Active Shooter Scenarios

Campus safety and security is a topic of increasing concern on both a personal and institutional level. On-campus shootings can no longer be viewed as singular, isolated events. The good news is that the chance of an active shooter incident taking place on campus is pretty small. However, because of the random nature of such events, all institutions need to be prepared. Planning for an active shooter threat has become an unfortunately necessary part of the framework of institutional safety and risk management best practices.

Active Shooter Defined

According to the U.S. Department of Homeland Security, an active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearm(s), and there is no pattern or method to their selection of victims. Active shooter situations are unpredictable and evolve quickly. Typically, the immediate deployment of law enforcement is required to stop the shooting and mitigate harm to victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on the scene, individuals must be prepared both mentally and physically to deal with an active shooter situation.

Colleges and universities understand the need for emergency response plans for many different types of disasters and typically already have processes and procedures in place to address multiple types of disasters. Planning for an active shooter threat can and should be integrated into an institution’s overall emergency and disaster preparedness plans. While many of the components are similar for most natural and man-made disasters, the inclusion of an active shooter plan generates an even greater immediacy for response. There are several considerations when it comes to the development and implementation of an emergency response plan to address any threat. These include the three Ps: Prevention, Preparedness and Post-Event Management and Recovery, each of which will be discussed in greater detail below.

  • PREVENTION

Engage in Threat Assessment

Probing how threats develop can mitigate, defuse or even eliminate a situation before it occurs. Active shooters do not develop in a vacuum. A joint study by the U.S. Department of Education, the Secret Service and the Federal Bureau of Investigation concluded that individual attackers do not simply “snap” before engaging in violence; rather, they often exhibit behaviors that signal an attack is going to occur. The study recommends the use of threat assessment teams to identify and respond to students and employees.

As part of the threat identification and assessment process, an institution may elect to conduct pre-employment background checks to identify past patterns of violent behavior. While the background check process may not be a perfect indicator of future behavior, it does provide a useful mechanism for vetting a prospective employee. If triggering behavior is found, the threat assessment team can be used to evaluate the information and determine whether further action or intervention is needed. 

Encourage Training and Education

An essential component of prevention is training the campus community on how to identify both trigger behaviors and events that may trigger a potential incident.

Supervisor and Faculty Training: Train faculty on how to recognize early warning signs of individuals in distress. Supervisors/faculty should be aware of major personal events in the lives of their employees, as many incidents of violence occur in close proximity to such events.

Student/Community Training: Educate the campus community on how to recognize warning signs of individuals in distress and provide a mechanism for sharing that information.

Develop and Communicate Reporting Procedures

All employees and students should know how and where to report violent acts or threats of violence. Information regarding the function of the threat assessment team or other similar programs should be provided to the entire campus community. The institution should also have an internal tracking system of all threats and incidents of violence.

Continuing Staff and Student Evaluations

When appropriate, obtain psychological evaluations for students or employees exhibiting seriously dysfunctional behaviors.

  • PREPAREDNESS

Leverage Community Relationships

There are many programs and resources in communities that can assist with the development of active shooter response plans.

Include local law enforcement agencies, SWAT teams and fire and emergency responders in early stages of the plan development to promote good relations and to help the agencies become more familiar with the campus environment and facilities. The police can explain what actions they typically take during incidents involving threats and active violence situations that can be included in the institution’s plan. Provide police with floor plans and the ability to access locked and secured areas.

Invite law enforcement agencies, SWAT teams and security experts to educate employees on how to recognize and respond to violence on campus. Such experts can provide crime prevention information, conduct building security inspections and teach individuals how to react and avoid becoming a victim.

Review Resources and Security

Periodic review of security policies and procedures will help minimize the institution’s vulnerability to violence and other forms of crime.

  • Routinely inspect and test appropriate physical security measures such as electronic access control systems, silent alarms and closed-circuit cameras in a manner consistent with applicable state and federal laws.
  • Conduct risk assessments to determine mitigation strategies at points of entry.
  • Develop, maintain and review systems for automatic lockdown. Conduct lockdown training routinely.
  • Place active shooter trauma kits in various locations on the campus. Train employees on how to control hemorrhaging, including the use of tourniquets.
  • Provide panic or silent alarms in high-risk areas such as main reception locations and the human resources department.
  • Implement an emergency reverse 911 system to alert individuals both on and off campus. Periodically test the system to serve as training and verification that the equipment is functioning properly.
  • Equip all doors so that they lock from the inside.
  • Install a telephone or other type of emergency call system in every room.
  • Install an external communication system to alert individuals outside the facility.

