Making the Most out of a Crisis

CALGARY, ALBERTA, CANADA—Suppose your company experiences a major hurricane, tornado or fire: Property is destroyed and your business is stalled, meaning customers are left waiting. But there are buildings to be rebuilt and equipment to be replaced, and the claims process hasn’t even started. This is when the risk manager’s skills at placing the company’s insurance coverage and negotiating for the best payout can not only demonstrate their true value, but can put the company back on course, according to experts here at RIMS Canada’s annual conference.

“When there’s a serious property loss, this is the time for the risk manager to shine, because up until then it’s about premium, premium, premium,” Tom Parsons, manager of risk management at Fairmont Raffles Hotels International in Toronto said during a RIMS Canada Conference session. “Up until a serious loss occurs, I don’t think you feel the impact that you can give back to the company. Because what we do is buy insurance, so it has to work. It is what you helped craft and build into your policy through the years. You have created a policy that is robust, and that is going to cover everything—you hope.”

Among the examples cited was a soft drink bottling plant flooded with eight feet of water following a hurricane. While the company’s high-speed bottling equipment was damaged and would need to be replaced, explained Jeffrey Phillips, managing director in PwC’s U.S. forensic advisory practice, the issue was that floodwaters were highly contaminated due to a number of chicken and hog farms in the area. As a result, the company determined that the building could not be used for any type of food processing and would need to be demolished. The insurer, however, argued that the walls could be sealed, containing any contaminants. The company had found a competitor to do some of the bottling, but it wasn’t enough to fill their orders, Phillips said.

Because delivery of the new bottling equipment was slated to take months, there was also a large business interruption period being covered, he said. This is when innovation came into play. The bottling company was able to show the insurer that buying another plant rather than rebuilding would put them back in business sooner, cutting back on their losses. The insurer agreed and sent them a check. As a result, the company purchased a larger facility in a better location.

“They were up and running in six months—the business interruption had stopped,” he said. The better location also meant reduced shipping costs and the company gained market share. Because the company was able to make the case to its insurer, both came out ahead in the long run.

Phillips recommended that companies negotiating after a crisis “communicate, communicate, communicate” with their insurers.

They should also get their insurers to sign off on major contracts such as scope of work, rates and overhead and discuss changes to operations or facilities with the adjustment team and agree on scope of property damage repair or replacement whenever possible.

Insurers will typically push to return the facility to pre-loss condition, “unless you can prove the changes will save them money,” he added. “Insurers will not be creative for you, they don’t know your business or your goals.”

Curb Phishing Damage with a New, Human Approach to Bad Habits

In the first quarter of 2016 alone, more than 40 organizations, including Snapchat, Moneytree and Sprouts Farmers Market, acknowledged they were victims of phishing attacks. The attacks came via emails seemingly sent from CEOs to their own human resources and accounting departments. In reality, these emails were sent by cybercriminals attempting to steal vital personal and financial information from companies and their employees.

The FBI estimates that phishing attacks have cost companies more than $2.3 billion in losses over the past three years, and since January 2015 alone, the agency saw a 270 percent increase in identified victims and exposed losses from CEO scams.

Recipients who “take the bait” by responding to a phishing email often provide scammers with all the information needed to commit identity theft, including filing a tax return in someone else’s name. Clicking a link or opening an attachment may also launch malware, intrusive software that seriously compromises the system by starting malicious background programs.

The stakes are high and regardless of your organization’s size, you are always at risk for an attack. In fact, the Anti-Phishing Working Group discovers more than 40,000 unique phishing sites targeting about 500 brands per month, while the Department of Defense and Pentagon report receiving up to 10 million phishing attacks each day.

The success of attacks varies, with 30% to 60% of incidents resulting in victimization, according to a 2013 Verizon Data Breach Report. A phishing attempt’s success or failure, however, depends on more than a scammer’s ability to infiltrate the cybersecurity infrastructure of an enterprise.

Your organization’s susceptibility really comes down to your people. Even with training, vulnerabilities depend on a combination of employees’ awareness levels and enduring personal habits, according to research by University at Buffalo (UB).

Companies can implement more effective cyber preparedness measures only when they better understand the ways that their employees think and behave. As phishing attacks continue to evolve and become more sophisticated, the most successful employee cyber defense strategies should involve two critical components: 1) a combination of cutting edge training and testing and 2) support programs to alter the unconscious human behaviors that compromise cybersecurity.

Currently, most businesses train employees to recognize phishing attempts by identifying key elements in an email message, such as finding the sender’s address, noticing hyperlinks and recognizing clues like typos or awkward language. But research has shown that those efforts fail to sustain positive results because organizational training focuses on situational reactions while ignoring employees’ existing habits, which are difficult to break.

