Along with Hurricanes Come Hackers

Cyber crime
With hurricane season in full swing, supermarkets and electronic stores aren’t the only businesses in danger of looting. When defenses are down and attention is elsewhere during a natural disaster, critical data and intellectual property is just as vulnerable to looting as the shopping center down the street.

Each year, the amount of personal information targeted from data breaches only continues to grow. There was a new record set near the end 2015 when 191 million U.S. voters’ identities were exposed, surpassing the previous record for the largest single data beach. Personally identifiable information, including voters name, date of birth, gender, and addresses were exposed for more than a week before the database was officially shut down. Just imagine the opportunity for hackers during natural disasters when systems are down for a similar time frame.

Take “Superstorm Sandy,” back in 2012. Cyber criminals used confusion in the aftermath of the hurricane as part of a social engineering scheme to steal information. One organization received a call requesting an emergency download of sensitive personnel information needed to assist staff that had been affected by flooding. Lost internet connectivity as a result of the storm meant the help desk could not make a reasonable verification of who was making the request and sent the highly sensitive information to the bogus caller’s “backup site,” which was, as it eventually transpired, a system controlled by hackers. During times of crisis we are more susceptible to cyber criminals willing to prey on our good nature and eagerness to help.

The semi-controlled chaos of an emergency response is rife with opportunities for exposure of sensitive data. Here are five steps enterprises can take to minimize cyber exposure before, during and after a natural disaster.

  1. Security Analytics: According to the 2016 Internet Security Threat Report, the overall total number of identities exposed has jumped 23%, to 429 million. Security analytics tools allow IT managers to have full visibility into all network traffic, they can also help enterprises determine if and when anything happened, what systems and data were affected and if the attack has been contained. Monitoring these tools can also be outsourced to security service providers.
  1. Be Secure in the Cloud: During a natural disaster, buildings may be flooded or damaged and roads may be closed, ‘dedicated’ servers can lack the flexibility and access provided in a cloud environment. Access for continuing operations and first-responders operating from mobile devices can be critical in a disaster. But, it is important that your cloud is protected and monitored; access management is top priority. IT managers can use cloud access security brokerage technologies to restrict workers from creating accounts on services such as Box or DropBox and transferring restricted data. More importantly, the information residing in cloud applications can be encrypted and tokenized.
  1. Plan for Emergency Web Access & Bandwidth Management: Prioritizing access to the network becomes critical during natural disasters. With bandwidth tight, restrict and prioritize web access to only the most critical sites and resources. Set up a more restrictive web access policy prior to an emergency and be ready to deploy it when needed. Do the same for bandwidth management. Be ready to prioritize applications such as VoIP and cache critical information like official communications for viewing from a local cache.
  1. Protect social media and public websites: Customers will be looking for updates via social media and websites during and after emergencies. During these times, it is critical to protect public information resources. Web application firewalls can protect the website from common attacks, control input/output and access as well as detect unfamiliar traffic patterns. Twitter is a critical communication resource, but this can also be used to promote malicious information. Deploy security features such as two-factor authentication and verification codes for social media accounts.
  1. Practice, Practice, Practice. Table top exercises, readiness assessments and “live fire” exercises are essential to good preparation. I’m fond of the quote, usually attributed to the boxer, Mike Tyson: “Everyone has a plan until they get punched in the mouth.” Having led a significant number of crisis teams, every disaster presents unique challenges but successfully surviving a determined cyber criminal’s attempts demands on both preparation and practice.

While we can’t always predict the weather, with the right protocols for security in place, enterprises can ensure that their IT infrastructure is protected 24/7.

Small Villages Hit Hardest by Italian Earthquake

A strong 6.2 magnitude earthquake that stuck Central Italy in the early morning hours of Aug. 24 has caused about 250 deaths and hundreds of injuries. The temblor stuck 10km (6.2 miles) southeast of Norcia and 100km (62.13 miles) northeast of Rome. Areas with the most damage are smaller, older towns consisting of unreinforced masonry buildings. One such town was Amatrice, which the town’s mayor has said “no longer exists.”

