit that they struggle to protect it. The report also suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

While Uber’s Kalanick acknowledged his company needs to repair its image, he clearly would benefit from reputational risk insurance and the expertise of a risk manager—even if that risk manager’s counsel amounts to: “dude, shut UP!”

Reputational risk is not covered under a typical business policy, but companies can purchase coverage as a stand-alone policy which typically pays fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs such as research, events, social media, and directly associated activities.

New reputation insurance products have started to emerge in the marketplace that cover financial losses caused by bad news that harms a company’s profits. For example, Aon with Zurich, Willis and Chartis among others have come out with policies that address the exposures of reputational risk and offer risk management services to help corporations keep their reputations intact.

One thing is clear: as the rideshare business grows more competitive, Kalanick will need to do better at projecting a positive image. And if he took a cue from his own product, and let somebody else do the driving for a change, Kalanick would be following the lead of many a troubled CEO before him.

For information on the insurance implications of ride-sharing, check out this handy Q&A.

I.I.I. chief actuary Jim Lynch offers his perspective on how insurers are responding to climate change:

The insurance industry got a report card this week on a test I’m not sure they knew they were taking. And the grading curve was, in my opinion, harsh.

Ceres, a nonprofit group that promotes sustainable business practices, rated 330 insurers – life, health and property/casualty – on how well they are responding to climate change.

Before I wade further into the topic, it is important to acknowledge that insurance companies and their managers have a range of opinions on global warming that is as wide as the opinions of Americans overall on the topic. There is no insurance industry position, though there are individuals and companies with strong opinions – just as with all Americans.

On a four-point scale, nine companies got the highest mark (“leading”): Ace, Munich Re, Swiss Re, Allianz, Prudential, XL Group, The Hartford Financial Services Group, Sompo Japan and Zurich. Matthew Sturdevant of the Hartford Courant does a nice job rounding up how these firms earned their grade.

Ceres gave “minimal” or “beginning” rankings to 276 insurers, 84 percent on my calculator. The New York Times played up that aspect. But the analysis may be skewed because of the source of the rankings and how Ceres adapted that source.

Ceres took a National Association of Insurance Commissioners (NAIC) survey that six states require on climate change. The survey consists of eight yes-or-no questions, each of which follows up with why the insurer answered as it did. The follow-up questions are open-ended – companies can respond with as little or as much information as they like.

The questions help regulators when they assess a company’s enterprise risk management, specifically how hard a company looks for potential problems that might not hit them until years from now. Climate change certainly has that potential.

Ceres took those answers and graded them on its own criteria, resulting in six scores from 1 to 4, which it then re-summarized into a single grade.

Boiling down a complex set of open-ended answers is tricky enough, but Ceres has, in my opinion, misused the NAIC survey, which is supposed to help regulators understand how well insurers are considering climate change in their risk management, not whether insurers are acting as stewards of the environment.

So it doesn’t seem like Ceres is giving a fair test. Insurers are answering questions on how climate change might affect their business then being rated on how their actions will reduce carbon emissions. It’s like being told to write an essay, then being graded on penmanship.

How could this skew results? Some insurers are minimally exposed to climate change, so it would not be prudent risk management for them to devote valuable resources to the issue. Medical malpractice writers are an obvious example. Climate change might be important to the world at large, but how relevant is it to the operation of a medical malpractice writer?

Property insurers are in a different boat, pardon the irresistible pun. Rising sea levels and growing weather extremes are important developments, and it would seem a prudent coastal writer would consider whether those trends will continue, abate or accelerate. A company that writes worldwide has still more to think about, as climate trends would affect other countries more than our own.

Seen that way, it makes perfect sense that some large, multinational insurers are concerned about climate change while small writers not exposed to property insurance are less so.

On the life/health side, there is a signal-to-noise problem. Climate change appears to have an impact on mortality, but it’s really small. A 2011 Brookings study suggested that climate change will increase U.S. age adjusted mortality rates by about 3 percent over the next 85 years or so. That rate has declined by 1 percent per year over the past 35 years. So the impact of climate change on mortality is likely to be overwhelmed by other forces at work.

That’s not to say that life expectancies outside the U.S. won’t be affected more. But a life insurer that only writes U.S. risks might not want to incorporate climate change-induced mortality changes from, say, Australia, into its business model.

Regardless, life insurers have a built-in mortality hedge in pairing annuity sales with life insurance. People who die sooner drive life insurance profits lower. But they push annuity profits higher, and vice versa. Combine that with the small impact of climate change on U.S. mortality and it makes perfect sense that a great many U.S. life insurers have decided that climate change doesn’t form a central part of their risk management strategy.

