Coverage, Breaches Highlighted at Advisen Cyber Conference

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 20 panels and sessions on Oct. 26. The keynote was delivered by former New York City Mayor Rudolph W. Giuliani, currently the chair of Greenberg Traurig LLP’s Cybersecurity, Privacy and Crisis Management practice. Giuliani used sports analogies to describe the cybersecurity industry, noting that, “the defense trails the offense by about five years.” Comparing the newest waves of protection software to a strong rookie pitcher, he said, “A new pitcher may come along and strike everybody out as he goes through the league a few times. But eventually he gets figured out and [hackers] figure it out.” He added, “It needs at least a year of being attacked for real,” to find the gaps in efficiency, which leads to “the kind of experimentation that will yield better results.”

In the session, “SME: In A League of Their Own,” moderator John Mullen, CEO and founding partner of Mullen Coughlin, a cybersecurity and data privacy firm, discussed the growing importance of cyber insurance among small- and medium-sized companies. He asked panelists where they have seen productivity. Panelists agreed that growth among small law firms and accounting firms was a strong contributor. Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, noted he is already seeing breaches of W2 tax forms, which he said is worrisome with tax season approaching. “With some of the recent, large incidents and all the information that was compromised, I think W2s are going to come roaring back again,” Bruemmer said.

As for a look into the future, Bruemmer noted that while startups show great potential for growth, they need to make cyber policy purchases while in their infancies. “Any startup needs cyber protection,” he said, adding that this is particularly crucial during the initial financing and hiring stages, as “You see too many of them go out [of business]. They’re great companies with great ideas but they don’t consider cyber.”

Andy Lea, CNA’s vice president of underwriting for E&O, cyber and media, echoed those sentiments, saying that with the thousands of businesses created each year, “there will always be new buyers and there will be opportunity for this industry to provide value.”

During an afternoon panel, Erica Davis, Zurich North America’s senior vice president, specialty products and E&O, highlighted results from the newly released annual Advisen Information Security and Cyber Risk Management Survey, which found that risk professionals view cyber-related business continuity risk less seriously than data integrity risk. This was surprising, she said, as business interruption costs have risen and high-profile business interruption attacks have taken center stage.

The survey also found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth has gone stagnant after a steady six-year increase from 35% to 65%. Davis noted that the survey ended before the Equifax breach announcement in September.

“These findings may indicate that businesses are not up to speed on the magnitude of the impact that business interruption losses are beginning to have,” she said. “Annually, the survey results are critical for understanding how businesses are thinking about cyber risk and what we need to do to help them protect themselves as we watch this issue continue to evolve.”

The study found that corporate concerns about cyber may be waning, even as the nature of cyberattacks has evolved to include ransomware and malware.

According to the study:

  • For the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyber risk.

  • 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization—down significantly from 85% in 2016.

  • Only 53% of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017.

Keeping Halloween Parties Safe in the Workplace

This year, Halloween is expected to be celebrated by a frightening number of Americans – 179 million. According to the National Retail Federation, 48% of adults plan to celebrate in costume. These adults are not just chaperoning young trick-or-treaters; many are also employees with their own collective sweet tooth. If you plan to indulge these kids-at-heart with a voluntary workplace celebration, here are some tips to consider:

Dress Code Updates

Your company’s dress code policy will obviously need some flexibility for the day, but one can still be enforced in an effort to limit costumes or themes that are too polarizing, provocative or offensive. It’s good practice to inform employees that certain dress code policies will be enforced.

“Provide examples of inappropriate costumes, such as costumes that are too revealing or are ethnic-, religious- or race-based costumes,” Obermayer Rebmann Maxwell & Hippel LLP, an employment and discrimination law firm, said on its blog. “Request that employees avoid political costumes that could be offensive. If an employee shows up in an offensive costume, send the employee home to change into appropriate clothes.”

Safety Hazards

Even when preparing your company’s party, safety should come first. Be sure that anyone involved in decorating and preparations uses proper equipment. It may seem basic, but related workplace accidents can lead to lawsuits and fines. For example, a preschool teacher broke her arm in 2010 while standing on a child’s seat to hang some decorations, and the school incurred a $5,000 penalty for violating OSHA’s safety terms. Decorations should not put any worker in harm’s way or impede their ability to do their job.

Fire risks increase during Halloween parties, often due to the combination of candles and the flammability of the decorations and costumes. PropertyCasualty360.com encourages holiday staples like jack-o-lanterns, but suggests using flameless LED candles that are bright enough to illuminate your carving but don’t pose the risks of a real flame. Due to their flammability, the site also dissuades the use of:

  • Dried flowers or floral arrangements.
  • Corn husks or dried corn stalks.
  • Crepe paper garland or other paper decorations.
  • Homemade paper-towel ghosts.
  • Driveway lanterns with real candles.

Food and Drink

It’s not just employees’ sensibilities that are delicate. According to the Centers for Disease Control and Prevention (CDC), 50 million Americans suffer from an allergy each year. Be sure to have employees report any food allergies to the party planner in advance to ensure no one suffers a physical reaction.

If your business has a liquor license and continues serving a visibly intoxicated person, you may be liable for any accidents they cause. In many states, expanding employer liability is a gray area. Some state laws dictate that an employee’s conduct – even after he or she has left a company-hosted party – can still be traced back to the employer. That means that if, for example, an employee is caught driving while intoxicated and/or causes an accident afterward, an injured party can file a lawsuit against the company. When examining such a scenario based on a 2013 court case, Law360 noted:

Since liability is no longer confined to activities conducted on company property, employers may feel the need to police employees before they leave the premises.

Overall Appropriateness

If you’re still up in the air about hosting a party, then that in itself might be an indication to pass on it in the classic sense. The Society for Human Resource Management suggests reflecting on prior Halloween activities and the feedback received from employees or customers:

If most workers did not participate, this practice might not fit with the company culture. Consider alternative ways to celebrate, such as a company potluck or luncheon.

By following these tips, your company can reduce safety hazards and the risks of harassment, lawsuits and outbreaks. October is also Fair Trade Month. Check out Ben & Jerry’s sweet ways to have a “Fair Trade Halloween.”

Protecting Your Company from Rogue Employees

While employee malfeasance rarely takes down entire companies, it can result in serious fines, sanctions, court judgments, settlements and reputational damage. Big data analytics is one way leading companies are able to mitigate risk, by proactively detecting threatening or illegal behavior.

Traditional ERM Approaches Won’t Do

Compliance officers do their best. They generally work within enterprise risk management (ERM) frameworks to introduce corporate policies and procedures, conduct risk avoidance training and audits, and create inter-disciplinary committees. They work with IT to run compliance auditing software on critical structured data, including financial databases and transactional applications.

By targeting only well-behaved structured data, however, compliance officers can lose sight of one key fact—structured data is a small percentage of organizational data. Data storage analysts report that most organizational data are only 15% to 20% structured data and 80% to 85% unstructured. This leaves a huge volume of data that presents serious compliance risk to IP, especially electronic communications.

While e-mail, instant messaging, texting and social media are ingrained in our culture, traditional auditing software does not focus on communications. These threats often evade notice until the damage is done.

Here are some ways threats can escape the radar of employers that have traditional ERM approaches:

  • Limited ability to analyze unstructured data. The inability to monitor unstructured data leaves the company open to regulatory consequences and other risk.
  • Keyword searching to winnow down data sets often delivers a high volume of false positive results. Filtering techniques such as keyword searches may not be highly accurate and require intensive manual review. The result is higher cost and longer timeframes for manual-review projects.
  • Potential security issues. Communication platforms are rapidly proliferating. Employees might be sharing inappropriate corporate information on social media, yet these mentions often go unmonitored by the company, potentially missing evidence of employee misconduct.
  • Complex regulatory changes. Many governmental and industry regulations are already complicated, and their revisions only intensify complexity. For example, since introducing Dodd-Frank, regulators have written 224 of 400 expected rules and continue to modify existing rules.
  • Case-by-case approaches. Case-centric approaches to litigation, investigations and regulatory compliance matters impede applying learning and attorney work product on these cases to other matters. This inability lengthens legal reviews and investigations and multiplies costs. Case-based discovery also makes it difficult to discover widespread risky communications between employee groups and outside organizations.
  • Geographic and organizational silos. Relevant data is spread across different storage locations and eDiscovery platforms, creating distinct data silos.

