Cyber Threats

Heading Off ‘Cybergeddon’

Cyber experts say resistance is futile, but resilience is paramount.
By: | May 8, 2014 • 3 min read
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”

Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.

Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.

The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.

Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.

Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.

Second, Healey said, defenders have to be right every time, and attackers have to be right only once.

Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.

Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.

Companies, governments and risk managers should shift the drumbeat from resistance to resilience and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:

  • Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
  • Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
  • Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Susannah Levine writes about health care, education and technology. She can be reached at riskletters@lrp.com.

Higher Education

University Risk Managers Share Concerns

Higher education risk managers are focusing on ERM, as well as cyber security and compliance risks.
By: | October 1, 2014 • 5 min read
Higher education risk managers converged on Louisville, Ky., last week for the annual conference of the University Risk Management and Insurance Association, where several themes emerged as key areas of focus.

“ERM seemed to be the biggest theme, but there was enough variety in the sessions to cover all the basics,” said Mark Logel, director, administrative services & risk management at the University of Evansville and a first-time conference attendee.

ERM Implementation

More than six in 10 (61 percent) survey respondents said they have not conducted an enterprise risk management process at their institution in the past two years, or don’t know if such work was done, according to data shown during one session, “Managing Risk Intelligently: A New Normal.”

And yet, nearly three-fourths (73 percent) said they are more focused on institutional risk now than five years ago, and 63 percent reported having more full board discussions about institutional risk.

Paradoxically, only 39 percent of respondents said they were getting enough information about their exposures, down from 43 percent in 2008.

However, according to Gary Langsdale, university risk officer at Pennsylvania State University (PSU) and a session speaker, these statistics are not as negative as they appear. Such conflicting opinions may demonstrate that institutions are growing more aware of the complex web of risks they face and therefore asking for more information, not necessarily receiving less.

“There’s an impetus for thinking more holistically about risk,” said Andre LeDuc, executive director, enterprise risk services at the University of Oregon. “It’s a continual struggle to promote a risk-aware culture.”

Such a culture needs to be built from the top down, with buy-in from board members and more communication between academic and student affairs offices. The publicity surrounding the Sandusky scandal at PSU revealed a need for greater board involvement, Langsdale said.

But, he noted, there is a limit.

“Board members should have their noses in but fingers out,” he said, meaning the board’s role is to be informed but not overly involved in risk management.

Langsdale identified ways risk managers can help set the culture for a true ERM effort:

• Look for leadership opportunities.

• Break down organizational silos.

• Understand the analytical tools and methodologies available.

• Elicit views from across the organization.

“Establishing ERM is an evolution,” LeDuc said. “Check back in two or three years to see what works and what doesn’t. Every institution is unique. … We have to take lessons learned back to our home institutions and help the thematic thread spread.”

Strategic Risk

Changing demographics and enrollment challenges, lack of funding and regulatory compliance are three major strategic risks faced by universities.

According to Christine Eick, executive director, risk management and safety at Auburn University, some schools saw hundreds of millions of dollars’ worth of cuts in government funding during the recession.

That is compounded, Langsdale said, by a lack of funding on students’ end as well. As costs rise, fewer students and their families are able to contribute much from their own pockets.

“We have to make choices about which programs to support,” he said.

Many attendees acknowledged that funding for sports programs, while ultimately accounting for a very small percentage of a school’s overall budget, should be the first to take cuts because of their high visibility.

Enrollment has also fallen as demographics shift. There are simply fewer 18-year-olds in the prospective student pool now than there were a decade or more ago, which increases competition among schools vying to keep classrooms full.

“One help has been recruiting returning military members,” Eick said, “who often come with the support of government funding” and have incentives to obtain a degree as they re-enter the mainstream workforce.

Compliance has also risen as a priority, especially with adherence to Title IX and the handling of sexual assault cases coming under tighter scrutiny.

Along with the increased risk, however, comes the benefit of putting “risk managers at the right tables,” said LeDuc, as universities need to discuss such risks among different offices and with board members.

