Risk Scenario

Stabbed in the Back

Internal perpetrators show a company just what it doesn’t know about cyber risk management.
October 15, 2016 • 9 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. These hypothetical yet realistic stories showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Part One: Opportunity Knocks

Jack Fisk, nice and warm in the comfort of his study in Fort Collins, Colorado, sat and stared at the message in his personal email account inbox. He sat and stared at it for a long time.


Jack took a sip of herbal tea and a nibble of the lemon cookie at his elbow. Then he went back to staring at the message. There it was in black and white, an offer from a Chinese national — an offer he felt he couldn’t refuse.

As a lead engineer with Super Diamond, a manufacturer of mining and drilling equipment, Jack was an integral part of a team that developed one of the most effective drilling bits ever made. The bit, used in gold mining and deep-sea oil extraction, was helping to push Super Diamond into record-breaking revenue territory.

There was only one problem and it was a very big one, for Jack at least. Super Diamond’s top line was breaking records, but Jack Fisk felt left out. Where were his millions, he wondered.

Well here they were. He didn’t know how they found him, but they found him.

The deal was this. Hand over some of Super Diamond’s top-secret product information and receive a seven-figure reward.

As Jack considered the offer, he felt entirely justified in taking it. It was his creativity and knowledge, more than anyone else’s, which led to the product breakthrough. He was sure of it. He knew it in his gut.



Here’s what Jack didn’t know. Another employee of Super Diamond, an IT executive based in Mumbai, was looking at a very similar email. This employee, Vijay Bhakta, enjoyed super-user status within Super Diamond’s computer networks, with access to all of its servers.

The Chinese had done their homework. Jack, married with two children, lived a pretty straight life. The lure of a big paycheck was more than enough for him.

Vijay enjoyed a riskier lifestyle. Money was a good motivator for him, but just as compelling were the offers of drugs and prostitutes the Chinese were dangling in front of him.

In approaching Vijay, the Chinese were after more than product information. They wanted access to Super Diamond’s customer list and information on its entire product line, not just the drilling bits that Jack helped develop.

Both executives, unbeknownst to the other, took the bait.

For the next 18 months, Jack used the time-honored method of downloading proprietary information onto a thumb drive, walking out the door with it, and painstakingly sending it to his Chinese contact using his personal email address in the quiet comfort of his study at home.

The Bitcoin payments from the Chinese, amounting to $2.7 million in 18 months, arrive faithfully. Jack uploads his company’s precious trade secrets just as faithfully.

Vijay is introduced to a hacker who, armed with the IT exec’s user information and passcodes, invades Super Diamond’s system at will over the same time period.

Vijay is also faithfully compensated, with cash drops and services meeting his other needs, under the terms of his agreement with the Chinese.

At the end of 18 months, fully exploiting their two points of entry, the Chinese own the keys to the Super Diamond kingdom. They know how to make a number of Super Diamond’s products and they know exactly who to sell them to and at what price.

Part Two: A Chilling Recognition

Super Diamond’s risk manager, Cathleen Sunbury, is enjoying an invigorating game of tennis with a friend on a sunlit court in San Diego, when she gets an urgent text from the company’s COO.


“Please get to the office, ASAP,” says the message. “Urgent.”

A chill runs through Cathleen.

“Uh oh,” she says, as she and her friend grab a water break courtside.

“What is it?” her friend says.

“I don’t know what it is, but it doesn’t look good,” Cathleen says. “I gotta go.”

“Is this because I was winning?” her friend asks.

That would normally be a funny jibe between friends. It’s not today.

At the office, other company executives share with Cathleen what they know. Sales in several of Super Diamond’s key Asian markets have suddenly softened.


There is also an indication that the company suffered an IT breach, but the extent of it is difficult to ascertain. Whoever broke in did a great job of covering their tracks. What was accessed and what was taken appear to be unknowns. The company’s IT department is at a loss.

