Fort McMurray Wildfire Insured Losses Up to $6.9 Billion

Ft-McMurray map

NASA Fort McMurray wildfire map

Insured loss estimates from the wildfire in Fort McMurray, Alberta, Canada, are projected between $3.4 billion and $6.9 billion, catastrophe modeling firm AIR Worldwide reported. Officials are still in the early stages of assessing damage caused by the wildfire that began on May 1 and quickly spread from forests to neighborhoods, outpacing local firefighters’ capacity to contain it. According to AIR, the Fort McMurray wildfire is the costliest natural disaster in Canada’s history.

The fire had initially moved away from Fort McMurray, but shifted back toward the city this week, causing evacuations for the second time. About 500 to 600 people were evacuated from four small work camps, Alberta Premier Rachel Notley said in a news conference on Monday.

The fire is still uncontained and, as of May 14, had covered nearly 600,000 acres, mainly in wildlands and away from population centers. Winds are now calmer and temperatures have lowered, with considerable cloud cover and a possible shower expected—all of which are expected to help firefighting efforts.

The fire’s new threat reversed earlier efforts to return local oil sands projects to full operation, the New York Times reported. The highway through Fort McMurray was reopened several days ago to allow workers to return to the work sites, but was closed again on Monday.

Premier Notley said that five things need to be in place before residents may reenter Fort McMurray:

  • Wildfire is no longer an imminent threat to the community
  • Critical infrastructure is repaired to provide basic services
  • Essential services, such as fire, EMS, police and health care are restored to a basic level
  • Hazardous areas are secure—100 truckloads of fencing are being sent to Fort McMurray
  • Local government is re-established

Firefighting crews are still trying to put out fires in the northern part of the city. Fort McMurray’s airport, water treatment plant, municipal building, hospital and all functioning schools were safeguarded, according to AIR. The airport continues to be used only for wildfire aircraft operations, however, and is closed to commercial and private aircraft until further notice. Current information suggests that a total of more than 2,400 structures have been lost—roughly 10% of the total number.

AIR said its loss estimates capture residential, commercial and automobile losses, as well as business interruption losses, except those related to the oil industry. AIR derived its loss estimates based on high-resolution Industry Exposure Database (IED) for Canada and damage ratios estimated from satellite imagery and experience from claims adjustments for historical U.S. wildfires. IED exposure values included in loss estimates have been trended to Jan. 1, 2016.

The wildfires in Canada illustrate a continuing trend of increasingly severe wildfires that caused a record 10.1 million acres to be burned in the United States in 2015, surpassing the previous high of 9.8 million acres in 2006, Mark Crawford reported in last month’s issue of Risk Management. It was the fourth year in the past decade in which more than nine million acres burned. According to the U.S. Forest Service, the 2015 wildfire season was the costliest on record, with more than $2 billion spent fighting fires.

Switzerland, Norway Rank Highest in Supply Chain Resilience

Plummeting oil prices, natural catastrophes and political disruption in a borderless business environment are some of the threats to the resilience of countries that can impact supply chains, according to the 2016 FM Global Resilience Index, which aggregates data to help companies identify their key supply chain risks. The Index ranked the resilience of 130 countries to supply chain disruption based on drivers in three categories: economic, risk quality and supply chain factors.

This year’s top-rated country, Switzerland, traded places with Norway—a reflection of Norway’s drop in oil revenue at a time of falling crude oil prices. Rounding out the top 10 in the Index, in descending order, are Ireland, Germany, Luxembourg, the Netherlands, the central United States, Canada, Australia and Denmark.

The lowest-ranked country in 2016 is Venezuela (ranked 130) for the second year in a row. It is followed in ascending order by the Dominican Republic, Kyrgyz Republic, Nicaragua, Mauritania, Ukraine, Egypt, Algeria, Jamaica and Honduras.

For the second consecutive year, Ukraine (ranked 125, down from 107) was among the countries with the biggest drop, reflecting the high degree of tension the remains within the country as well as with Russia (ranked 75).

FM Global also noted:

Venezuela’s position at the bottom reflects its exposure to the natural hazards of wind and earthquake, perceptions of its lack of control of corruption and poor infrastructure and its ill-perceived local supplier quality.

France (ranked 19) and the United Kingdom (ranked 20) retained their positions from last year, while Germany (ranked 4) rose by two places.

The United States is segmented into three regions to reflect disparate natural hazards exposure:

Region 1, encompassing much of the East Coast, is ranked 11 in the Index.

Region 2, primarily the Western United States, is ranked 21.

Region 3, which includes most of the central portion of the country, is ranked 7 in the Index.
FM Global-infographic

How Phishing Emails Can Threaten Your Company

Impostor emails, dubbed “business email compromise” by the FBI, are increasing and targeting companies of every size, in every part of the world. Unfortunately, victims often do not realize they have been had until it’s too late. There are no security tool alarms and there is no ransom note. But because systems appear to be running as normal, everything seems like business as usual. And that is the point, according to Proofpoint’s study, “The Imposter in the Machine.”
PP1

From New Zealand to Belgium, companies from every industry have suffered losses, the study found. Here is a small sampling of recent impostor attacks during the last year:

  • A Hong Kong subsidiary at Ubiquiti Networks Inc. discovered that it had made more than $45 million in payments over an extended period to attackers using impostor emails to pose as a supplier.
  • Crelan, a Belgian bank recently lost more than $70 million due to impostor emails, discovering the fraud only after the company conducted an internal audit.
  • In New Zealand, a higher education provider, TWoA, lost more than $100,000 when their CFO fell victim to an impostor email, believing the payment request came from the organization’s president.
  • Luminant Corp., an electric utility company in Dallas, Texas sent a little over $98,000 in response to an email request that they thought was coming from a company executive. Later it was learned that attackers sent an impostor email from a domain name with just two letters transposed.

PP2

Most often, company executives are targeted, with two common angles. In one case, the always-traveling executive is studied by attackers, who use every resource available to understand the target’s schedule, familiar language, peers and direct reports. Because the executive is frequently on the road, direct reports who routinely process payments can easily be victimized.

Another ploy involves suppliers and how they invoice. For example, the supplier’s language, forms and procedures are used to change bank account information for an upcoming payment. If the attackers are successful, a company may find that they have been making payments to them for months without knowing it.

PP3

For more about the risks of phishing, check out “The Devil in the Details” and “6 Tips to Reduce the Risk of Social Engineering Fraud” from Risk Management.

Financial Services IT Overconfident in Breach Detection Skills

Despite the doubling of data breaches in the banking, credit and financial sectors between 2014 and 2015, most IT professionals in financial services are overconfident in their abilities to detect and remediate data breaches. According to a new study by endpoint detection, security and compliance company Tripwire, 60% of these professionals either did not know or had only a general idea of how long it would take to isolate or remove an unauthorized device from the organization’s networks, but 87% said they could do so within minutes or hours.

When it comes to detecting suspicious and risky activity, confidence routinely exceeded capability. While 92% believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network, for example, 77% said they automatically discover 80% or less of the devices on their networks. Three out of 10 do not detect all attempts to gain unauthorized access to files or network-accessible file shares. When it comes to patching vulnerabilities, 40% said that less than 80% of patches are successfully fixed in a typical cycle.

The confidence but lack of comprehension may reflect that many of the protections in place are motivated by compliance more than security, Tripwire asserts.

“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”

Check out more of the study’s findings below:

financial services cyber risk management