About Hilary Tuttle

Hilary Tuttle is the associate editor of the Risk Management Monitor and Risk Management magazine.

October 2015 the Warmest Ever Recorded

It isn’t just your imagination: October 2015 was the warmest on record worldwide, and saw the greatest above-average deviation for any month. According to the National Oceanic and Atmospheric Administration, the average temperature across global land and ocean surfaces was 1.76 °F above the 20th century average, surpassing the previous record set last year by 0.36 °F. The globally-averaged land surface temperature was 2.39 °F above the 20th century average—the highest for October in 136 years of NOAA records.

NOAA land and ocean temp percentiles

October was also the warmest month ever compared to average, out of a total of 1,630 months. What’s more, NOAA reports, eight of the first 10 months of the year have been record warm for their respective months—also a record number of broken records. Globally-averaged land surface and sea surface temperatures have been 1.55 °F and 2.30 °F above average, respectively, surpassing all previous records. With many months setting record high temperatures by unprecedented margins, NOAA said in August that there was a 97% chance that 2015 would secure the title of the warmest year on record, and it remains solidly on track.

In early November, the Met Office, Britain’s national weather service, and NASA both reported that the Earth’s average temperature is likely to rise 1 °C above pre-industrial levels for the first time by the end of 2015. This milestone is significant since it marks the halfway point to two degrees Celsius, the internationally accepted limit for avoiding the worst consequences of climate change, the Washington Post reported. Since 2000, global monthly heat records have been broken 32 times, yet the last time a monthly cold record was set was in 1916, according to CBS News.

Some of the heat is likely due to a strong El Niño event in the Eastern Pacific that continues to gather strength. This year’s El Niño is already one of the three strongest ever seen, CNN reports, but cannot account for all of the year’s warmth, as 13 of the 15 warmest years on record have occurred since 2000. Rather, it is the combination of long-term warming and the strong El Niño that is pushing Earth toward its second consecutive warmest year on record.

According to Aon Benfield’s October 2015 Catastrophe Report, there were three billion-dollar weather-related disasters in October: flooding in South Carolina with economic losses of at least $2 billion, $4.2 billion in damage from Typhoon Mujigae in China, and $1 billion in damage from flash flooding in France. The firm estimates worldwide economic losses from October to total more than $10 billion. There have been 21 billion-dollar weather events through October 2015, Aon reported, on pace for a lower total than the annual average of 28.

Check out the infographic below for more of the major climate anomalies and events from October 2015:

NOAA october climate anomalies

Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date. According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies to expose the personal information of more than 100 million people, netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution” and which exposed the personal information of 83 million customers, the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated. Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, which makes such crimes particularly difficult to solve. But it may also highlight one key resource for doing so: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation for helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage. This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

The Riskiest States for Employee Lawsuits

In 2014, U.S. companies had at least an 11.7% chance of having an employment charge filed against them, according to the new 2015 Hiscox Guide to Employee Lawsuits. The firm’s review of data from the Equal Employment Opportunity Commission and its state counterparts found that the risk also varied notably by state, as local laws creating additional obligations—and risks—for employers led to charge rates up to 66% above average.


State laws that are driving some of this increased employee charge activity include heightened anti-discrimination/fair employment practices, the use of E-Verify in the private sector, pregnancy accommodation, prohibitions on credit checks, and restrictions on inquiring about or requiring background checks.

Key state laws driving increased employee charge activity

These cases can be especially damaging for small- and mid-sized enterprises, with 19% of employment charges among SMEs resulting in defense and settlement costs averaging $125,000 and taking about 275 days to resolve. The average self-insured retention for these charges was $35,000, Hiscox found, and without employment practices liability insurance, these companies would have been out of pocket an extra $90,000. What’s more, 81% resulted in no insurance payout, giving even nuisance charges the potential to be a serious financial hit. While the majority do not end up in court, when they do, the median judgment is about $200,000, not including defense costs, and 25% of cases result in a judgment of $500,000 or more.

During the hiring process, written procedures that outline and comply with federal and state laws can help minimize risk, as can maintaining a customized employee handbook that all staff acknowledge in writing they have reviewed. In addition to risk transfer, such as an employment liability insurance policy, Hiscox offered several tips to best mitigate the risk of employment charges, including:

Independent contractors

Be careful when designating independent contractors. There are variations among states and areas of law as to the test for an independent contractor. It is possible for a worker to be considered an independent contractor for some purposes and an employee for others.

Leaves of absence and accommodation for disabilities

A medical condition can trigger federal and state leave and disability laws, which vary, as well as workers compensation laws. Make it a policy to recognize events or discussions that create an obligation to discuss accommodations or a possible leave of absence.

