2015 Most Dangerous Emerging Risks

Corporate Privacy: Nowhere to Hide

Companies can no longer expect to conduct business out of the gaze of prying eyes.
By: | April 8, 2015 • 6 min read

SCENARIO: In a small apartment in Atlanta, Pete scanned the hardware in front of him. His fingers flew as he deftly navigated multiple windows. A former defense contractor employee, Pete possessed a highly specialized set of skills.

He knew how to hack into almost anything, from network servers and credit card databases, to VoIP phone systems and video conferencing systems. An encryption expert, he knew how to exploit every weakness and sniff out every back door. Pete never met a digital lock he couldn’t pick.

Advertisement




Pete’s talents — and his reputation for discretion — kept him in demand, especially in certain circles.

His latest gig was gathering intel on Odyssey International for one of Odysseys’ top competitors, especially an inside track on any mergers or acquisitions Odyssey might have up its sleeve.

Pete pulled up his files for several key Odyssey execs and smiled smugly. People like Garry Buchanan made Pete’s job way too easy.

An encryption expert, he knew how to exploit every weakness and sniff out every back door. Pete never met a digital lock he couldn’t pick.

Odyssey’s U.S. head of new business development, Buchanan was tech-obsessed. From the moment Buchanan hopped into his Tesla Model S and engaged the autopilot until he arrived at work, Pete could peek at every email, calendar entry and company report. Buchanan’s smartphone let Pete keep track of him out of the car too, whether he was picking up a latte or checking in for a flight.

Accessing Odyssey’s network was a little tougher than Pete expected — its security was more sophisticated than most. But, like most companies, it spent more time protecting its customer and finance data. Its email server was far less secure. Its phone system was barely protected at all.

Around 8:15 a.m., Pete’s system alert let him know that Buchanan was on the phone. It sounded like Odyssey was researching a potential acquisition.

Pete tapped the screen to record the call and sent an encrypted file to the man who’d hired him.

Buchanan’s flight to London arrived on time. He’d checked into his hotel and stayed there all night. But Pete was drumming his fingers on his desk, aggravated. There were meetings on Buchanan’s calendar. But with whom? There was no data.

There had been a few vague email references, but nothing that had given Pete a clear picture of what was up. Buchanan seemed to be deliberately keeping the details under wraps.

“We’ll see about that,” said Pete, firing up more hardware. He checked the time and calculated the time difference. Buchanan would probably be leaving the hotel soon.

He’d found Buchanan’s Uber account the day before and guessed he’d be using the service. Sure enough, he’d already been picked up. “Gotcha,” said Pete, gaining unauthorized access to Uber’s “God View” and tracking the car’s route.

Ten minutes later, Buchanan walked into a café and was seated at a table out front. Pete watched in real time as Buchanan took a moment to take in the London scenery while waiting for his breakfast companions.

“Bless those Brits,” thought Pete. “And their millions upon millions of CCTVs.”

Advertisement




Buchanan’s two guests arrived a few minutes later. Pete was pleased to have a good angle on both of them. He locked on their faces and dragged the images into his facial recognition program. He got a match on both and searched their records. One was a visiting fellow at the University of Cambridge in the department of engineering. Interesting.

Pete kept digging. An hour later, Pete had enough data on both of them to get a picture of what Buchanan was up to and why Odyssey wanted this little excursion to be kept under wraps.

Time for another file upload to his new corporate benefactor. This info was hot.

“I should’ve charged him twice as much,” Pete thought ruefully as he sent his customer the information on his competitor’s latest move.

04012015_02_privacy_chart

ANALYSIS: There are no more secrets. The lesson brought home by WikiLeaks and later by Edward Snowden is that privacy is a quaint notion of a bygone era. We are in, as it has been dubbed, the “Golden Age of Spying.”

Everyone now knows that the U.S. National Security Agency (NSA) has access — on a massive scale — to chat logs, stored data, voice traffic, file transfers, phone records, email and social networking data. It can also access web chats, Internet searches, text messages … the list goes on.

The agency has long had a certain amount of cooperation from major technology companies including Microsoft, Yahoo, Google, Facebook and Apple. Unbeknownst to some, it also engineered a weakness in an encryption standard, allowing back-door access to those companies, and their data.

Problem is, if you leave the back door open, you can’t guarantee that others won’t find their way in.

Now factor in the Internet of Things. Estimates suggest there could be up to 80 billion connected devices in use five years from now — devices that can monitor anything from the climate quality in your delivery trucks to whether the plant in your window needs more sun.

From your digital world to your physical world, everything will be hackable, trackable, visible. Everything will have the potential to be seen by someone you never intended to share it with.

That’s happy news for those set on malfeasance, either to steal corporate secrets or engage in disruption for fun or profit. But it’s troubling for businesses of all sizes as they face the challenge of protecting what they can and managing the rest.

