
The rash of incidents involving whale-phishing has created new challenges for risk managers. In these cases, criminals use a combination of emails and phone calls to scam companies out of large sums of money through fraudulent wire transfers.

Perpetrators use emails that appear to come from senior executives to instruct employees that have access to a company’s finances to transfer large sums of money to temporary accounts held by the criminals. By the time the fraud is discovered, accounts typically have been closed and the criminals can’t be traced.

Managing this exposure calls for careful planning and a coordinated effort both within the organization and with external providers and trading partners. For risk managers, navigating this exposure might involve the following steps:

• Assess your vulnerabilities. Form an “anti-whale-phishing” team with executives from your finance/treasury, security, legal, operations, IT and HR departments to identify where your firm might be vulnerable and the individuals most likely to be targeted by outside perpetrators.

• Establish clear protocols for any fund transfers. Make sure there are multiple internal steps for approval of any financial transactions that exceed defined sums. Don’t allow any exceptions, and make sure all senior leaders of the firm are aware of the protocols, comply fully and consistently reinforce them with staff.

• Communicate protocols within your organization. Be sure everyone with access to funds who might be targeted by these types of scams is fully aware of the protocols and the reasons they are being implemented, understands there are absolutely no exceptions, and knows how to report any email, phone call or other communication that appears suspicious.

• Coordinate with your banking/financial institutions. Establish protocols with your financial institutions with respect to any requests for wire transfers that exceed clearly identified thresholds.

• Check your crime insurance coverage. Meet with your broker to review how your crime policy might respond to any claims related to whale-phishing losses. You may have to arrange a meeting with your insurer to clarify or add policy language that will extend coverage for these types of losses.

• Look for coverage opportunities under cyber policies. Your broker will help you determine how and whether your current cyber insurance policy might address first-party losses, such as those resulting from a whale-phishing attack. As protection under cyber insurance policies continues to expand, see if there is related coverage under newer stand-alone policies.

• Maintain organizational vigilance. Work with your anti-whale-phishing team to continue to monitor risks associated with whale-phishing. Monitor changes in employee responsibilities, promotions, new hires, adjustments in banking relationships, email system updates, and any other developments that may affect your organization’s vulnerability to potential risks.

• Remember, time is not on your side. Plan ahead to know which federal investigative agency is best for you, such as the Secret Service or the FBI. Call them while the bad guys are still communicating and before you take actions that scare them off.
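As an added illustration of the approval protocol described in the steps above (example code, not from the article or any named organization), the snippet below encodes a transfer policy where any transaction at or above a defined sum needs several distinct approvers, the requester cannot approve their own transfer, and a claimed executive exception is always refused. The threshold, approver count and names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values (not from the article): any transfer at or above
# the threshold needs REQUIRED_APPROVERS distinct approvers besides the requester.
APPROVAL_THRESHOLD = 50_000
REQUIRED_APPROVERS = 2


@dataclass
class TransferRequest:
    amount: float
    requested_by: str                                   # employee who entered the request
    approvals: list[str] = field(default_factory=list)  # approver names recorded so far
    exception_claimed: bool = False                     # e.g. "the CEO says skip the process"


def evaluate_transfer(req: TransferRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every role is subject to the same rule, so a
    request that claims executive authority to bypass approval is refused."""
    if req.exception_claimed:
        return False, "no exceptions: requests to bypass the protocol are refused"
    if req.amount < APPROVAL_THRESHOLD:
        return True, "below threshold; normal single-approval path"
    # The requester cannot approve their own transfer, and repeated
    # approvals by the same person count only once.
    approvers = {a for a in req.approvals if a != req.requested_by}
    if len(approvers) < REQUIRED_APPROVERS:
        return False, (f"needs {REQUIRED_APPROVERS} distinct approvers other than "
                       f"the requester, has {len(approvers)}")
    return True, "threshold approvals satisfied"


if __name__ == "__main__":
    # Constructed scenario: an urgent-looking request for a large wire.
    urgent = TransferRequest(120_000, "a.clerk", ["a.clerk", "b.treasurer"])
    print(evaluate_transfer(urgent))
    urgent.approvals.append("c.controller")
    print(evaluate_transfer(urgent))
```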

As these scams evolve and become more sophisticated, whale-phishing is likely to remain a significant risk for businesses and other employers. By taking steps before a loss occurs, risk managers can put their organizations in position to manage this difficult and potentially costly exposure.


Board of Directors

According to a new study from Protiviti, engagement by a company’s board of directors is a critical factor in best managing information security risks.

Overall, engagement with and understanding of IT risks at the board level has increased, yet one in five boards still has a low level of comprehension. As the report states, this suggests “their organizations are not doing enough to manage these critical risks or engage the board of directors in a regular and meaningful way.” Further, while large companies do exhibit stronger board-level engagement, the distinction is not dramatic.

Overall engagement data

Of those companies that have implemented all core security policies—an acceptable use policy, record retention and destruction policy, written information security policy (WISP), data encryption policy, and social media policy—78% have boards with a high or medium level of engagement on information security. Even rudimentary security measures appear to vary with board engagement. Three out of four organizations with engaged boards have a password policy, while just 46% of those with medium or low levels of engagement have this basic provision in place.

IT Security Measures

The study did find two particularly alarming trends, in companies both with and without risk-aware boards. There was a significant increase this year in the number of organizations without a formal, documented crisis response plan to address a data breach or cyberattack. Further, a surprising number of companies still do not have core information security policies. “One in three companies do not have a written information security policy (WISP). More than 40% lack a data encryption policy. One in four do not have acceptable use or record retention/destruction policies. These are critical gaps in data governance and management, and ones that carry considerable legal implications,” the report states. “On the other hand, organizations with all of these key data policies in place have far more robust IT security environments and capabilities.”

There are a number of reasons organizations need to be paying attention to their employees’ travel risks, including health scares, natural disasters and political unrest. Since unpredictable events like these are now a global reality, many businesses are taking a hard look at business travel risks and ways they can protect their employees abroad.

In fact, 80% of travelers believe their companies have a legal obligation to protect them abroad, according to On Call International LLC’s report, “Travel Risk Management.” This means employees may blame their organization if their health or safety is compromised during a business trip. Because so much is at stake for companies that send staff members across the globe, it is important for employers to understand business travel risks and implement a travel risk management strategy to protect their workforce—and their company.

The study notes that companies need to be prepared to respond quickly and effectively to any travel-related incident. Responses should also put the needs of the employee first. Companies need to anticipate the risks and prevent them from occurring, or at least limit their potential impact.

The infographic below looks at business travel risks and why it is essential for companies to protect their employees.


Are companies prepared for skyrocketing energy costs to combat extreme heat? Can farmers handle average crop losses of up to 73%? Should businesses invest in oceanfront property that is virtually guaranteed to flood? Because of climate change, these are just some of the crucial questions the United States will face before the end of the century, according to “Risky Business: The Economic Risks of Climate Change in the United States,” a report co-chaired by business experts Michael R. Bloomberg, Henry Paulson and Tom Steyer. The report quantifies and publicizes the economic risks posed by a changing climate. While climate change can be a politicized topic, there is little controversy that the phenomenon presents a great deal of risk to everyone, from individuals to institutions.

Decision-makers already use risk analysis to address uncertain situations, routinely evaluating potential threats and challenges such as bad investments or schedule delays. The report adds climate change to the risks that all decision-makers should account for. Robert E. Rubin, co-chair of the Council on Foreign Relations and member of the report’s risk committee, said, “Companies should disclose both their potential exposure to climate risk, and the potential costs they may someday be required to absorb to address carbon emissions.”

The report uses risk analysis, Monte Carlo simulation (MCS) and models to illustrate how different regions are likely to be affected by climate change. The project’s simulation also analyzes efforts to mitigate climate change, showing a changed distribution of probabilities if those efforts are made in the coming years. “As there is a very high number of permutations and combinations of weather events, it would be very difficult to analyze these meaningfully using an averaged or deterministic approach,” said Robert Kinghorn, associate director at the consulting firm KPMG Australia. “MCS overcomes this by allowing thousands of possible combinations of extreme weather events to be analyzed.”

MCS can illustrate the potential costs if no adaptation takes place, or if adaptation is employed. The “Risky Business” report demonstrates that ignoring climate change risks will lead to disaster, while taking steps now will have a big impact. Luckily, we have tools to face these challenges.

Many forward-thinking businesses and communities have already applied MCS to climate change risk analysis. For example, AECOM, a professional technical and management support company, used MCS software and optimization techniques to evaluate the risk and costs of climate-change-related flooding of the Narrabeen Lagoon near Sydney, Australia.

AECOM was asked by the Australian Federal Government to conduct an economic analysis of climate change impacts on infrastructure. When the Narrabeen lagoon’s entrance is blocked, it can fill like a bathtub, flooding the surrounding land and houses. The community can tackle this problem in various ways—such as a lagoon entrance opening, levee construction, flood awareness and planning controls. Because climate change is expected to increase flooding in the Narrabeen catchment over the coming century, decision-makers needed a clearer understanding of the different possible adaptation measures.

“The objective of the study was to use an economic cost-benefit analysis to identify both what measures government should invest in to prevent the impacts from flood events and when they should invest,” said Kinghorn, who, along with his KPMG colleague Lisa Crowley, developed, designed and ran the project while both were employed at AECOM.

Kinghorn and Crowley estimated the social benefits of adaptation to climate change in terms of willingness to pay, rather than just costs avoided. Using MCS, they generated more realistic probabilities of overall costs and benefits, and modeled the expected future values of variables such as rainfall.
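As an added illustration of the MCS cost-benefit approach described in the two passages above (example code, not the model built by AECOM, KPMG or the “Risky Business” project), the sketch below simulates thousands of possible flood futures for a constructed lagoon-like catchment and compares doing nothing with one adaptation measure. The flood probabilities, damage distribution, adaptation cost and damage reduction are all constructed assumptions.

```python
import random
import statistics

YEARS = 50        # planning horizon in years (constructed)
TRIALS = 4000     # number of simulated futures (constructed)


def simulate_future(rng, years=YEARS):
    """One possible future: a list of per-year flood damages (constructed $M).
    Assumed: the annual flood probability rises from 5% to 15% over the
    horizon as the climate changes, and each flood's damage is lognormal
    with a median of about $20M."""
    damages = []
    for year in range(years):
        p_flood = 0.05 + 0.10 * year / years
        damages.append(rng.lognormvariate(3.0, 0.5) if rng.random() < p_flood else 0.0)
    return damages


def percentile_95(values):
    return sorted(values)[int(0.95 * len(values))]


def monte_carlo(seed=1, trials=TRIALS, adaptation_cost=60.0, damage_factor=0.3):
    """Compare 'do nothing' with an adaptation measure (e.g. a levee or lagoon
    entrance opening) that costs adaptation_cost up front and reduces each
    flood's damage to damage_factor of its unprotected value. The same
    simulated weather is reused for both options (common random numbers), so
    the comparison reflects the measure rather than sampling noise."""
    rng = random.Random(seed)
    no_action, adapted = [], []
    for _ in range(trials):
        future_damage = sum(simulate_future(rng))
        no_action.append(future_damage)
        adapted.append(adaptation_cost + damage_factor * future_damage)
    return {
        "expected_cost_no_action": statistics.mean(no_action),
        "expected_cost_adapted": statistics.mean(adapted),
        "p95_cost_no_action": percentile_95(no_action),
        "p95_cost_adapted": percentile_95(adapted),
        "prob_adaptation_cheaper": sum(a < n for a, n in zip(adapted, no_action)) / trials,
    }


if __name__ == "__main__":
    for name, value in monte_carlo().items():
        print(f"{name:26s} {value:8.1f}")
```

Because every future is stored, the same run also yields the tail figures (95th percentile) that matter for a decision-maker weighing rare but severe floods, not just the averages.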

As the report states, even modest global emission reductions can avoid up to 80% of projected economic costs resulting from increased heat-related mortality and energy demand. While many companies may be resistant to change, the report makes an undeniable case; we cannot afford to ignore the momentous climate risks that threaten our near- and long-term future. “Responding to climate change is no longer a problem without a solution,” said Crowley. “It is not a question of do I need to respond, but how do I respond. An effective response to climate change is possible. The complex set of climate change data can be processed through a cost-benefit analysis using MCS, producing a set of economic indicators to inform a more meaningful decision-making process on how and when to respond.”