Health insurers are in a similar situation. Gradual changes in health have small effects on their business, and those changes can be easily adjusted to year by year. Pandemics are a bigger risk, so risk management efforts focus there.

That helps explain why health and life insurers didn’t score as high as property/casualty insurers. They have less at stake.

California’s insurance department doesn’t sound too concerned. Ceres relied on CA DOI information to compile its report, so there’s a good chance the Ceres researchers saw a 2013 press release that said this:

“The results of this year’s survey are a positive sign for the insurance industry and the environment,” said Commissioner Jones. “It is encouraging to see that insurers are aware of the risks that a changing climate brings, and moreover they are taking steps to ensure their responses to these risks are sufficient to protect their business.”

“More than 1,000 companies [Duplicates and multi-company insurance groups account for the difference between Ceres’ total and California’s.] were required to respond to the survey. The survey revealed that roughly 75 percent of insurers have a plan for identifying climate change-related risks that could affect their business, and are taking actions to mitigate these risks. Responses to the eight survey questions reveal that nearly every insurer is aware of the risks posed by a changing climate, and an overwhelming majority of insurers have incorporated mitigating practices into their business model.”

That sounds like an industry that is handling the issue prudently, even if it is not the way an environmental group would prefer.

As the number of companies suffering a data breach continues to grow – with U.S. retailer Staples now reported to be investigating a breach – so do the legal developments arising out of these incidents.

While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.

A post in today’s Wall Street Journal Morning Risk Report echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.

Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies—and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.

P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.

An earlier post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant has the details on the legal action between Travelers and P.F. Chang’s.

To date, the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.

One recent high-profile – and oft-cited – case followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.

A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Further expertise and analysis on cyber risks and insurance is available from the I.I.I.

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents – 68 percent – are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Drought continues to make the headlines, with the latest U.S. Drought Monitor showing moderate to exceptional drought covers 30.6 percent of the contiguous United States.

Its weekly update also shows that 82 percent of the state of California is in a state of extreme or exceptional drought. Reservoir levels in the state continued to decline, and groundwater wells continued to go dry, the U.S. Drought Monitor says.

[Image: U.S. Drought Monitor map, 20140923_usdm_home]

The LA Times reports that California’s historic drought has 14 communities on the brink of waterlessness. It quotes Tim Quinn, executive director of the Association of California Water Agencies, saying that communities that have made the list are often small and isolated and have relied on a single source of water without backup sources.

However, Quinn also tells the LA Times that if the drought continues, larger communities could face their own significant problems.

A recent article at CFO.com by Lauren Kelley Koopman, a director in PwC’s Sustainable Business Solutions practice, makes the point that when water-related disruptions affect operations, companies can suffer significant profit and losses and pay higher prices for goods in the supply chain.

Water management issues pose significant operational, regulatory and reputational risks to companies, the article noted.

And a recent report from the University of California found that farmers had spent an extra $500m in pumping extra water to cope with the state’s drought, while the total economic cost to the state’s agricultural industry reached $2.2bn.

For insurers, droughts can be costly. Drought, wildfires and heat waves caused 29 deaths and $385 million in insured losses in the U.S. in 2013, according to Munich Re.

In 2012, drought in various parts of the U.S. caused $15 billion to $17 billion in insured losses, making it the second costliest disaster after Hurricane Sandy.

The recent disclosure of a major data breach at retailer Home Depot has once again put the spotlight on the increasing vulnerability of businesses to cyber threats and the need for cyber insurance.

But companies are uncertain of how much insurance coverage to acquire and whether their current policies provide them with protection, according to a new report by Guy Carpenter.

It speculates that one of the roots of the uncertainty stems from the difficulty in quantifying potential losses because of the dearth of historical data for actuaries and underwriters to model cyber-related losses.

Furthermore, traditional general liability policies do not always cover cyber risk, Guy Carpenter says.

It notes that in the United States, ISO’s revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

Though still in its infancy the cyber insurance market potential is vast, Guy Carpenter reports. It cites Marsh statistics estimating that the U.S. cyber insurance market was worth $1 billion in gross written premiums in 2013 and could reach as much as $2 billion this year.

The European market is currently a fraction of that, at approximately $150 million, but could reach as high as EUR900 million by 2018, according to some estimates.

Guy Carpenter also warns that cyber attacks are now top of mind for governments, utilities, individuals, medical and academic institutions and companies of all sizes, noting:

“Because of increasing global interconnectedness and explosive use of mobile devices and social media, the risk of cyber attacks and data breaches has increased exponentially.”

Cyber attacks also present a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, counterparties and supply chains, it adds.

Check out the I.I.I. paper on this topic: Cyber Threats: The Growing Risk.