“I know who to call,” Sunbury says, banking on a conversation she had with a former higher-up in the FBI who now works for a cyber forensics firm in Philadelphia.

The Super Diamond CEO and CFO initially balk at the forensic firm’s price tag.

The vice president of the forensic firm, who led key cyber investigations for the FBI before entering the private sector, snorts in derision.

“Your company is horrible at this,” the forensics VP says.

“Your IT department has no idea what happened and it will take them months to figure it out,” he says.

“It’s looking like you have an internal perpetrator, possibly more than one. How much longer can you afford to wait to determine what’s going on?”

The phrase “possibly more than one” overwhelms any resistance on the part of the CFO and the CEO. They sign on the dotted line with the forensics firm.

The forensic firm gets right to work. To connect the dots they pull records from a number of departments, including Human Resources and Security.

They also have their own cyber security specialist take a look at the Super Diamond network to see who might have compromised it.

It takes the forensics firm two days to come up with two names: Jack Fisk and Vijay Bhakta.

Part Three: Gone, Gone, Gone

Jack Fisk and Vijay Bhakta are dismissed and face criminal charges. As painful as that is for company executives, that’s the easy part.


What comes next for Cathleen Sunbury in her role as risk manager is far more painstaking, and far more painful.

The forensics team is able to match up human resources records, including data on when Vijay Bhakta and Jack Fisk were in the office, against data on computer use, including when an outside device was connected to Jack Fisk’s computer.

That leaves no doubt that the theft of product information and additional company information from Super Diamond was the work of inside perpetrators.

The “good” news is that Super Diamond executives now understand what happened. The bad news is that their insurance policies are inadequate to cover the loss.

Determining the value of what was taken, including the cost of lost sales, is difficult, but Super Diamond executives settle on a figure of $200 million.

The company’s cyber breach policy, though, covers an occurrence in the event of a breach from an outside hacker. Bhakta and Fisk are internal perpetrators, and thus the company is not covered, its carrier says.

Compounding the pain, Super Diamond shareholders file suit against Super Diamond executives and board members. The shareholders argue that the board and the C-suites failed to take adequate measures to protect proprietary company information.

The company’s E&O and D&O policies respond to the costs of the lawsuits. But the company faces punishing premium increases for both E&O and D&O coverage going forward.

Sales are depressed, due to the theft of key intellectual property, and getting good cyber coverage at a reasonable price is flat-out impossible.

Super Diamond settles for a premium increase to cover both external and internal hacks that is 400 percent more than it faced the previous year.

Worn out by the process of determining the loss and trying to get coverage for a company that is bleeding money, Cathleen Sunbury resigns.

“I don’t know who we’re going to get to replace you,” the CEO says.

“I don’t know either,” Sunbury says, meaning no disrespect but feeling utterly defeated.


Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Super Diamond’s Cathleen Sunbury might still have her job and her company would be in much better shape had she partnered with Swiss Re Corporate Solutions.

Swiss Re, in addition to offering cyber insurance coverage that would have covered an internal perpetrator incident such as the one detailed in “Stabbed in the Back,” would also advise Sunbury and her fellow executives at Super Diamond on being much better prepared to defend against and respond to it.

Having a forensics team, a crisis (breach) communications partner and the right law firm lined up ahead of time would have saved the company a lot of time and trouble. Swiss Re offers all of that as part of its coverage.

In just one example, imagine the costs that Super Diamond will incur if it has to go after Vijay Bhakta and Jack Fisk in civil court, or what it’s going to spend defending itself against shareholder lawsuits.

Swiss Re Corporate Solutions would have paid for Super Diamond’s legal defense, compensated it for lost revenue, and paid for data reconstitution and additional legal costs as part of its CyberSolutions product.

The lost sales in Asia that Super Diamond experiences when Jack Fisk sells its intellectual property to a Chinese national would also be covered under that policy.

