Wednesday, October 2, 2013

I had the pleasure of attending the PCI Security Standards Council's North American Community Meeting in Las Vegas this week.  PCI is a consortium formed by American Express, Discover, JCB International, MasterCard Worldwide, and Visa, and its mission is to standardize and enhance worldwide credit card and payment account security.  In other words, PCI works to keep credit card transactions safe from theft, breach, and compromise, and the Community Meeting is a great forum to learn about recent developments in cyber threats, theft of credit card data, breach of data security, and overall computer data safety. 

In his keynote, Bob Russo, PCI's General Manager, urged us all to remember that hacking isn't adorable anymore.  In the first generation of computers, the hacker's image was of the outsider high-school kid trying to impress his friends.  Today, credit card and data hacking is part of an elaborate world-wide underground economy of organized crime.  This threat goes far beyond mere vandalism or mischief.  Losses are in the hundreds of billions of dollars, and the disruption and existential risks to a business from a breach can be acute.

Most companies that accept card and electronic payments, and that have data to protect, have focused on the Cyber Crime exposure.  But, from my standpoint as an insurance professional, it's clear that many organizations that are fairly sophisticated in their physical risk and health & safety practices sometimes still lag in their data security practices.  An indicator of this is the relatively limited penetration of Cyber Liability and Privacy Liability insurance coverage among all classes of merchants.  Fortunately, the perception is changing.  E-Commerce vendors and companies that accept cards and electronic payments are paying far more attention to contractual data security standards, such as PCI-DSS, and to legal exposures for breach, such as from HITECH or HIPAA.

There is also greater public awareness of a larger trend that's been happening for years, which is the competition between nations for control of the internet, and competition for both political and commercial control of data.  Among the highlights of the conference was a presentation by Mr. Misha Glenny, an English author and journalist, and expert in the field of internet crime. Mr. Glenny discussed how the general threats of "cyber malfeasance" include not just Cyber Crime, but also Commercial and Political Espionage, and Sabotage/Warfare.  (This link will bring you to a terrific TED Talk that Mr. Glenny presented in Scotland in 2011.)
 
One particularly chilling example cited by Mr. Glenny was of a hack of SOCA, the UK's cyber crimes law enforcement unit, in which the perpetrators were able to alter the contents of criminal records on SOCA's database.  (Frankly, I'm very concerned not just about credit card payments compromise, but also about overall data compromise.  Imagine a breach of your company's computer systems that, in an act of spite, vandalism, or whatnot, wipes or corrupts all your data...)

Another terrific presentation was by Jacob Ansari, an analyst from 403 Labs.  403 Labs is a leading provider of forensic analysis and investigation of credit card and data security breaches.  Jacob pointed out that, generally, the method behind most data breaches isn't glamorous, and most involve basic stuff, like bad passwords, insecure remote access, un-patched systems, default credentials, or a simple breakdown in the human data control chain.  Yet the costs and implications are acute: Contractual and Civil fines and penalties, forensic investigation costs, cost of correctives, legal expenses, reputational damage, and loss of business.

Both Mr. Glenny and Mr. Ansari pointed out that many breaches take place in food service and hospitality, with documented cases of breaches along the human chain of custody of the card.  That is, a common cause of breach is not a hack, but people in the payment chain.  Chip and PIN technology, and the (hopefully) coming adoption of the EMV Security Standards into the United States, may help reduce this hazard.  (Under the EMV standard, which is widely in use in Europe, the card doesn't leave your hand when you make a purchase.  Instead, you dip your card into a reader, and enter your PIN.  This helps reduce face-to-face fraud.)

So what does insurance have to do with all this?  From the standpoint of companies exposed to privacy breach violations of the PCI Standard, or the violation of another privacy standard such as HITECH or HIPAA, it's important to consider Privacy Liability insurance.  A well-constructed Cyber Liability policy would help pay for the third-party liability costs associated with a breach.

But insurance is not the overall solution to data security.  While insurance is getting better at dealing with third-party liability claims, it still isn't the best solution to first-party data recovery.  Imagine a breach or a physical loss that wipes out your data, and your backups fail.  Even if the insurance company hands you a check to help pay for data recovery, how would you realistically go about recovering all of your contacts, client information, financial records, archives, intellectual property, and pictures of your kids?  At best, a well-constructed insurance policy would help pay for first-party loss-of-data recovery costs.  But the insurance company can't reconstruct your data for you. 

From the standpoint of any company that maintains data that's essential to operations - that is, everybody - it's essential to harden systems against physical damage or penetration, and to maintain robust backup systems. Whether the compromise of your data is the result of a breach, or the result of something a lot less glamorous, like a drive failure or a leaky pipe above your server room, the end result can be disruptive and disastrous.    

