Tag Archives: resilience

Creating a Process for Corporate Resilience

Typically, about 80% of small businesses in Canada will survive the first three years, but only half of the 100,000 new businesses that open their doors annually will still be around eight years later.

Consider the following statistics:

  • Canadian businesses lost $30.4 million to fraud in 2017.
  • 29% of cyber breach victims in 2019 were medium-sized businesses, while 18% were small businesses.
  • Almost one-third of small businesses fear they won’t survive 2021.

No matter their age, many organizations will struggle to survive this year. Whether an organization remains afloat depends on how resilient it is and how capable it is of preparing for, responding to and adapting to disruptive events.

In this pursuit, an organization needs to leverage all of the financial, technical and human resources at its disposal. It will need to develop skills and competencies in an efficient, flexible manner to manage the risks and challenges it faces.

While there is no single strategy or solution to make an organization resilient, an organization can enhance its resilience by:

  • Strengthening individual management disciplines of the organization that manage risk and doing so in an integrated and coordinated manner.
  • Building a culture that ensures the organization behaves in a healthy manner.
  • Increasing its adaptive capacity and ability to manage change.

The resilient company or organization uses its financial, technical and social resources to:

  • Develop long-term skills and competencies
  • Deploy resources in an efficient, reliable and flexible manner
  • Manage challenges and exploit opportunities

See also: Navigating the Future of Risk Management

Five Aspects of Risk Management

Strong risk management practices are an important aspect of resilience. Though risk management can be challenging, the importance of building a solid foundation and program to protect your people, property and profitability is vital. Enterprise security risk management (ESRM) is a strategic, all-hazards approach that provides a framework to identify, evaluate and mitigate threats to an organization’s resilience.

A comprehensive and effective risk management program incorporates the following elements and associated capabilities:

  1. Emergency Action Planning: Emergency action plans are intended to protect people and property and prevent further harm during an emergency. As defined by OSHA, an EAP facilitates and organizes employer and employee actions during workplace emergencies. When there are well-developed emergency plans and employees are trained properly, there are fewer and less severe injuries and less structural damage to property. Conversely, poorly designed plans and poor training lead to disorganized evacuation and emergency response, which could lead to avoidable injuries and property damage.
  2. Crisis Risk Management: When a crisis hits, a resilient organization will bounce back or even pivot, if necessary. Crisis risk management includes an organization’s ability to coordinate an effective response to protect people, operations, profitability and reputation. Planning may require gathering resources for outside support and partnerships to manage the issues, as well as a careful consideration of the vulnerabilities inside the organization.
  3. Business Continuity: Business continuity plans help keep a resilient organization operational. Key to this are processes that ensure critical activities keep going during a crisis. A formal written plan notifies team members of their responsibilities and allows them to take charge when the time comes, especially if they have already practiced those tasks during drills and exercises.
  4. Fraud Risk Management: Theft and fraud are two of the most complex risks to your organization. Indeed, they can be so costly that they threaten even the most resilient organizations. While external and insider threats are posing new and heightened risks, regulations and public scrutiny are demanding greater responsibility. Now, more than ever, organizations are looking for ways to manage the risk of fraud, especially within the ESRM context and in a way that takes industry-specific considerations into account.
  5. Cyber Security: Developing a resilient organization means taking into account even newer and ever-evolving risks like cyber security. In fact, cyber security may be one of the least understood areas of the risk picture. Adequately managing cyber risk does not require all participants and stakeholders to be technical subject matter experts. However, it does require comprehensive awareness of cyber risk issues and strategic and appropriate mitigation efforts, especially vendor risk management and privacy laws.

Risk management can be daunting for those at the very beginning, but planning and preparing for all areas of risk is vital to an organization’s survival today.

A Lesson From Hurricane Laura?

Although 2020 kept dishing out pain last week — the pandemic, the economic crisis, the protests and counter-protests on racism, our crazy politics and even wildfires and hurricanes — one event wasn’t as absolutely awful as it could have been.

It was still awful: Hurricane Laura caused billions of dollars of damage and killed 14 people in Louisiana and Texas. But the hurricane didn’t cause nearly as much damage as initially feared.

That suggests that people are starting to take the sorts of precautions that will be increasingly important as we have to adapt to the changing climate. Those precautionary principles also represent a key opportunity in front of the insurance industry: to go from indemnifying customers after a loss to helping them avoid those losses in the first place.

Now, some of what happened with Hurricane Laura was just good fortune. The hurricane pretty much threaded the needle between New Orleans and Houston, so it hit mostly rural areas, not the dense populations and expensive properties in those metropolises. The hurricane moved inland quickly, rather than sitting over an area and dumping tens of inches of rain, as Hurricane Harvey did to Houston in 2017. The storm surge, predicted to be as high as 20 feet, peaked at about 11 feet — still an almost inconceivable wall of water washing inland, of course.

