
The Costs of Inaction on Encryption

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance.

Cybersecurity is established by various hardware and software components, but none of the components are more essential than strong encryption. It is such encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend to weaken encryption, which was exemplified in the legal disagreement earlier this year between Apple and the U.S. government. While there are definite aspects of the dispute that fall outside of the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt well into the 22nd century, and, perhaps, at least in the business arena, the outcome will be borne most keenly by cyber liability and technology E&O insurers.

With global attempts to reduce the effectiveness of encryption, no insurer can claim it lacks a part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is not a supporter of privacy, and it has even hacked Google’s Gmail service and the Dalai Lama’s email account to gain access to information it has deemed disruptive. It also has been stepping up its “investigations” into products produced by U.S.-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate regarding whether encryption should be allowed was re-ignited in Europe and the U.K. Recently, the French, Hungarian and British governments have made various attempts at weakening or removing encryption. Therefore, with this global challenge facing insurers, they are required to be completely aware of what is at risk for them, and they must help pave a path forward that endeavors to balance profitability of products (like cyber liability and technology E&O) with the protection those products should afford any insured.

See also: Best Practices in Cyber Security

Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. There are thousands of businesses around the world that rely on the iPhone and iPad for productivity purposes — and almost all of those businesses also rely on the security that those devices provide, both from a hardware and a software standpoint. Recently, the U.S. government attempted to force Apple, in different judicial battles, to write code that would give the government a master key to access the data on any iPhone. The U.S. government is also pursuing a legislative avenue to pass a law that would force U.S. companies to give the U.S. government unfettered retrieval of any data on which it sets its sights.

To provide such access would almost always require companies to write software code that is purposefully compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments because, if there is an outcome favorable for the U.S. government, it will have direct and immediately negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it will set a dangerous precedent that will embolden other governments to justify similar breaches that will allow them to acquire what should be secure data.

From a cyber liability standpoint, any vulnerability in software code gives hackers another way to compromise a victim’s computers and network. If a company like Apple (which has thousands of businesses depending on it to keep them safe) has to create a master key, then all of the businesses that use Apple products will be vulnerable to attack. The U.S. government has a long history of being unable to keep its own data safe, which means, in time, hackers will be able to figure out what entrance point was created and then exploit it. The most worrisome entities that might access the backdoor would be non-democratic nation-states because they have the most to gain from exploiting any vulnerabilities in U.S.-based companies. However, such companies are not the only ones who use products produced by Apple, which means companies located anywhere would also be vulnerable. Additionally, if world governments put restraints on encryption to make it illegal or to limit the ways data can be encoded, then, again, that gives power to those entities that would exploit weak encipherment to the detriment of the private sector.

From a technology E&O standpoint, any request by the U.S. government to weaken products produced by an insured creates a breach of contract, which will hurt claims made against technology E&O policies. If Foxconn, which builds the iPhone for Apple, was forced to alter firmware used in the iPhone to allow at least one software flaw, then Apple could sue Foxconn for a breach of contract were Apple to learn of Foxconn obeying a government order to create a security bypass in the firmware code. Worse yet would be a company like FireEye being forced to reduce the effectiveness of its virtual execution engines that are at the heart of its malware analysis appliances. FireEye, and other cyber security companies, are what often stand between a hacker and its victim. Should a cybersecurity company ever be forced to obey a government order, little would stand between a hacker and its potential victims. Moreover, all of the companies that depend on the products of a cybersecurity company would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers.

To defend itself and its products from government interference, Apple is implementing a security feature that removes its own ability to bypass the iPhone’s security. While such a method works from a simplicity standpoint, it will not work for a majority of technology companies, with cybersecurity and cloud providers being two examples of where such a solution would not work. Additionally, if a law were passed that forced a company, by way of a court order, for example, to decrypt information on its products, then the company so ordered would be put into a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void insurance contracts if an insured organization complied with a governmental request to create a backdoor.

However, it would be extremely difficult for an insurer to prove the backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous given they would punish an insured firm for obeying the rule of law. Companies could also contest each governmental request, assuming no law makes it illegal to deny a government request, but not all companies have the time or financial resources with which to fight a government. The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force any technology company to create a security gap. Moreover, the resistance movement will also need to fight against any attempt to weaken or make illegal any type of encryption.

See also: Paradigm Shift on Cyber Security

Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself.

The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE.

Furthermore, the coalition might also be composed of members from automotive manufacturers, educators and telecommunication firms. The coalition’s protective approach, then, would be to identify cases or bills and then attempt to bring all resources forward to eliminate or mitigate the offending threat. A recent example on the judicial side of a case that would have been a threat to the putative coalition was the Apple vs. the U.S. government in Central District of California, Eastern Division. A current example of a legislative threat to the coalition is the Burr-Feinstein Anti-Encryption draft that seeks to allow courts to order a company to decrypt information it has encoded, like the way the iPhone protects a user’s data.