On the front end, Swiss Re would work with Super Diamond to identify which of its mining or drilling technologies were most valuable; in other words, naming the “crown jewels” that the company absolutely could not afford to lose control of. That would also involve ascertaining where those “jewels” are stored and who has access to them.

The upfront work would also include the services of experts with IBM who can conduct penetration tests of the company’s IT systems.

In essence, companies everywhere need to understand that any gap in their preparedness or ability to respond creates liability. There is not only the initial liability of a loss or a penetration, there is the multiplying liability of shareholders, or regulators, holding the company responsible for its negligence.

By partnering with Swiss Re Corporate Solutions and picking up its CyberSolutions product, Super Diamond would have bolstered its risk mitigation and vastly improved the efficiency of its response.

No company is safe from a cyber penetration; the record is clear on that. But experts say many companies have a lot of ground to make up to become more vigilant and better coordinated to bounce back when an incident occurs.

No entity can do this on its own. Pick the right partner(s).

Dan Reynolds is editor-in-chief of Risk & Insurance.

Risk Scenario

Washed Up

Climate change and rapid development create flood conditions that undo a semiconductor manufacturer.
October 1, 2016 • 9 min read

Bright Shiny Objects

As the plane touches down, Meredith Fiers feels the butterflies in her belly. The risk manager for semiconductor manufacturer Bluepoint is now on the ground for her first big overseas assignment.


Her task? Visit the site of a proposed Bluepoint plant outside of Chandigarh, India, the provincial capital of Haryana. Officials in Haryana are offering generous tax breaks, a prime location and help accessing an educated, modestly compensated local workforce.

But there are still some issues to work out. Fiers needs to help determine how exposed the plant is to flood and other hazards.

Her first meeting with government engineers in Chandigarh leaves her feeling that she has her work cut out for her.

“These flood maps leave a lot to be desired,” she says to herself as she reviews a set of plans and elevations with local officials.

Something pings in her gut.



“I need to get out in the country and meet with some locals,” she thinks.

The next morning Fiers and an interpreter hop into a taxi and head to the local village that is closest to where the Bluepoint plant will be built.

Fiers keeps her eyes peeled as the taxi driver navigates a bumpy provincial town road into the village. Out of the corner of her eye, she notices a group of older men gathered under the canopy of a Jujube tree.

“Stop! Here!” she says and the interpreter, in rapidly delivered Hindi, delivers the message to the driver.

“Ask them! Ask them,” she says excitedly.

“Ask them what?” says the interpreter, beginning to show signs of trepidation in the face of the forward manner of his American client.

“Ask them about flood,” Fiers says. “What’s the worst flood they remember?”

At the center of the group of villagers is an old man. Part of his white beard is stained by nicotine to a goldfinch yellow.

He nurses a glass of tea and the smoldering hand-rolled cigarette in his fingers seems like a natural extension of his anatomy. His dark eyes sparkle brilliantly, though, and he smiles as the interpreter approaches him.

The interpreter pops the question.

“Old man,” he says with a bit of cheek. “What is the worst flood you remember?”

The old man strokes his white-yellow beard and his smile fades as the memory hits him. Suddenly excited, he turns, jumps up and points with a trembling hand at a nearby temple wall.

Fiers turns and looks with him. She sees it immediately, a faint division in the shading of the stones. The stones are darker from the ground up to a certain point, then lighter above. A high-water mark.

The man speaks excitedly to the interpreter in Hindi. But once he begins speaking, other members of the group start to engage and argue with one another. One points further up the hill; another points downhill. The argument soon becomes quite heated.

The interpreter turns to Fiers, surprised at the detail he just picked up. He just ignores the growing chaos behind him.

“1945,” he says. “That was the high point right there. In 1945.”

The village elders' argument dies down and the old man sits down and takes a sip of tea, subdued again.


That night Fiers leaves an excited voicemail with Bluepoint’s CFO.

“Our proposed site is 1.5 meters higher in elevation than the worst flooding Haryana has ever seen,” she says.