Cyber Security

Like any other organization that collects personally identifiable information, higher education institutions are more concerned with cyber threats.

“Data, data, data. Are we fully aware of our exposures?” LeDuc asked, picking out cyber security as a risk to watch related to students’ personal and financial records, as well as the potential for theft of intellectual property, especially at research institutions.

“Cyber is an increasing threat,” Eick agreed. “There has to be a shift in culture that mandates security training for all faculty to be completed by a certain date. Schools should be employing more privacy officers and CIOs to handle those challenges.”

Universities may have a higher exposure for data breach, Langsdale said, because networks are “designed to be open” to allow access for prospective and current students, alumni, faculty, and researchers from other facilities.

“You need to be on top of your cloud providers and know where your servers are located,” he said. “There should be no deemed export of information.”

Study Abroad

Along with the increase in study abroad programs comes the increased need for colleges and universities to do more to ensure the safety of students in such programs, including keeping track of their whereabouts and the conditions of the countries they visit.

Until recently, schools have had limited ways to track and communicate with students abroad, and have kept limited records of incidents. Both nonprofit organizations and businesses offer resources to help risk managers expand their efforts.

One way to conduct due diligence is through site visits, which “are not terribly expensive,” according to Eick, but which usually are only done by larger, better-funded schools.

In addition to scoping out the conditions of the hosting school and the surrounding communities, site visits allow risk managers an opportunity to analyze local coverage and ensure that the right policies are in place. Language barriers can result in improper coverage.

Katie Siegel is a staff writer at Risk & Insurance®. She can be reached at ksiegel@lrp.com.

Sponsored: Aspen Insurance

The Embedded Risk Engineer

Risk engineers help stay ahead of emerging risks by working directly with underwriters and insureds.
By: | October 1, 2014 • 6 min read
Not long ago, concepts such as solar panels, nanotechnology, battery-powered electric vehicles and “green” buildings were more pipe dream than reality. Today, with those trends a growing part of the global marketplace, insurers need ongoing, in-depth, real-time data for optimal underwriting in order to give buyers proper coverage and accurate pricing.

As one leader of Aspen Insurance’s loss control risk engineering team, Troy Bickerstaff knows better than most the value of staying ahead of the curve when it comes to emerging trends and their potential impact on insurance buyers.

“Our underwriters at Aspen Insurance are plugged into what’s happening with today’s exciting technology developments,” Bickerstaff said. “By using specialized, dedicated risk engineers to deliver unparalleled support to our underwriting teams, we can meet emerging marketplace needs. For insureds in these areas, the result is the best possible approach to risk management, insurance programs and pricing.”

Aspen Insurance utilizes a concept by which an underwriting team includes an embedded engineer who works closely with the team’s underwriters and clients. This dedicated professional focuses on supporting the team in meeting the specific needs of a client and continually advises on the evolution of emerging risks associated within the team’s industry vertical.

Bickerstaff explained that Aspen Insurance’s risk engineering approach differs from other carriers that typically offer a centralized loss control/engineering department, primarily because they provide a general approach to support of underwriting.

“The difference in the various approaches to risk engineering is similar to specialization in medicine. If you need open-heart surgery, would you want a general surgeon or a cardiothoracic surgeon?” he asked. “Similarly, if your business faces specialized risks, you need the deep expertise of underwriters and engineers well-versed in the nuances of your industry.”

Bickerstaff and his colleagues support the underwriting teams across Aspen Insurance in four key ways:

Evaluating individual risk

To best understand a potential insured’s risk portfolio, the Aspen Insurance team reviews each new submission along with an applicant’s website, history of product recall and compliance with industry standards, in addition to certifications to assess what types of exposures may emerge. Bickerstaff noted that Aspen Insurance’s claims team is also involved in this process, including in respect of all risk engineering communications with the underwriting team. This tight collaboration between underwriting, engineering and claims is a key differentiator for Aspen US Insurance in the market.

If a new technology is part of a coverage application submission, Bickerstaff will also launch an engineering review of the risk, delivering valuable information to the underwriters, who in turn can utilize the data to help insureds find ways to improve their products and potentially reduce expensive product liability exposures, and possibly even claims.

When a company looking to import foreign-made tires applied for coverage, Bickerstaff created a document outlining all the major “key points for casualty,” including factors such as improper curing, use of over-aged rubber and contaminants in the tire itself. Underwriters then used that report with the potential insured, helping them avoid any potential pitfalls in importing foreign-made tires.

“We evaluate all possible hazards, including the insured’s quality management system, their safety and quality standards, their recall process – anything and everything that goes into their product,” he said. “Then, we advise the underwriters during the application process.”

Conducting a class of risk consultation

Based on underwriting submission trends or individual risks, the risk engineering team often identifies red flags with certain exposures and prepares detailed “guide sheets” outlining key information about the overall risk to support the analysis of underwriting teams.

Bickerstaff created two such guide sheets related to electric vehicles, an emerging, popular alternative to gas-powered vehicles. One guide sheet detailed specific fire hazards associated with electric vehicles (higher voltage, weight distribution and battery blockage), while the other focused on specific fire hazards associated with the lithium ion (Li-Ion) batteries used to power electric vehicles, including ways to mitigate associated risks. Both guide sheets proved helpful to companies looking for coverage who manufactured both Li-Ion batteries and electric cars.

“We undertake a very detailed analysis for insureds in which we typically outline the kinds of claims that could happen, the severity, and what measures an insured would need to have in place to proactively minimize claims scenarios. This additional level of risk analysis is something insureds really value and appreciate.”

Evaluating long-term exposures

As a natural extension of the risk consultation effort, Bickerstaff also conducts long-term research and keeps abreast of different types of exposures through monitoring various media and publications, attending lectures and maintaining research contacts on the academic level. Insureds use Bickerstaff’s research to strengthen their loss control efforts, thereby potentially reducing claims and, as a result, keeping overall costs down.

“For areas such as nanotechnology or ‘green’ buildings, we conduct research and create guide sheets,” he said. “But we also constantly stay abreast of the long-term aspects of the risks in those areas, keeping up with industry changes and the evolution of specific technologies.”

Providing added risk management expertise directly to insureds

Finally, the risk engineering group provides additional support for insureds via a face-to-face policyholder consultation at the insured’s location, if necessary.

Bickerstaff visited a commercial lawnmower manufacturer and identified several cost-saving enhancement opportunities: guidance on contractual wordings, recommendations for strengthening the weldment inspection program and education on managing increased liability exposures due to the use of temporary workers during the company’s peak manufacturing season. As a result, with that added data, the insured was able to reduce costs and potential claims.

“Among the many advantages we offer to insureds, a key benefit we offer is to ensure that our underwriting is based on the underwriters’ full knowledge of the risk, including access to the best available, most accurate data about the unique exposures relevant to the industry, technology, or niche,” Bickerstaff said, adding that the engineering team’s expertise helps underwriters deliver the best possible outcome, but even more importantly, Aspen Insurance’s specialized, integrated risk engineering strategy ultimately benefits the insured.

“Insureds can feel comfortable and confident they are buying a high-quality, value-added, fairly priced product to meet their specific needs,” he said. “With many of these new, emerging risks, that is a critical benefit to them and a competitive advantage for us.”

To learn more about how Aspen Insurance’s loss control risk engineering and underwriting teams can support your organization, contact your broker.

Troy Bickerstaff, Assistant Vice President and Loss Control Manager at Aspen Insurance, can be reached at troy.bickerstaff@aspen-insurance.com.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Aspen Insurance. The editorial staff of Risk & Insurance had no role in its preparation.
This article is provided for news and information purposes only and does not necessarily represent Aspen’s views and does constitute legal advice. This article reflects the opinion of the author at the time it was written taking into account market, regulatory and other conditions at the time of writing which may change over time. Aspen does not undertake a duty to update the article.

Aspen Insurance is a business segment of Aspen Insurance Holdings Limited. It provides insurance for property, casualty, marine, energy and transportation, financial and professional lines, and programs business.