About Hilary Tuttle

Hilary Tuttle is the editor of the Risk Management Monitor and Risk Management magazine.

Organizational Complexity Poses Critical Cyberrisk

According to a recent survey on IT security infrastructure, 83% of businesses around the world believe they are most at risk because of organizational complexity.

“Employees are not following corporate security requirements because they are too difficult to be productive, plus policies hinder their ability to work in their preferred manner,” noted the Ponemon Institute’s “The Need for a New IT Security Architecture: Global Study,” sponsored by Citrix. “It is no surprise that shadow IT is on the rise because employees want easier ways to get their work done.”

Shadow IT, the information technology systems built and used by an organization without explicit approval, has largely cropped up because employees feel official tools are too complex or otherwise difficult and inefficient. As a result, company data is being put on personal devices and official business is conducted on platforms that enterprise security teams can not monitor or secure.

Nearly three-quarters of respondents said their business needs a new IT security infrastructure to reduce risk. With increasing amounts of sensitive data stored, new technology like the internet of things adopted, and new cyberrisk threats constantly emerging, addressing individual security challenges may be impossible, Citrix Chief Security Officer Stan Black told eWEEK. Rather, companies should focus on larger issues like controlling complexity, developing and maintaining strong incident response plans, and rigorously vetting vendors with access to systems or responsibility for storing data.

Check out more of the report’s findings in the infographic below:

organizational complexity cyberrisk

Lloyd’s Finds Extreme Weather Can Be Accurately Modeled Independently

In a new report based on research from UK national weather service the Met Office, Lloyd’s has found that extreme weather events may be modeled independently. While extreme weather can be related to events within a region, these perils are not significant correlated with perils in other regions of the world.

The study’s key findings include:

  • Met Office research found that the majority of perils are not significantly correlated, but identified nine noteworthy peril-to-peril teleconnections, most of which are negatively correlated
  • Lloyds’ modeling finds that these correlations were not substantial enough to warrant changes to the amount of capital it holds to cover extreme weather claims
  • Even when there is some correlation between weather patterns, it does not necessarily follow that there will be large insurance losses. Extreme weather events may still occur simultaneously even if there is no link between them
  • An assumption of independence for capital-holding purposes is therefore appropriate for the key risks the Lloyd’s market currently insures
  • The methodology released in the report enables scenario modeling across global portfolios for appropriate region-perils

“This important finding supports the broader argument that the global reinsurance industry’s practice of pooling risks in multiple regions is capital efficient and that modeling appropriate region perils as independent is reasonable,” the report concluded.

According to Trevor Maynard, head of exposure management and reinsurance at Lloyd’s, “This challenges the increasingly held view among some regulators around the world that capital for local risks should be held in their own jurisdictions. Lloyd’s believes this approach reduces the capital efficiency of the (re)insurance market by ignoring the diversification benefits provided by writing different risks in different locations and, in so doing, needlessly increases costs, to the ultimate detriment of policyholders. Insisting on the fragmentation of capital is not in the best interests of policyholders.”

Check out the map below for further insight from the Met Office about large-scale weather perils that do demonstrate statistically significant correlation:

lloyd's extreme weather perils

Charting the Rise of Ransomware

At the beginning of the year, Risk Management put ransomware at the top of the list when surveying the 2016 cyberrisk threat landscape, and these attacks have arguably come to the fore as cyberthreat of the year, whether you measure by buzz or by increase in incidents.

Indeed, ransomware is not just grabbing headlines—these cyberattacks have quadrupled in 2016, according to a recent Beazley Breach Response Services review of client data breaches. Authorities report a similar surge at large, with the Department of Justice estimating that more than 4,000 ransomware attacks have occurred daily since the beginning of the year, representing a 300% increase from 2015. In July and August alone, 20% more of Beazley’s clients suffered a ransomware attack than in all of 2015. While the ransoms remain low, often in the range of $1,000, the firm points out that the true costs are dramatically higher due to the extensive review of company systems and data required to ensure the malware has been removed and data is clean.

