Business Risk


U.S. businesses are losing more financially from cybercrime, compared to their global peers, but are generally less aware of the cost, according to PWC’s 2014 Global Economic Crime Survey.

As cybercrime continues to increase in volume, frequency and sophistication, PWC’s findings suggest that U.S. organizations are more at risk of suffering financial losses in excess of $1 million due to cybercrime.

According to the study, some 7 percent of U.S. companies lost $1 million or more, compared to just 3 percent of global organizations.

In addition, 19 percent of U.S. organizations lost $50,000 to $1 million, compared to 8 percent of global respondents.

PWC doesn’t elaborate on the reasons for this discrepancy, but other studies have noted that the types and frequencies of attacks vary from country to country.

U.S. companies are also more likely to experience the most expensive types of cyber attacks, such as malicious insiders, malicious code, and web-based incidents, the research suggests.

Despite having more to lose, some 42 percent of U.S. companies were unaware of cybercrime’s cost to their organizations, compared to 33 percent of global respondents, according to PWC.

Yet overall, U.S. companies appear to have a greater understanding of the risk of cybercrime than their global peers.

PWC notes that U.S. organizations’ perception of the risks of cybercrime exceeded the global average by 23 percent.

Also, 71 percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent since 2011.

Hat tip to CNBC.com which reports on this story here.

Some 5,128 executives from 99 countries responded to the survey, of which 50 percent were senior executives of their respective companies. Some 35 percent represented listed companies and 54 percent represented organizations with more than 1,000 employees.

While the number of lawsuits filed against U.S. companies in the past year was stable, the financial impact of the litigation they face continues to increase, according to Norton Rose Fulbright’s Annual Litigation Trends Survey.

More than one-third (34 percent) of all companies faced at least one lawsuit with more than $20 million at issue in 2013, up from just 23 percent in 2011, continuing a trend in recent years that’s left fewer respondents untouched by high-value cases.

Energy companies are much more likely to have one or more large lawsuits pending against them compared to other industries (52 percent versus 34 percent for the total sample), the study found, as are larger companies generally (51 percent versus 34 percent for the overall sample).

Among the largest companies surveyed (revenue greater than $5 billion), two-thirds reported having one or more lawsuits greater than $20 million pending against them, twice the rate for the overall sample.

Meanwhile, the percentage of larger companies spending $10 million or more annually on litigation increased to 43 percent in 2013 – the second consecutive year of growth (33 percent in 2012, 19 percent in 2011).

Another key takeaway from this year’s study is that healthcare industry respondents had the most litigation matters compared with other industries, with 55 percent indicating more than 20 suits versus 30 percent for the overall sample.

That increased activity also led to higher spending, with 49 percent of healthcare respondents reporting a 2013 litigation spend of $5 million or more, closely followed by energy at 46 percent.

The percentage of financial services companies spending $5 million or more on litigation more than doubled to 38 percent in 2013, up from 15 percent in 2012 and just 11 percent in 2011.

Labor and employment disputes once again were the most common litigation issues facing U.S. companies in 2013.

The number of U.S. companies facing regulatory proceedings increased for the third consecutive year, reflecting a stricter regulatory environment and increased scrutiny from a broad range of state and federal agencies.

Not surprisingly, legal counsel concerns over regulatory/investigation matters are also up sharply in the 2013 survey, with 41 percent of respondents indicating it as a top concern, versus just 23 percent in 2012.

Norton Rose Fulbright’s 10th annual litigation trends survey of corporate law departments in the U.S. saw responses from a total of 401 senior corporate counsel executives representing a broad range of industries.

The number of countries with downgraded political risk ratings grew in the last year, as all five emerging market BRICS countries (Brazil, Russia, India, China, South Africa) saw their risk rating increase, according to Aon’s 2014 Political Risk Map.

As a result, countries representing a large share of global output experienced a broad-based increase in political risk including political violence, government interference and sovereign non-payment risk, Aon said.

The 2014 map shows that 16 countries were downgraded in 2014 compared to 12 in 2013. Only six countries experienced upgrades (where the territory risk is rated lower than the previous year), compared to 13 in 2013.

Aon noted that Brazil’s rating was downgraded because political risks have been increasing from moderate levels as economic weakness has increased the role of the government in the economy.

“This is of particular concern given this year’s World Cup and the 2016 Olympics.”

Russia’s rating was also downgraded due to recent developments with the Ukraine and the annexation of Crimea.

Aon said:

“Political strains and focus on geopolitical issues have exacerbated an already weak operating environment for business and exchange transfer risks have increased following the risk of new capital controls. Russia’s economy continues to be dominated by the government, so economic policy deadlock has brought growth to a standstill and with it an increase in the risk of political violence.”

India, China and South Africa also saw their ratings downgraded.

In another key takeaway Aon noted that Ukraine is now rated a very high risk country, as the implications of developments following the annexation of Crimea by Russia and government collapse warranted a further downgrade in political risk.

“Exchange transfer risks, which are already very high, will be further increased by restrictions in the financial system. Further, the willingness and ability of the country to settle its debts may be affected.”