“Let’s do this.”

Monsoon Season in Haryana

By August of 2018, the Bluepoint semiconductor plant near Chandigarh is everything company executives thought it would be. The local workforce and management team are delivering like a dream.


Part of Bluepoint’s confidence in the Chandigarh operation is that it is armed with a contract from Todah. Todah, one of the largest auto manufacturers in the world, is grabbing large chunks of market share with its hybrid vehicles.

This very month, Bluepoint wins yet another enormous contract, this time with a U.S.-based car maker.

Bluepoint’s leaders, though, are keeping a close eye on a German competitor, Tek-Kraft. Tek-Kraft also used government incentives to build a semiconductor plant nearby. Bluepoint seems to be in a budding talent war with Tek-Kraft.

But as monsoon season builds to a peak, Bluepoint finds it has something else to worry about. The rain is coming down like no one in Haryana has ever seen.

“It’s Superstorm Sandy all over again,” says an engineering consultant who works with Bluepoint, on a call with Fiers and other executives as flood waters begin to overwhelm the lower elevations.


“What do you mean?” says Fiers, with some irritation in her voice. She doesn’t initially get the connection.

“I mean that a couple of underlying factors are producing flooding like this area has never seen before,” he says patiently.

“One, climate change is increasing the intensity of storms and other climatic actors like monsoons. This area has probably never seen such moisture.”

“And the second?” Fiers says. Panic is causing her to lose her composure.

“The second is that there is no way local flood maps could take into account the rapid increase in development which has sealed off the soil with concrete, asphalt and business parks,” the consultant says.

“There’s nowhere for all this water to go.”

The image of the old man pointing to the temple wall flashes in front of Fiers’ eyes. How high up that wall will this flood go? The answer is … high enough.

Bluepoint’s Chandigarh location is devastated by three days of flooding. The old man Meredith Fiers interviewed never thought he’d see the day when that 1945 flood is eclipsed. Well that day is here.

Nothing to do for it but get on the phone with her broker and her carriers. Fiers takes a deep breath and starts dialing.

Goodbye Local Workforce

“You’re in good shape from a coverage standpoint,” her broker tells Fiers when they connect and go over the policies two days after the plant is so severely damaged.


“You’ve got robust property coverage. You’ve got business interruption coverage as part of your property policy. No issues there given how long we think it will take the plant to get back up to speed, which I think is about nine months,” he says.

“True,” Fiers says.

“Of course we have some work to do to make sure we don’t get hurt at renewals,” he adds. “But with your loss run, you should be okay.”

But Fiers isn’t convinced that all is well. She’s right.

Six months later, with the re-opening of the Bluepoint Chandigarh plant a mere three months away, the company is buffeted by a different kind of flood: a wave of bad news.

The first blow is that Bluepoint loses Todah as a customer. The superstar hybrid maker picked up a new supplier while Bluepoint was down. Guess who? Yes, it’s Tek-Kraft.

Then Bluepoint loses the contract with the U.S. hybrid maker. Semiconductor makers with locations in China and Thailand were only too happy to pick up that business.

Still, Bluepoint executives push on to open the Chandigarh plant. Their sales people are begging other customers to stay with them until they can open again.

Their pleas may be in vain. Bluepoint puts out the word that it is hiring again at the Chandigarh plant. Unfortunately very few answer the call.

Local officials indicate that much of Bluepoint’s work force is now working for the Tek-Kraft plant.

“We’re none too happy with how your company has managed things here,” a Haryana economic development official tells a Bluepoint manager.

“So now it’s our fault?” the manager says.

Politics being politics, somebody’s got to take the blame for squandered tax breaks that, in the end, failed to create long-lasting jobs. In these parts, Bluepoint is now the bad guy.


Bluepoint is rocked by the events in Haryana.

One day, just to escape the tension of what has become a daily work nightmare, Meredith Fiers takes a walk on the outskirts of the local village.