In a judicial case, the main measure could be filing amicus curiae briefs on the part of the aggrieved organization, but another measure might be ensuring the defendant is crafting the most reasonably persuasive anti-governmental interference arguments and appealing unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to involve the unity achieved by the existence of the coalition, working with an organization like the EFF and even creating public relation campaigns to appeal to the support of the world populace. In the rare instances when a government attempts to work with the private sector to understand the concerns that it has — for instance, as the U.S. government is trying to do with the proposed “Digital Security Commission” — then the coalition would need to support such efforts as much as possible.

It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will also be limited when a country feels that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. In an instance concerning China, insurers could consider increasing the amount of re-insurance that they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or ones that produce products that have a high likelihood of being the result of IP theft, such as any mid- to high-end binary processor.

The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved, though, through the unified actions and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements in a safely connected world. To limit, in any way, the efforts to perfect those elements or to purposefully reduce their effectiveness is irresponsible regardless of whether the reason is national security or the pursuit of breaking a criminal enterprise. Lloyd’s, and other organizations involved with cyber liability and technology E&O insurance, see a future where insurers are able to achieve healthy profits off those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to a future of excessive claims, damaging losses and very little profit.

Thought Leader in Action: At Starbucks

From the You Can’t Make This Stuff Up Department: Steve Legg took an important step on his path to becoming the director of risk management of Starbucks to avoid having what looked like a bad pun on his business card. He had earned his Associate in Risk Management designation, but that meant his name appeared as Legg-ARM. So, he says, he went on to earn his Chartered Property & Casualty Underwriter (CPCU) designation, because it is listed before ARM. His card now (safely) reads “Steve Legg, CPCU, ARM.”

But I’m jumping into the middle of the story, in this second in our series of Thought Leaders in Action. (The first, with Loren Nickel, director of risk management at Google, is here.)

To begin at the beginning, I’ll provide a summary of Legg’s background, then follow with the story of how he earned his prestigious position, some detail on Starbucks and how it manages risk and some insights from Legg for other risk managers.

Steve Legg

His bio

Legg, who is 46 years old, has been at the Starbucks headquarters in Seattle since June 1997. His responsibilities include global corporate property and casualty insurance and risk financing for the company. Legg reports to the treasurer of Starbucks and heads a risk management team of 13 professionals, with two-thirds involved in claims management and the balance working in risk financing and risk transfer, its risk management information system (RMIS), internal reporting and captive management. Starbucks has 22,519 stores in 66 countries, with a targeted growth rate of 1,650 net new stores during this fiscal year. Starbucks, the name inspired by Herman Melville’s novel Moby Dick, has one of the most recognized logos in the world. Its mission statement, developed by its founder Howard Schultz, is “to inspire and nurture the human spirit one person, one cup and one neighborhood at a time.”

Before joining Starbucks, Legg worked as an independent insurance broker, as well as in a claims capacity for Crawford & Co. Legg served on the board of the Washington state chapter of the Risk & Insurance Management Society (RIMS) for seven years, serving as president of the chapter during the 2005-2006 year. He has been an active participant within National RIMS and has served as a speaker to other insurance industry groups, such as the CPCU Society, the Professional Liability Underwriting Society (PLUS) and the Marine Insurance Association of Seattle. He has a degree in political economy of industrial societies from the University of California at Berkeley.

His story

Legg grew up in Kirkland, WA, on the east side of Lake Washington. Nicknamed “the little city that could,” Kirkland is the former headquarters for the Seattle Seahawks and Costco. Kirkland Signature is still Costco’s store brand.

“I grew up interested in a lot of different things, but I wouldn’t say with any degree of certainty that I knew what I wanted to do for a living,” Legg said. “I was intrigued with going somewhere else to study, so I attended UC Berkeley. I was interested in crisis management, and I just happened to be at Cal when the 6.9 Loma Prieta earthquake [1989] and devastating Oakland Hills firestorm [1991] hit. From those experiences, I thought I might pursue law school.

“As things turned out, my first job was back in Washington state working as a claims adjuster for the branch manager of Crawford & Co., hired by our mutual friend and industry colleague Katrina Zitnik, who was later director of workers’ comp for Costco, 2001-2013. We handled the huge Boeing workers’ comp self-insured account. There were around 100 employees in that office alone. My specialty was working with chemical-related claims, which was really fascinating, before I moved over to liability claims. By my second year there, I started to really understand what risk management was all about.”