Employee performance

Ensure that all supervisors and managers are aware of the procedure for addressing unacceptable employee performance. Communicate to the employee about what they are doing (or not doing) that is unacceptable, and make sure they understand what constitutes acceptable performance. Document all communications. Conduct factual, honest performance evaluations. Develop and maintain a procedure for corrective action plans.


To minimize litigation around termination, avoid surprises. Make sure that all guidelines have been followed for addressing unsatisfactory performance, particularly the corrective action plan. Prior to termination, assess the risk for litigation: is the employee a member of a protected class, involved in protected labor activities, or a potential whistleblower? Is the employee under an express or implied-in-fact employment contract? Gather and review the documentation that supports the termination and interview relevant players.

Cyber Insurance Purchasing Up, But Breaches Felt in Prices and Limits

NEW YORK—At yesterday’s Advisen Cyber Insights Conference, Zurich and Advisen released the fifth annual Advisen Cyber Survey of U.S. risk managers, finding a 9% acceleration in cyber liability insurance purchasing from 2014 to 2015. The firm has seen a 26% increase in the number of respondents who have coverage since the first survey in 2011.

Companies are taking cyberliability more seriously, Zurich reports, with the number of organizations developing data breach response plans up 10% from last year. What’s more, companies appear to be better recognizing the sheer amount of value at risk, with two-thirds of respondents saying they have either increased their policy limits or are considering doing so. While Zurich found that more organizations view information security as an organizational challenge rather than the purview of the IT department alone, and respondents said that boards and executive management are taking cyberrisk more seriously, those who have not yet obtained cyber coverage say it is because their superiors still do not see the need. There is also still a considerable difference in take-up rates among large corporations and small and mid-sized businesses, with Catherine Mulligan, senior vice president and national underwriting manager of specialty E&O, telling the audience there is an approximate 20-point spread between the groups.

“This year’s cyber survey shows that demand for coverage and higher limits has increased tremendously and we at Zurich have seen double digit growth year over year,” said Bryan Salvatore, president of specialty products for Zurich North America. “That is why we are heavily invested in identifying risks and delivering solutions and why we are committed to staying at the forefront of this issue.”

Marsh has also seen considerable growth in cyber liability insurance purchasing among its clients. According to the insurer’s new midyear cyber benchmarking report, the number of U.S.-based Marsh clients purchasing standalone cyber insurance increased 32% in the first half of 2015, up from 26% growth during this period in 2014. By sector, members of the education industry made up the biggest growth, with 155% more clients purchasing the coverage, followed by power and utilities with a 100% increase and manufacturing with a 76% increase. The healthcare sector remains Marsh’s largest buyer of cyber coverage, with 41% of all clients in this industry purchasing it by the end of the first half of 2015.

Cyber liability insurance growth rates

Sessions throughout the conference made clear that insurers—and the industry at large—are still struggling with what is also risk managers’ biggest challenge: data. Completely evaluating the true value at risk with cyber liability continues to elude both sides, although many new approaches and consultancy services are emerging. Further, the dearth of actuarial data not only compounds the challenges of the cyberrisk assessment process, but also makes it hard for the industry to set pricing and limits with confidence.

“It is hard for insurers to be prudent with cyber as risk managers often do not fully understand how to measure their exposure,” Mulligan said.

“Actuarial data is the Holy Grail of the cyberinsurance market: we’re all searching for it and it’s just not there,” said Bob Parisi, cyber product leader at Marsh, who moderated a session on the struggle to quantify and model cyberrisk.

In addition to the actuarial uncertainty, the considerable number of large losses over the past few years is continuing to push up the cost of cyber, forming what Willis executive vice president Peter Foster described as a “hot” market that will have to cool and solidify with time. Parisi chose to describe the market as “brittle” after absorbing several hundred million dollars in losses, and a range of insurers and brokers reported that premiums have increased dramatically as a result. The Marsh study found that price increases across industries averaged 19%, with 32% increases among retailers, the most frequently breached sector over the past few years.

cyber insurance limits purchased

While these breaches and better estimates of the real cost of cyber incidents have helped many companies realize they may be underinsuring for cyber liability, the move to correct this is getting more difficult. Insurers have said repeatedly that there is plenty of capacity in the cyberinsurance market and many buyers have increased the limits purchased, but higher limits of liability are increasingly hard to come by, and none really exist in excess of $100 million. Particularly for businesses that have yet to implement serious efforts to address information security, rate increases appear sure to continue, and simply buying more coverage will not only be unsustainable, but may not even be possible as insurers give more thought to the capacity they are willing to commit to these risks.

“There is just not enough capacity to extend $50 to $100 million limits to every account,” said Greg Vernaci, AIG’s head of cyber in the United States and Canada. “We are looking to reward those companies with a robust information security posture who go beyond and take a multifaceted approach to managing cyberrisk.”