Tag Archives: AON

Cyber and Physical Threats Are Colliding

Overview

A quarter of a century after the Worldwide Web began to transform the Internet into the indispensable tool we all rely on today, we’re entering a new digital revolution. Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, according to the 2015 Ponemon Global Cyber Impact Report sponsored by Aon. Business is expected to make up a far larger percentage of Internet of Things (IoT) usage than the consumer — IoT is more about smart factories and computer-controlled office systems than shiny gadgets like smart watches and fitness trackers.

The risks are becoming physical. Some of these new devices could cause serious real-world damage. We’ve already seen manufacturing plants seriously damaged by cyber attacks and electricity grids and automobiles shut down by hackers. It’s only a matter of time before such threats become more common and more physically dangerous to both people and property.

With the rise of new technology comes fresh opportunity for business — but also new risk. In the workplace, every new connected device represents a new link in the IT chain. With the age of the Internet of Things upon us, what are the new risks and what do business leaders need to know to be prepared?

Projected growth of Internet-connected devices, 2013-2020

Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon

In-Depth

New Technology, Big Opportunities 

The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint, once-siloed data sets can be integrated, correlated and cross-referenced, making it easier to identify new efficiencies and deliver new value.

The benefits are immense – but so, potentially, are the risks.

“As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?”

Digital Threats Turn Physical

An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that.

“If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.”

You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers.

The scenarios that could result can sound like something out of a science fiction film:

  • Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
  • Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
  • Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
  • Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
  • Factory robots could be set to destroy rather than create your products.
  • HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
  • Fire alarm systems could be turned off just as real-world arsonists attack.

These may sound far-fetched, but they are already a reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network.

“It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.”

Understanding the level of risk

“There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’”

Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum.

“We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.”

Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:

  1. Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.
  2. Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.
  3. Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that a firm can work with it to mitigate loss in the event of a breach.

With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.

Are You Prepared for Cyber Attacks?

It’s no secret that cyber attacks have the potential to cause massive business disruption – affecting both financial performance and corporate reputations. But when it comes to C-suite preparedness for cyber attacks, organizational silos are preventing businesses from taking a comprehensive approach. Cybersecurity is a threat that affects the entire C-suite, and managing this emerging risk requires an integrated mindset.

Many senior executives lack full knowledge about how cyber attacks could affect their organization and how to make cybersecurity a C-suite priority. Moreover, across organizations different leaders are addressing different parts of the cybersecurity challenge: where the chief information officer (CIO) and chief information security officer (CISO) are focused on physical and virtual data security, the CFO is concerned about ensuring financial stability in case of an attack. The chief legal officer may be concerned with the potential litigation effect, while the chief marketing officer (CMO) is responsible for mitigating bad PR and preserving the brand. In sophisticated organizations, the chief human resources officer (CHRO) is developing cyber training and awareness programs for employees to address threats that can originate within the company. Cybersecurity is clearly a distributed problem that requires integration across the entire C-suite.

Aon’s latest findings reveal that more than half of companies do not plan to buy cyber insurance even though there is an increased threat of attack. This disconnect exists primarily at the board level — the C-suite knows cybersecurity is an issue, but struggles to define its effect on financial performance. As cyber attacks become more prevalent, organizations will need to take an integrated approach toward preparedness.

How to Use Risk Maturity Models

Over the last 10 years of the “risk leader” portion of my career, as the head of enterprise risk management at USAA (2001-10), as well as during my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, ultimate success. All fell under the header of “risk management maturity,” and focusing on it can provide huge benefits to you and to your organization.

To start, we need to get two things straight. First, how are you defining “risk,” and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall?

These questions may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face — often, only the insurable risks. If that’s the case, you have your answer to both questions nailed.

If, on the other hand, you are a risk leader with broader accountability for more or all risks (via enterprise risk management, or ERM) that could affect an organization (both negatively and positively), then the first question — “how does your firm define risk?” — requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood). To many, even more important is the level of impact or severity. My favorite chart to help illustrate this concept is one where the “tail” of the loss distribution represents where the proverbial “black swans” live.

