Cyber Security’s Latest Buzz
Insurers, here’s a pop quiz. How secure are you that you fully understand all the risks you have accepted on behalf of your clients? That your book of business contains no surprises?
My guess is that you think you’re pretty secure, and my other guess is that you’re really not. One example should suffice, but before I explain, a trigger warning to decent folk: The subject is sex toys.
Right. Now that I have your attention … are you prepared to pay out when hostile forces take over your client’s love machines?
Far-fetched? Far from it. One vibrator on the market reports back to its manufacturer on the behavior of the toy’s owner. Worse, it can be commandeered by hackers.
Full disclosure: I know nothing of sex toys. In fact, I’m mortified just writing about them.
Here are some facts, to steady the ship.
“Two years ago, someone had the good idea to put a Bluetooth connection inside a vibrator,” The Guardian newspaper reported. The vibrator can be linked to a smartphone app that controls it remotely. One party tells the vibrator what to do, and the other party, well, I dunno.
At a hacking conference, two independent hackers from New Zealand reported that the link between the vibrator and the app is not secure. A hacker could take control of the vibrator at a crucial moment and, well, I dunno.
Two million hackable vibrators have been sold. People could be unaware that they’re having virtual sex with total strangers, although in some circles that might be considered a good thing.
Sooner or later, though, hackees must surely come to the conclusion that advantage has been taken of them and demand recompense. Does your company cover vibrator hacking?
The app reports the temperature of the vibrator to its manufacturer every minute, and also reports changes in the intensity of the vibrations.
“What are the implications of who they’re going to give that data to?” asked one of the hackers.
In a statement, manufacturer Standard Innovation said the information was for “market research purposes, so that we can better understand what settings and levels of intensity are most enjoyed.” So that’s alright then.
If the readers of this magazine, the world’s smartest insurance people, were asked to list 100 utterly bizarre risks, not one of them would have written down “vibrator hacking.”
Insurers must cope with unknowable change while providing insureds with good vibrations. By the time the unimaginable becomes imaginable and then becomes hard fact, the risk is routinely covered and insurers are worrying about even more absurd risks that they might one day be asked to cover.
That’s why insurance is so fascinating to the observer — no one ever has any idea what’s coming next.
From personal items such as e-cigarettes, cellphones and laptops to power tools, hoverboards, electric vehicles and alternative energy storage, rechargeable lithium-ion batteries (LIBs) come in all shapes and sizes, and are integral to modern living.
But despite their increasing application, the fire risks associated with LIBs have gained publicity of late, piquing the interest of insurers across a range of disciplines, from property and casualty to supply chain to product and environmental liability.
If overheated, LIBs can enter “thermal runaway,” emitting flammable material — sometimes in the form of small explosions; the bigger or more powerful the battery, the more impactful the event.
LIBs include a number of safety features to minimize the risk of thermal runaway. However, overcharging, damage to the battery, using an improper charging device or even excessive discharge can all trigger the problem.
After a UPS plane carrying a bulk LIB cargo caught fire and crashed in 2010, at least 18 airlines, including Cathay Pacific, Emirates and Qatar Airways, banned the bulk haulage of such cargo, causing supply chain headaches for companies transporting LIB products.
There have also been incidents when personal items have ignited in the carry hold on passenger flights.
A study by the Federal Aviation Administration (FAA) showed that gas venting from the batteries had the potential to “rocket” the battery away from the heat source. In a bulk storage facility, this could send batteries off into other parts of the warehouse, spreading the fire.
Indeed, bulk storage situations pose the biggest threat due to the risk of contagious overheating when multiple batteries are in close proximity.
“When you have a lot of these batteries together, fires can grow very quickly and be very damaging,” says Lou Gritzo, vice president of research at FM Global.
However, Gritzo’s firm said it made a major research breakthrough in April that could help mitigate LIB fire risk.
In partnership with the National Fire Protection Agency and the Fire Protection Research Foundation’s Property Insurance Research Group, FM Global conducted a first-of-its-kind warehouse fire test on the type of LIBs used in electric cars and energy storage. The test, he said, identified a sprinkler configuration that provides an “adequate fire protection point.”
Gritzo hopes the test results, which he expects to be published in a few months following data quality assurance checks, can be taken on board as an industry standard.
