It’s a Great Time to Be a Risk Manager

2017 has so far been a wild ride of change. Companies are navigating through a new U.S. administration, Brexit and cyber risks that are more daunting each day. We are bombarded with uncertainty and uncharted waters. Nevertheless, it’s a great time to be a risk manager.

This kind of disruption is the reason many of us got into the risk and insurance industry. Addressing disruption is what we do best. According to a recent CNN report, in fact, Risk Management Director is the number-two Best Job in America for 2017. Recognizing the meaningful contributions and rewarding work of a risk manager, the report highlighted the role in “identifying, preventing, and planning for all the risks a company might face, from cybersecurity breaches to a stock market collapse.”

In the midst of a riskier environment, the insurance industry that serves risk managers faces highly competitive market conditions. The result is more choices and better services for the risk management community. Now is the time for the risk manager to take the lead.

As thousands of risk professionals soon head to the RIMS Annual Conference in Philadelphia, it’s a good time to consider the opportunities in this growing profession.

Why the time is right for risk managers:

  1. 2017 brings a new risk profile. Every company, regardless of industry or size, needs to evaluate the new risks from the shift to nationalist policies in the U.S. and abroad. Our new administration’s efforts to increase America’s manufacturing raise a host of new insurance needs—more U.S. production means more U.S. liability. We are also seeing a shift in global supply chains and an increase in the political risks of operating outside our borders. These changes require board-level and C-suite attention. We expect to see risk managers play a more significant role with management in building risk mitigation into their company’s strategic direction.
  2. Rise in specialists. This is your time to be selective about specialists that understand your business and the specific challenges you face. Insurers are differentiating through specialization. Work with an underwriter that knows the risks, regulations, complexities and nuances of your industry. Many industries, such as construction and health care, will experience rapid change this year. Find partners that have been in the same trenches and can help you navigate changes.
  3. Tailored products and solutions. The highly competitive insurance market is also driving product innovation for clients with more tailored solutions. Take the time to learn about less-understood products, such as accounts receivable insurance, which protects companies from non-payment risks and gives them the ability to borrow, receive loans, and as a result, improve their credit quality. In Europe, 70% of companies purchase this coverage, compared to only 8% of U.S. companies. Understand the risks across your supply chain and work with your broker to customize insurance programs and bring innovative solutions.
  4. At the center of technology and innovation. The insurance industry is on the front lines of cutting-edge technologies: internet of things (IoT), robots and drones. These advances will only grow and thrive with the right risk and insurance programs. For example, the technology surrounding drones or unmanned aerial systems is rapidly evolving. The ability to collect and analyze aerial data has improved efficiencies, enhanced safety and lowered costs within the construction, agriculture, telecommunications, oil & gas and real estate industries. As usage grows, risk managers will be central to the successful operation of drones by understanding and managing the risks and compliance needs.
  5. Ability to leverage the best in data analytics. Risk managers have the data, tools and skills to anticipate the risks from this tumultuous environment. The insurance industry views these challenges through a different lens, drawing on past catastrophes and predictive analytics to plan for the challenges ahead. Risk professionals who know how to leverage this information can bring a sense of preparedness and control at a time of heightened uncertainty. There is also a role for risk managers to advise senior management on the use of data. But because models are continually amended and updated after losses occur, it is important to avoid an over-dependence on data and a false sense of security.
  6. Opportunity to participate in growing your business. Risk managers do not just protect a business, they grow a business. Companies are reevaluating strategies based on new policies. Will they build manufacturing plants? Will they buy a strategic target? Risk professionals have an important role in mergers and acquisitions deals, as insurance can be used to help quantify contingent liabilities and allow for accurate pricing models. The most common is representations and warranties insurance, which can help strengthen and facilitate a transaction.
  7. Better risk management services. Insurers realize it is not enough to write a check for a claim. Take advantage of risk mitigation services that are built into your insurance policies. They include education, training, tabletop exercises and risk assessments.
  8. A thriving profession. With more and more universities offering undergraduate risk management majors, we will see a dedicated, high-caliber talent pool focused on careers in risk and insurance. The Spencer Foundation, for example, has completed an eight-month competition between students of 29 universities from around the country, analyzing, developing and presenting the most comprehensive risk management solutions for a case study. The top eight teams will be in Philadelphia to present at RIMS.

The risk and insurance industry is made up of some of the most agile and level-headed professionals. Risk managers have always moved with the changing environment and crisis situations, developing programs to address their entity’s risk profile. Hopefully, we will see more companies include risk management in their strategic planning and leverage the experience and skills of their risk managers.

Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago, and 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access, and 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third parties have access to sensitive systems in the course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third parties. While appropriate for the intended end-user—remote and/or traveling employees—issues arise when the same VPN is extended to external groups, because a VPN connection typically places the remote machine on the internal network rather than in front of a single application. If a system connected via VPN is compromised and used as a foothold for leap-frogging into the broader network, attackers can persist for days or months and move stealthily about the network. Companies have also seen malicious (or well-intentioned) insiders abuse their access to steal or leak sensitive information, which open-ended VPN connectivity makes fairly trivial.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.

Another secure access best practice is to employ a password/credential vaulting solution. This mitigates the risk of credentials being shared among privileged users, which are a frequent target of threat actors. It also reduces the risk of what system administrators often call “the sticky-note nightmare,” where a sensitive credential is written on a sticky note and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small but effective step toward protecting the network is to require every privileged user to check the credentials needed for elevated work out of a password vault. This removes most of the challenges associated with sharing credentials: once a credential is checked back in, it can be immediately rotated, so the value known to the employee, or to a bad actor who may have captured it, no longer works. Requiring multi-factor authentication to access the password vault and other sensitive systems takes it a step further.
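The check-out/check-in cycle and the session audit trail described above, as an added example in Python. This is illustration code written for this article, not Bomgar’s product or any real vault API; the TargetSystem stand-in, the “svc-backup” account, its weak embedded password and the audit record format are all constructed for the example. It shows why rotation on check-in matters: a credential captured during a vendor session authenticates while the session is open and fails once the credential is returned.

```python
"""Minimal credential vault: MFA-gated check-out, rotation on check-in, audit log.

Added illustration for this article; not Bomgar's product or a real vault API.
TargetSystem, the account name, the seed password and the audit format are
assumptions made for the example.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class VaultError(Exception):
    pass


class TargetSystem:
    """Stand-in for a server that authenticates one privileged account."""

    def __init__(self, account: str, password: str) -> None:
        self.account = account
        self._password = password

    def set_password(self, new_password: str) -> None:
        self._password = new_password

    def authenticate(self, account: str, password: str) -> bool:
        # constant-time compare so the stand-in does not leak by timing
        return account == self.account and secrets.compare_digest(password, self._password)


@dataclass
class VaultEntry:
    target: TargetSystem
    secret: str
    checked_out_by: Optional[str] = None


@dataclass
class Vault:
    entries: Dict[str, VaultEntry] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)  # who did what to which account, when

    def enroll(self, target: TargetSystem) -> None:
        """Take ownership of an embedded account: replace its standing password."""
        entry = VaultEntry(target, secrets.token_urlsafe(24))
        target.set_password(entry.secret)
        self.entries[target.account] = entry
        self._log("enroll", target.account, "vault")

    def checkout(self, account: str, user: str, mfa_verified: bool) -> str:
        """Hand the current secret to one user, only after MFA, one holder at a time."""
        if not mfa_verified:
            self._log("checkout_denied_mfa", account, user)
            raise VaultError("MFA required to check out a privileged credential")
        entry = self.entries[account]
        if entry.checked_out_by is not None:
            raise VaultError(f"{account} already checked out by {entry.checked_out_by}")
        entry.checked_out_by = user
        self._log("checkout", account, user)
        return entry.secret

    def checkin(self, account: str, user: str) -> None:
        """Return the credential and rotate it on the target immediately."""
        entry = self.entries[account]
        if entry.checked_out_by != user:
            raise VaultError(f"{account} is not checked out by {user}")
        # Rotate on return: any copy still held by the user, or by someone who
        # captured it from the session or a sticky note, is useless from here on.
        entry.secret = secrets.token_urlsafe(24)
        entry.target.set_password(entry.secret)
        entry.checked_out_by = None
        self._log("checkin_rotated", account, user)

    def _log(self, event: str, account: str, user: str) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "account": account, "user": user,
        })


def demo() -> dict:
    """Walk one vendor session through the vault and report what a captured
    credential can still do at each stage."""
    host = TargetSystem("svc-backup", "Summer2016!")  # constructed weak embedded password
    vault = Vault()
    vault.enroll(host)
    legacy_still_works = host.authenticate("svc-backup", "Summer2016!")

    try:  # a check-out without MFA is refused and recorded
        vault.checkout("svc-backup", "vendor-alice", mfa_verified=False)
    except VaultError:
        pass

    captured = vault.checkout("svc-backup", "vendor-alice", mfa_verified=True)
    works_during_session = host.authenticate("svc-backup", captured)
    vault.checkin("svc-backup", "vendor-alice")
    works_after_checkin = host.authenticate("svc-backup", captured)

    return {
        "legacy_password_after_enroll": legacy_still_works,
        "captured_works_during_session": works_during_session,
        "captured_works_after_checkin": works_after_checkin,
        "events": [e["event"] for e in vault.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit list is the vault-side counterpart of the session logs discussed above: every check-out is attributable to a named user and a timestamp, so a suspicious login on the target can be matched to whoever held the credential at that moment.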

In today’s heightened environment, following these steps should be essential security best practice for any company allowing vendors or other third parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies understand the true nature of the risk hackers can pose, even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” attacks against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appear to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.

Aon Introduces Single-Parent Captive Cyber Insurance Program

With cyberattacks listed among their top risks, organizations are looking for ways to mitigate their risk in a market where cyber insurance rates are quickly rising. According to the Center for Strategic and International Studies, the annual cost of cyber crime and economic espionage to the world economy runs as high as $445 billion, or about 1% of global income.

This does not include intangible damage to an organization, however. Companies are purchasing more insurance to cover the risk. In 2014, the report said, the insurance industry took in $2.5 billion in premiums on policies to protect companies from losses resulting from hacks.

As a result, captive insurers are being used more and more for coverage.

Aon said it is addressing shortcomings in traditional cyber coverage with a cyber captive program with capacity of up to $400 million. Companies looking to form a captive would undergo a review to quantify their cyber exposures.

According to Peter Mullen, CEO of Aon Captive and Insurance Management, the program is designed to help clients understand their risk profile. “Once this is understood, they are in a better position to make decisions about how much risk to retain in their captive and how much risk to transfer to the program,” Mullen said. “The program allows captives to purchase coverage up to $400 million on a reinsurance or excess insurance basis.”

The cyber captive program will be domiciled in Bermuda and is available to single-parent captives. The basis for coverage will be “a very broad form which includes coverage for property damage and business interruption following a cyber event,” he added.

“Building a large tower of limits can be hampered by differing policy terms and conditions and dislocation of rates at different layers in a program,” Mullen said. “Additionally, many organizations facing cyber risks that can result in physical impacts, such as property damage and business interruption, agree that a more comprehensive approach to cyber risk is needed.”