Love and Cybersecurity: Q&A with eHarmony’s Ronald Sarian

Now through Feb. 14 is the busy season for the online dating and matchmaking industry. Heavier traffic can present risks to these sites, demanding added precautions. Ronald Sarian, vice president and general counsel (and default risk manager) at eHarmony, spoke to Risk Management Monitor about the types of risks he faces—particularly regarding data and cybersecurity—and how he protects the “#1 trusted dating site for like-minded singles,” where “Every day, an average of 438 singles marry a match they found on eHarmony.” (For those familiar with its commercials, the song now stuck in your head can be played in a new tab here—don’t fight it.)

Risk Management Monitor: You joined eHarmony following a data breach in 2012 in which 1.5 million users’ passwords were compromised. What steps did you take to prevent a recurrence?

Ronald Sarian: Following that breach, we put everything we did under a microscope and brought in Stroz Friedberg to aid our investigation and help improve our processes. We ultimately decided to migrate all credit card data off-site to CyberSource, a third-party vendor. When we need to charge a credit card we get the key from the vendor and then return it when we’re done. We wrote transmission gateways out of all of our internal apps so things aren’t communicating with each other so easily. This way, if there is an attack, it will be “quarantined.” We also employed extensive layering for the same purpose. We put a much more sophisticated logging system in place, hired a full-time security engineer, and started performing more firewall audits and regular white hat hacks to try to detect vulnerabilities. And we improved our on-boarding and off-boarding for employees.

RMM: What are the prevalent risks you face leading up to Valentine’s Day and how do you mitigate them?

RS: We face risks all year long, but this time of year there are just more of them. There are always fraud issues we deal with and people try to launch bot attacks to take down our systems and cause us grief. We believe we utilize industry best practices for all these issues. For example, to try to prevent fraudsters from getting into the system we have sophisticated business rules that look at keywords or phrases used when filling out the intake questionnaire—certain words or phrases indicate the probability of a fraudster. Misuse of the English language can sometimes signal a problem. These raise red flags in our system.

Our questionnaire is quite elaborate and evaluates psychological factors in order to determine personality traits. We have essentially 29 different dimensions of compatibility we look at and try to glean all these dimensions so we can match you with someone who is typically 80% or higher in each. If you answer the questions in a certain manner for most of the questionnaire and we see a major inconsistency toward the end, for example, that can indicate something is fishy.

We also look at suspicious IP addresses. We utilize these practices all year round but scrutiny is heightened at this time of year and especially when we have free communication weekends. We’re pretty good at sorting these people out before they can communicate. Our system has been developed over 17 years and is constantly being improved as threats change and fraudsters become more sophisticated.

RMM: How else is risk management used in eHarmony’s strategies and operations?

RS: A goal of mine is to adapt the ISO 27001 ERM framework for eHarmony. I believe we have the best practices in place to achieve that when the time and finances are right. It’s quite a bit of work to get the certification and I don’t know if that would happen this year but it’s something I want to do because I think it would be great for us. It basically requires a holistic, top-down look at your entire operation. This is not only from a tech standpoint but from a personnel standpoint as well.

Many breaches start internally, most of the time unintentionally, so people should, for example, know not to click on a link in an email from an unknown source. You also need to assure your vendors are utilizing the appropriate safeguards and you must have a security incident management plan in place. There are many other requirements, of course. I believe we essentially have the information security management system (ISMS) envisioned by ISO 27001 in operation right now. We just need to make it official.

62% of Impacted Companies Lacked Hurricane Prep in 2017

A majority of senior executives of large U.S. companies with operations in Texas, Florida or Puerto Rico admit to being unprepared for last year’s hurricanes that devastated their communities, according to a survey by FM Global. While 64% of respondents said the hurricanes had an adverse impact on their operations, a full 62% said they were not fully prepared.

“These candid admissions drive home a fundamental truth about catastrophe,” Louis Gritzo, vice president and manager of research at FM Global, said in a statement. “People routinely fail to understand or acknowledge the magnitude of risk until they’ve experienced a fateful event.”