Looking at specific industries, Beazley noted a significant uptick in attacks against financial institutions in the first three quarters of 2016, with hacking and malware accounting for 39% of breaches in the sector, up from 26% in 2015, and in higher education, these attacks increased from 38% last year to 46% in 2016. Hacking and malware account for a relatively steady proportion of just over half of breaches in the retail sector. Among healthcare organizations, however, human error has spiked, with 40% of industry incidents caused by unintended disclosure compared to 28% last year.

“From what we are seeing, it appears that many hackers are finding it easier to make money by holding companies to ransom for bitcoin than through selling personal data on the dark web,” said Katherine Keefe, global head of BBR Services. “But, the persistently high levels of hacking and malware attacks of all kinds are a reminder that organizations across industries, and of all sizes, need actionable plans ready to implement when a breach occurs.”

Check out the infographic below from security intelligence firm LogRhythm for more background on the rise in ransomware, how these attacks are impacting businesses, and how businesses are responding.

ransomware logrhythm
ransomware logrhythm

Examining U.S. Immigration’s Economic Impact

In last night’s third and final presidential debate of the 2016 election cycle, immigration again emerged as a defining topic in discussion of both regulatory reform and the economy. With an increasing amount of immigration by highly skilled laborers—and, of course, the potential reputation impact on companies seen as giving more jobs to non-citizens or moving out of the country in pursuit of labor—changes in such policy have clear implications for risk professionals.

Last month, the National Academies of Sciences, Engineering and Medicine released one of the most comprehensive studies to date on the economic impact of immigration in the United States. Overall, the researchers found that immigration over the past couple of decades has done more good than harm, creating positive impacts on the national economy and causing little lasting impact on the wages or employment levels of native-born Americans. “Immigration enlarges the economy while leaving the native population slightly better off on average,” the study said, also pointing out increases in innovation, entrepreneurship and technological change across the economy. “The prospects for long run economic growth in the United States would be considerably dimmed without the contributions of high-skilled immigrants,” the researchers reported.

Some of the study’s key findings and conclusions include:

  • When measured over a period of 10 years or more, the impact of immigration on the wages of native-born workers overall is very small. To the extent that negative impacts occur, they are most likely to be found for prior immigrants or native-born workers who have not completed high school—who are often the closest substitutes for immigrant workers with low skills.
  • There is little evidence that immigration significantly affects the overall employment levels of native-born workers. As with wage impacts, there is some evidence that recent immigrants reduce the employment rate of prior immigrants. In addition, recent research finds that immigration reduces the number of hours worked by native teens (but not their employment levels).
  • Some evidence on inflow of skilled immigrants suggests that there may be positive wage effects for some subgroups of native-born workers, and other benefits to the economy more broadly.
  • Immigration has an overall positive impact on long-run economic growth in the U.S.
  • In terms of fiscal impacts, first-generation immigrants are more costly to governments, mainly at the state and local levels, than are the native-born, in large part due to the costs of educating their children. However, as adults, the children of immigrants (the second generation) are among the strongest economic and fiscal contributors in the U.S. population, contributing more in taxes than either their parents or the rest of the native-born population.
  • Over the long term, the impacts of immigrants on government budgets are generally positive at the federal level but remain negative at the state and local level — but these generalizations are subject to a number of important assumptions. Immigration’s fiscal effects vary tremendously across states.

“The panel’s comprehensive examination revealed many important benefits of immigration—including on economic growth, innovation, and entrepreneurship—with little to no negative effects on the overall wages or employment of native-born workers in the long term,” said Francine D. Blau, Frances Perkins Professor of Industrial and Labor Relations and professor of economics at Cornell University, and chair of the panel that conducted the study and wrote the report. “Where negative wage impacts have been detected, native-born high school dropouts and prior immigrants are most likely to be affected.”

Check out the April cover story from Risk Management, “Welcome to America: Why Immigration Matters for Business,” for more on the risk management implications of immigration into the United States.