Monthly Archives: April 2009

Immediate Vault Immediate Access

P is for Pandemic

Posted on by

In the last few years, plenty of publications, including Risk Management (whose blog this is), have spent no small amount of energy discussing pandemic risk. The spectre of H5N1, the lethal strain of avian flu you’ve heard so much about, has predominated, but other ailments, such as SARS, which shut down the city of Toronto a few years ago but caused few actual deaths, also figure prominently on the mass-disease radar.

The truth is, today’s globalized economy, with rapid and ubiquitous international travel, as well as intense urban development and massive interaction between human and animals all makes the planet one giant incubator for the kind of pandemic that can a) spread quickly and easily between human and animal hosts, b) prove fatal or at least seriosly debilitating, and c) can affect a huge number of people over an international or intercontinental level.

Now, this story got old after SARS didn’t pan out and bird flu never ended the world. Ominously, the same thing happened with terrorism and hurricane risk. Security experts pointed out just how effective it would be to fly airliners into skyscrapers well in advance of 9/11, and yet it was not enough to prevent it from happening. Likewise, when Hurricane Charlie nearly leveled New Orleans, the United States was given its final wake-up call to the increasing severity to coastal risk (especially to that particular city). The next year, Katrina. And we all know how that sad story ended.

So we find ourselves talking about pandemic risk again while Mexico City has shut down due to a large and sudden A (H1N1) outbreak that has already killed at least 20 (whoops! make that 68 – CNN just confirmed it), sickened 1,000 more, and might very well have the needed ingredients to become the big pandemic the World Health Organization has been trying to warn us for a long while. Already, this flu outbreak appears to have elements of human, swine and avian flu, and if people are just learning about it when they are getting sick from it, then it might already have gotten out of the barn, so to speak.

When we covered avian flu back in 2006, we did it from a disaster management angle, focusing on things like having proper workers compensation coverage, having contingency plans for dealing with an empty office, and having remote working policies in place so folks could keep operations going under quarantine conditions. We hoped it was the sort of story we’d cover because we had to just to be thorough, and that nobody would ever actually need it. If Mexico City is a sign of things to come, however, it might be required reading. And as much as we like folks to get a lot out of our book, we don’t like it that much.

Keep your eyes peeled on this blog for updates; we’ll likely be coming back to it soon. A (H1N1) doesn’t look like an instant death sentence — most flus are not, and confirmed cases in New York City means the recent flu I just fought through may have been the same one in Mexico City. But Mexico City is shut down because of this, and there are a bunch of dead and sick people from it; even if it stays at just that level the sickness will have wrought havoc on one of the world’s largest cities. That, my friends, should be enough pandemic risk for anyone’s measuring stick. This is real. The question is, how much more real will it get? And how much will this spur people to take pandemic risk seriously while it still can be considered pre-emptive action? Sadly, not enough, I’ll wager. But time will tell. I hope to be proven wrong.

UPDATE: Many countries are now taking measures to prevent the flu from spreading within their borders.

Officials around the world on Sunday raced to contain an outbreak of A (H1N1) as potential new cases were reported from New Zealand to Hong Kong to Spain, raising concerns about the potential for a global pandemic.

Governments issued travel advisories urging people not to travel to Mexico, the apparent origin of the outbreak, where 81 people have died and some 1,300 have been infected. China, Russia and others set up quarantines for anyone possibly infected. Some countries banned pork imports from Mexico, even though there is no link between food products and the flu, and others were screening air travelers for signs of the disease.

UPDATE II: After the first case of A (H1N1) reported in Europe (Spain, specifically), the EU health czar is urging Europeans to stay out of Mexico and the United States.

Hoping to head off a global pandemic of swine flu that has surfaced in North America, the European Union’s health commissioner on Monday urged Europeans to avoid traveling to the United States or Mexico if doing so is not essential.

The warning came as health officials in Spain confirmed early Monday that a man hospitalized in eastern Spain had tested positive for A (H1N1), becoming what appeared to be Europe’s first case of the disease. Health authorities were also testing 17 other suspected cases across Spain, a major hub for travel between Mexico and Europe.

Britain and other European Union nations had already issued travel advisories for those traveling to Mexico, but the European Union’s health commissioner went a step further on Monday in urging Europeans to avoid nonessential trips. Europeans, she told reporters in Luxembourg, “should avoid traveling to Mexico or the United States of America unless it is very urgent for them.”

RIMS 2009 Wrap-Up

Posted on by

Yesterday marked the conclusion of the 2009 RIMS Conference & Exhibition, where the entire risk management and insurance industry gathered in Orlando to challenge its risk I.Q. From charitable work at the Give Kids the World Village and inspiring keynote speeches to the massive Exhibit hall and the extravagant evening receptions, RIMS 2009 provided guests with an exceptional experience.

As for us, all the editors at Risk Management magazine were able to make many valuable contacts and devise dozens of new story ideas that we look forward to sharing with all of you in future editions.

