Risk Insider: Jack Hampton

Breaching the Electronic Levees

By: | October 24, 2016 • 3 min read
Jack Hampton is a Professor of Business at St. Peter’s University in New Jersey and a former Executive Director of the Risk and Insurance Management Society (RIMS). He was named a Risk Innovator in 2008 by Risk and Insurance®. He can be reached at [email protected]

October 21, 2016.

In what was described as a stunning breach of global Internet stability, a coordinated cyberattack struck online social networking and other systems including Twitter and PayPal.

In a distributed denial-of-service, hackers flooded servers, causing them to collapse under the overload.

Such attacks are common and we are getting used to them. This is not good.

Mounting evidence shows hackers are becoming more powerful, more sophisticated, and increasingly interested in targeting core infrastructure providers.

Yesterday Twitter, tomorrow the electricity grid and nuclear power plants.

We have been there before. The year was 2005. The event was Hurricane Katrina.

Today’s “Katrina” is not a natural disaster. Neither is it limited to the U.S. Gulf Coast. It’s a national or global cyber attack.

Here’s what we knew. Major portions of New Orleans flooded on average every three years for the prior 200 years before Katrina struck in 2005. Even heavy rain exceeded the capabilities of pumps trying to get rid of the water.


Since the early 1800s, the city enforced a code of burial in tombs above ground. Nobody wants flooding to uproot caskets and have them floating in the streets.

The cemeteries, called “cities of the dead,” were a major attraction. Even today you can pay $25 a person and take the whole family on a “2-Hour Cemetery & Voodoo Walking Tour” in New Orleans.

So planners in that city rationally had their eyes on tourism dollars. But what about risk management?

Rain is one thing. Levee breaches are another.

The entire city was protected either by high ground or levees built to withstand a Category 3 storm. Atlantic hurricanes had been growing in intensity.

Katrina was a Category 5 upon arrival in Louisiana. The levees failed.

Katrina should have been seen in advance. Not the exact date. Not the horror. Just the madness of how we often fail to fix the obvious until it’s too late.

Today’s “Katrina” is not a natural disaster. Neither is it limited to the U.S. Gulf Coast. It’s a national or global cyber attack.

The recent attack on Twitter and others did more than disturb our instant messaging. It gave us a glimpse of an impending electronic catastrophe.

We recall automobiles with faulty ignition switches that can kill or injure us. We replace defective smart phones that catch fire or explode, with the potential to take down commercial airliners.

Why do we ignore the fact that we are connecting our entire daily life — emails, phones, cars, appliances, hospitals, electrical networks, and pacemakers — to a single vulnerable system? We need more than electronic “levees” built to withstand a rainfall when we are facing a cyber tropical cyclone.

Does this risk management failure stem from being penny-wise and pound-foolish?

The annual U.S. spending on national defense is $600 billion. The government budget deficit is also $600 billion. Annual social security and disability benefits amount to $930 billion.

How much is too much to reasonably spend to protect us as we stand here, watching these approaching electronic storm clouds?

Spending for personal virus protection? $30 annually per computer.

Spending for business systems? Thousands to millions of dollars.

Spending to stabilize a global communication network that could allow really bad people to cause devastation and calamity? Priceless.

Share this article:

Risk Insider: Carol Zacharias

Cyber Directors: Greater Expertise, Greater Liabilities?

By: | October 17, 2016 • 2 min read
Carol Zacharias is underwriting counsel to QBE North America, a multinational insurer. She has a master's degree in corporate law from New York University School of Law. She can be reached at [email protected]

The World Economic Forum places cyber security ahead of terrorism as one of the top 10 economic threats to 140 countries. Cyber security risk in the corporate arena is the responsibility of the board.

As noted by the commissioner of the SEC, “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.”

Boards have taken up the charge. Cyber security has moved from 11th place to third place on board agendas according to the Lloyd’s of London “Biennial Risk Index” of 2011 and 2013.  The increased spending on cyber security protection by companies further supports this trend.

Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?

According to Gartner Inc., companies spent $86 billion on protection efforts in 2015, which reflects an 18 percent increase from the prior year, and are expected to spend $94 billion in 2016.


The issue becomes, how can a board address cyber risk complexities and meet its duty of care?

Congress proposes mandating cyber experience on boards. The Cybersecurity Disclosure Act of 2015 requires that public companies disclose whether the company has a director with cyber security experience or expertise, or disclose what cyber security steps it has taken that mitigate against acquiring board expertise.

At the same time, boards today are addressing cyber risk in one of several different ways.

Some address cyber security as a plenary board, receiving reports, engaging in discussions and making critical decisions as a whole. This can prove challenging due to the paucity of time at a board meeting and lack of board level cyber expertise.

Alternatively, boards may delegate cyber risk management to established audit committees. A committee forum provides greater time for analysis and expert consultation. However, audit committees are more likely to have financial rather than cyber expertise, and are more attuned to financial rather than technology and innovation issues.

Other boards create a cyber security committee or seek to add a cyber expert to the board itself. Either way, the board is seeking greater cyber expertise and experience at the board level.


The issue becomes whether the cyber expert director has a higher risk of liability than fellow directors. Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?

All corporate directors owe a fiduciary duty of care to the company and its shareholders. In executing their duty of care, the director must act in a manner that a reasonably prudent person would act under the circumstances.  A reasonable person means one with the expertise of the director in question. If a director has a particular expertise, skill or experience, they are expected to apply it.