One reason for a lack of natural-hazard preparation is imprecise terminology, he said. Being located in a “100-year flood” zone, for example, “does not mean you have 99 years to plan—but that there is a 1% chance of such a flood every year.” Another reason for insufficient preparation is over-reliance on insurance, which cannot restore the market share, brand equity and shareholder value lost to competitors.

The study found that as a result of hurricanes Harvey, Irma and Maria:

  • 57% of all respondents said they will put in place or enhance their business continuity or disaster recovery plans.
  • 40% plan to invest more in risk management, property loss prevention, and/or reassess their supply chain risk management strategy.
  • 25% will reassess their insurance coverages or their insurers.

FM Global commissioned market research firm ORC International to survey 101 senior financial executives at Fortune 1000-size organizations by phone in October through November 2017.

Competition Steady Despite Disasters, Fitch Says

In its newest annual outlook report for property and casualty insurers, Fitch Ratings noted that while the 2018 rating outlook for insurers is stable, the fundamental forecast remains negative. Underwriting results deteriorated in the second half of 2017 following events including Hurricanes Harvey, Irma and Maria, along with fourth quarter California wildfires. As a result, Fitch projected that industry-estimated statutory net profits would fall by about 50% in 2017, projecting a market combined ratio of 104.4% for the year compared to 100.7% in 2016.

Fitch said that even with the substantial catastrophe-related losses, U.S. property and casualty insurers’ operating performance appears to be on the rebound. The agency estimates that the industry combined ratio will approach break-even levels in 2018 if natural catastrophe-related losses revert towards long-term averages.

How does all this affect the market for insurance buyers? James Auden, managing director at Fitch Ratings, Inc., told the Risk Management Monitor that from a pricing standpoint, while there is some deterioration in results, especially in property, there is plenty of capacity for coverage in just about every segment.

“We haven’t seen a reduction in capital in the broader market, so how much these losses will carry over and make changes in another segment is a question,” he said. “And there are some segments that have been suffering in their own right, such as commercial and personal auto rates, which have been going up tremendously. We’ve seen a lot of turnaround, but there is still a need for rate hikes there. You’ll probably see that continue.”

Property
Markets affected by catastrophe losses should see some large rate increases in property, which could carry over geographically, he said. Commercial property lines, which have been very soft for a while, should see broader increases. Other factors include companies’ loss history and the types of perils they face.

“I think we’ll see more rate increases geographically throughout the market next year,” Auden explained. “They will be higher in areas hit by hurricanes, but we will see them elsewhere as well. In Houston, the losses were much more commercial than residential in nature. In Florida the losses were more skewed to residential, but there were plenty of commercial losses there, too.” How far rates will rise may be dampened by the amount of capacity that still exists. “If you go back historically, when we’ve had true hard markets, it’s been tied to capacity shortages,” he said.

Auden added, “We are not seeing companies withdrawing from the market right now. We did see that in areas like commercial auto over the last couple of years, especially in long-haul trucking. In commercial property, however, I don’t think there is a big withdrawal of capacity. Companies are seeing an opportunity to improve the economics of their business and relieve pressure around pricing.”

M&A
In the area of mergers and acquisitions, there have not been many with the magnitude of last year’s Chubb-Ace deal. “We have had a few things, like Liberty Mutual’s purchase of Ironshore,” he said, adding that “There is always potential for M&As, but one thing that could restrict them is that with the stock market up so much, insurance markets have benefitted, so evaluations are a bit richer and that may limit interest from a value standpoint.”

Lloyd’s
The Lloyd’s market, which has been affected by competitive pricing over several years now, is on negative outlook. “There have been more exposures in the catastrophe piece and a weaker performance, so that has been driving our opinion there,” he said. “And there definitely are a lot of losses at Lloyd’s from the catastrophes this year.”

Competition
Despite the huge losses being seen, however, competition is still going on. “It’s relentless. There are plenty of underwriters out there trying to write the same business and to differentiate themselves on things like service,” Auden said, adding that he believes turnover will remain steady because insurance buyers typically shop their coverage frequently. “I don’t think there will be more turnover than usual.”

He concluded that in the area of property, while there will be positive rate actions, making response to the losses more substantial, this may not be sustainable. “Do we see multiple carriers with rate increases? We think it’s likely that is not sustainable, unless we have a really bad year next year in terms of catastrophes,” Auden said.

2020 Visions: Companies Adopt Recycling Initiatives

Decreasing their environmental impact seems to have been a New Year’s resolution for many companies and governments in 2018. This month, several major organizations announced ambitious recycling campaigns in an effort to appease consumers, reduce costs and limit environmental harm.

Dow Chemical
A collaboration between the U.S. Green Building Council and Dow Building Solutions aims to reduce carbon emissions by advising two cities or communities and helping them achieve Leadership in Energy and Environmental Design (LEED) certification. The Dow Chemical subsidiary announced these plans last week in response to data showing that buildings are currently responsible for about one-third of global energy consumption, about 30% of global energy-related CO2 emissions and 20% of total CO2 emissions.

“This partnership will offer expertise from Dow and USGBC that will not only directly help selected communities reduce their carbon footprint, but will also pave the way for other communities to do the same,” Greg Bergtold, director of advocacy for Dow Building Solutions, said in a statement.

In October 2017, Dow announced a strategic partnership to produce recycled plastic bags that are being used to collect trash on ocean shores. Using post-industrial plastic scraps, Dow’s RETAIN recycling technology enabled the production of the recycled bags used for the cleanup.

McDonald’s
This week, McDonald’s pledged that by 2025 all of its guest packaging will originate “from renewable, recycled, or certified sources with a preference for Forest Stewardship Council certification.” The fast food giant will also strive to recycle guest packaging in all of its locations in that same year.

This expands upon McDonald’s existing goal that by 2020, 100% of its fiber-based packaging will come from recycled or certified sources where no deforestation occurs.

“Our customers have told us that packaging waste is the top environmental issue they would like us to address,” Francesca DeBiase, McDonald’s chief supply chain and sustainability officer, said in a statement. “Our ambition is to make changes our customers want and to use less packaging, sourced responsibly and designed to be taken care of after use, working at and beyond our restaurants to increase recycling and help create cleaner communities.”

Coca-Cola
To combat what Coca-Cola’s CEO James Quincey referred to as the “world’s packaging problem,” the company announced a sustainability plan called World Without Waste. The strategy will focus on the entire packaging lifecycle—from the creation of bottles and cans through their use and how they’re recycled and repurposed.

Part of its initiative is a plan to recycle a bottle or can for each one sold. By 2030, the company will collect or recycle the equivalent of its entire packaging output, and it is aiming to make bottles half-composed of recycled content. Quincey acknowledged that the timing of his company’s and McDonald’s announcements was a coincidence, but said the two companies would collaborate since Coca-Cola’s drinks are sold at McDonald’s restaurants.

Greenpeace, a vocal critic of Coca-Cola, said the company should focus on reducing the amount of plastic it produces, rather than just recycling more. “We can’t recycle our way out of this mess,” said Greenpeace campaigner Louise Edge, in a statement.

The United Kingdom
Similar initiatives are also appearing overseas in the form of legislation. In the United Kingdom, where there is a levy against plastic bags, members of Parliament announced plans to potentially fund infrastructure and cut down on 30,000 tons of waste by imposing a tax on each coffee cup sold by a retailer. The Guardian reported that 2.5 billion to-go coffee cups are disposed of annually in the U.K., not counting the coffee grips, stirrers and other amenities often associated with a standard coffee drink. The short-term solution is for retailers to sell reusable cups and for consumers to repeatedly bring them when out for a cup of joe.

An audit report indicated that one in 400 cups is recycled (less than 0.25%) and that half a million coffee cups are littered each day in the U.K. Members of Parliament are calling for:

  • A 25p levy (35 cents, USD) on coffee bought in takeaway cups to be used to reduce the number of cups thrown away and invest in reprocessing facilities
  • Introduction of a ban on throwaway coffee cups if a target that all takeaway cups are recyclable by 2023 is not met
  • Coffee chains to pay more towards disposing of cups
  • Improved labeling to better educate consumers