The map measures political risk in 163 countries and territories, in order to help companies assess and analyse their exposure to exchange transfer, legal and regulatory risk, political interference, political violence, sovereign non-payment and supply chain disruption.

Hat tip to Insurance Journal which reports on this story here.

Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.

The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There’s an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan giving testimony.

Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.

The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and social security numbers.

The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.

A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post which reports on the findings here.

The Senate staffers’ report, titled “A Kill Chain Analysis of the 2013 Target Data Breach,” says key points at which Target apparently failed to detect and stop the attack include:

● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

● Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s systems.

● Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.

● Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.

“This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.”

Check out an I.I.I. whitepaper on cyber risks and insurance here.

The Ukraine crisis is making headlines around the world, and also in the insurance world.

While events are still unfolding, Russia’s move to annex the Crimea region of Ukraine has prompted United States and European Union leaders to impose economic and travel sanctions on some Russian officials.

U.S. and EU leaders will meet next week in the Netherlands to discuss the crisis and further sanctions are possible.

As for insurance implications, the ongoing turmoil has the potential to impact the political risk, structured credit and trade credit insurance markets.

Broker Marsh said in a briefing last week that some insurers had stopped underwriting political risk insurance in the two countries due to concern over the political unrest and credit ratings in Ukraine and potential sanctions in Russia.

Canadian Underwriter reported on the story here.

Noting the uncertainty of the evolving situation, Marsh said:

“Companies with interests in the region face the potential for damage to assets through political violence and possible broader expropriation measures or sanctions against foreign interest in Russia should sanctions be imposed against the country. This is in addition to the potential for payment delays on trade payment obligations due from customers, especially those in Ukraine.”

Marsh also noted that because Russia is the political risk and structured credit market’s largest country exposure, if the current conflict results in large-scale insurable damage, global premiums and insurance capacity for these coverages could be adversely affected.

There is also the potential for a downgrade of the country rating by the ratings agencies and possible payment difficulties for creditors of Ukrainian companies, either commercial or economic, Marsh added.

The broker advised businesses with operations in Ukraine, especially those in Crimea, to check their crisis response and insurance programs to ensure they sufficiently mitigate the potential effects on their operations.

The I.I.I.’s International Insurance Fact Book has insurance and economic data on Russia and Ukraine here.

Two months after Target announced a massive data breach in which hackers stole 40 million debit and credit card accounts from stores nationwide, the rising costs related to the incident are becoming clear.

Costs associated with the Target data breach have reached more than $200 million for financial institutions, according to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA).

Breaking out the numbers, CBA estimates the cost of card replacements for its members has reached $172 million, up from an initial finding of $153 million. CUNA has said the cost to credit unions has increased to $30.6 million, up from an original estimate of $25 million.

So far, cards replaced by CBA members and credit unions account for more than half (54.5 percent) of all affected cards.

In a press release, CBA notes that the combined $200 million cost does not factor in costs to financial institutions other than credit unions or CBA members, nor does it take into account any fraudulent activity which may have occurred or may occur in the future:

“Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.”

A post over at the Wall Street Journal Corporate Intelligence blog points out that cyber attacks like these continue to be a drain on the wider economy.

It cites a study backed by computer security firm McAfee that last year estimated the total cost of cybercrime and cyber espionage to the United States at up to $100 billion each year.

Meanwhile, legal experts caution that companies need to take stock in the wake of the Target breach and make sure they have adequate insurance in place.

A post by Emily R. Caron in Media, Privacy and Beyond published by law firm Lathrop & Gage notes that fortunately Target appears to have a lot of insurance in place.

It cites reports suggesting that between cyber coverage and directors and officers (D&O) coverage, Target has $165 million in total limits, after self-insuring the first $10 million. (Hat tip to @LexBlogNetwork for highlighting this article)

However, The New York Times recently reported that total damages to banks and retailers could exceed $18 billion according to estimates by Javelin Strategy & Research.

In addition the NYT noted that nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

As Caron notes in her article at Media, Privacy & Beyond, there is a big gap between $165 million and $18 billion.

Check out I.I.I. facts + statistics on ID theft and cyber security.

Job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) dropped to 93,727 in fiscal year 2013, down 5.7 percent from 99,412 charges in 2012, and a 6.6 percent decrease from the record 99,947 charges reported in fiscal year 2011.

But the decline in the number of charges was offset by an increase in the amount of monetary relief obtained for victims.

Monetary relief obtained for victims increased by $6.7 million to $372.1 million – the highest monetary recovery from private sector employers in agency history through its administrative process, the EEOC said.

As in prior years, retaliation under all statutes was the most frequently cited basis for charges of discrimination, increasing in both actual numbers (38,539 up from 37,836) and as a percentage of all charges (41.1 percent up from 38.1 percent) from the previous year.

This was followed by race discrimination (33,068/35.3 percent); sex discrimination, including sexual harassment and pregnancy discrimination (27,687/29.5 percent); and discrimination based on disability (25,957/27.7 percent).

The EEOC noted that both race and disability discrimination increased in percentage of all charges while decreasing in raw numbers from the previous year, while charges of sex discrimination were down by over 2,600 charges.

The EEOC also received 333 charges under the Genetic Information Nondiscrimination Act, which prohibits discrimination on the basis of genetic information, including family medical history.

Despite the overall positive trend, employers should remain vigilant, legal experts say.

In a post on legal newsfeed Lexology, Hannesson Murphy, a partner at law firm Barnes & Thornburg, writes:

“While employers should be encouraged by current trends, this is no time to let down their guard: EEOC charges remain well above the levels of the mid-1990’s or mid-2000’s, retaliation claims are on the rise, and the EEOC is as active as ever. In short: remain vigilant.”

Check out further I.I.I. facts and statistics on employment practices liability insurance here.

The fallout continues in the wake of the massive data breach at Target in which hackers stole 40 million debit and credit card accounts from stores nationwide between November 27 and December 15.

USA Today reports that so far three class-action lawsuits have been filed in the wake of the incident, seeking more than $5 million in damages. Two of the cases were filed in California and one in Oregon.

The same USA Today article reports that the attorneys general in at least four states – Connecticut, Massachusetts, New York and South Dakota – have asked Target for information about the breach, in what is regarded as the first step to a possible multi-state investigation into the breach.

Meanwhile, the Krebs on Security blog, which broke the story of the Target breach last Wednesday, December 18, reports that card accounts stolen in the breach are flooding the underground markets. Check out the latest reports here and here.

For anyone who shopped at Target during the breach period, the New York Times has a helpful Q&A on what you should do.

While latest studies indicate U.S. companies continue to improve their preparation for and response to a data breach, the security breach at Target highlights the vulnerability of major companies to this threat.

Both the organizational cost of a data breach and the cost per lost or stolen record declined last year, according to the 2013 Cost of a Data Breach study by the Ponemon Institute and Symantec.

The organizational cost of a breach declined from $5.5 million to $5.4 million and the cost per record from $194 to $188.

The Ponemon report also noted that while the cost of a data breach can vary widely because of the types of threats and data protection laws, the financial consequences are serious worldwide.

Check out I.I.I. facts and statistics on identity theft and cyber security.

Direct foreign investors operating in the Middle East and North Africa (MENA) face an increasing level of political risk as a result of the instability and uncertainty created by the Arab Awakening, according to an annual risk report.

The 2014 Marsh-Maplecroft Political Risk Map reveals that more than 60 percent of countries in the MENA region have experienced a significant increase in the level of political violence since 2010.

According to the map, 17 countries since 2010 have experienced a significant increase in their level of dynamic political risk, more than half of which are located in the MENA region.

Note: dynamic political risks focus on short-term challenges, such as rule of law, political violence, the macroeconomic environment, resource nationalism and regime stability.

Syria has seen the most significant increase in risk and is now ranked as the second-highest risk country behind only Somalia. For the first time, Egypt is now categorized as “extreme” risk for political violence, a deterioration driven by post-coup violence and increased terrorist activity in the Sinai Peninsula.

Over the past year, East Africa was host to the most countries with an increase in political violence, according to the map.

Marsh notes that the increase in political violence in East Africa presents significant challenges to foreign investors looking to the region following the discovery of substantial oil and gas reserves.

Despite these risks, the map points to opportunities for investors in six growth markets where overall dynamic political risk has significantly improved since 2010: the Philippines, India, Uganda, Ghana, Israel, and Malaysia.

The map draws from Maplecroft’s Political Risk Atlas 2014 and highlights dynamic political risks across 197 countries, including conflict, terrorism, macroeconomic stability, rule of law, and regulatory and business environments.

Hat tip to Business Insurance which reports here.

Health care organizations are facing a much more challenging directors and officers (D&O) liability insurance market as they adapt to changes arising from the Affordable Care Act (ACA), according to a new report from Marsh.

It reveals that average primary D&O rates for midsize and large health systems increased by 9.6 percent in the third quarter of 2013, while total program D&O rates renewed with 7.9 percent increases on average.

Nearly all organizations – 91 percent – renewed with rate increases, according to its findings.

Marsh notes that since the passage of the ACA in 2010, the health care industry has undergone rapid consolidation resulting in organizations working more closely together and sharing information.

As a result, many health care organizations face increased exposure to antitrust risks and this has insurers concerned.

In some cases D&O insurers have lowered their antitrust sublimits and increased antitrust-related coinsurance requirements and retentions, Marsh says. In addition to raising rates, some D&O insurers are also pulling back on offering full policy limit defense coverage.

It quotes Mark Karlson, Marsh’s FINPRO Health Care Practice Leader:

“Ongoing merger and acquisition activity and the transition to accountable care organizations and similar networks are creating new exposures for many health care organizations, including antitrust risks.

“This has resulted in a much more challenging D&O market for health care companies. Risk managers should expect to face additional rate increases in 2014 and be prepared to provide underwriters with detailed answers about their response to health care reform.”

PC360 has more on this story.

Check out I.I.I. information on D&O liability insurance.