Accordingly, the cyber expert-director could be held to a higher standard of care and diligence in reviewing cyber-related matters than a director without cyber expertise.

While no director can turn a blind eye to negligence, and while all directors must act with diligence and care in addressing cyber matters, the cyber expert-director will tenably be expected to act in a manner that a reasonably prudent cyber expert would act under the circumstances, conducting a diligent technical review and evaluation of cyber matters that a director without cyber expertise could not undertake.

Share this article:

Sponsored Content by Nationwide

Hot Hacks That Leave You Cold

Cyber risk managers look at the latest in breaches and the future of cyber liability.
By: | October 3, 2016 • 5 min read

Nationwide_SponsoredContent_1016Thousands of dollars lost at the blink of an eye, and systems shut down for weeks. It might sound like something out of a movie, but it’s becoming more and more of a reality thanks to modern hackers. As technology evolves and becomes more sophisticated, so do the occurrence of cyber breaches.

“The more we rely on technology, the more everything becomes interconnected,” said Jackie Lee, associate vice president, Cyber Liability at Nationwide. “We are in an age where our car is a giant computer, and we can turn on our air conditioners with our phones. Everyone holds data. It’s everywhere.”

Phishing Out Fraud

According to Lee, phishing is on the rise as one of the most common forms of cyber attacks. What used to be easy to identify as fraudulent has become harder to distinguish. Gone are the days of the emails from the Nigerian prince, which have been replaced with much more sophisticated—and tricky—techniques that could extort millions.

“A typical phishing email is much more legitimate and plausible,” Lee said. “It could be an email appearing to be from human resources at annual benefits enrollment or it could be a seemingly authentic message from the CFO asking to release an invoice.”

According to Lee, the root of phishing is behavior and analytics. “Hackers can pick out so much from a person’s behavior, whether it’s a key word in an engagement survey or certain times when they are logging onto VPN.”

On the flip side, behavior also helps determine the best course of action to prevent phishing.

“When we send an exercise email to test how associates respond to phishing, we monitor who has clicked the first round, then a second round,” she said. “We look at repeat offenders and also determine if there is one exercise that is more susceptible. Once we understand that, we can take the right steps to make sure employees are trained to be more aware and recognize a potentially fraudulent email.”

Lee stressed that phishing can affect employees at all levels.

“When the exercise is sent out, we find that 20 percent of the opens are from employees at the executive level,” she said. “It’s just as important they are taking the right steps to ensure they are practicing what they are preaching.”

Locking Down Ransomware

Nationwide_SponsoredContent_1016Another hot hacking ploy is ransomware, a type of property-related cyber attack that prevents or limits users from accessing their system unless a ransom is paid. The average ransom request for a business is around $10,000. According to the FBI, there were 2,400 ransomware complaints in 2015, resulting in total estimated losses of more than $24 million. These threats are expected to increase by 300% this year alone.

“These events are happening, and businesses aren’t reporting them,” Lee said.

In the last five years, government entities saw the largest amount of ransomware attacks. Lee added that another popular target is hospitals.

After a recent cyber attack, a hospital in Los Angeles was without its crucial computer programs until it paid the hackers $17,000 to restore its systems.

Lee said there is beginning to be more industry-wide awareness around ransomware, and many healthcare organizations are starting to buy cyber insurance and are taking steps to safeguard their electronic files.

“A hospital holds an enormous amount of data, but there is so much more at stake than just the computer systems,” Lee said. “All their medical systems are technology-based. To lose those would be catastrophic.”

And though not all situations are life-or-death, Lee does emphasize that any kind of property loss could be crippling. “On a granular scale, you look at everything from your car to your security system. All data storage points could be controlled and compromised at some point.”

The Future of Cyber Liability

According to Lee, the Cyber product, which is still in its infancy, is poised to affect every line of business. She foresees underwriting offering more expertise in crime and becoming more segmented into areas of engineering, property, and automotive to address ongoing growing concerns.”

“Cyber coverage will become more than a one-dimensional product,” she said. “I see a large gap in coverage. Consistency is evolving, and as technology evolves, we are beginning to touch other lines. It’s no longer about if a breach will happen. It’s when.”

About Nationwide’s Cyber Solutions

Nationwide’s cyber liability coverage includes a service-based solution that helps mitigate losses. Whether it’s loss prevention resources, breach response and remediation expertise, or an experienced claim team, Nationwide’s comprehensive package of services will complement and enhance an organization’s cyber risk profile.

Nationwide currently offers up to $15 million in limits for Network Security, Data Privacy, Technology E&O, and First Party Business Interruption.

Products underwritten by Nationwide Mutual Insurance Company and Affiliated Companies. Not all Nationwide affiliated companies are mutual companies, and not all Nationwide members are insured by a mutual company. Subject to underwriting guidelines, review, and approval. Products and discounts not available to all persons in all states. Home Office: One Nationwide Plaza, Columbus, OH. Nationwide, the Nationwide N and Eagle, and other marks displayed on this page are service marks of Nationwide Mutual Insurance Company, unless otherwise disclosed. © 2016 Nationwide Mutual Insurance Company.



This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.

Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A+ by both A.M. Best and Standard & Poor’s.
Share this article: