Critical Infrastructure, Security and Resilience Highlighted in November

National Critical Infrastructure Security and Resilience Month (CISRM) kicked off on Nov. 1. The month’s initiatives address risks such as extreme weather, aging infrastructure, cyber threats and acts of terrorism. Its timing is certainly appropriate, as the effects of recent hurricanes on infrastructures in southern states and Puerto Rico continue to be assessed, as well as Northern California’s devastating wildfires and the deadliest shooting massacre in modern U.S. history.

The month was created by the Obama administration and the Department of Homeland Security (DHS) hosts CISRM in an effort to promote education and awareness of the 16 critical infrastructure sectors that are vital to public safety and national security. Its page reads:

The evolving nature of the threat to critical infrastructure—as well as the maturation of our work and partnership with the private sector—has necessitated a shift from a focus on asset protection to an overarching system that builds resilience from all threats and hazards.

A CISRM toolkit provides companies with templates and drafts of newsletter articles, blogs, and other collateral material for use in outreach efforts. Activities geared toward business owners, public entities and private citizens focus on several key themes to enhance security and resilience, including:

  • Highlighting interdependencies between cyber and physical infrastructure
  • Pointing small and medium-sized businesses to the free tools and resources available to them to increase their security and resilience through Hometown Security and the four steps of “Connect, Plan, Train, and Report”
  • Promoting public-private partnerships
  • Fostering innovation and investments in infrastructure resilience

In his proclamation of CISRM earlier this week, President Trump further committed to helping businesses invest in “needed capital and research and development by reducing burdensome regulations and enacting comprehensive tax reform.” The proclamation states:

We will also renew our Nation’s focus on ensuring that the next generation has the education and training, particularly in science, technology, engineering, and math, required to meet the known and unknown threats of the future.

Overall the United States’ infrastructure is among the top 18 in the world, according to the 2017 FM Global Resilience Index, which aggregates data to help companies identify their key supply chain risks. The U.S. continued to hold high rankings among 130 countries based on drivers in three categories: economic, risk quality and supply chain factors. The U.S. is segmented into three regions to reflect disparate natural hazards exposure:

  • Region 1, encompasses much of the East Coast, is ranked #10 in the index (a one-spot upgrade from last year)
  • Region 2, primarily the Western U.S., is ranked #18 (a three-spot upgrade)
  • Region 3, which includes most of the central portion of the country, is ranked #9 (down three places)

Although the federal government is less focused on asset protection, business owners can still get involved by safeguarding workplaces. In its October 2017 edition, CLM magazine noted that another path toward resilience involves reducing property damage caused by extreme weather and natural disasters. Literally looking to the sky is one suggestion; business and property owners should pay particular attention to their roofs in order to prevent degradation and enable them to withstand high winds.

“Property owners need to have maintenance personnel adopt and implement preventative maintenance and roof inspection programs that alert them to potential and active degradation,” wrote the authors of the article, “Time For Resilience.” “Weak links such as roof detachment, corrosion, or other damage could tear off roofing during an enhanced wind event. Such risks need to be mitigated before an event occurs.”

Ready.gov provides resources on disaster planning and management, and also has this section on Business Continuity.

Coverage, Breaches Highlighted at Advisen Cyber Conference

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 20 panels and sessions on Oct. 26. The keynote was delivered by former New York City Mayor Rudolph W. Giuliani, currently the chair of Greenberg Traurig LLP’s Cybersecurity, Privacy and Crisis Management practice. Giuliani used sports analogies to describe the cybersecurity industry, noting that, “the defense trails the offense by about five years.” Comparing the newest waves of protection software to a strong rookie pitcher, he said, “A new pitcher may come along and strike everybody out as he goes through the league a few times. But eventually he gets figured out and [hackers] figure it out,” he said. “It needs at least a year of being attacked for real,” to find the gaps in efficiency, and leads to the “the kind of experimentation that will yield better results.”

In the session, “SME: In A League of Their Own,” moderator John Mullen, CEO and founding partner of Mullen Coughlin, a cybersecurity and data privacy firm, discussed the growing importance of cyber insurance among small- and medium-sized companies. He asked panelists where they have seen productivity. Panelists agreed that growth among small law firms and accounting firms were strong contributors. Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, noted he is already seeing breaches of W2 tax forms, which he said is worrisome with tax season approaching. “With some of the recent, large incidents and all the information that was compromised, I think W2s are going to come roaring back again,” Bruemmer said.

As for a look into the future, Bruemmer noted that while startups show great potential for growth, they need to make cyber policy purchases while in their infancies. “Any startup needs cyber protection,” he said, adding that this is particularly crucial during the initial financing and hiring stages, as “You see too many of them go out [of business]. They’re great companies with great ideas but they don’t consider cyber.”

Andy Lea, CNA’s vice president of underwriting for E&O, cyber and media, echoed those sentiments, saying that with the thousands of businesses created each year, “there will always be new buyers and there will be opportunity for this industry to provide value.”

During an afternoon panel, Erica Davis, Zurich North America’s senior vice president, specialty products and E&O, highlighted results from the newly-released annual  Advisen Information Security and Cyber Risk Management Survey, which found that risk professionals view cyber-related business continuity risk less seriously than data integrity risk. This was surprising, she said, as business interruption costs have risen and high-profile business interruption attacks have taken center stage.

The survey also found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth has gone stagnant after a steady six-year increase from 35% to 65%. Davis noted that the survey ended before the Equifax breach announcement in September.