Dozens of aftershocks have since occurred in the area—the strongest a magnitude 5.5. Because it was a shallow quake, occurring about six miles below the surface, it was more destructive, the New York Times reported.
Italy map

Map: USGS.gov

The vicinity of Wednesday’s temblor has also experienced significant earthquakes in the past, including one with a magnitude of 6.3 near the town of L’Aquila in 2009. According to the Times. That quake killed at least 295 people, injured more than 1,000 and left 55,000 homeless. Bloomberg reported that only about 2% of the economic loss from the 2009 quake was insured.

Catastrophe modeling firm AIR Worldwide said that Italy’s nonlife insurance market is the eighth-largest in the world and the fifth largest in Europe, and its property insurance market is the second-largest nonlife market in the country after automobile. Earthquake coverage, however, is often not included in standard homeowners’ policies and is typically issued as an extension of fire policies. Earthquake coverage for industrial and commercial structures may be offered for an additional premium, which varies by region.

Fitch Ratings said on Aug. 26 that it expects to see limited impact on Italian insurers. According to Fitch:

We estimate insured losses of EUR100 million-EUR200 million, arising mainly from property lines. Our estimate reflects the low density of population and businesses and limited insurance coverage in the region. Claims of this magnitude would not have a material impact on Italian insurers’ underwriting results or credit profiles. Italian non-life insurers wrote EUR2.3 billion of gross written premiums of property insurance in 2015.

Italy has declared a state of emergency in the region hit by the earthquake and the government has pledged EUR50 million for first aid. The declaration of a state of emergency means that certain losses will be covered by a state fund for emergencies, limiting losses for insurers.

We expect the insured losses to be EUR40 million-EUR80 million for primary insurers and EUR60 million-EUR120 million for reinsurers. A similar event that struck a nearby area in 2009, where the insurance exposure was higher, caused insured losses of around EUR250 million.

Planning for Extreme Floods

Flooding

Companies in the United States should begin preparing now for climate change, which is predicted to cause extreme weather conditions, according to FM Global’s report, The Impact of Climate Change on Extreme Precipitation and Flooding. As the climate warms, areas that are dry will become drier and moist areas will see higher precipitation. The characteristics of precipitation will also change. “We feel cli­mate change not so much through subtle changes in the mean, but through changes in the extremes,” MIT Prof. Kerry Emanuel said in the report.

While the overall amount of precipitation might remain the same, it will become less frequent but more intense. A specific region of the country that has historically seen 10 inches of rain each May might see the same volume that month, for example, but those 10 inches may occur in a much shorter period of time, increasing the risk of flooding, according to the study.

By the end of the century, as temperatures rise, it is possible for precipitation to change by 8%, which could exacerbate wildfires in some areas and flooding in others. The danger is that, because these extreme events are infrequent, they lack urgency, so planning can easily be put off. Risk managers are advised to check their facility’s resilience in terms of the building’s ability to withstand flooding, focusing on 500-year flood levels rather than 100-year.

Extreme wet or dry conditions can affect a company’s buildings, machinery, data centers, transportation networks, supply chains, people and sales. Organizations should focus on water management—diverting water from property, optimizing drainage and protecting water supplies, and they should consider new weather extremes when managing supply chains.

Flood hazard mapping is increasingly proving helpful as understanding of water risk is improving, Louis Gritzo, vice president and manager of research with FM Global, wrote in “Mitigating Evolving Water Threats,” from this month’s Risk Management Magazine. Advances in technology have led to improvements in weather satellites, geospatial data acquisition and physical model development, making old models obsolete. Anyone working with information from a flood map that is more than 15 years old should consider an update, he wrote.

Those with a flood map should make sure it includes potential coastal flooding areas as well as river flooding, also taking into account the local topography of coastal locations. “Areas along the coast that are surrounded by hills and mountains will likely experience far more wind-blown water (storm surge), as the local terrain directs more water in spaces between steeper slopes,” Gritzo wrote.

FAA’s New Drone Rules Ready for Takeoff

Drone
The commercial use of drones, or unmanned aircraft systems (UAS), has been widely discussed in the insurance industry. There is much to speculate upon as the technology is still emerging, with any number of possible applications and concerning reports of injuries. While drones bring the promise of efficiency, there is also the uncertain risk profile that comes with this most exciting technology.

With new Federal Aviation Administration (FAA) rules ready to take off (pun intended) in August, there will be improved visibility into the procedures and practices used by drone operators. The FAA recently finalized the first operational rules for routine commercial use of drones and, while the total risk picture is still unknown, we can now evaluate the strength and appropriateness of safety controls employed by UAS operators.

Drones are being used in many industries, from construction to utilities to agriculture, and these industries will need to prioritize compliance and risk mitigation. Some of the new operational limitations from the FAA include:

  • At all times the drone must remain close enough to its remote pilot in command and the person manipulating the flight controls must be capable of seeing the aircraft with vision unaided by any device other than corrective lenses.
  • Drones may not operate over any person not directly participating in the operation, or under a covered structure, or inside a covered stationary vehicle.
  • Drones may only operate during daylight hours or 30 minutes before sunrise or 30 minutes after sunset with appropriate anti-collision lighting.
  • Drones cannot operate from a moving vehicle unless it is over a sparsely populated area.

These rules appear to provide sound guidelines, but most regulations are only as good as the ability for them to be enforced. For example, under the rules’ operational limitations section, it is stated that most of the new restrictions are waivable if the applicant demonstrates that his or her operation can be safely conducted under the terms of a certificate of waiver. How often will these waivers be allowed and how will the FAA conduct investigations? Insurers will be watching to see how the rules are implemented and enforced.

Clearly, we should take note of this important moment for drones, as implementation of federal safety standards for emerging risk drivers has spawned or grown new insurance business lines that are now viewed as essential coverages. For example, environmental regulation in the late 1970’s and 80’s created the need for environmental coverage. State and more recent federal cyber laws are the backbone of cyber policies as insureds must comply with standards to prepare for and respond to breaches. Most recently, the FDA’s Food Safety Modernization Act is driving insureds to take a fresh look at product recall insurance.

Risk managers should expect operating rules to drive new coverages that support the insured’s risk evaluation process. This will allow for a spectrum of outcomes from exclusionary wording for UAS operations to distinct coverage grants for safe and compliant operators. Loss control and consulting services from insurers could be helpful to guide the risk management surrounding drones. The federal rules also enable additional objective underwriting questions tied to compliance. Expect to see these questions incorporated into specific UAS underwriting application questions.

The risk manager can readily imagine the Coverage A risks that can arise from UAS operations. Those could include but are not limited to third party bodily injury resulting from aircraft failure, a wildfire resulting from a crash and potential catastrophic terrorism uses. Privacy risk under Coverage B is also a risk easy to imagine and well-documented even in the early stages of this new commercial risk driver.

Insurance brokers or consultants can also offer guidance on the various ISO endorsements in circulation seeking to clarify the commercial general liability aircraft exclusions to include unmanned aircraft. ISO endorsements provide options to include Coverage A and/or schedule-specific aircraft for coverage. I do not believe that ISO has plans to amend the currently available endorsement in response to the aforementioned FAA operating rules.

There is no question the use of drones is only going to expand in its application and, with that, operational safety will improve as exposures grow. The industry should expect increased regulations, including flight worthiness certification as well as possible insurance requirements. According to a Goldman Sachs analysis, total global spending on drones in the commercial market is estimated to be around $100 billion over the next five years. Of that, about $11.2 billion will be generated by the construction industry.

Risk managers should anticipate liability exposure for those that fail to comply with the new regulations. The uses are vast, and given the diversity of users the levels of knowledge and awareness of compliance obligations will vary. Education will be key to ensure users understand their responsibilities and the consequences for not meeting regulatory standards.

As the technology and uses continue to advance, catastrophic loss examples will likely arise in the future. I am hopeful that the new FAA regulation will be a useful tool to mitigate the unknown risks to both drone operators and third party premises owners that might be exposed to drone-related accidents.