A Cautionary Tale

Here is an example of risk that can go undetected until it’s too late, as it did at Wells Fargo. Banker 1 is responsible for reaching high quarterly sales goals. His manager increases his sales goals for the next quarter. Banker 1 emails a colleague complaining about how his goals are impossible to meet. Banker 2 suggests he try a creative process called “pinning,” which consists of a banker enrolling an actual customer in online banking to create a “sale.” The banker fills in the customer’s name and address but puts in a fake email address so the customer never receives banking communications. The banker meets his sales goals—and hopes the customer never finds out.

How Big Data Analytics Can Help

Analytics tools are already omnipresent in eDiscovery and compliance reviews. They include predictive coding, email threading and concept searching. They are highly useful for culling large data volumes to more manageable sizes. They also locate meaningful text and concept patterns so that reviewers can strategically work with high priority documents.

The catch is that these analytics can only filter to a point, and only work on a single-case basis. No matter how the case management software learns from tagging and work product, that learning cannot be applied across multiple matters if it resides on different review platforms or with different vendors. Each time a new case begins, reviewers and their software must start over. This leads to very long and repetitive document review processes, already the single most expensive activity in eDiscovery. Clients and attorneys also risk exposing sensitive information as the matter makes its way between document review platforms and multiple stakeholders.

A big data approach, as opposed to specific analytics tools, can continuously consolidate billions of documents into a central repository. It can also apply machine and human learning to enable the reporting of trends, new data relationships, and fresh insights into data across all cases—not just a single matter—for greater efficiency, cost control and risk mitigation.

RIMS Legislative Summit 2017: Focus on Flood

WASHINGTON—The RIMS Legislative Summit kicked off on Wednesday in Washington, D.C. with a panel led by Congressional office staff.

Panelists included: Democratic Staff in the U.S. House of Representatives; Jason Tuber, Senior Advisor to Senator Menendez (D-NJ); Ed Skala, Deputy Staff Director for the House Financial Services Committee; and Brandon Beall, Professional Staff Member, Office of Senate Committee on Banking, Housing and Urban Affairs; as well as Lisa Peto, chief counsel for the Financial Services Committee.

The focus was the once-again looming expiration of the National Flood Insurance Program (NFIP). The program was set to expire in September, but was saved with a temporary extension that is now set to expire again on Dec. 8.

The panelists, each of whom began with the disclaimer that these were their opinions and not the opinions of their office, came to a consensus that a new NFIP was critical and that a gap in coverage is certainly not ideal, and they acknowledged that their offices were working on a bipartisan resolution.

Some of the major concerns discussed were:

  • Funding—who will fund the NFIP? If the NFIP expires or ceases to exist would the burden fall on the taxpayer and then ultimately on government anyway? Should excess flood coverage be privatized? There was also discussion on whether mandating states to offer certain protections for flood exposure would help the situation.
  • Accessibility and Affordability—what measures must be included in the new bill to not only make sure flood insurance is available but that it is available at an affordable price?
  • Residential vs. Commercial—The idea was discussed as to whether there should ultimately be two versions of the NFIP that separate residential and small businesses from large commercial businesses. It was noted that large commercial businesses might have flood coverage elsewhere or are better funded to retain some risk and, as such, should have the opportunity to opt out. This would spur new challenges to determine what qualifies a business as small or large (i.e., an online enterprise that generates considerable revenue but operates out of someone’s basement).
  • Risk Mitigation—Should risk mitigation be a part of the final bill? Incentives for both the insurer and the insured would support organizations that practice good risk management. The argument was made, however, that not all residents and not all businesses have the funds for risk management. For example, not everyone has the money in the bank to raise the height of a house or storefront.

Jim McIntyre, RIMS Washington, D.C. counsel and chair of McIntyre & Lemon, stated, “It is probable that we’re looking at another extension come December. Unfortunately for the National Flood Insurance Program, bills regarding trade, healthcare and immigration will take precedence at the moment and [the NFIP] might have to wait a bit longer.”

On day two of the summit, about 50 RIMS members descended on Capitol Hill for meetings with congressional leaders. The goal was to share RIMS priorities for a long-term National Flood Insurance Program.