Develop and Communicate Lockdown Procedures

Lockdown is a procedure used when there is an immediate threat to the building occupants. Institutions should have at least two levels of lockdown – sometimes called “hard lockdown” and “soft lockdown.”

Hard Lockdown: This is the usual response when there is an intruder inside the building or if there is another serious, immediate threat. In the event of a hard lockdown, students, faculty and staff are instructed to secure themselves in the room they are in and not to leave until the situation has been curtailed. This allows emergency responders to secure the students and staff in place, address the immediate threat and remove any innocent bystanders to an area of safety.

Soft Lockdown: This is used when there is a threat outside the building but there is no immediate threat to individuals inside the building. During a soft lockdown, the building perimeter is secured and staff members are stationed at the doors to be sure no one goes in or out of the facility. Depending on the situation, activities may take place as usual. A soft lockdown might be appropriate if the police are looking for a felon in the area or if there is a toxic spill or other threat where individuals are safer and better managed inside.

Evacuation Procedures Communication/Training

Evacuation of the facility can follow the same routes used for fire evacuation if the incident is confined to a specific location. Otherwise, other exits may need to be considered. Designate a floor or location monitor to assist with the evacuation and inventory of evacuees for accountability to authorities. Establish a meeting point away from the facility.

Develop a Communication System

Perhaps the most crucial component of an active shooter response plan is the network of communication systems. Immediate activation of systems is critical to saving lives because many mass shootings are over and bystanders are injured or dead before police can respond.

Create a Crisis Response Box

A crisis response box has one primary purpose: provide immediate information to designated campus staff for effective management of a major critical incident.

If a crisis is in progress, this is not the time to collect information. It is the time to act upon information.

Knowing what information to collect, how to organize it and how to use it during a crisis can mean faster response time.

Create an Incident Command Center Plan

The National Incident Management System (NIMS) is a nationally recognized emergency operations plan that is adapted for large critical incidents where multi-agency response is required. NIMS facilitates priority-setting, interagency cooperation and the efficient flow of resources and information.

The location of an incident command center should be in a secure area within sight and sound of potential incidents with staging areas located nearby.

  • POST-EVENT MANAGEMENT AND RECOVERY

To ensure a smooth transition from response to recovery, plans that went into effect during the event should be de-escalated and integrated into the plan for moving forward. This will include aspects such as:

  • Media and information management
  • Impact assessment
  • Facility and environmental rebuilding
  • Restoring student, staff and community confidence

Conclusion

Though an active shooter situation is unlikely to occur at most colleges and universities, it is still essential to be prepared. Failure to do so can cause the loss of lives, severe financial repercussions and reputational damage that could take years to reverse.

Additional resources for university risk managers and administrators are available in the complete Encampus Active Shooter Resource Guide, which is available for download here.

Fraud: the Cost You Will Never See

Do you know one of the large drivers of your insurance costs may be something you will never see listed as a line item by your agent or insurer? This is not a hidden fee the industry masks. It is not one you could ever find or have disclosed. It is the cost we all share for insurance fraud, which is the second largest financial crime in America (behind tax evasion).

In Iowa, the crime of insurance fraud happens when a person or business provides false information to an insurance company in a claim for benefits or in an application for insurance, with the intent to defraud the insurance company. Federal laws also contain provisions related to insurance fraud.

Before being appointed insurance commissioner, I do not recall thinking about insurance fraud much. Because of my experience in the insurance industry, I certainly knew that there was insurance fraud.  I recall stories I heard second- and third-hand of people who filed claims on boats that became ruined and then were insured after the fact, or of healthcare providers that billed health plans for procedures that never occurred. But I admittedly did not think about insurance fraud much.

People often think of these types of acts as victimless crimes, because no one is hurt except big insurance companies. However, we are all victims of these acts because fraud affects how much we pay for our insurance.

Insurance regulators see all types of fraud and know the cost is great. According to the Coalition Against Insurance Fraud, nearly $80 billion in fraudulent claims are made annually in the U.S. This figure encompasses all lines of insurance. The Federal Bureau of Investigation estimates that fraud costs each insurance consumer in the U.S. between $400 and $700 annually in increased premiums. These are calculable costs, which probably are far less than the total cost we all pay as insurance consumers, because a lot of fraud is not reported.

In Iowa, we would like to think that there is no insurance fraud. However, the statistics demonstrate a much different picture. On average, the Iowa Insurance Division receives 1.97 referrals each day of potential insurance fraud. From Jan. 1 to Sept. 17, 2015, my team processed 532 referrals with a reported financial impact of $3.7 million. However, only about one quarter of the 532 referrals reported what the financial impact was. Therefore, the $3.7 million is far less than the total financial impact.