What was the highlight of RIMS 2009 for you?

UPDATE: Check the RIMS site for even more post-Conference coverage, including each day’s Show Daily newsletter, attendee Twitter feeds (you can follow our editor Jared Wade @RiskMgmt) and a Conference image gallery.

The Exhibit Hall was the hub of the excitement with some 400 exhibitors.

The Exhibit Hall was the hub of the excitement with some 400 exhibitors.

Hiscox Studies Privacy & Data Security

Posted on by

On Monday at RIMS 2009, Hiscox unveiled its new study “Data Privacy and Corporate America: Who’s Recognizing the Risk.” So I sat down earlier today with one of the report’s authors Jim Whetstone, who is the company’s senior VP of technology E&O.

The chief finding is that 38% of Fortune 500 companies surveyed do not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filings, which when broken down by sector is even more alarming: 46% of diversified financial companies, 50% of telecommunications firms and an astounding 80% of utilities. 

Worse still is that, according to Whetstone, many of even those that do realize the financial and reputational risks associated with a potential security breach deem the easiest solution, encryption, to be too cost-prohibitive to use even though they realize it would largely mitigate the threat altogether. You see, currently around 45 states now have laws that require any organization that loses confidential consumer/patient/student/etc. data to notify anyone who was affected. And that’s when the lawsuits, complaints and horror stories of identity theft begin. Not only is this a huge financial burden — the costs of hiring computer forensic specialists, mailing notifications, setting up call centers and offering free credit monitoring adds up very, very quickly — but the comparable reputational fallout is nearly impossible to quantify.

All this could be averted in most cases, however, with data encryption since almost all those same state laws also include a “safe harbor” provision that allows companies who safeguarded the data to forego the onerous notification process.

To put this all in proper perspective, all Whetstone had to do was ask me one question: “You know why a car has brakes?” 

Since I learned this fact around first grade, I thought to myself “I got this one…to stop, right?”

But before I said anything he answered his own question: “So it can go fast.”

Most companies are prioritizing innovation — and rightly so. They’re trying to gather as much consumer data as possible to put this to use in sales, development and improved customer relations. But in making these technological advances, it’s also important to ensure you have the right safeguards in place. “It’s a constant battle between technology and the brakes on the car,” said Whetstone. “Companies are trying to be innovative — they’re trying to push the envelope — and that’s always dangerous.”

Whetstone has no delusions that any company should stall innovation for the sake of encryption and data security, however. On the contrary, he thinks gathering all this data is huge advantage for companies. They just have to be careful and understand their vulnerabilities. And all it takes is glancing at a few of the colorful charts in Hiscox’s report to realize that most companies are failing at the latter endeavor. In TJ Maxx’s infamous data breach, for example, the company was attempting to improve its store’s operations by implementing a wireless network yet it failed to realize that sub-par security opened up the location to nefarious data thieves.

Of course, it is indeed true that encryption is still expensive in some cases — back-archiving old legacy systems, for instance. But using encryption doesn’t have to be an all-or-nothing proposition and Whetstone believes that, at a minimum, companies need to at least encrypt the data stored on laptops, USB drives and back-up tapes. He includes this in what he calls a “defense-in-depth approach” to IT security. By securing those physical items that can be left at an airport or in a taxi cab, you allow risk managers and legal counsel to rest easy knowing that their employees at least won’t be giving confidential data away. Hackers can still breach the network and that will remain a concern, but protecting the physical storage devices provides a first level of defense.

And most importantly, risk managers need to be involved in the IT discussion. The ideal balance between the legal team, IT and risk management is unique for each company. But unless everyone is talking and understands the priorities and recommendations of the others, data breaches are only going to happen more often.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.

An Unfortunate Cancellation

Posted on by

With so much ink having been spilled over AIG in recent weeks, it seemed a particularly forward-thinking move for AIU to host a session today entitled “Evaluating Carrier Security Through Financial Crisis.

” After all, the insurance wing of AIG is not the part of the company that caused all of the trouble with credit default swaps. It’s still a world leader in insurance, and it is a firm with an enormous amount of strength behind it. It’s almost unfair that such a well-run operation should suffer any stigma attached to its parent, and for things it had nothing to do with, but unfair things happen all the time.

Especially in the world of insurance.

Unfortunately, when I went to the session, I found that it had been cancelled. Exactly why it was canceled is something I don’t know and honestly, I don’t much care to. After all, AIU has a long-standing relationship with RIMS and with this Conference, and there could be any number of reasons why the session did not come together. That’s not the point.

This session would have been a great opportunity for AIU to talk frankly to those who want to know if their insurance partners are really going to be there for them when they are needed. I suspect the event would have attracted a fair bit of trade media attraction, which is always reason for any firm to get a little nervous. But that aside, AIU has a lot of information and insight to share.

It’s too bad they could do that with us today. Another time, perhaps.