About Hilary Tuttle

Hilary Tuttle is the editor of the Risk Management Monitor and Risk Management magazine.

And the 2017 RIMS Awards Go to…

PHILADELPHIA—At today’s RIMS 2017 Awards Luncheon, the society issued its top honors for achievement in the risk management and insurance industry.

Scott B. Clark, area senior vice president and enterprise risk management consultant at Arthur J. Gallagher & Co., received the society’s most prestigious honor, the Harry and Dorothy Goodell Award. Named after RIMS’ first president, the award recognizes outstanding service and achievement in furthering the goals of the society and the discipline of risk management.

Richard Hackenburg and Glen Frederick were this year’s inductees into the Risk Management Hall of Fame, presented in conjunction with AIG.

In his 45-year risk management career, including leadership roles at Willis and XL Insurance, Hackenberg received the 1993 Goodell Award and served as president of RIMS in 1985 and later as chairman of the Spencer Educational Foundation, where he remains a director emeritus.

Frederick, former director of risk management client services with the government of British Columbia, received the Goodell Award in 2011 and, the same year, the Donald M. Stuart award for outstanding contribution to the risk management profession in Canada. He served as chair of the RIMS Canada Council in 2006 and co-chair of the RIMS Canada Conference in 2003. Frederick’s 30-year career also included leading implementation of the enterprise risk management strategy for the Vancouver organizing committee (VANOC) and the International Olympic Committee (IOC) to manage risks associated with the 2010 Olympic Games—the first to use an ERM strategy, which is now required for all Olympic games.

“Industry heroes like Richard Hackenburg and Glen Frederick were selfless, giving back to the risk management community and paving the way for future practitioners,” said RIMS CEO Mary Roth. “It is an honor to join AIG in inducting these risk management stalwarts into the Risk Management Hall of Fame.”

The RIMS Rising Star Award, issued to risk management professionals who are under 35 or have less than seven years of experience in the industry, was given to William Lehman. An insurance specialist at Cook Group Incorporated, Lehman was recognized for demonstrating exceptional initiative, volunteerism, professional development, achievement, and leadership potential.

Debra Samuel, manager of insurance and risk management at Arconic Inc., was recognized for exceptional service to strengthen and support the strategic initiatives of RIMS with the RIMS Ambassadors Group award. This year’s Cristy Award for the highest marks on the three Associate of Risk Management exams went to Michael Ratto, risk procurement manager at Kraemer North America.

2017 Atlantic Hurricane Season Outlook

With the official opening of the 2017 Atlantic hurricane season fast approaching, researchers appear cautiously optimistic that the relatively quiet streak will continue.

Today, Colorado State University’s Tropical Meteorology Project released the extended range forecast of 2017 Atlantic seasonal hurricane activity, predicting slightly below-average activity in the Atlantic basin, with a forecast of 11 named storms, four hurricanes, and two major hurricanes.

[Photo: Philip Klotzbach, CSU]

The probability of at least one major (Category 3+) hurricane making landfall on the entire U.S. coastline is 42%, compared to an average of 52% over the past century. The probability of such a storm hitting the East Coast, including peninsular Florida, is 24%, compared to an average of 31%. Thus, CSU noted, the estimated probability of a major hurricane making landfall in the U.S. this season is approximately 80% of the long-period average.

Hurricane activity may not be as critical a determinant for how insurers and property-owners will fare, however. Aon Benfield’s Global Catastrophe Recap reports have consistently noted the rising toll of economic and insured losses due to severe weather events including severe thunderstorms, hailstorms, and flash flooding. In Texas alone, for example, Aon Benfield reports the state incurred record thunderstorm-related losses for the year, with insurers citing costs exceeding $8.0 billion.

Other recent studies support this trend. In the Willis Re and Columbia University report Managing Severe Thunderstorm Risk, researchers found the risk to U.S. property from thunderstorms is just as high as from hurricanes. Their review of Verisk Analytics loss statistics for 2003 to 2015 found the average annual loss from severe convective storms including tornadoes and hailstorms was $11.23 billion, compared to $11.28 billion from hurricanes. Considering the past decade alone, severe convective storms posed the largest annual aggregated risk peril to the insurance industry.

[Chart: Willis Re, severe convective storms]

International Women’s Day: Risk Management Issues to Watch

A 2013 piece on the role of women in risk management remains the most controversial article we’ve ever run in Risk Management magazine and the one that received the most comments and letters to the editor, hands down. Many of those reader comments were…let’s just say less than kind or receptive.

Today, International Women’s Day, offers the perfect opportunity to revisit that article, Woman at Work: Why Women Should Lead Risk Management, and some of our more recent coverage of pressing issues like the wage gap and gender parity at the board level.

The significance of this conversation is ever clearer, given not only the political climate and regulatory concerns, but also the simple data about the bottom line. Just last year, the Peterson Institute for International Economics and EY found that almost a third of companies globally have no women in either board or C-suite positions, 60% have no female board members, 50% have no female top executives, and less than 5% have a female CEO. After analyzing 21,980 publicly traded companies from 91 countries and a wide range of industries, their report, Is Gender Diversity Profitable? Evidence from a Global Study, found that organizations with leadership that is at least 30% female could add up to 6 percentage points to their net margin.

“The impact of having more women in senior leadership on net margin, when a third of companies studied do not, begs the question of what would be the global economic impact if more women rose in the ranks?” said Stephen R. Howe Jr., EY’s U.S. chairman and Americas managing partner. “The research demonstrates that while increasing the number of women directors and CEOs is important, growing the percentage of female leaders in the C-suite would likely benefit the bottom line even more.”

While study after study comes to similar conclusions, a recent report from EY explored why businesses need gender diversity for innovation to thrive. Five disconnects continue to hold businesses back from achieving gender diversity on their boards, the firm found:

  1. The reality disconnect: Business leaders assume the issue is nearly solved despite little progress within their own companies.
  2. The data disconnect: Companies don’t effectively measure how well women are progressing through the workforce and into senior leadership.
  3. The pipeline disconnect: Organizations aren’t creating pipelines for future female leaders.
  4. The perception and perspective disconnect: Men and women don’t see issues the same way.
  5. The progress disconnect: Different sectors agree on the value of diversity but are making uneven progress toward gender parity.

Check out some of our previous coverage of key issues regarding women in business and risk management specifically:
Equal Work, Unequal Pay: Risks of the Gender Wage Gap
The Wage Gap in the Boardroom
Is the Insurance Industry Improving for Women?
Boards Still Lagging on Gender Parity
Preparing for New Pay Equity Requirements

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies understand the true nature of the risk hackers can pose, even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” attacks against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, it has little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appear to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.