The results do not resolve the issue of air cargo safety, though some findings may be extrapolated out to develop in-flight fire extinguishing systems and improve safety for LIB cargo transportation.
Beyond the warehouse environment, LIB-powered devices present a product liability risk for manufacturers, importers, distributors and retailers. The biggest hazard lies in importing products that have been installed with defective or even counterfeited batteries that have been repackaged and rebranded to look superior.
In February, for example, U.S. Customs and Border Protection seized 3,500 hoverboards worth $1.8 million that reportedly contained substandard counterfeit batteries that posed a safety risk.
“If you are an electronics manufacturer, it is essential you know who and where you are buying your batteries from, that you are getting high quality batteries, and that they have high thermal runaway thresholds,” said Morgan Kyte, senior vice president and technology team leader at Marsh.
Detailed Warnings Required
The importer of defective goods is considered the manufacturer in the eyes of the law, and in the eyes of insurers in the event of a claim, said Paul Owens, products liability manager at Sadler Products Liability Insurance.
“Importers are top of the pyramid in the U.S. as no one is going overseas to recover,” he said. Most importers are buying from companies whose product liability policies won’t respond in the United States.
“Warning and instruction defect is a common entry into a product liability lawsuit,” Owens added.
“If you are selling lithium batteries, it is even more important to have detailed instructions and warnings because there are so many things that can go wrong.”
Retailers and wholesalers who purchase from U.S. manufacturers at least know they have a route of recourse in the event of a claim, though it is likely they would be dragged into litigation.
After e-cigarette user Jennifer Reis was set on fire in 2015 when the battery in her device exploded, the e-cigarette’s distributor, wholesaler and even the Tobacco Expo store where she bought it were all named in the lawsuit. Reis was awarded $1.9 million in damages.
“Retailers and distributors should ask their suppliers to name them as additional insureds on their policies,” said Owens.
“If you are named as an additional insured, the importer’s policy is primary and yours is secondary, which is an important step for retailers and wholesalers.”
However, Owens noted, not all insurance carriers are comfortable writing coverage for LIB-powered products.
“You have to be very careful with the policies you buy as some can be very narrowly written — some have full health-hazard exclusions, and for items like e-cigarettes this leaves very little coverage.”
It is not always easy to determine whether a thermal runaway event has been caused by a defective LIB, a defective electronic device or human error, Kyte said.
“Often there is not much material left after one of these, though there are certain tests that can be done and sometimes it is possible to extrapolate a sequence of events to determine the cause.”
The best way to avoid expensive product liability claims is to only buy and sell LIBs and chargers of the highest quality.
“This will cost you and your customer a little more, but it’s nothing compared to the increase in premiums after a product liability claim,” said Owens.
Lithium manganese (IMR) and hybrid (NiMH) batteries are considered chemically safer than most LIBs and do not require protection circuits, he said.
“Importers need to be good engineers. They should make sure they buy from reputable sources and it is advisable to batch test products that contain LIBs,” he added.
Your Workers’ Safety May Be at Risk, But Can You See the Threat?
Deadly violence at work is covered extensively by the media. We all know the stories.
Last year, ex-reporter Bryce Williams shot and killed two former colleagues while they conducted a live interview at a mall in Virginia. In February of this year, Cedric Larry Ford opened fire, killing three and injuring 12 at a Kansas lawn mower manufacturing company where he worked. Also in 2015, 14 people died and 22 were wounded by Syed Farook, a San Bernardino, California county health worker, and his wife, who had terroristic motives.
Active shooter scenarios, however, are just the tip of the iceberg when it comes to violence at work.
“Workplace violence is much broader and more pervasive than that. There are smaller acts of violence happening every day that directly impact organizations and their employees,” said Bertrand Spunberg, Executive Risks Practice Leader, Hiscox USA. “We just don’t hear about them.”
According to statistics compiled by the FBI, the chance that any business will experience an active shooter scenario is about 1 in 457,000, and the chance of death or injury by an active shooter at work is about 1 in 1.6 million.
The fact that deadly attacks — which are relatively rare — get the most media attention may lead employers to underestimate the risk and dismiss the issue of workplace violence as media hype. But any act that threatens the physical or psychological safety of an employee or that causes damage to business property or operations is serious and should not be taken lightly.
