Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as Internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
3D Printing Offers New Risk Challenges
As commercial 3D printing advances from occasional to routine use, the product liability landscape will shift around it. Defective and counterfeit product exposures, among others, will arise for all participants along the manufacturing continuum, industry experts said.
In an adverse incident, said Rob Gaus, product risk leader, Marsh, liability will be apportioned among participants in the manufacturing and distribution stream: product manufacturer, printer manufacturer, software designer, feedstock supplier, distributor (especially if it modifies the product) and retailer (if the manufacturer is not well capitalized). No case law exists yet.
In 3D printing, a computer sends the software containing a product design to one or more printers, which build the product, layer by layer, from many kinds of materials — plastics, metals, drugs, paints and even human tissue.
David Carlson, U.S. manufacturing and automotive practice leader, Marsh, said 3D-printed products are treated the same as any other new operation that poses new risks.
Underwriters and brokers must first assess the company’s risk management profile and risk appetite. When production, research and development teams look at technology, “they should loop in risk management. Risk management should be part of the continuum, or the company could get into sticky situations.”
The emerging risks include unregulated manufacturing, said Mark Schonfeld, a partner at Burns & Levinson LLP in Boston specializing in business and intellectual property law.
If 3D printing enables production of, say, just 100 hip implants or 100 hearing aids, such work will generally take place outside of a traditional mass-production factory, which is subject to government regulation and inspection.
“Insurance companies like FDA oversight of manufacturing because it makes products safer and helps identify responsibility when things go wrong,” Schonfeld said.
To protect themselves and their clients, Schonfeld advises insurers to keep abreast of technological developments, consult with a creative and knowledgeable attorney about how to address liability exposure, and adjust existing policies to be fair to consumers and prevent injury to the insurance company.
3D printing also raises the risk of counterfeit products, said Peter Dion, line of business director-product liability, Zurich Insurance. The digital “recipe” resides in the software design, and it is vulnerable to capture, he said.
Although there is no encryption mechanism for the software, one solution might be to transfer the digital file in pieces only as they are needed by the printer to prevent capture of the entire design signature, Dion said.
Manufacturers have always struggled with counterfeit products, but 3D printing magnifies the risks because it can slash the time from product development to market-ready product to a matter of hours and requires no molds or prototypes. “Hackers can take the proprietary blueprint or software, send it to a third-world country, and have the product ready for market tomorrow,” said Carlson. “That’s a business disruption issue. Counterfeiters can put a company out of business.”
Drug manufacturers may subvert counterfeiters by adding tracer elements and watermarks to their formulations, which protects their reputations, profits and public health. “If the counterfeiters get the recipe wrong, they might not produce high-quality drugs for public consumption,” Carlson said.
Other manufacturers can also use watermarks and digital rights management (DRM) software to prevent file sharing. Still, Carlson said, counterfeiting is an old problem. “Bad guys have always exploited new technologies for their personal gain.”
The materials used by manufacturers present a greater potential loss exposure than the 3D printer itself, said Dion, noting that it is just another piece of equipment, like a pencil or a lathe.
For example, if a 3D printer is used to replicate a cupcake, the manufacturer should be as careful of contaminants in the mix as traditional bakers need to be. “When 3D printer manufacturers purchase materials from suppliers, they need to perform due diligence on their supplier’s products also.”
A Foreign Education
As more and more American colleges and universities broaden their international footprints, their risk profiles also change. Many are expanding to the developing world, where risks are greater. To keep up, a small but growing number of institutions are hiring full-time international risk managers, according to industry leaders.
Of the 4,500-odd American colleges and universities, about 600 employ dedicated risk managers, and 29 employ full-time international risk managers.
“It’s a new trend, and it’s taking root,” said Jean Demchak, the Global Education and Public Entity practice leader for Marsh. Most were hired in the past three years, and their ranks are growing at about 10 per year.
That trend is most visible in large universities with very mature international programs. However, small schools, including many community and junior colleges, also have international programs that require risk management.
Gone are the days when mere undergraduate study-abroad programs defined an institution’s international presence, said Joan Rupar, division president, Foreign Casualty, AIG.
The traditional health and safety risks to undergraduates remain, but are now complicated by increasingly commercialized enterprises involving faculty and local nationals that raise issues of local and international law, employment and environmental regulations. Trips to remote, undeveloped, and politically unstable locations introduce yet a new set of medical access, kidnap and crime risks.
“When institutions contract with commercial entities for clinical trials or to use their engineering or agriculture expertise in the market, their scope of liability opens considerably,” said Rupar.
“Institutions plan to bring the litigation back to the U.S. if anything happens, but that doesn’t always happen.”
Yet institutions take on the risks with zeal, since foreign programs prepare students for a globalized workplace and political environment, and commercial opportunities compensate for diminishing public education funds as tuition soars, said Paul Pousson, associate director of risk management at The University of Texas System. “Every university president wants to expand the institution’s foreign footprint.”
Compliance With Local Laws
Mike Liebowitz, senior director of enterprise risk management and insurance, New York University — who is one of the 29 full-time international risk managers — said institutions must protect themselves with broad coverage that complies with local regulations.
Domestic insurance policies may be useless for overseas claims because many countries require a licensed insurer, Liebowitz said. U.S. coverage might not be valid in another country because the local coverage is often taxed.
“It’s a revenue source for the country,” Liebowitz said.
Although most exposures for foreign campuses are not much different from those in the United States, employment exposures are a notable exception. When institutions hire from the local population, as foreign campuses and research facilities inevitably will do, risk managers should examine the full battery of employment issues, said Pousson. Those questions include:
• What’s the position to be filled?
• How are employees paid?
• What are the tax issues?
• What are the fringe benefits?
• What are the banking and cash management issues?
• Will the institution open a local bank account?
• Who will have access to the account?
• Who will reconcile it?
Institutions must also comply with local building and construction codes when they buy or renovate property, said Harsh Dutia, vice president, Multinational practice, Marsh USA. “They’re concerned about being good corporate citizens in these countries.”
When setting up the foreign program, Pousson said, most institutions need to tap legal and accounting consultants external to the school. In some cases, those may be professionals in the host country.
Mitigating Health and Safety Risks
Although commercial exposures account for a large and growing part of universities’ international risk, the traditional one — students studying abroad — remains Temple University’s single greatest international risk, said Lisa Zimmaro, assistant vice president for risk management and treasury, Temple University.
“You have a population of 18- to 24-year-olds who think they’re immortal,” she said. “They’re not old enough to drink legally at home, and suddenly they can order a drink. They take risks.”
Some trips are risky simply by virtue of their purpose and location. For example, said Bill Hoye, executive vice president and chief operating officer, IES Abroad, which manages 100 study-abroad programs in 36 global locations, a service-learning trip to an AIDS clinic or a construction site in Africa may carry a range of developing-world risks: illness and injury, remoteness and access to medical care.
“Before you go, have a plan in place,” Hoye said. That may mean bringing a sophisticated medical kit as well as trained and certified first responders.
“You identify the foreseeable risks in that environment and then tailor a plan that spells out how you respond to each risk.”
Safe educational travel is itself a topic of academic research as well as a cottage industry. UCLA’s Center for Global Education provides an exhaustive clearinghouse of best practices and information, including checklists, to help institutions plan for conditions around the world, such as the lack of smoke detectors in France, penalties in Singapore for chewing gum, which way to look before crossing the street in Auckland and evacuations from war zones.
The University of Pennsylvania emphasizes pre-departure preparation and training of its students, establishing contingency plans for “every imaginable” situation, including kidnap, ransom and war, said Jaime Molyneux, director of international risk management, University of Pennsylvania. Where some institutions use commercial travel tracking systems to broadcast alerts and establish a head count in emergencies, Penn requires students to use its homegrown travel tracking system.
Many risk managers and insurance brokers advocate for site visits and assessments when possible. Liebowitz of NYU — a “risk-conservative” school — has visited many of its campuses on every continent except Antarctica. Zimmaro of Temple University credited her site visits with being able to evacuate students from Japan without undue incident after the 2011 earthquake and tsunami. “It was the first time I chartered a plane,” she said.
If they can’t make site assessments, said Rupar of AIG, risk managers at least should learn “an awful lot” about building codes, safety and security in locations of repeat travel, and facilities used as classrooms. That information will transfer to the students and faculty in pre-trip training. Some institutions that can’t make site visits choose to contract with vetted and established assistance providers, such as International SOS, a medical and travel security services company, or the travel tracking service company Terra Dotta Software, which pushes out alerts about, say, a dengue fever outbreak in Ecuador to affected travelers, per their itineraries.
The most effective mitigation, Pousson said, involves internal cross-collaboration between risk managers, international studies, faculty and athletics to hash out the full scale of the foreign undertaking. Some institutions tackle this through international oversight committees, said Rupar. “They gather all the stakeholders at the table to say, ‘This is the program we want, and these are the risks. How do we protect the university’s assets?’ ”
One of the potentially most effective training programs seldom takes place in the United States, said Gary Rhodes, director, UCLA Center for Global Education: foreign language instruction in the early grades, when the child’s neural pathways for language are still elastic. “It’s harder to learn a language at the college level,” he said.
Many colleges and universities belong to self-insured consortia, and more want to belong, said Jan Trionfi, risk management, environmental health & safety, Central Michigan University (CMU), which belongs to the Michigan Universities Self-Insurance Corp. (MUSIC), a consortium of 11 Michigan public universities.
CMU buys its “very good, very broad” foreign liability insurance through the consortium at about a 15 percent savings, thanks to the volume purchase. Coverage includes general liability, property, auto liability, workers’ compensation, and the once exotic but now routine kidnap, ransom, emergency evacuation and repatriation coverage. Some but not all MUSIC members buy the policy, which isn’t included in the core general liability coverage. Because each institution has its own risk tolerance, they don’t share risk, instead buying stand-alone policies, said MUSIC’s broker, Jerry McKay, senior vice president, Marsh Inc.
In addition to cost savings, McKay said, consortia members benefit from sharing best practices. “Typically, the larger members develop best practices that they share freely with the other members.”
“Consortia are a forum for members to discuss how they found missing travelers, how they keep track of them, how they’ve helped them, what’s their disaster plan,” said Rupar.
“That takes a lot of collective thinking, and the result is a very good thing.”