“These findings may indicate that businesses are not up to speed on the magnitude of the impact that business interruption losses are beginning to have,” she said. “Annually, the survey results are critical for understanding how businesses are thinking about cyber risk and what we need to do to help them protect themselves as we watch this issue continue to evolve.”

The study found that corporate concerns about cyber may be waning, even as the nature of cyberattacks has evolved to include ransomware and malware

According to the study:

  • For the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyber risk.

  • 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization—down significantly from 85% in 2016.

  • Only 53% of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017.

Zombie Risk Management 101

An emerging risk over the past 10 years has been the rise of undead walkers, or “zombies” and their influence on supply chains, natural resources and mortality rates. These once-alive individuals thrive on human flesh and spread deadly diseases; their exploits have been well documented in California and Georgia for years on basic cable television.

Renegade armies have made significant gains in controlling the risks of these attacks and uprisings using makeshift weapons, but sadly, the supply chain is limited due to an outbreak that has been wiping out Americans.

To avoid these risks, on Halloween, encourage employees to travel in pairs in case the undead appear out of the shadows, as they often do. Their bites are infectious and pose the risk of death or even worse—you could become one of them. Should you sustain a bite, consider whether you will want to:

  • “Live on” and become a flesh-eater
  • Be placed under special quarantine
  • Be terminated on-the-spot to prevent future outbreaks and harm

As previously reported in Risk Management magazine, when considering risk management techniques for zombie encounters, such as fight or flee, it pays to plan ahead: Consider objects around you that could be used as weapons, wear shoes that can accommodate speed if fleeing is necessary and always be aware of your surroundings.

The undead do not need oxygen or blood to function, as detailed in the Zombie Survival Guide. They can thrive on land and even under water, so be sure to account for both scenarios when designing your contingency plans. If you are preparing to defend yourself or your company, it’s suggested you use a long blade or propulsion weapon and be sure to aim for the head. It is commonly believed that once its brain is pierced, a zombie should perish for good. Visit the CDC’s Zombie Preparedness page for more survival techniques and tips on how to best handle an encounter with the undead.

Keeping Halloween Parties Safe in the Workplace


This year, Halloween is expected to be celebrated by a frightening number of Americans – 179 million. According to the National Retail Federation, 48% of adults plan to celebrate in-costume. These 18-year-olds-and-older are not just chaperoning young trick-or-treaters, many are also employees with their own collective sweet tooth. If you plan to indulge these kids-at-heart with a voluntary workplace celebration, here are some tips to consider:

Dress Code Updates

Your company’s dress code policy will obviously need some flexibility for the day, but one can still be enforced in an effort to limit costumes or themes that are too polarizing, provocative or offensive. It’s good practice to inform employees that certain dress code policies will be enforced.

“Provide examples of inappropriate costumes, such as costumes that are too revealing or are ethnic-, religious- or race-based costumes,” Obermayer Rebmann Maxwell & Hippel LLP, an employment and discrimination law firm, said on its blog. “Request that employees avoid political costumes that could be offensive. If an employee shows up in an offensive costume, send the employee home to change into appropriate clothes.”

Safety Hazards

Even when preparing your company’s party, safety should come first. Be sure that anyone involved in decorating and preparations uses proper equipment. It may seem basic, but related workplace accidents can lead to lawsuits and fines. For example, a preschool teacher broke her arm in 2010 while standing on a child’s seat to hang some decorations, and the school incurred a $5,000 penalty for violating OSHA’s safety terms. Decorations should not put any worker in harm’s way or prohibit their ability to do their job.

Fire risks increase during Halloween parties, often due to the combination of candles and the flammability of the decorations and costumes. PropertyCasualty360.com encourages holiday staples like jack-o-lanterns, but suggests using flameless LED candles that are bright enough to illuminate your carving but don’t pose the risks of a real flame. Due to their flammability, the site also dissuades the use of:

  • Dried flowers or floral arrangements.
  • Corn husks or dried corn stalks.
  • Crepe paper garland or other paper decorations.
  • Homemade paper-towel ghosts.
  • Driveway lanterns with real candles.

Food and Drink

It’s not just employees’ sensibilities that are delicate. According to the Center for Disease Control and Prevention (CDC), 50 million Americans suffer from an allergy each year. Be sure to have employees report any food allergies to the party planner in advance to ensure no one suffers a physical reaction.

If your business has a liquor license and continues serving a visibly intoxicated person, you may be liable for any accidents they cause. In many states, expanding employer liability is a gray area. Some state laws dictate that an employee’s conduct – even after he or she has left a company-hosted party – can still be traced back to the employer. That means that if, for example, an employee is caught driving while intoxicated and/or causes an accident afterward, an injured party can file a lawsuit against the company. When examining such a scenario based on a 2013 court case, Law360 noted:

Since liability is no longer confined to activities conducted on company property, employers may feel the need to police employees before they leave the premises.

Overall Appropriateness

If you’re still up in the air about hosting a party, then that in itself might be an indication to pass on it in the classic sense. The Society for Human Resource Management suggests reflecting on prior Halloween activities and the feedback received from employees or customers:

If most workers did not participate, this practice might not fit with the company culture. Consider alternative ways to celebrate, such as a company potluck or luncheon.

By following these tips, your company can reduce safety hazards and the risks of harassment, lawsuits and outbreaks. October is also Fair Trade Month. Check out Ben & Jerry’s sweet ways to have a “Fair Trade Halloween.”