
Growing Risks From Malicious Drones

Recent drone attacks in Saudi Arabia dramatically illustrate several key issues relevant to terrorist and security risk assessment. This should be enough to cause private entities, governments and insurers to reassess their prior risk assessments and security planning around important infrastructure, iconic buildings and large-scale events.

According to Al Jazeera, the drone used in the Saudi pipeline attack “flew more than 800km into Saudi Arabia to successfully attack its target . . . [and] was guided using satellite technology.” As Al Jazeera further noted, “This implies increasingly sophisticated levels of training.” Couple the foregoing with a recent U.N. report indicating that Houthi drones can fly up to 1,500km with a 40-pound warhead and a statement by the FAA that anti-drone security technology is still developing, and it should be apparent that a risk that may have been only theoretically considered now seems to be very real.

Anyone with even a cursory knowledge of risk assessment can readily see the potential dangers posed by a 40-pound bomb capable of traveling up to 1,500km with GPS targeting capability. But should we be surprised? I think not.


Terrorist innovation and tactical learning are not new. Almost 25 years ago, Ramzi Yousef hid liquid explosives in contact lens solution containers and coupled that with a timer made from an inexpensive Casio watch to hatch a plot that resulted in the death of one person. Fortunately, the plot was disrupted before 12 airliners were destroyed over the Pacific.

Terrorists and other malevolent actors have long used their technical expertise to transform technology that is intended to better our lives into a means for destroying life and societal bonds. For more than 40 years, cars and trucks have been loaded with explosives or just used as a direct means of killing innocent persons all over the world. And 9/11 illustrates how aircraft that serve to bring the world closer together can be used to kill thousands and make the world move a little further apart.

The point is that terrorists innovate and learn from prior attacks. We underestimate them at our peril and increase the attractiveness of a target when we fail to implement measures to deal with the potential disruption and damage that they intend to cause.

There are readily available measures that can be taken to minimize both the damage and disruption to critical infrastructure. First-party damage and disruption can be the subject of insurance coverage that will allow rapid repair and minimize disruption. Third-party damage and liability claims can also be addressed by insurance, as well as by implementing or cooperating in the deployment of defensive measures that will assist government actors in fulfilling their role as providers of a national defense.


Recognizing and respecting the governmental role in defending persons and property is also of critical import. My own experience in this area has long convinced me that terrorist attacks by truck, plane or drone are akin to acts of war and that these attacks target government policies far, far more than individual business interests. The long-established role of governments is to defend their people and infrastructure. And cooperation with government defense efforts is what responsible citizenship demands. When private parties and government actors recognize and fulfill their respective roles, they not only help minimize their vulnerability but also lay the cornerstone for defending their actions should they ever be targeted.

Insurers, insureds and government actors working together minimize not only the pre-attack risk but also the post-attack disruption that oftentimes proves more destructive than the physical damage caused by the attack itself. Indeed, when it is considered that the ultimate goal of terrorism is to destroy societal bonds, strengthening those bonds both before and after an attack takes place may prove to be the most effective deterrent and antidote to the terrorist disease that plagues the world today. That process starts with a rational and realistic risk assessment and then continues with the implementation of the mitigation measures deemed appropriate. It’s never too late to start that process, but it is far too late to consider these rapidly emerging risks as something that can be dealt with in the far-off future.

3 Strategies to Manage Geopolitical Risk

Geopolitical risks are high on the agenda for multinational business, both in terms of likelihood and severity. And that’s expected to continue over the next decade, according to the recent World Economic Forum Global Risks 2015 report.

The four most likely geopolitical risks, according to the report, are:

  • Interstate conflict, such as Russia’s annexation of Crimea.
  • Failure of national governance.
  • Weapons of mass destruction.
  • State collapse or crisis.

What should you do if your company does business in less stable parts of the world? Put simply, be prepared for everything.

That may sound trite, but risk professionals are charged with protecting company assets, investments and people around the world from all possible threats – including political risk, which can often emerge in countries that were previously seen as relatively risk-free.

Here are three strategies to help manage geopolitical risk in 2015 and beyond.

  1. Take a multi-country approach
    As Marsh’s recent Political Risk Map 2015 report shows, political hot spots exist in every corner of the world, driven by a variety of underlying political, economic and societal factors. Instead of purchasing single-country insurance policies, consider multi-country credit and political risk programs, which can often bring more favorable terms and conditions. Multi-country policies can offer blanket regional or global coverage for a variety of risks, including political violence, currency inconvertibility, expropriation, non-payment and contract frustration.
  2. Protect your balance sheet, not just physical assets
    Credit or non-payment risk closely follows political risk. In Global Risks 2015, the risk of state collapse or crisis ranked fourth in terms of likelihood. When a government collapses or descends into crisis, it often loses its ability to honor financial obligations. This can quickly spread to the private sector, creating a chain reaction of default. If you are a supplier or lender to buyers based in less stable markets, consider purchasing structured credit insurance.
  3. Build resiliency plans before trouble begins
    As we saw in Sydney and Paris, terrorist or politically motivated attacks can happen without warning. So it’s important to engage in effective crisis management and resiliency planning ahead of a potential event. Identify essential functions and assess the potential impact of a crisis on your customers, employees and other stakeholders. Developing and testing crisis plans that ensure effective communication with employees can better protect them during an emergency.

For more information, read Global Risks 2015 or view Marsh’s Political Risk Map 2015.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops, causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.