A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is the impact or severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at the expected level, or to the left along the x-axis where certainty of loss rises, the challenge is deciding where in the region of the curve to the right one should be managing. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Key questions that must be answered include:

  • Do we care more about likelihood or impact, or are they equal?
  • What level of investigation do we apply to risks that are remotely likely?
  • How do we apply limited resources to risks that are remotely likely?
  • Do we have a consensus among key stakeholders as to what risks we should focus on and how?
  • Do we have, or need, a process to manage emerging risks?
  • Do we have a consensus on and clear understanding of how we define risk in our organization?

These issues are the starting point to the risk management maturity question, which, if handled well, facilitates organizational success. From these answers, you can chart your course for your firm. The answers will define the process elements of maturity. But we need to define what risk maturity is to track progress toward it and to ensure that stakeholders are aligned around the chosen components.

The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity:

  • Risk is managed to specifically defined appetite and tolerances
  • There is management support for the defined risk culture and direct ties to the corporate culture
  • A disciplined risk process is aligned with other functional areas
  • There is a process for uncovering the unknown or poorly understood risks
  • Risk is effectively analyzed and measured both quantitatively and qualitatively
  • There is collaboration on a resilient and sustainable enterprise

The first, and I think most thoroughly developed, model comes from the Risk and Insurance Management Society (RIMS). It was developed some 10 years ago but remains, in my opinion, a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well implemented, should drive an effective approach to managing any risk within your purview.

The components of the RIMS model include a focus on:

  • The degree to which an enterprise-wide approach is supported by executive management and is aligned with other relevant functions
  • The degree to which repeatable and scalable process is integrated in the business and culture
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy
  • The degree of discipline applied to using the elements of good root-cause analysis
  • The degree to which a robust emerging risk process is used to uncover uncertainties to achieving goals
  • The degree to which the vision and strategy are executed considering risk and risk management
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process

As with all risk management strategies (no two of which that I’ve seen are exactly the same), there is no one way to accomplish maturity. Every risk leader needs to do for her organization what the organization needs and will support.

Another maturity model that is worthy of note is the Aon model. Like RIMS’ model, it enables multiple levels of maturity and methodology for charting progress toward an ideal state. Characteristics of the Aon model include:

  • Ensuring the board understands and is committed to the risk strategy
  • Establishing effective risk communications
  • Emphasizing the ties among culture, engagement and accountability
  • Having stakeholder participation in risk management activities
  • Using risk information for decision making
  • Demonstrating value

This is not to say that the RIMS model ignores these issues. There is simply a different emphasis.

Also noteworthy is Protiviti’s perspective on the board of directors’ accountability for risk oversight. A few highlights include:

  • An emphasis on the risks that matter most
  • Alignment between policies and processes
  • Effective education and use of people and their place in the organization
  • Assumptions that are supportable and understood
  • The board’s knowledge of the right questions to ask
  • Focus on understanding the relationship to capability maturity frameworks

Certainly, the good governance of organizations is critical, and the board’s role is paramount. If the board is engaged and accountable for ensuring that its risk oversight is effective, the strategy is likely to be executed successfully and, by inference, risk will have been effectively managed, as well.

To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:

  • There is no one right approach; each organization must chart its own course aligned with its culture and priorities
  • Risk must be treated as an integral aspect of strategy
  • There must be a focus on additive value, as with all corporate processes
  • Risk maturity has produced documented valuation premium for studied users

With the effective use of risk maturity models, you should be able to chart your risk evolution journey better and see how a good maturity strategy, tied to corporate strategy and priorities, is the ultimate nexus for success. Risk and risk management should drive performance results and define what remains to be done to achieve longer-term aspirations. This approach to managing your risk strategy should allow you to:

  • Translate the component of risk maturity into a successful ERM journey
  • Refer to ERM results and impacts achieved by others to buttress your efforts
  • Understand key tactics to exploit and pitfalls to avoid as you perfect your risk management strategy.

Using a risk maturity model will, if nothing else, provide the guard-rails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.

How Safe Is Your Data — Really?

