Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.
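The workflow that paragraph describes (record the alert, assign a named owner, keep the status visible, remind and escalate while it is overdue, and close it only after independent verification) can be made concrete in a few dozen lines. The following Python model is an added illustration, not code from the article, from Equifax, or from any ERM product; the task identifier, dates, SLA windows, people and escalation tiers are constructed assumptions.

```python
"""Constructed model of a vulnerability-remediation tracker.

Illustrates the ERM controls the article calls for: a recorded alert with a
named owner, visible status, reminders that escalate while overdue, and a
close-out that requires verification by someone other than the patcher.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

OPEN, PATCHED, VERIFIED = "open", "patched", "verified"

# Assumed remediation windows per severity (days). Real values are a policy choice.
SLA_DAYS = {"critical": 2, "high": 7}
DEFAULT_SLA_DAYS = 30


@dataclass
class RemediationTask:
    alert_id: str                      # reference to the external advisory (constructed)
    severity: str
    owner: str                         # a named individual, never a mailbox or team alias
    received: datetime
    status: str = OPEN
    patched_by: Optional[str] = None
    verified_by: Optional[str] = None
    reminders: List[Tuple[datetime, List[str]]] = field(default_factory=list)

    @property
    def due(self) -> datetime:
        return self.received + timedelta(days=SLA_DAYS.get(self.severity, DEFAULT_SLA_DAYS))


def record_alert(alert_id: str, severity: str, owner: str, received: datetime) -> RemediationTask:
    """Recording the alert is the first control: it cannot get lost in an inbox."""
    return RemediationTask(alert_id, severity, owner, received)


def send_reminders(task: RemediationTask, now: datetime) -> List[str]:
    """Escalate while the task is open past its deadline; return who was notified.

    Tiering (assumed): owner at any overdue age, the owner's manager after one
    day, the security executive after three days. Nothing is sent before the
    deadline or after verification.
    """
    if task.status == VERIFIED or now <= task.due:
        return []
    overdue_days = (now - task.due).days
    recipients = [task.owner]
    if overdue_days >= 1:
        recipients.append(f"manager-of:{task.owner}")
    if overdue_days >= 3:
        recipients.append("ciso")
    task.reminders.append((now, recipients))
    return recipients


def mark_patched(task: RemediationTask, by: str) -> None:
    task.status = PATCHED
    task.patched_by = by


def verify(task: RemediationTask, by: str) -> None:
    """Close the task only when someone other than the patcher confirms the fix."""
    if task.status != PATCHED:
        raise ValueError("cannot verify a task that has not been patched")
    if by == task.patched_by:
        raise ValueError("verification must be independent of the person who patched")
    task.status = VERIFIED
    task.verified_by = by


def overdue_tasks(tasks: List[RemediationTask], now: datetime) -> List[str]:
    """The transparency view: every unverified task past its deadline."""
    return [t.alert_id for t in tasks if t.status != VERIFIED and now > t.due]


def demo() -> Dict[str, object]:
    """Walk one constructed critical alert through the workflow."""
    t0 = datetime(2017, 3, 1)  # constructed receipt date
    task = record_alert("ADVISORY-EXAMPLE-001", "critical", "alice", t0)
    before_deadline = send_reminders(task, t0 + timedelta(days=1))   # within SLA: no noise
    one_day_late = send_reminders(task, t0 + timedelta(days=3))      # owner + manager
    four_days_late = send_reminders(task, t0 + timedelta(days=6))    # + ciso
    open_now = overdue_tasks([task], t0 + timedelta(days=6))
    mark_patched(task, "bob")
    try:
        verify(task, "bob")          # same person: must be rejected
        independent_check = False
    except ValueError:
        independent_check = True
    verify(task, "carol")            # independent reviewer closes it
    after_close = send_reminders(task, t0 + timedelta(days=10))
    return {
        "before_deadline": before_deadline,
        "one_day_late": one_day_late,
        "four_days_late": four_days_late,
        "overdue_before_fix": open_now,
        "independent_check_enforced": independent_check,
        "final_status": task.status,
        "verified_by": task.verified_by,
        "after_close": after_close,
        "reminder_count": len(task.reminders),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the reminders are driven by the task's deadline and status, not by anyone remembering to forward an email, and that closing the task takes two different people, so a patch that was announced but never applied cannot be marked done by the same person who claimed it.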

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating, both verbally and electronically, the people involved in sensitive requests and actions. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

Insurance Industry Responds to House Approval of NFIP Renewal

Insurance industry trade groups lauded the U.S. House of Representatives’ vote on Nov. 14, reauthorizing the National Flood Insurance Program (NFIP). The 21st Century Flood Reform Act (H.R. 2874) would reauthorize the program for five years and enact operational changes. Advocates from RIMS, the risk management society, the Property Casualty Insurers Association of America, and SmarterSafer.org also asked that the Senate waste no time in passing its version of the measure before its expiration on Dec. 8.

On Sept. 8, President Trump signed legislation passed by both houses to extend NFIP authorization until Dec. 8, which previously had been set to expire Sept. 30.

Dow Jones reports that the act’s reforms include:

  • Authorizing $1 billion to elevate, buy out or mitigate high-risk properties
  • Capping flood insurance premiums at $10,000 per year for homeowners
  • Removing hurdles to the private flood insurance market, which often offers better coverage at lower cost than the NFIP
  • Providing for community flood maps and a homeowner’s ability to appeal their flood designation
  • Better aligning NFIP rates to match a property’s true risk, particularly for in-land and lower-value properties
  • Improving the claims process for flood victims
  • Addressing repeatedly flooded properties, which account for 2% of NFIP policies but 25% of claim payments

While it applauded the U.S. House of Representatives for deciding to reauthorize the NFIP, RIMS, the risk management society, also urged the Senate to quickly follow up before the program’s Dec. 8 expiration. Allowing the NFIP to expire would have “significant repercussions, impacting both corporate and residential property owners,” said RIMS Vice President Robert Cartwright Jr.

“Nearly five million American consumers rely on the NFIP to protect their homes, properties, and businesses,” said Nat Wienecke, senior vice president of federal government relations at the Property Casualty Insurers Association of America (PCI). “A long-term reauthorization is needed to provide consumers and markets with reliability and stability when it comes to flood insurance coverage.”

SmarterSafer.org, a coalition of taxpayer advocates, environmental groups, insurance interests, housing organizations and mitigation advocates, said in a statement that this year’s “historic hurricane season has pushed the nation’s debt-ridden flood insurance program past the point of bankruptcy once again, so we applaud the House for passing a legislative package that reforms the NFIP to ensure the program is financially sustainable for the future.” The organization also lauded the House for investing in recommended measures including “mapping and mitigation, addressing affordability and providing consumer choice in the flood insurance marketplace.”

The NFIP was created more than 50 years ago to provide affordable flood insurance as private insurers pulled out of the market. The program’s mounting debt led Congress to cancel $16 billion of it last month. NFIP now has about $6 billion to pay claims and $10 billion left that it can borrow from the Treasury Department, according to the Federal Emergency Management Agency, which manages the program.

Keeping Halloween Parties Safe in the Workplace


This year, Halloween is expected to be celebrated by a frightening number of Americans – 179 million. According to the National Retail Federation, 48% of adults plan to celebrate in-costume. These 18-year-olds-and-older are not just chaperoning young trick-or-treaters, many are also employees with their own collective sweet tooth. If you plan to indulge these kids-at-heart with a voluntary workplace celebration, here are some tips to consider:

Dress Code Updates

Your company’s dress code policy will obviously need some flexibility for the day, but one can still be enforced in an effort to limit costumes or themes that are too polarizing, provocative or offensive. It’s good practice to inform employees that certain dress code policies will be enforced.

“Provide examples of inappropriate costumes, such as costumes that are too revealing or are ethnic-, religious- or race-based costumes,” Obermayer Rebmann Maxwell & Hippel LLP, an employment and discrimination law firm, said on its blog. “Request that employees avoid political costumes that could be offensive. If an employee shows up in an offensive costume, send the employee home to change into appropriate clothes.”

Safety Hazards

Even when preparing your company’s party, safety should come first. Be sure that anyone involved in decorating and preparations uses proper equipment. It may seem basic, but related workplace accidents can lead to lawsuits and fines. For example, a preschool teacher broke her arm in 2010 while standing on a child’s seat to hang some decorations, and the school incurred a $5,000 penalty for violating OSHA safety standards. Decorations should not put any worker in harm’s way or impede their ability to do their job.

Fire risks increase during Halloween parties, often due to the combination of candles and the flammability of the decorations and costumes. PropertyCasualty360.com encourages holiday staples like jack-o-lanterns, but suggests using flameless LED candles that are bright enough to illuminate your carving but don’t pose the risks of a real flame. Due to their flammability, the site also dissuades the use of:

  • Dried flowers or floral arrangements.
  • Corn husks or dried corn stalks.
  • Crepe paper garland or other paper decorations.
  • Homemade paper-towel ghosts.
  • Driveway lanterns with real candles.

Food and Drink

It’s not just employees’ sensibilities that are delicate. According to the Centers for Disease Control and Prevention (CDC), 50 million Americans suffer from an allergy each year. Be sure to have employees report any food allergies to the party planner in advance to ensure no one suffers a physical reaction.

If your business has a liquor license and continues serving a visibly intoxicated person, you may be liable for any accidents they cause. In many states, expanding employer liability is a gray area. Some state laws dictate that an employee’s conduct – even after he or she has left a company-hosted party – can still be traced back to the employer. That means that if, for example, an employee is caught driving while intoxicated and/or causes an accident afterward, an injured party can file a lawsuit against the company. When examining such a scenario based on a 2013 court case, Law360 noted:

Since liability is no longer confined to activities conducted on company property, employers may feel the need to police employees before they leave the premises.

Overall Appropriateness

If you’re still up in the air about hosting a party, then that in itself might be an indication to pass on it in the classic sense. The Society for Human Resource Management suggests reflecting on prior Halloween activities and the feedback received from employees or customers:

If most workers did not participate, this practice might not fit with the company culture. Consider alternative ways to celebrate, such as a company potluck or luncheon.

By following these tips, your company can reduce safety hazards and the risks of harassment, lawsuits and outbreaks. October is also Fair Trade Month. Check out Ben & Jerry’s sweet ways to have a “Fair Trade Halloween.”

RIMS Legislative Summit 2017: Focus on Flood

WASHINGTON—The RIMS Legislative Summit kicked off on Wednesday in Washington, D.C. with a panel led by Congressional office staff.

Panelists included Democratic staff in the U.S. House of Representatives; Jason Tuber, senior advisor to Senator Menendez (D-NJ); Ed Skala, deputy staff director for the House Financial Services Committee; Brandon Beall, professional staff member, Senate Committee on Banking, Housing and Urban Affairs; and Lisa Peto, chief counsel for the Financial Services Committee.

The focus was the once-again looming expiration of the National Flood Insurance Program (NFIP). The program was set to expire in September but was saved with a temporary extension, now set to expire again on Dec. 8.

The panelists, each of whom began with the disclaimer that these were their own opinions and not those of their office, came to a consensus that a new NFIP was critical and that a gap in coverage is certainly not ideal, and they acknowledged that their offices were working on a bipartisan resolution.

Some of the major concerns discussed were:

  • Funding—who will fund the NFIP? If the NFIP expires or ceases to exist, would the burden fall on the taxpayer, and then ultimately on government anyway? Should excess flood coverage be privatized? There was also discussion on whether mandating that states offer certain protections for flood exposure would help the situation.
  • Accessibility and Affordability—what measures must be included in the new bill to not only make sure flood insurance is available but that it is available at an affordable price?
  • Residential vs. Commercial—Panelists discussed whether there should ultimately be two versions of the NFIP, one for residential and small-business policyholders and one for large commercial businesses. It was noted that large commercial businesses might have flood coverage elsewhere or be better funded to retain some risk and, as such, should have the opportunity to opt out. This would bring new challenges in determining what qualifies a business as small or large (e.g., an online enterprise that generates considerable revenue but operates out of someone’s basement).
  • Risk Mitigation—Should risk mitigation be a part of the final bill? Incentives for both the insurer and the insured would support organizations that practice good risk management. The argument was made, however, that not all residents and not all businesses have the funds for risk management. For example, not everyone has the money in the bank to raise the height of a house or storefront.

Jim McIntyre, RIMS Washington, D.C. counsel and chair of McIntyre & Lemon, stated, “It is probable that we’re looking at another extension come December. Unfortunately for the National Flood Insurance Program, bills regarding trade, healthcare and immigration will take precedence at the moment and [the NFIP] might have to wait a bit longer.”

On day two of the summit, about 50 RIMS members descended on Capitol Hill for meetings with congressional leaders. The goal was to share RIMS priorities for a long-term National Flood Insurance Program.