But, as this New York Times article details, people mitigated the damage because they learned lessons from Hurricane Rita, which hit Louisiana and Texas in 2005. Rita killed 120 people and did some $25 billion in damage (measured in today’s dollars), including business interruption. Because of Rita, building codes have become much stricter, and structures more resilient. Some houses near the coast, for instance, are now on stilts 15 feet high. Partly as a result, while Laura’s winds were even stronger than Rita’s when the hurricanes made landfall (150 mph vs. 130 mph), the early estimates are that Laura did about $20 billion of damage while killing those 14 unfortunate souls.

Again, the storm was a catastrophe. I grieve for those 14 people, for their families and for all those who are now having to try to knit their lives back together after suffering $20 billion — $20 billion! — of damage. But, assuming that the difference between Rita and Laura wasn’t just 2020 finally cutting us some slack, there has been considerable improvement in the resilience of those in the hurricanes’ path, and I vote for more resilience, with the insurance industry helping as much as possible.

Technology should help. With Laura, the National Hurricane Center got the time of landfall precisely right, more than 3 1/2 days in advance, and was only a mile off in its prediction of the location of landfall. Predictions will only get better, giving people more time to evacuate or find shelter.

The industry can also mine its data for insights that will help people prepare better. For instance, of the 14 people who died in Hurricane Laura, more than half succumbed to carbon monoxide poisoning emitted by emergency generators. With that pattern identified, carbon monoxide poisoning seems like a danger that can be reduced or even eliminated through better inspection or education for those using generators.

Government will need to play a role, too, as climate change intensifies storms and raises the level of the oceans, endangering coastal communities. The Federal Emergency Management Agency (FEMA) has already funded “buyouts” of 43,000 homeowners in the U.S. who chose to relocate rather than continue to fight nature in places such as Isle de Jean Charles, in Louisiana, which has been 98% swallowed by the Gulf of Mexico.

We’re still not out of the woods even on this year’s hurricane season, let alone on everything else that 2020 is throwing at us, but maybe we can take a lesson from Rita and Laura. Maybe we can learn how to be even smarter and more resilient, and maybe the insurance industry can lead the way.

Stay safe.

Paul

P.S. Here are the six articles I’d like to highlight from the past week:

3 Big Opportunities From AI and ML

Machine learning can speed underwriting while reducing costs and providing valuable information on why certain proposals fail.

How CISOs Are Responding to COVID

77% of chief information security officers identified incidents that they feel they need cyber coverage for and report being unable to get it.

COVID-19: What Buyers Want Now

Insurers must examine customer pain points and life changes and accelerate digital adoption.

New Sense of Urgency on Going Digital

Events have forced C-suite leaders to realize that their digital transformation efforts need to be expanded and accelerated to light speed.

The Missing Tool for Cyber Resilience

With AI able to assess cyber risk, cyber insurance no longer has to be a long, drawn-out and complicated process.

Payments at the Speed of Light

Insurers and solution providers are making significant advancements to speed delivery of payments and expand digital payment options.

The Missing Tool for Cyber Resilience

Cyber attacks have been on the rise for years, but many organizations are unaware of just how costly cyber incidents can be and which protective measures are most effective in mitigating loss, given that the question is not “if” an attack will happen, but “when.” In fact, a report by Cybersecurity Ventures estimates that global ransomware damage, which includes loss of data, lost productivity, reputation damage and more, will cost organizations $20 billion by 2021.

Many companies are still skeptical of what cyber insurance actually covers and are oftentimes unsure of which policy best suits their needs. According to Advisen’s 2019 Cyber Insurance: The Market’s View survey, “not understanding exposures” (73%), “not understanding coverage” (63%) and “cost” (46%) remain the top three identified obstacles to writing and issuing cyber insurance.

But thanks to recent developments, including the use of AI to assess cyber risk for an organization’s cyber posture, cyber insurance no longer has to be a long, drawn-out and complicated process. In other words, we can treat cyber insurance like another important tool in an organization’s cyber resilience toolkit, alongside endpoint security, securing networks and the like. 

See also: 5 Things Here to Stay, Post-Pandemic

Here is how business owners can ensure they are purchasing a comprehensive cyber insurance policy, unique to their business: 

Choose a Carrier With Expertise in Technology

While many in the cybersecurity sector argue that cyber insurance isn’t effective and that prevention is the only solution, when executed correctly cyber insurance can save organizations big money and repair reputational damage. Insurance providers with expertise in cybersecurity know that policies should be specifically designed for cyber risk exposure — not associated with other lines of coverage. The most thorough policies to safeguard against cyber threats take into consideration security, cloud, compliance and other security best practices. 

As the digital landscape evolves and malicious cyber criminals find new ways to wreak havoc, cyber insurers must go beyond data breach coverage and offer policies that cover all forms of cyber incidents — ransomware, cyber extortion, social engineering, business interruption due to distributed denial of service (DDoS) attacks and more. Ransomware-as-a-Service, for example, is now a business in itself, with bounties doubling or tripling during 2019 and forcing the insurance industry to rethink how it approaches coverage and limits.

