Protecting Your Business from Wildfires

There are currently about 60 large wildfires burning in the United States, mostly in western states. But a combination of high temperatures and dry and windy conditions can make wildfires a threat almost anywhere. Adding to the situation is the fact that more and more businesses are expanding into the wildland-urban interface (WUI)—wildfire-prone areas where homes and businesses are located. This creates a growing wildfire risk to businesses, according to the Insurance Institute for Business and Home Safety (IIBHS).

The Property Casualty Insurers Association of America lists the most expensive U.S. wildfires to date, all in western states:

To protect buildings from wildfires, IIBHS recommends that businesses survey the materials and design features of their structures; as well as the types of plants used, their location and maintenance.

Organizations also should determine their fire hazard severity zone (FHSZ) by evaluating the landscape, fire history in the area and terrain features such as slope of the land. Organizations can request the FHSZ rating from local building or fire officials in their area.

IIBHS notes three sources of wildfire ignition:

  1. Burning embers, or firebrands, generated by a wildfire and made worse in windy conditions.
    • Embers can ignite in several ways: By igniting combustible construction materials directly when accumulating on or immediately adjacent to them. Combustible construction materials are those that ignite and burn such as wood, plastic, and wood-plastic products used in decking and siding. By igniting nearby plants and accumulated debris such as pine needles or other combustible materials such as a wood pile. By entering a building through openings, such as an open window or attic vent, and ignite combustible items inside the building.
  1. Direct flame contact from the wildfire
  2. Radiant heat emanating from the fire

It is critical to assess a building’s construction, including roofs, windows, vents and exterior walls, also important is the area surrounding a structure, including trees and plants, IIBHS said.

A defensible space zone around the building will reduce the risk of fire. This includes consideration of specific types of plants and how they are grouped and maintained.

Plant characteristics associated with higher combustibility include:

  • Narrow leaves or needles (often evergreen)
  • Volatile resins and oils, as indicated by leaves that have an aromatic odor when crushed
  • Accumulation of fine, twiggy, dry, or dead material on the plant or on the ground under the plant
  • Loose or papery bark that often falls off and accumulates on the ground (such as palms and eucalyptus).

2017 Atlantic Hurricane Season Outlook

With the official opening of 2017 Atlantic hurricane season fast approaching, researchers appear cautiously optimistic the relatively quiet streak will continue.

Today, Colorado State University’s Tropical Meteorology Project released the extended range forecast of 2017 Atlantic seasonal hurricane activity, predicting slightly below-average activity in the Atlantic basin, with a forecast of 11 named storms, four hurricanes, and two major hurricanes.

Philip Klotzbach, CSU

The probability of at least one major (Category 3+) hurricane making landfall on the entire U.S. coastline is 42%, compared to an average of 52% over the past century. The probability of such a storm hitting the East Coast, including peninsula Florida is 24%, compared to an average of 31%. Thus, CSU noted, the estimated probability of a major hurricane making landfall in the U.S. this season is approximately 80% of the long-period average.

Hurricane activity may not be as critical a determinant for how insurers and property-owners will fare, however. Aon Benfield’s Global Catastrophe Recap reports have consistently noted the rising toll of economic and insured losses due to severe weather events including severe thunderstorms, hailstorms, and flash flooding. In Texas alone, for example, Aon Benfield reports the state incurred record thunderstorm-related losses for the year, with insurers citing costs exceeding $8.0 billion.

Other recent studies support this trend. In the Willis Re and Columbia University report Managing Severe Thunderstorm Risk, researchers found the risk to U.S. property from thunderstorms is just as high as from hurricanes. Their review of Verisk Analytics loss statistics for 2003 to 2015 found the average annual loss from severe convective storms including tornadoes and hailstorms was $11.23 billion, compared to $11.28 billion from hurricanes. Considering the past decade alone, severe convective storms posed the largest annual aggregated risk peril to the insurance industry.

willis re severe convective storms

Costs Climb as Companies Move to Mitigate Supply Chain Interruptions

Some 70% of companies have experienced at least one supply chain interruption during the past year, with an unplanned IT or telecommunications outage the leading cause, according to the eighth edition of the Business Continuity Institute’s (BCI) Supply Chain Resiliency Report, produced in association with Zurich Insurance Group.

Covering 526 respondents in 64 countries, the report studies the causes, costs, and frequency of such events while also looking at companies’ progress in responding to supply chain interruptions and mitigating further occurrences.

While 70% of respondents reported at least one supply chain interruption during the past 12 months, only 17% said they have had no supply chain disruptions, with 13% saying they did not know. Perhaps more alarming is the increase to 13%—from 3% previously—of respondents reporting more than 20 such incidents.

Also alarming is the upward trajectory of costs associated with supply chain disruptions. The portion of respondents reporting cumulative losses of more than € 1 million ($1,058,171.30) resulting from supply chain interruptions jumped to 34% in this year’s survey from just 14% previously.

An unplanned IT or telecommunications outage was the leading cause of a supply chain disruption for the fifth consecutive year, followed by a loss of talent or skills, which jumped to second place from fifth, and then cyberattack or data breach, which dropped to third place from second. Despite this drop, the portion of respondents which said that cyberattacks and data breach had a ‘high impact’ on their supply chains increased from 14% to 17%.

Reaching the top 10 for the first time was terrorism, which moved to ninth from eleventh, while currency exchange rate volatility had the largest move up the list of event causes, jumping to seventh from 20th last year and cracking the top 10 for the first time since 2012. Insolvency in a company’s supply chain also reentered the top 10 for the first time since 2012, moving from 14th to 10th.

Lost productivity (68%), increased cost of working (53%), and customer complaints received (40%) were listed as the top three consequences of a supply chain interruption by respondents. The perception of such incidents can also hurt a company, with damage to brand reputation/image (38%), shareholder/stakeholder concern (30%), and share price fall (7%) all named by respondents as consequences of a supply chain disruption.

“It is crucial to note that the percentage of organizations reporting reputational damage as a result of supply chain disruption is at its highest level since the survey began. As this coincides with greater media scrutiny and social media discussions related to organizations, this result might be a good opportunity to reflect on reputation management and how supply chain disruptions might translate into adverse publicity for a given organization,” said the report.

As threats and costs grow, there appears to have been at least some progress in more closely addressing the issue.

While the percentage of respondents without firm-wide reporting of supply-chain incidents remains high at 66%, the portion of those using firm-wide reporting has grown steadily across the past five reports, rising from just 25% of respondents in 2012 to 34% in the 2016 report, the latest. Similarly, the portion of respondents which employ no reporting has declined steadily from 39% in 2012 to 28% in 2016.

As reporting is on the rise, so too is the complexity of interruption incidents as external supply chains cause more incidents. The portion of respondents which said the majority of their interruptions came from external supply chains jumped to 24% from 9% previously, and the portion attributing at least a quarter of interruptions to external suppliers more than doubled to 34% from just 15% previously.

Even with reporting on the increase, however, insurance uptake appears to be declining. Just 4% of respondents said they were fully insured against supply chain losses, down from 10% previously, with small and medium-sized enterprises more likely to be uninsured, at just 39%, than large organizations at 62%.

“These variations in insurance uptake may indicate a need to revisit business continuity arrangements and risk transfer strategies pertaining to supply chain disruptions,” according to the report.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appears to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.