Randy Nornes, executive vice president, Aon Risk Solutions

Randy Nornes, executive vice president, Aon Risk Solutions

“What you’re going to see is a more formalized way of communicating sensitive information and housing sensitive information,” said Randy Nornes, executive vice president with Aon Risk Solutions.

“So if you have key data that creates value for your firm, I think you’re going to see that the fundamental technology architecture that people use to store the really important stuff will be remote and distant, and it won’t be readily accessible through the Internet.”

But it’s the day-to-day actions of conducting business that organizations will have more trouble keeping behind locked doors.

“In a fully transparent world … companies will have to behave as if every action will be reported on the front page of their local paper,” said Nornes’ colleague Paul Kim, co-CBO of Aon Risk Solutions U.S. Retail operations.

Futurist and author David Brin said in a recent interview with “Variety,” that organizations can’t “count on anything staying secret for more than 10 years, that’s delusional on the border of psychosis.

“Get used to the notion that some day, someone is going to hear this conversation or read this document. And live and work as if anybody might be watching now,” Brin added.

Along with those inevitable leaks come serious risks to brand and reputation, which is why reputation risk management will need to develop at least as fast as privacy erodes.

That means using an extremely thorough process of scenario planning, and understanding exactly how any kind of breach, leak or competitive attack could affect the company’s value and its ability to conduct business.

“It’s not something that’s limited to the public relations team; it’s not something that’s limited to a chief communications officer,” said Chris Lukach, president of Anne Klein Communications Group, LLC.

“It’s something that needs to be shared among risk management, legal, HR, operations … . That to me is what makes companies prepared.”

There are multiple points at which hyper-transparency can result in a business loss, and insurance products will no doubt keep evolving to meet those needs. In a case where a release of confidential information might damage a company’s image, for instance, Tokio Marine Kiln is already underwriting a product that goes beyond traditional cyber insurance and helps companies insure against that spectrum of losses.

Advertisement




Explained Tom Hoad, underwriter at Tokio Marine Kiln, a Lloyd’s syndicate, risk managers have become increasingly sophisticated in the way they think about their exposures.

“[They’re asking], ‘Where are the key performance indicators for the company and what sorts of things can affect our ability to deliver on those things?’ … The preservation of brand equity, is very much at the forefront of that process.”

BlackBar

Complete coverage of 2015’s Most Dangerous Emerging Risks:

Corporate Privacy: Nowhere to Hide. Rapid advances in technology are ushering in an era of hyper-transparency.

04012015_04B_implant_devices_150px_mainImplantable Devices: Medical Devices Open to Cyber Threats. The threat of hacking implantable defibrillators and other devices is growing.

04012015_03_concussions_150px_mainAthletic Head Injuries: An Increasing Liability. Liability for brain injury and disease isn’t limited to professional sports organizations.

04012015_04_vaping_150px_mainVaping: Smoking Gun. As e-cigarette usage rises, danger lies in the lack of regulations and unknown long-term health effects.

04012015_05_aquifer_depletion_150px_main

Aquifer: Nothing in the Bank. Once we deplete our aquifers, there is nothing helping us get through extended droughts.

04012015_01_CS_superbugs50x50

Most Dangerous Emerging Risks: A Look Back. Each year since 2011, we identified and reported on the Most Dangerous Emerging Risks. Here’s how we did on some of them.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Catastrophe Risk

Material Resiliency

New materials, methods and ideas are empowering property owners to rein in their catastrophe risks.
By: | October 12, 2017 • 11 min read

The 2017 hurricane season is one for the record books. Rebuilding efforts are underway, with builders working to make insureds whole again as soon as possible … at least until the next storm comes along.

Advertisement




And therein lies the problem with recovery in disaster-prone regions. It evokes the oft-quoted definition of insanity: Doing the same thing over and over again and expecting a different result.

So what if we did it differently? What if instead of rebuilding to make structures “like new,” we rebuilt to make them better, more resilient, less prone to damage?

The reality is, we don’t really have a choice. Climate change is ushering in weather systems that are increasingly volatile. Wildfires are raging like never before. Sea-level rise is threatening our coasts, and there’s no way to dial any of it back.

Nevertheless, people will continue to build homes and businesses along the coast. Real estate developers will continue to nestle luxury homes into wooded foothills.

That means communities need to come to terms with the risk and plan for it intelligently.

Michael Brown, vice president and property manager, Golden Bear Insurance

“Natural disasters are going to happen,” said Michael Brown, vice president and property manager with Golden Bear Insurance. “But if we plan and build communities around the idea that something bad may happen someday, then that community can bounce back faster afterward.”

In any natural disaster, he added, “the property damage is extreme. But the biggest portion of the losses, both insured and uninsured, are the time element pieces. How long was the business closed? How long were homeowners unable to occupy their homes? Those are the pieces that drag on for months — years in some cases — and really drive the economic loss.”

That’s the motivation behind new materials, designs and strategies being implemented in the construction and repair of at-risk residential and commercial properties.

Powerful Flood Solutions

Newer building products move the needle significantly in terms of efficacy.

For new or restored structures in flood-prone regions, Georgia Pacific produces gypsum panels that incorporate fiberglass mats instead of paper facings and comply with the latest FEMA requirements for flood damage resistance and mold resistance. Wall boards made from magnesium oxide (MgO) don’t absorb water at all and have the added benefits of being environmentally friendly and non-flammable.

In the UK, advanced flood-resilient structures built with water-resilient concrete-block partitions are being fitted with not only MgO wallboards, but also wood-look porcelain or ceramic flooring that’s non-permeable and fire-resistant — without sacrificing aesthetics. Drains are installed in the flooring, along with sub-flooring gullies and submersible pumps that push the water back outside. Outlets and appliance motors are all situated above expected flood levels. Doors are equipped with sliding flood panels.

In the event of flooding that exceeds a depth of two feet, automatic opening window panels (flood inlets) are triggered by sensors to allow flood water to enter the property slowly, to reduce external pressure that could damage the structure.

Carl Solly, vice president and chief engineer, FM Global

Controlled inflow buys time for a homeowner to raise furniture up on blocks, or for a business owner to raise pallets of goods up to higher shelves or move equipment to a higher elevation.

Water intrusion is reduced dramatically, and even when it happens, there is little to no damage. Water is pushed into the floor drains, surfaces are allowed to dry, and then it’s back to business as usual in days rather than months — likely with no insurance claim filed.

Dramatic improvements are happening on this side of the pond as well. For entities that need permanent on-site flood solutions, barriers like flood gates and retractable flood walls are the most sophisticated they’ve ever been.

After suffering $4 billion in damage during Superstorm Sandy, New York’s Metropolitan Transit Authority invested heavily in flexible fabric flood panels that are made with Kevlar® and can be unrolled quickly and easily. Additional flood gates hinged to air grates are passively activated by the weight of incoming water entering the grates.

Advertisement




The transit authority is also testing a prototype “resilient tunnel plug” — essentially a giant air bag that can be deployed quickly to seal off sections of subway tunnel. The plug is designed to withstand not only flood but also biochemical attack.

Even temporary solutions are leaps and bounds beyond the days when sandbagging was typically the best option. New as-needed barrier methods include inflatable bladders that can be placed around a building’s perimeter and filled with water to keep floodwater and flood debris at bay.

“People have always said, ‘Well, I’m in a flood plain, it’s inevitable. It’s an act of God,’ ” said Carl Solly, vice president and chief engineer, FM Global. “In the last several years, we’ve really been trying to deliver the message that you can do something about your flood risk.”

Shake, Pummel and Burn

Flood is far from the only problem benefiting from smart engineering. FM Global is working with manufacturers to develop and certify roofing material designed to better withstand the localized hailstorms that often plague southeastern and midwestern states.

Current materials rated for severe hail can withstand hailstones up to 1 ¾ inches in diameter. The new product, rated for “very severe” hail can tolerate hailstones up to 2 ½ inches. The difference sounds small, but it’s far from it.

“It’s about three times the amount of impact energy when it hits the roof [compared to a 1 ¾ hailstone],” explained Solly. “That’s a big difference.”

As for “bouncing back” after a catastrophic fire, Solly said that’s a fairly tall order. But even there, technology is helping to reduce the severity of fires so that disruption is minimal.

FM Global researchers recently pioneered the concept of SMART sprinklers — shorthand for Simultaneous Monitoring and Assessment Response Technology — which can sense a fire earlier than traditional systems and activate targeted sprinkler heads when needed and shut off once the fire is out.

“You’ll catch it with less water, so from a water usage perspective, a water damage perspective and a smoke damage perspective, we think that has an opportunity to be a big difference-maker in the fire protection industry, particular with high-challenge fires,” said Solly.

“You’ve got a better chance of stopping what normally would be a really tough fire to catch.”

In addition, added Brown, smarter sprinkler systems, much like burglar alarms, could be programmed to notify the fire department instantly, even when a structure is unoccupied.

For earthquake risk, said Brown, resilient building efforts are less about new materials than they are about more strategic ways of using traditional materials.

“Here in California we wrap homes in stucco around the wood frame to help the whole building move as a unit. Stucco is concrete so it does crack. I end up with a building that’s got some cosmetic damage … but you don’t have to rebuild the building. It does its job in terms of absorbing a lot of the ground motion before it pushes the building beyond its design tolerances.”

Using stronger, larger steel brackets where the walls meet the roof or the floor or each other, said Brown, “keeps the north wall from moving in one direction while the west wall moves a different direction.”