The number and the potential severity of cyber breaches are increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before — and a total expected to reach 50 billion by 2020 — there are more potential targets for attackers, and there is more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe?

It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your own, your customers’ and your clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. … This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally.

The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers’ data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S.

Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. … Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren’t the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

The Mystery of the Millennial Buyer

For several years, I’ve heard clamor from the agency world about how Millennials’ demands are so different from previous insurance buyers. Well, as a Millennial insurance buyer, I’m here to say… we still have some work to do. We still have a lot of work to do.

According to Accenture Outlook: Who are the Millennial shoppers? And what do they really want?, Millennials are exceptionally loyal … if they feel they’ve been treated right. And, we all know it’s cheaper to keep a customer than it is to get a new one.

“Right” is an incredibly subjective term and can certainly get lost in translation in the insurance world. “Right,” in the insurance world, typically means paying exactly what is fair for losses. No more, no less. That’s understandable, and, as someone in the insurance world, I understand the sentiment.

But I’d like to help you to understand how I define “right” as a Millennial insurance buyer.

Educate, don’t sell

The days of the uninformed insurance buyer are long gone. The added value of the agent is around education. Take a step back and help the Millennial customer understand the fundamentals of risk management and see that insurance is one of many tools used to manage risk. Millennials will identify the value that you bring to the purchasing transaction and remain loyal customers rather than commodity-buyers.

Empower them to make good financial choices

You empower Millennials to make smart financial decisions through education. This also means explaining the upsides and downsides of different policy options. For example, explaining how deductibles and premiums correlate, rather than trying to get them to take the lowest deductible. Millennials expect that, when they come to you asking for help in the realm of personal finance, you’ll be looking out for their best financial interests, rather than your commission check. As soon as a Millennial believes you’re NOT looking out for her best interest and are more interested in the sale, you have just made yourself the commodity.

No more fancy terminology

We have an epidemic of insurance buyers who have no clue what they’re buying. “Limit,” “peril,” “liability,” “occurrence” – these are not words the Average Joe and Average Jane have any practical reason to know, outside of purchasing insurance. Millennials won’t settle for someone who isn’t able (or willing) to give the layman’s definition of these terms. This requires you to have a real command of the fundamentals of risk and insurance, rather than a command of policy forms and exclusions.

Embrace technology to increase service

Sure you have a Facebook and a Twitter, maybe you even post regularly, but that’s not what will retain Millennials. Make yourself and your agency available to them on their terms: phone, email, text or social media. Encourage them to take pictures and videos of all their belongings if they don’t want to make an inventory list. Send periodic, non-marketing text messages to encourage safety. (Example: “With the coming cold weather, be sure you clean off your furnace and think about getting it inspected. Build-up can reduce efficiency, which costs you more money and might even cause a fire.”) These are the types of things that will differentiate you and your team from every other agent out there.

As an aside: If you want to serve Millennials, you must make online payments easy. Most Millennials don’t own stamps and are using the same checkbook they got when they were 16 and opened their first checking account.

Humanize them at claim time

Millennials want to be treated like the humans they are when claims hit, which, in all reality, isn’t asking much. Instead of aiming for that minimum threshold, exceed expectations by doing the following when you are notified of their claim: 1) Make sure they’re okay, 2) Check in and see how they’re doing and if they’re worried about anything (lawsuits, another loss, further injury, claim not getting paid, etc.), 3) Make sure you’re communicating with them, in addition to the adjuster, 4) Explain to them how this might affect future premiums. Claims are your time to shine, and, if treated well, Millennials can be some of the most loyal customers you’ll have.

In closing …

Insurance is a paper and a promise

Without anything more tangible than that, it’s not too much to ask to be treated well, as a smart and autonomous human being. If you can show that to your Millennial customers and follow it up at claims time, you’ll crack the nut that is the Millennial insurance-buyer.

The views expressed by the author are the author’s alone and do not necessarily represent the views of Aon or its affiliates. The standard information provided in this blog is for general purposes only and should not be construed as, or used as a substitute for, financial or other professional advice.