Fraud prevention and elimination is a major effort for insurance regulators and insurance companies. It is an area where regulators and companies collaborate. In 42 states and the District of Columbia, fraud bureaus receive and review potentially fraudulent insurance claims. States have robust laws in place to protect consumers and the insurance marketplace from insurance fraud. Companies are required by state statutes to report insurance fraud.

Although these reporting requirements and laws help protect our markets and mitigate the cost of insurance fraud, it is far from eliminated. The need to mitigate or eliminate fraud presents huge opportunities for insurance companies and entrepreneurs to develop innovative tools to combat insurance fraud.

As we all now recognize, insurance companies are big data companies. They possess vast data on their policyholders. This puts insurance carriers in an evolving position to better help deter and eliminate fraud. With advancing data analytics, predictive modeling and simply more data, catching and possibly preventing fraud should become easier.

State insurance departments operate within tight budget constraints. In Iowa, we see innovation and technological developments as very helpful in aggregating data and identifying trends and issues. We are looking to these developments to help us increase efficiency in our investigations so we can combat insurance fraud and protect our consumers.

However, I have no false hope that all fraud will be eliminated. I have every belief that those who want to continue to do damage by committing insurance fraud will also be innovative and adapt to change. In other words, while technology and innovation will help find fraud, the scammers will soon figure out how to get around the new detection methods, too.

Fraud is a fact in every industry, and insurance is no different. However, I believe in the insurance industry there is more opportunity and incentive to commit fraud because of the value of the items insured and the amount of money in play. In addition, because insurance fraud is seen as a victimless crime, it may even be viewed as justifiable. Insurance regulators and companies are improving the capabilities to combat fraud using more technological tools. Credit card companies made tremendous strides in cutting down fraud, and insurance is working toward that goal, too. Innovators and companies that figure out how to succeed in this area will have lower prices and increased market share, and in the end that rewards consumers.

Why Traditional Crime Measurements Don’t Tell the Whole Story

All over the nation, the question is being asked, “Why is the overall crime rate in the US on the decline?”

We have the answer:  “It’s not.”

In 1930, the FBI was given the task of collecting and publishing crime-rate statistics from across the country, and the UCR (Uniform Crime Reporting) Program was born. This program collects data from across the country, and it is published in several reports, including the often quoted Crime in the United States report. The report separates offenses into two categories: violent crime and property crime. 

These two categories appear to provide an adequate sample of the types of crimes that should be captured to measure the overall crime rate, but the four “property crime” categories fall short. There is a simple reason: They have not changed since the 1920s.*

For instance, the category of larceny-theft does not include embezzlement, confidence games, forgery, check fraud, etc. Identity theft, which is growing astronomically, is also not included.

According to the two entities within the federal government that measure and report identity theft rates — the Federal Trade Commission’s (FTC) Consumer Sentinel Report and the Bureau of Justice Statistics — identity theft crime rates continue to increase. Identity theft has been ranked as the #1 complaint reported to the FTC for the past 13 years. Of the 2,061,495 complaints captured from a variety of organizations that share data with the FTC, 369,132 were regarding identity theft.

The Bureau of Justice Statistics uses the National Crime Victimization Survey (NCVS) to capture and report its statistics on identity theft.  The last report available captures information from 2005-2010. According to this latest report, approximately 8.6 million households experienced financial identity theft.

The latest statistics available (2012) are from Javelin Strategy & Research Inc., an independent organization not affiliated with the federal government.  Their study concluded that there have been 12.6 million incidents of identity fraud.

Identity theft is increasing faster than property theft crimes are declining, but the public isn’t paying enough attention. The reasons for apathy include the misconception that one can’t be a victim without a stellar credit rating (i.e., my identity isn’t worth stealing) and the conspiracy theorist notion that this is all just a scare tactic promoted by industry to entice consumers into buying services that are unnecessary. Both are misguided.

A change in public perception is required. It has been engrained into us that we must take personal responsibility for safeguarding our possessions and our physical wellbeing, so why not our identity?

Most people realize that they cannot guarantee they will never be burglarized.  So they employ tactics to make it harder to break into their home.  When leaving for vacation, they secure doors and windows and activate alarms.  Often, mail is held at the post office and friends are asked to check in on the place.

People must likewise actively guard their identity components (such as passwords and devices).  Taking regular steps to safeguard your identity must become engrained in all of us.  It’s absolutely true that you can do everything right and still become a victim of identity theft – but why not make the thieves work hard?

Ask anyone if they would think twice about wandering into a dark alley, alone, at night, in a dicey neighborhood, and they would say, “Absolutely!” But consumers think nothing of going to strange websites and entering credit card (or even more personal) information without checking the legitimacy of the site, especially when they can get a screaming deal on that flat-screen TV or tablet.

It is widely recognized that fraud and financial crimes don’t scare or shock people in the same way that violent crimes do.  Unless they rise to the level of Bernie Madoff or Enron, the crimes rarely make headlines.

Additionally, financial crimes are often cited as much harder to accurately measure because of underreporting and lack of consistent reporting methods.**  Some individuals do not believe that financial crime victims suffer true harm, especially if they are eventually made financially whole, as can happen with some identity-theft victims.  There is a misconception that once an individual has false charges removed from a credit account, or false accounts removed from a credit report, or a false tax return remedied by the IRS, that they are no longer the victim.  The victim label is assigned to the entity that takes the financial hit, such as the credit card issuer/financial institution and the IRS. Regardless, a crime has still been committed. Even if the crimes are difficult to measure and don’t shock, they certainly should be included in our evaluation of crime rates.

The infiltration of technology into our daily lives has not only changed the way we live, it has changed the way crimes are being committed. Much like water, criminal elements will take the path of least resistance.  When law enforcement and society become adept at suppressing scofflaws by making a particular crime more difficult to commit, such as through anti-theft devices on cars, criminals move on to other crimes.

Non-violent crime rates haven’t decreased; they have just changed. Whereas the criminal of twenty years ago was armed with a knife or a gun, today’s criminal is armed with a keyboard or skimming device. The weapon(s) of choice has changed from tools of violence to tools of technology. Criminals aren’t committing fewer criminal acts, just different ones. We don’t have fewer criminals, only smarter ones.

* Upon inquiry, the FBI responded with the historical information to explain how the eight offense classifications known as Part I crimes were chosen as indicators of the overall crime rate in the country. The first seven offenses were originally chosen in 1929. Arson, the 8th offense, was added in 1979. The 7 original offenses chosen to illustrate the overall crime rate and used in the annual publication Crime in the United States were not altered at that time. In fact, they have remained mostly unchanged since the 1920s.

** The FBI has a Financial Crimes Report that is listed under its “Other Reports and Publications” section. Other offense data for fraud and fraud type offenses is captured in the FBI’s NIBRS (National Incident-Based Reporting System); however, identity theft is not one of the incident types captured.

The Financial Crimes Report(s) differ in format from the violent crime/property crime format in the UCR and are more difficult to decipher. The data contained in these reports is for cases investigated by the FBI. It does not include financial crimes cases for local jurisdictions throughout the United States as the UCR does. The most recent report shows five-year trends in various categories. The categories of corporate fraud, securities and commodities fraud, health care fraud, and mortgage fraud (reported cases) all show increasing numbers. Financial institution fraud, insurance fraud, and money laundering case statistics show a decrease in numbers, and mass marketing fraud has stayed relatively flat.

The NIBRS report for 2011 indicates there is data on the following fraud type offenses: Bribery – 293; Counterfeiting/Forgery – 74,131; Embezzlement – 17,000; Extortion – 1217, and Fraud Offenses – 245,301. This is a total of over 330,000 known incidents that could be counted in the overall crime rate in the UCR. Though small in comparison to the other property crime numbers, it is not a statistically irrelevant number. Identity theft statistics are not captured on this report. Identity theft statistics are published by another department within the USDOJ (of which the FBI is a part), the Bureau of Justice Statistics.

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% compared to the cost in 2005 ($138), when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks don't simply target large companies. According to Symantec's 2010 SMB Protection report, small businesses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willie Sutton once infamously remarked that he robs banks because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willie Sutton were alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and have resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

In these attacks, otherwise known as distributed denial of service attacks, US banks were hit repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran, in what would truly be considered a Cyber War attack against this country's infrastructure.

The institutions hit included PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial institutions only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012, the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster was preparing to rob American banks and their customers of millions of dollars. According to the computer security firm McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” had already infected hundreds of computers of unwitting American customers in preparation to steal their bank account data.

Of course, not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may have been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its beginning in 2000. Starting with what was the brainchild of AIG and Lloyd's of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps it is for this reason that cyber premium rates are flat to down 5%, according to industry reports, in a market where property-casualty rates are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated, “we think this market has nowhere to go but up,” although they quickly qualified, “as long as carriers can still write at a profit.”