For example, an employee may successfully identify suspicious emails when prompted in a training session. When it comes to an average Monday morning, however, opening every email to clear their inbox may be a strong habit that training simply does not offset. Phishing is largely successful for this precise reason. Perpetrators take advantage of individuals who are habitual in the way they respond, despite any awareness they may have developed or gained in training, according to UB findings.

Many employers complement this basic training with follow-up penetration testing to evaluate whether employees recognize the warning signs of a cybersecurity threat in practice. Organizations may send a mock email with red flags that indicate a potential phishing attack, such as a compelling subject line like “Your computer is at risk.” Once opened, the recipient sees that the message is from the employer with a warning about how similar future messages could pose risks.

Penetration testing, however, doesn’t work in the long run because it also fails to acknowledge habitual actions and attempts to change a person’s behavior by simply encouraging them to do more of the same behavior.

Organizations can actually address the bad habits by identifying employees who are most susceptible to phishing and exposing them to higher levels of education with an emphasis on creating better tailored interventions that address the underlying “why” that drives people to fall prey to phishing time and again.

Continuously testing employees can be helpful; however, a company’s security training program must also attempt to adjust the daily unconscious behavior of employees that puts networks at risk. Companies need to provide their employees with a relatable (non-security/IT) team member/colleague to demonstrate what responsible cyber behavior looks like day in and day out.

One way to accomplish this is to create an internal cyber ambassador program that identifies employees who have proven themselves to have especially strong cyber awareness. These employees should be selected from teams such as accounting, sales, HR and administrative support, that are typically vulnerable to phishing attacks. Cyber ambassadors are responsible for promoting cyber best practices within their own teams. This type of program creates a platooning effect, where employees subconsciously emulate the behavior of their ambassador/team member, resulting in a safer cyber environment.

While employees can be your greatest weakness, they can also be your strongest asset in thwarting phishing attacks. Training employees to identify a phishing attempt—either before or after falling victim to an attack—is only half the battle. By better understanding the mechanisms behind employee susceptibility, companies can anticipate individuals most at risk, create dynamic security and training policies that promote safe cyber behavior patterns, and alter employees’ habits through colleague support programs.

Aug. P&C Rate Holds at Minus 1%; Auto, Transportation Up

The U.S. property and casualty composite rate for August was stable at minus 1%, the same as July, MarketScout reported. By industry classification, manufacturing, habitational and energy each moderated 1%, while all other industry classifications remained unchanged.

“While the month to month composite rate is stable, there is clear movement in commercial auto and transportation accounts with each showing a year over year rate increase of plus 3%,” said Richard Kerr, CEO of MarketScout. “Insurers have decided it is time for commercial auto and transportation accounts to start paying up.”

By coverage, commercial property, workers compensation and professional liability each moderated 1% in August—to minus 1% for property, minus 1% for workers compensation and flat for professional liability. Commercial auto rates went up to plus 3%, while all other coverages remained unchanged, MarketScout said.
[Chart: rate changes by coverage class]

By account size the only adjustment was for accounts with more than $1 million premium, which adjusted from down 3% in July to down 2% in August.

[Chart: rate changes by account size]

[Chart: rate changes by industry class]

Active Shooter Preparations Lagging, Study Finds

Between 2014 and 2015, the United States experienced nearly six times as many active shooter incidents as it did between 2000 and 2001, according to the FBI. The report, Active Shooter Preparedness by Everbridge, found that even though U.S. companies are overwhelmingly concerned about violence and violent acts in the workplace, they remain unprepared.

Out of 888 organizations surveyed about their safety plans and ability to manage an active shooter situation, only 21% felt that they were prepared, and 79% said their organizations were at best somewhat prepared for an active shooter incident. Even among those who feel they are prepared, only 7% are “very much prepared,” Everbridge said.

Preparedness is important, as companies cannot rely solely on police and other government assistance. According to an FBI study of active shooter events between 2000 and 2013, 60% ended before the police arrived. Adequate preparedness requires communication and practice plans to make sure responders know who is at risk and that people know what to do if an event happens.

Despite this, close to 40% of respondents said they did not have a communications plan in place for active shooter events.

The survey also found that executives of organizations are much more concerned about employee or student safety than they were two years ago—the overwhelming majority (79%) said they were.

Other Findings:

  • 69% of respondents view an active shooter incident as a potential top threat to their company or organization. Workplace violence was cited as a top threat by 62%.
  • Communicating to people who may be in an impacted building and confirming their safety was seen as the biggest challenge during an active shooter situation (71% of respondents).
  • Safety concerns are growing: 79% of executives/leaders are more concerned about employee or student safety than they were two years ago; 73% said that employees or students are willing to exchange some aspects of privacy for enhanced security.
  • 61% do not run any active shooter preparedness drills at all.