One last point: Everybody uses their credit cards, and over time, your numbers can be compromised.  So, once a year, I ask American Express and Mastercard to reissue me new cards, with new numbers. 

(Note: PCI has developed the Data Security Standard, also known as the DSS. The DSS is the credit card community's best-practices technique of maintaining data and payment card security. The link above is a brief layman's introduction to DSS Version 2.0. Part of what we were doing at the meeting was working on the introduction of DSS 3.0.) 
Tuesday, August 20, 2013

Inland Hurricanes: Hurricane Camille and Nelson County Virginia - August 19th, 1969

Those of you who have attended my seminars have heard about how hurricanes can cause extensive damage to places that aren't near the coast.  The general public has been made more aware of this in the last few years, as Irene caused prolific destruction in Vermont and northern New England, while Sandy caused extensive inland damage in central and northern New Jersey.  Both Irene and Sandy are examples of the flood and wind damage that a hurricane can inflict on inland areas.

Meteorologists and insurance loss control professionals have long understood that hurricanes are not just a coastal phenomenon.  The insurance industry began to more widely recognize inland hurricane exposures several years ago, as inland flood and windstorm claims began to proliferate after storms.  I've attached a link to an excellent article from AIR Worldwide discussing some of the science behind inland hurricane exposure:  http://www.air-worldwide.com/Publications/AIR-Currents/2010/Inland-Hurricane-Risk/

Yesterday was the anniversary of a terribly tragic example of the inland destruction of hurricanes.  

On the night of August 19th, 1969, Nelson County was struck by the remnants of Hurricane Camille.  That night, Camille dumped about two feet of rain onto Nelson County, causing extensive landslides and floods.  Over 150 people died, and several dozen bodies were never found.

I've linked an outstanding article from yesterday's Washington Post Weather Blog: http://www.washingtonpost.com/blogs/capital-weather-gang/wp/2013/08/19/unprecedented-rain-hurricane-camilles-deadly-dlood-in-the-blue-ridge-mountains/ 

Much of the damage in Nelson County that night was from Debris Flow, which is basically a fast-moving landslide.  Meteorologists have identified "Debris Flow" as a hazard associated with inland hurricane exposures, and Debris Flow in Nelson County during Camille caused extensive property damage and was responsible for much of the loss of life.  Even today, parts of certain mountainsides in Nelson County are still denuded. 

Camille wasn't an isolated incident: On June 27th, 1995, Madison County, Virginia, suffered landslides after a series of rainstorms.  The USGS published a report after the Madison County event, noting that "scientists have documented 51 historic debris-flow events between 1844 and 1985 in parts of the Appalachians - most of them in the Blue Ridge area."  http://landslides.usgs.gov/docs/faq/fs159-96.pdf

Last summer, our family took our vacation in Nelson County, Virginia, in the Shenandoah Mountains.  Nelson County is fabulous and beautiful, and a marvelous place for a family vacation.  So, two things to leave you with: Please consider that hurricane damage can occur far inland.  And, enjoy this photo of Nelson County from our vacation, and please consider a visit.  It's a beautiful part of our country: 
Tuesday, June 19, 2012

Aviation Grounding Exposure, Recall, and Loss of Use

Suppose your company manufactures a mission-critical part for airplanes, such as engine mounts, or landing gear components.   At some point, after a number of your products are in the field and installed into planes, you discover a mistake of some kind, perhaps some manufacturing defect, or a mistake in the way the part was installed.   Fortunately, the mistake was discovered before any planes crashed, so nobody got hurt, and nothing was damaged.  But, now the mistake needs to be corrected, and, in the meantime, a lot of planes will be grounded, flights will be cancelled, and folks like me will be missing business meetings, vacations, and thrilling insurance conventions in far-away, exotic places.

A similar problem could ensnare a manufacturer of a critical part for a production process.  Suppose your company makes valves, or monitors, or power couplings, and your product, after it's widely installed, is discovered to have some type of defect that needs to be corrected.  The cost to correct your product could be minor, but the financial loss to your customer from a shut-down, and your potential exposure, could be mind-blowing.

How will your liability insurance program respond?  Usually, unless the policy includes extension endorsements, grounding coverage, or recall, you're not necessarily going to get a good result from your insurance program. 

The insurance issue arises from the concept of "trigger," that is, turning the policy on and making it respond to a particular event.  A typical General Liability policy will trigger with an "occurrence," normally defined as Bodily Injury or physical Property Damage of some kind.  In the absence of either injury or direct damage, the policy doesn't activate.  So, how do you trigger the Liability coverage if there's no injury or damage?

First and foremost, a key risk management consideration is to be aware of the exposure in the first place.  In other words, have you considered whether your business has such a grounding exposure, or the capacity to shut down one of your customer's operations?  Does your product have a recall potential, whether arising from a government action or from general health and safety considerations?  Do your contracts with your customers make you liable for these potential consequential losses?