“One of the core responsibilities that any organization must fulfill is keeping employees safe, and honoring that duty is becoming more challenging than ever,” Spunberg said.
Desk Rage and Bullying: The Many Forms of Workplace Violence
Bullying, intimidation, and verbal abuse all have the potential to escalate into confrontations and a physical assault or damage to personal property. These violent acts don’t necessarily have to be perpetrated by a fellow employee; they could come from a friend, family member or even a complete stranger who wants to target a business or any of its workers.
Take, for example, the man who killed three workers at a Colorado Springs Planned Parenthood in April. He had no affiliation with the organization or any of its employees, but targeted the clinic out of his own sense of religious duty.
Companies are not required to report incidents of violence and many employees shy away from reporting warning signs or suspicious behavior because they don’t want to worsen a situation by inviting retaliation. It’s easy, after all, to attribute the occasional surly attitude to typical work-related stress, or an office argument to simple personality differences that are bound to emerge occasionally.
Sometimes, however, these are symptoms of “desk rage.”
According to a study by the Yale School of Management, nearly one quarter of the population feels at least somewhat angry at work most of the time, a condition they termed “chronic anger syndrome.” That anger can result from clashes with fellow coworkers, from the stress of heavy workloads, or it can overflow from family or financial problems at home.
Failure to recognize this anger as a harbinger of violence is one key reason organizations fail to prevent its escalation into full-blown attacks. Bryce Williams, for example, had a well-documented track record of volatile and aggressive behavior and had already been terminated for making coworkers uncomfortable. As he was escorted from the news station from which he was terminated, he reportedly threatened the station with retaliation.
Solving Inertia, Spurring Action
Many organizations lack the comprehensive training to teach employees and supervisors to recognize these warning signs and act on them.
“The most critical gap in any kind of workplace violence preparedness program is supervisory inertia, when people in positions of authority fail to act because they are scared of being wrong, don’t want to invade someone’s privacy, or fear for their own safety,” Spunberg said.
Failing to act can have serious consequences. Loss of life, injury, psychological harm, property damage, loss of productivity and business interruption can all result from acts of violence. The financial consequences can be significant. In the case of the San Bernardino shootings, for example, at least two claims were made against the county that employed the shooter seeking $58 million and $200 million.
Although all business owners have a workplace violence exposure, 70 percent of organizations have no plans in place to avoid or mitigate workplace violence incidents and no insurance coverage, according to the National Institute for Occupational Safety & Health.
“Most companies are vastly underprepared,” Spunberg said. “They don’t know what to do about it.”
Small- to medium-sized organizations in particular lack the resources to develop risk mitigation plans.
“They typically lack a risk management department or a security department,” Spunberg said. “They don’t have the internal structure that dictates who supervisors should report a problem to.”
With its workplace violence insurance solution, Hiscox aims to educate companies about the risk and provide a solution to help bridge the gap.
“The goal of this insurance product is not so much to make the organization whole again after an incident — which is the usual function of insurance — but to prevent the incident in the first place,” Spunberg said.
Hiscox’s partnership with Control Risks – a global leader in security risk management – provides clients with a 24/7 resource. The consultants can provide advice, come on-site to do their own assessment, and assist in defusing a situation before it escalates. Spunberg said that any carrier providing a workplace violence policy should be able to help mitigate the risk, not just provide coverage in response to the resultant damage.
“We urge our clients to call them at any time to report anything that seems out of the ordinary, no matter how small. If they don’t know how to handle a situation, expertise is only a phone call away,” Spunberg said.
The Hiscox Workplace Violence coverage pays for the services of Control Risks and includes some indemnity for bodily injury as well as some supplemental coverage for business interruption, medical assistance and counseling. Subvention funds are also available to assist organizations in the proactive management of their workplace violence prevention program.
“Coverage matters, but more importantly we need employees and supervisors to act,” Spunberg said. “The consequences of doing nothing are too severe.”
To learn more about Hiscox’s coverage for small-to-medium sized businesses, visit http://www.hiscoxbroker.com/.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Hiscox USA. The editorial staff of Risk & Insurance had no role in its preparation.