Those kinds of stress points can push modest earthquake damage to catastrophic levels, he said.

One earthquake innovation still in the beta phase is a project out of the U.C. Berkeley Seismological lab, using the accelerometers in smartphones as virtual seismometers. Participating phones have an app that detects certain types of ground motion. As phones pick up earthquake wave patterns, they ping the server which checks nearby smartphones to see if they sensed the same pattern, all in microseconds. If an earthquake pattern can be confirmed, an alarm will be sent to every cellphone within a logical radius.

That might only buy people an extra two to five minutes before the event, said Brown, “but if you are the operators of Bay Area Rapid Transit commuter trains, that’s enough time to slow all the trains down to five miles an hour. If you are Google, that’s enough time to park a bunch of hard drives in your server farm so that they’re better able to resist shaking and not be damaged too badly.”

Raising Standards

Cost, of course, will impact the take-up of resilient materials and tools. If it’s three times more expensive to build a home out of the resilient materials, a lot of builders aren’t going to want to because the home will be tougher to sell.

Advertisement




FM Global’s Approvals division tests and certifies a variety of products aimed at mitigating disaster peril. That can help increase property owner confidence in these materials, particularly for commercial structures.

“When you’re betting millions of dollars and the future of your business — or at least the near-term future of your business — you really need to know that it’s going to work,” said Solly.

With just-in-time manufacturing, a company may have a few days’ worth of stock on hand rather than three months’ worth.

“So you can’t afford to be out of business for weeks, because your customers are going to go somewhere else for your product,” he said.

Building standards and codes can help drive adoption of resilient measures in both commercial and residential construction. But more work needs to be done to raise standards to meet the goal of resilience.

Effecting real resilience is something leaders across the spectrum should be talking about, including brokers and carriers, government and research agencies, building products manufacturers, and corporate executives.

If lives are saved in an earthquake, but a building is still damaged to the point where it needs to be torn down, said Brown “that building owner, that community, is going to have a much longer path to full recovery. We want the building codes strengthened to an immediate occupancy [goal] — we want people to be able to move right back into that building so there’s a much shorter window of disruption.

“It’s certainly better for me as the insurer,” he said, “but it’s even better for the guy that owns the building or runs his business out of it because now his employees still have a place to come to work and they can still get paid.”

Every single business able to minimize its downtime in this way helps the entire community be more resilient, he added. It creates that snowball effect in a good way. When businesses are able to stay open or reopen quickly, he said, workers don’t lose a meaningful amount of pay. Everybody’s in a better position to continue shopping and supporting the local economy.

“If you just shorten the line of people who are looking for some sort of federal aid, or state aid because they’ve had a massive financial disaster — maybe we can turn those into moderate to small financial disasters. That’s the key, I think, to communities being more resilient.”

Driving Demand

As the likelihood increases that property owners will experience a second loss or even third loss, some insurers are looking at ways to invest in resilience — a smarter long-term business plan than paying to rebuild again and again.

One new initiative is Lex Flood Ready, the product of a partnership between Lexington Insurance and The Flood Insurance Agency (TFIA). Flood Ready is a coverage enhancement for Lexington Private Market Flood clients that will not only indemnify property owners that suffer flood damage but will also provide the funds to rebuild them to a higher standard of resiliency when replacing floors and walls.

Advertisement




Resilience proponents advocate a variety of approaches to encourage take-up, including tax credits, resilience grants, insurance incentives and other partnerships, as well as encouraging lenders to engage borrowers by making the flood risk assessments part of the mortgage process.

A certification scheme similar to LEED could also help drive resilience efforts. The UK is currently beta-testing a certification program called Home Quality Mark, developed by the Building Research Establishment (BRE). Properties are rated on stringent criteria that considers not just disaster resilience, but energy performance and cost, durability and environmental impact.

“Getting people from diverse perspectives thinking about it and talking about it is going to be the avenue to finding the right answers.” — Michael Brown, VP and property manager, Golden Bear Insurance

That’s something builders would be able to use to add value to their properties, offsetting the cost of building in resilience and driving consumer demand for properties built to the highest standards.

With increased resilience will come questions for insurers, said Brown. “It will open up a can of worms.”

It will create something of an arms race among insurance companies, he said. “Who’s going to be the first one to figure out what’s the right way to insure that? What’s the right price? What are the right terms and conditions?” Admittedly, it’s a good problem to have.

Effecting real resilience is something leaders across the spectrum should be talking about, including brokers and carriers, government and research agencies, building products manufacturers, and corporate executives.

“Getting people from diverse perspectives thinking about it and talking about it is going to be the avenue to finding the right answers,” said Brown.

“That kind of mentality top to bottom in the industry is going to be necessary. It’s not the first time we’ve dealt with disruptive things and we will continue doing it. It’s what keeps the game interesting.” &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]