Once you've established that your company has this exposure, it can be addressed through Recall Coverage, Aviation Grounding Liability, certain Commercial General Liability endorsements, or, potentially, through contractual risk transfer.  A Professional Liability policy with exceptions to the standard Property Damage exclusion might also address certain types of groundings or shut-downs.  Each company's solution varies, depending on the nature and scope of the exposure.

Regardless, all too often, traditional insurance program management becomes a renewal exercise.  Renewals are processed with too much emphasis on pricing an apples-to-apples renewal, and not enough thinking about outside-the-box exposures, non-insurance risk management solutions, company contracts, or company strategic issues.  Don't just go through a pricing exercise.  Use the occasion of your insurance renewal to re-think your exposures.   

Tuesday, May 15, 2012

Solar Storms and Electrical Injury

A solar storm is one of the great phenomena of our solar system.  For reasons involving the sun's magnetic field, the sun will, quite literally, explode a stream of gas and atomic particles into space.  These particles, which are mostly plasma and sub-atomic protons and electrons, will spew from a spot on the sun, almost like a jet of fire spewing from a spinning balloon. 

This phenomenon, known as a coronal mass ejection, will be seen before it is felt.  Astronomers will see the arcs and curves of the ejection only several minutes after they occur, but the particles themselves, traveling at roughly one million miles per hour, take a few days to get here.

When earth does get hit, these storms have little direct physical impact on human health, because the earth's electromagnetic field will redirect these particles away from the equator toward the North and South poles, where they'll light up the aurora for a few spectacular nights.  (In fact, because it prevents certain extremely destructive atomic particles from killing you, some biologists believe that the earth's electromagnetic field is essential to protecting the very existence of life here.  Mars and Venus, for example, don’t have electromagnetic fields.)

So, these storms are a scientific curiosity, unless, of course, you happen to be a satellite, a passenger on a space ship, anything electronic in Canada, or a company that relies on electricity.

In March 1989, a solar storm caused the Hydro Quebec Power Grid to fail, putting six million people without power for about twelve hours.  The Montreal Metro and Dorval Airport were closed, the kids got a day off from school, and Canadian businesses lost an estimated $2 billion.  This same storm was also responsible for over 200 separate electrical injury events in North America, including significant transformer damage to the Salem Nuclear Power Plant in New Jersey.

There are other examples of damage from solar storms.  In 2000, a railway signal malfunction, believed to have been caused by a storm, resulted in an accident that caused 19 fatalities in Norway.  In October 2003, a solar storm caused blackouts in Sweden and South Africa, and disrupted the FAA's GPS system for over thirty hours.  In 1997, AT&T's Telstar communications satellite was damaged, with several hundred million dollars in ensuing loss.  In fact, as far back as 1859, a solar storm was credited with disrupting the worldwide telegraph system.

The insurance industry understands the hazards created by solar storms, as these claims are similar to electrical injury claims most commonly covered in a Boiler & Machinery or Equipment Breakdown policy.  Certain property policies that include coverage for electrical injury are generally silent on solar storms, though there are exceptions.  Lloyds includes an Electromagnetic Fields Exclusion in many of its policies, while Chartis includes an exclusion for "electrical and electromagnetic interference" in its standard aviation forms.

Certain industries have a particular exposure.  In addition to electrical power facilities and utilities, other vulnerable industries include telecommunications, oil and gas, and railways.  (Oil pipeline grids and railways can turn into giant antennae, attracting and distributing the solar charge and becoming damaged in the process.)  Naturally, aviation and satellite exposures face unique hazards from solar storms as well.  Anyone in these industries should be well aware of these hazards.

In particular, though, any business that is exposed to power or communications failure could find itself temporarily shut down by a solar storm.  Insurance solutions for power, telecommunications, and utilities disruption can normally be built in to a well-constructed property program, but often have the disadvantage of requiring an "insurable event" to occur at a power facility.  Unfortunately, damage from solar storms can be inchoate and widespread, making it sometimes difficult to identify the specific physical cause of a power disruption, and thus difficult to trigger coverage for power interruption.  Effective insurance programs for power interruption should anticipate this.

Businesses should also consider protection against power failure, such as system redundancy or power and data backup, and those businesses with specific exposures to solar storms should consider hardening their key electrical assets.

Most importantly, though, a business owner should be aware of their particular exposure to solar storm, and electrical injury in general, and plan accordingly.  Does your business rely on aviation or satellite assets?  Does your business rely on a specific electrical asset or device that could be damaged during a solar storm?  Do you have operations in Alaska, Canada, Russia, or northern Europe?  Do you have a plan to respond to an extended power or communications interruption?  Be certain to ask yourself these types of questions, and be better prepared for one of nature's greatest spectacles.

Other references: