Year in Review

As another year comes to an end, we thought it would be fun to take a look back at our most popular posts in 2014.

Our most-read posts here at Terms + Conditions ran the gamut from extreme weather, to drones, Obamacare and cyber risk.

Perhaps not surprisingly, three of our top 10 posts during the year were on the topic of cyber risk and its impact on companies large and small.

In Latest Cyber Security Breach: 1.2B Passwords Stolen we reported on the largest known data breach to date, in which a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

Our post Data Breaches Becoming More Damaging revealed that data breaches are now the greatest risk factor for identity fraud. In 2013, one in three consumers who received notification of a data breach became a victim of fraud, up from one in four in 2012, according to a report by Javelin Strategy & Research.

And in The Importance of Having a Cyber Liability Policy we highlighted that while companies hit by a data breach look to their insurance policies for coverage, recent legal developments indicate that reliance on traditional insurance policies is not enough.

In case you missed them the first time round, here’s a complete list of our top 10 posts:

1. NOAA: Extreme Cold and Snow Unlikely This Winter
2. Drones and Insurance
3. IRC: P/C Insurers Not Immune to Effects of Affordable Care Act
4. Cavalcade of Risk #209: Risk Assessment
5. Latest Cyber Security Breach: 1.2B Passwords Stolen
6. Poor Service, Not Price Drives Auto Insurance Customers to Shop
7. Data Breaches Becoming More Damaging
8. Sports, Concussion Risk and Liability
9. To Lie or Not To Lie
10. The Importance of Having a Cyber Liability Policy

Thanks for following and commenting. We wish all our readers a very happy new year!

Being Prepared: 10 Years after Indonesian Earthquake and Tsunami

December 26 marks the 10th anniversary of the Indonesian earthquake and tsunami which killed more than a quarter of a million people in Indonesia, Thailand, Sri Lanka, India and other countries surrounding the Indian Ocean.

A decade later, it’s perhaps surprising to read that weaknesses remain in the tsunami warning system across the region.

Yet maybe the best protection for residents living in tsunami-vulnerable areas is to learn natural tsunami warning signals and which areas have the highest flood risk.

A gallery of tsunami protection lessons posted by Allianz cites three key signs from GeoHazards International’s Tsunami Preparedness Guidebook:

- Strong earthquake shaking, particularly shaking lasting longer than 30 seconds;
- Withdrawal of the sea to unusually low levels; and
- Loud roar from the ocean, similar to a jet airplane, explosion or sudden, intense rainfall.

Identifying evacuation routes — creating hazard and evacuation maps showing the quickest and safest routes to higher ground or other safe areas — is also a key recommendation. Allianz notes that it is critical to involve government and emergency responders when developing these maps.

Education and awareness among residents in tsunami-prone areas, then, can play as important a role as instrument-based tsunami warning systems.

In addition to high mortality risk, earthquakes and tsunamis can cause significant insured property damages.

Insured losses from earthquakes and tsunamis amounted to just $45 million in 2013, far below the record $54 billion recorded in 2011, according to facts and statistics compiled by the I.I.I.

On March 11, 2011 a devastating tsunami hit the coast of northeast Japan, triggered by a powerful earthquake approximately 80 miles offshore. The quake and tsunami caused $35.7 billion in insured damages, according to Swiss Re.

Also, early in 2011, a powerful earthquake struck Christchurch, New Zealand, resulting in $15.3 billion in insured losses.

The Japan and New Zealand quakes are among the 10 costliest world earthquakes and tsunamis, based on insured damages, according to Munich Re.


Cyber Risk on the Inside

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

“This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be wary of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in this I.I.I. paper on cyber risks.

Winter Storms and Thunderstorms Top 2014 Most Costly Cats

Natural catastrophes and man-made disasters cost insurers $34 billion in 2014, down 24 percent from $45 billion in 2013, according to just-released Swiss Re sigma preliminary estimates.

Of the $34 billion tab for insurers, some $29 billion was triggered by natural catastrophe events (compared with $37 billion in 2013), while man-made disasters generated the additional $5 billion in insured losses in 2014.

Despite total losses coming in at below annual averages, the United States still accounted for three of the most costly insured catastrophe losses for the year, with two thunderstorm events and one winter storm event causing just shy of $6 billion in insured losses (see chart below).


In mid-May, a spate of strong storms with large hail stones hit many parts of the U.S. over a five-day period resulting in insured losses of $2.9 billion — the highest of the year.

Extreme winter storms at the beginning of 2014 caused insured losses of $1.7 billion, above the average full-year winter storm loss number of $1.1 billion of the previous 10 years, sigma said.

Total economic losses from disaster events in 2014 reached $113 billion worldwide, according to sigma estimates, and around 11,000 people lost their lives in those events.

Ongoing events and revisions to estimates for previous ones may further change the 2014 loss outcomes, sigma noted, as this data includes updates to source data made by 28 November 2014 only.

More on global catastrophe losses from the I.I.I. here.

IBM: Information Sharing Key to Address Cyber Threat

There’s an interesting moment in a report on the current state of cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security, with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber risk in your business, check out this I.I.I. presentation.

Towers Watson Surveys Commercial Insurance Pricing

What a difference a year makes. Towers Watson’s most recent Commercial Lines Insurance Pricing Survey (CLIPS) shows that commercial insurance prices rose again by 3 percent in aggregate during the third quarter of 2014, drawing a line after five consecutive quarters of moderating price increases.

The chart below compares the change in price level reported by carriers on policies underwritten during the third quarter of 2014 to those charged for the same coverage during the third quarter of 2013.


Towers Watson noted:

“Price changes reported by carriers mark a pause in the moderation of price increases observed in the prior five consecutive quarters, following increases of between 6 percent and 7 percent, as reported in the second half of 2012 and first half of 2013.”

Price increases were fairly similar to those reported one quarter ago for most lines, but continued moderation in workers compensation and some specialty lines was offset by flat pricing in property.

The employment practice liability line, followed by commercial auto, reported the largest price increases, Towers Watson said. Price increases for most lines fell in the low single digits.

Commercial property data indicated no rate change following a slight price decrease one quarter ago. When comparing account sizes, price increases were more moderate for large and specialty accounts than small and mid-market accounts, Towers Watson added.

Insurance Journal has more on this story here.

For the most recent survey, data were contributed by 43 participating insurers representing approximately 20% of the U.S. commercial insurance market (excluding state workers compensation funds).



Sony Cyber Attack Breaks New Ground

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment–Sony’s second major hacker attack in three years–and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies, causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

“An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

“Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

“It’s almost impossible to think of a company that hasn’t been hacked–the Pentagon’s secret network, the White House, JPMorgan–it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

“Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance, too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than in 2013, when the total number of data breaches and records exposed soared.

More on the potential fallout and growing identity theft threat facing consumers here.

In Memoriam: Gordon C. Stewart 1939-2014

I.I.I. president Dr. Robert Hartwig shares his thoughts on the passing of his predecessor Gordon Stewart:

The Insurance Information Institute lost one of its own last week with the passing of its former president, Gordon Stewart, at the age of 75. Like many, I was deeply saddened to hear of his passing when his wife, Zanne, called me the day before Thanksgiving. That said, there is no question that his was a life that was very well and very fully lived.

I had known Gordon since 1998 when he hired me as the Institute’s economist and was privileged to work alongside him until his retirement in 2006, handing over the reins to me at that time. From my very first meeting with him–my interview–I knew that Gordon was different. During that first meeting we must have spoken for nearly two hours–during only a fraction of which did we discuss nitty gritty insurance issues. The conversation leapt from insurance to domestic and global economic concerns of the day to politics to fine art, to theater and classical music and back again. Gordon could manage to segue with ease between incredibly diverse topics and in the process always leave you a little smarter than you were before the conversation. He could also leave you scratching your head. How does this man know all this stuff? Why didn’t I see those same connections? These were just a few of the questions I often had to ask myself. But I learned from those experiences–and that’s exactly what Gordon would have wanted.

Gordon’s passion for the arts, literature, language and history transcended his professional life. He named our servers and printers after composers. The I.I.I. offices in lower Manhattan showcased his enormous and eclectic art collection, which included everything from ancient Chinese pottery to 20th-century pop art icons like Andy Warhol. His office wall was festooned with pictures of him with presidents (all of them–dating back to Nixon), popes and potentates of every sort from every corner of the globe. Once while accompanying Gordon on a business trip to Boston he met up for dinner with the famous “French Chef,” Julia Child. On another trip, this time to Washington, he gave a free piano concert to passersby in the lobby of the Mayflower Hotel. Yes, he was a classically trained pianist, and I was spellbound by the performance (he insisted that he was merely practicing!).


Gordon’s formal education at various institutions in the U.S. and Europe focused on history, music, art and literature. He was a master of the written and spoken word–and spoke German fluently. His intellect and passion for what he believed in made him a formidable debater and in the final analysis, a very persuasive individual. These traits served him well in his years writing speeches for President Jimmy Carter and while working in the administrations of two New York City mayors, John Lindsay and David Dinkins.

Gordon’s deep political experience prepared him well for his time in the private sector, first with the American Stock Exchange and then with the I.I.I. Gordon was keenly aware of the power of public perception. When he became president of the Institute in 1991, the insurance industry’s approval rating was just 35 percent. By the time he retired in 2006 it exceeded 60 percent.

Retirement didn’t slow Gordon down. The fact that he remained active in the insurance world through the International Insurance Society and the Geneva Association was a great benefit to the industry. And in many ways, the pace at which he lived his life quickened. He founded an online newspaper and was able to fully indulge his passion for art, music and theater–including teaching his young daughter, Katy, to play piano.

Gordon also returned to his love of 18th century music and last fall recruited top musicians playing period instruments to perform his own arrangement of Handel’s Messiah, conducting the concert just before Christmas. He was planning to conduct this challenging piece once again this Christmas as well as Beethoven’s Eroica next June.

It is impossible to summarize the full 75 years of such an extraordinary man. Despite having known him for 16 years, my words cannot possibly do him justice. When he died he was in the midst of writing his memoirs. How I would have enjoyed reading them, end-to-end.

Gordon was an utterly extraordinary man and I had the good fortune to call him a colleague, a mentor and friend. He was someone I deeply admired and respected for so many reasons and I, as well as everyone who knew him, will miss him dearly.