Coming up to the Jujube tree, she sees the village elder, the one who pointed so portentously to the temple wall’s high-water mark.

With his ever-present cigarette he looks sadly to the damaged temple, where there is a new high water mark. Fiers’ gaze follows his.

“If I only knew,” she says to herself.


Risk & Insurance® partnered with FM Global to produce this scenario. Below are FM Global’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Do not underestimate the impact you can have on reducing the potential damage and disruption to your business if flooding occurs. It all starts with a clear understanding of the risk, flood maps, onsite engineering expertise, local knowledge and a flood emergency response plan.

At important facilities, an onsite engineer is crucial to evaluating factors such as changes in terrain and infrastructure, impediments to water flow and other factors. Ideally, the facility should lie outside of a flood zone. Flood maps and onsite engineers are your best defense to mitigating flood exposure.

Regional and global mapping capabilities represent a unique blend of scientific knowledge, local expertise and technology to ensure you have the most comprehensive, up-to-date information to help you make informed risk improvement decisions.

But, if your facility is flood exposed, an engineer can look at opportunities to provide fixed or temporary flood protection, such as flood barriers or elevating critical assets.

A flood emergency response plan (FERP) can help you:

  1. Gain a thorough understanding of how a potential flood event could affect your facility;
  2. Make your emergency response team aware of their roles during such an event; and
  3. Ensure you have adequate resources on hand.

Consider taking the following steps:

  • Make sure you understand the potential flood events to which your site is exposed. It is critical to know how much time you will have to put your plan in place. Important aspects include warning time, how fast the water will rise and how long it will last. This is where an onsite engineer can help you.
  • Ensure you have a reliable method of flood warning.
  • Establish the potential impact to your business: what operations will be affected and what level of damage will be involved. An engineer can provide assistance in assessing this.

Taking action against flood can lead to disruption. After all, there always is the chance that predictions are wrong and the flood may not occur. By truly understanding the potential flood event, as well as the nature of the warning and timing, you will be able to determine a “point of no return,” after which your plan will not have time to work. This may be the most critical part of the plan, so it’s essential that your entire team is aware of the implications, supports the plan and agrees on who has the authority to put the plan into place, regardless of the immediate business implications.

Dan Reynolds is editor-in-chief of Risk & Insurance.

Sponsored: Lexington Insurance

Sparking Innovation and Motivating Millennials

What started off as a one-off project for Lexington Insurance evolved into an annual program that sparks innovative solutions and helps develop millennial talent.
October 3, 2016 • 5 min read

Two trends in the insurance industry, if they continue, could compromise its vitality in today’s fast-paced, technology-driven business world: slow innovation and a scarcity of millennial talent.

The quests to develop innovative solutions and services and to recruit young people to the field have raised concerns in the industry for several years, causing some insurers to think about how they will stay viable in the future when senior-level managers begin to retire.

But Lexington Insurance Company, a member of AIG, may have found a way to spark innovation that also engages millennial minds.

Innovation Boot Camp started three years ago as a one-off project meant to identify young, high-potential employees, give them exposure to senior management and evaluate their teamwork and leadership capabilities.

“The original concept was fairly straightforward. We would bring together a group of about 30 high potential employees for some semblance of team project work and it would allow management to gauge and assess talent,” said Matt Power, Executive Vice President, Head of Strategic Development, Lexington Insurance.

Little did he know how well the program would not only generate a plethora of innovative ideas that would drive the company forward, but also reinvigorate younger employees.


New Ideas Emerge

The inaugural Innovation Boot Camp began with a two-day kickoff meeting for participants, who formed six teams of five or six. Each team was tasked with developing a business plan, and began to connect virtually over the next 12 weeks. The plan would culminate in a presentation to a senior management judging panel at the program’s conclusion.

“The boot camps would be focused on innovation, with the idea that if we ended up with a concept or product that we could commercialize, then the boot camp would have been effectively self-funded,” Power said. “When they came back at the end of the 12 weeks, we were absolutely shocked because they produced about half a dozen products that have since been commercialized and are in some phase of being rolled out.”