Prioritize Education and Analysis

When selecting a cyber insurance policy, organizations should not only want to protect themselves but also educate themselves. The ideal policy offers dynamic, automated, insurable cyber risk assessments, providing businesses with real-time insights into insurable risks. There should be full transparency for all stakeholders: Policyholders, brokers, agents, insurers and reinsurers should have the same access and visibility to risk data.

Manage Risk Aggressively

An effective cyber insurance policy should cover the cost of a security team in the midst of a cyber attack as part of the breach response. The security team would then determine how to upgrade systems to ensure maximum privacy. From a technology standpoint, cyber insurers must anticipate possible threats and continuously evaluate underwriting practices. Another key element in risk management is evaluating the time and cost of recovery. Companies with precise plans on how to get back on their feet after a cyber catastrophe will, without a doubt, be most prepared.

See also: An Inconvenient Sales Truth

When purchasing a cyber insurance policy, you are not just paying for cyber insurance but also all of the services that go along with it. Outside of paying claims, cyber insurers must focus on providing customers with tools that empower them to learn more about the cyber landscape and better protect their businesses.

With many organizations looking to cut costs during COVID-19, some may be quick to axe security spending. Defending against cyber threats that have the power to damage entire corporations and livelihoods, however, is not an area to skimp on. Other assets in our lives are no-brainers to protect, such as our homes, health and vehicles; there’s insurance for that. There’s no reason that companies shouldn’t add cyber insurance to their resiliency plans to prevent financial and reputational ruin.

The Key to Survival in Wild West of Cyber

Today, the question is not whether my organization will experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, and government entities are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation, PCI assessments; business interruption costs and system failure; legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, they are not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.

See also: Actuaries Beware: Cyber Is Treacherous  

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even while companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets, with approximately 51% of PP&E assets covered by insurance compared with only 12% of information assets covered on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle with accurately assessing and quantifying cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year only totaled around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, well-resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, the balance sheet and corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from sophisticated penetration testing and social engineering techniques to employing ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

See also: New Approach to Cyber Insurance  

When news of an attack occurs, it is not scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: The company identifies the breach itself, finding a malicious actor has been in the network for weeks, or even months; the company receives a call from law enforcement, often with limited information, as part of a larger compromise that has occurred; or, the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have additional internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering who to retain, it is key to look at the firm’s experience: the number of cases a firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can launch lawsuits against organizations if it suspects them of failing to properly safeguard customer information. Such cases have the potential to span several years and can result in companies’ drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect from such costs, it is critical that companies quantify the intangible damages that will occur in the event of a breach and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to effectively assess risk, evaluate preparedness and write policies, the policies still vary greatly. At its base, companies want a policy that covers “first party” types of losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover the third-party traditional liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover costs to defend against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This will confirm that the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceeding, negligence is by far the most common reason an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a number that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs was Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk for identity theft and was the result of the hospital’s inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions, with claimants eligible for cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, this pendulum could swing. When it swings, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.

See also: Most Firms Still Lack a Cyber Strategy

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

An Opportunity in Resilience Analytics?

In my post last month, I discussed why the insurtech revolution should be focusing more on addressing the protection gap, thereby growing the pool of insurable risks, rather than figuring out how best to eat the insurance incumbents’ lunch.

At a conference in February, Tom Bolt of Lloyd’s noted that an increase of 1% in insurance penetration can lead to a 13% drop in uninsured losses and a 22% drop in taxpayers’ share of the loss. The key to increasing penetration is lowering distribution costs to make products more affordable. That is where insurtech can come in. Many recent startups have business models looking to tackle the excessive intermediation costs that exist in the current insurance value chain.

Sadly, when a catastrophe strikes areas of low insurance penetration, those communities not only suffer from the difficulties of having to seek aid—which can take three-plus months to reach affected zones—but also face the prospect of a significant drag to economic growth. It is unsurprising, therefore, that governments in vulnerable countries are keen to improve their “resilience” and seek solutions to better prepare themselves for catastrophes by working with the likes of the World Bank, the UN and the recently established Insurance Development Forum (IDF). Interestingly, AIR Worldwide announced recently the Global Resilience Practice, which will be led by former U.S. presidential adviser Dr. Daniel Kaniewski.

See also: InsurTech Need Not Be a Zero-Sum Game  

As well as providing low-cost distribution models in new markets, a related opportunity I see for insurtech is working together with the insurance industry in the growing field of resilience analytics. As Robert Muir-Wood recently pointed out on RMS’ blog, the claims data gathered by insurers — which historically has been used for the pricing and managing of risk — have the potential to also be used to reduce the potential for damage before the event. Insurtech companies could work with government authorities to pool this claims data, leveraging it with other key data from external sources and then using the results to influence urban resilience strategies. There are inevitable doubts over the willingness of insurers to share their data, but agile and thoughtful startups are likely better placed to be able to find insights in a world of abundant unstructured data than the more technologically challenged incumbents.

The current size of the protection gap is a failure of the insurance industry, and any companies that can help address it will not only be first movers in new markets but will also be adding social value and much-needed resilience to vulnerable communities all over the world.