From that experience, Legg went on to achieve his ARM designation. “It may sound corny, but I didn’t like the way it looked on my business card as Legg-ARM, so I went on to pursue my CPCU,” Legg said.

“With that formal insurance education, I went to work for a regional insurance brokerage in Kirkland where I learned a lot about insurance and other facets of risk management.” Legg said: “I came to this realization that I didn’t want to handle claims or broker insurance. I wanted to be on the buyer’s side of all this – tending to insurance and a whole lot of other things.”

In 1997, Legg was hired by his predecessor at Starbucks, which had gone public in 1992. At the time he joined Starbucks, the company had about 1,000 stores in the U.S. and Canada and just a few new locations in Japan. Legg describes his experience at that time in risk management as more of a buyer of insurance, but his job responsibilities quickly deepened and expanded with the global spread of Starbucks. He assumed the director of risk management position in 2006 when his boss and mentor retired and became active in the management of Starbucks’ Vermont captive.

The evolving company

Legg explained that the organizational structure is set up based on three key global regions: (1) the Americas; (2) EMEA, which is Europe, Middle East and Africa; and (3) CAP, which is China, Asia Pacific. “Our biggest push is in the CAP region, especially China, which presents a lot of opportunity,” he said. Although that region has a tea-drinking tradition, Legg pointed out that Starbucks owns the tea company Tazo and more recently bought Teavana and its 300-plus stores, providing a high-end, specialty tea product that has become popular at Starbucks locations. He said Starbucks’ specialty coffee and espresso beverages have also become very popular in tea-drinking cultures.

Starbucks has also expanded its offerings in premium pastries (it bought La Boulange), food and merchandise offerings, and it recently began providing beer and wine in selected areas of the country. “Evenings at Starbucks had been under-utilized,” Legg said, “so with the rollout of beer and wine we’re able to serve additional patrons.”

How Starbucks manages risk

Serving 66 countries with various laws and customs, Starbucks has a global quality assurance organization that works with business units immersed in foreign locations. “Risk management and legal principles are practiced with our people that understand and are sensitive to local government, culture, customs and laws,” Legg said. “Starbucks wants to provide appropriate food and beverages, and we have a global safety security organization, as well, that makes sure that we are tending to the different types of risks these different and diverse cultures hold. Safety and security are fundamental components in the initial and on-going training of our partners.”

When asked about the challenge of identifying, evaluating and treating risk in far-flung global operations, Legg noted that there is a common thread regardless of demographics that relates to keeping stores well-managed, clean, secure and hazard-free. He added that a global design team works with individual markets to mitigate any unusual risk factors, which could include something as simple as adjusting counter and stool height. Store components are designed to provide for each locale’s needs while Starbucks maintains the quality and consistency that its customers expect.

As for dealing with its insurance and reinsurance markets, Legg noted that Starbucks collects a significant amount of data on all of its locations to enable its internal team and underwriters to have the geographic information they need for modeling. North American operations are mostly self-insured via large retentions and deductibles; Legg points out that first-dollar and low-deductible insurance policies are far more common, accessible and prevalent in other parts of the world. Compulsory insurance requirements differ across jurisdictions — in many parts of the world, for instance, workers’ compensation as we know it is not available, and injuries or illnesses among employees (which Starbucks calls “partners”) are addressed in different ways.

“Regardless of the transfer or retention of risk, Starbucks feels that no one could ever care as much about our partners and our brand as we do,” Legg said. He added, “We inspire and nurture our partners and customers… through providing good products, friendly service and by contributing to our communities. It’s an important part of our culture and what makes this brand so strong.”

All eligible full- and part-time Starbucks employees receive comprehensive health coverage and equity in their company, referred to as “bean stock.” In turn, employees typically volunteer more than one million hours each year in helping their local communities. Starbucks has also set up agronomy offices in different countries around the world to help origin farmers to better manage their crops and businesses. “It’s really important all up and down the chain from the front-line stores to the source of the company’s most precious commodity to have a seamless connection,” Legg said.

His suggestions

I asked Legg what coaching suggestions he has for people entering the field of risk management.

He said, “I think to be successful in risk management that it helps to have a good understanding of a number of different disciplines like accounting, finance, law, etc. Most importantly, you need to have the ability to think critically through things to make good decisions and to then have the ability to communicate well and to influence others. Knowledge without good communication skills won’t equip you for this career.

“I find myself guiding and teaching other people in the organization every day, helping them develop their own risk assessment philosophy in what they do day in and day out. We in risk management can’t be there all the time, so our job is to train others throughout the organization to make good, sound risk management decisions.

“Be open-minded and flexible. Risk management staff needs to identify and admit their mistakes, correct things and be able to change course as needed.”

Legg added with a laugh, “You think you know in detail how things are, then you find out you really don’t know how things are.”