Power credits the program’s success in part to the participants’ youth. They were tuned in to different trends and issues than their more experienced counterparts.

Cyberbullying, for example, was a problem that didn’t exist for Power and his contemporaries as they grew up, but was salient for millennials. Based on the presentation of one group, Lexington developed coverage on their personalized portfolio for exposures associated with cyberbullying.

Likewise, “they educated us on the emergence of the craft brewing industry and how rapidly it was growing in the U.S.,” Power said. “That led to us launching a whole suite of products for craft brewers.”

Another team brought forth the concept of how rapid sequencing laser photography could be used to create a three-dimensional picture of a construction work site. That would allow contractors or claims managers to virtually walk through the site at a given point in the construction process to identify deviations from the original blueprint plans.

The images could memorialize the building process down to the millimeter, to every screw and wire. If a loss emerges later on due to a construction defect, the 3D map would be a valuable investigation tool.

Innovation Boot Camp proved so successful that Lexington expanded it to other arms of AIG all over the world.

“Suddenly we started getting calls from London, Copenhagen, Brazil,” Power said. “We were doing these programs for our global casualty team, for our lead attorneys in New York, for our financial lines group, and so on. We recently embarked on the 16th iteration of this program in London, with additional programs in the works.

“It’s a journey that has evolved from trying different things and not being afraid to fail, not being afraid to try new ways of thinking about the business.”


Engaging Millennial Minds

In addition to generating new product ideas, Innovation Boot Camp also engages younger employees more fully by offering the opportunity to make meaningful contributions to the company through independent work that requires some creative thinking.

Past participants are often great crusaders for the program.

“A program like IBC is something rarely seen at a large corporate conglomerate, and really a concept for new age startup companies,” said Alyson R. Jacobs, Vice President, Broker and Client Engagement Leader in AIG’s Energy & Construction Industry Segment. “But we were given a chance to work with people of all different professional backgrounds, and that environment unearthed concepts and solutions that have made a significant impact in the lives of our insureds and their employees.”

The chance to do work that makes a difference, both for the success of their company and for the clients it serves, is what attracts millennial employees to the program and motivates them to devote their best effort to the project.

“Millennials want to be able to share their ideas and make meaningful contributions at work,” Power said. “Innovation Boot Camp has evolved into the perfect forum for that.”

David Kennedy, Esq., Product Development Manager for Lexington Insurance and former Coach for two Innovation Boot Camps, said the program engenders an “entrepreneurial spirit of developing something new, of applying analytical rigor to emerging risks to create unique and timely solutions for our clients and the marketplace.”

Exposure to senior executives doesn’t hurt either.

“It provided a platform for me to not just interact with our Senior Executive leadership but present a concept that could potentially be adopted by our company in the future,” said Ryan Pitterson, Assistant Vice President, AIG. “It helps to build your internal network, elevate your profile in the company and connects you with our client base as well.”

At a time when recent college graduates choose employers based on how much opportunity they’ll be given to have meaningful input — as well as opportunities for advancement — projects like Innovation Boot Camp could be the answer to the insurance industry’s struggle to pull in millennials.

“We give them the time, space and resources to create something new,” Power said. “When employee engagement is done right, it inspires passion and creativity.”

As multiple arms of AIG adopt Innovation Boot Camp around the globe, both the quantity and quality of new ideas are bound to flourish.

“The bottom line is, many heads are greater than one, and AIG has figured out how to leverage this. AIG hears their employees’ voices and enables those ideas to take our company into the future,” Jacobs said.

To learn more about Lexington Insurance, visit http://www.lexingtoninsurance.com/home.


This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Lexington Insurance. The editorial staff of Risk & Insurance had no role in its preparation.

Lexington Insurance Company, an AIG Company, is the leading U.S.-based surplus lines insurer.