Cyber Coverage Faces Legal Challenges as Foreign Attackers Step Up Their Game

With Chinese and Iranian hackers launching aggressive new attacks on businesses and government agencies in the U.S., there are obvious business interruption and data security concerns.
By: | February 27, 2019 • 3 min read

The Gist: Chinese and Iranian hackers have launched aggressive new attacks on businesses and government agencies in the United States, according to a new investigation by the New York Times. The Times spoke with seven people briefed on the Iranian attacks and nine intelligence officials, private security researchers and lawyers familiar with the Chinese attacks.


China hacks to be a tech leader: Boeing, General Electric Aviation and T-Mobile were all targets of Chinese hacking, according to the Times. It was part of a “renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies.”

The hacking is meant to help China become a technology leader, part of Beijing’s five-year economic plan. Adam Segal, the director of the cyberspace program at the Council on Foreign Relations, told the Times: “Some of the recent intelligence collection has been for military purposes or preparing for some future cyber conflict, but a lot of the recent theft is driven by the demands of the five-year plan and other technology strategies.”

Iran hacks to gain state secrets: Iranian cyber attacks hit “dozens of corporations and multiple United States agencies,” according to the Times. Iran appears to want state secrets rather than profits, as they’ve targeted police, intelligence agencies and foreign ministries.

Joel Brenner, a former leader of United States counterintelligence under the director of national intelligence, told the Times that a big motivation was the U.S. pulling out of the Iran nuclear deal: “If you tell the Iranians you’re going to walk out on the agreement and do everything you can to undermine their government, you can’t be surprised if they attack our government networks.”

Why is this happening now? The Times linked the increased hacking efforts to President Donald Trump’s escalating trade tension with China and his pullout of the Iran nuclear deal. Back in 2015, two significant events happened: President Barack Obama and President Xi Jinping of China struck a deal to curb hacking. That same year, the U.S signed the Iran nuclear deal. Both events slowed hacking activity significantly.

“Threats from China and Iran never stopped entirely, but Iranian hackers became much less active after the nuclear deal was signed in 2015. And for about 18 months, intelligence officials concluded, Beijing backed off its 10-year online effort to steal trade secrets,” the Times wrote.

Today, those hackers are coming back strong — and they’ve gotten far more sophisticated, particularly the Chinese.

“These hackers are better at covering their tracks. Rather than going at targets directly, they have used a side door of sorts by breaking into the networks of the targets’ suppliers. They have also avoided using malware commonly attributed to China, relying instead on encrypting traffic, erasing server logs and other obfuscation tactics.”

What’s at stake: Hacking from hostile governments can have sweeping effects on global business. Supply chains can be disrupted significantly. This report from the U.S.-China Economic and Security Review Commission offers a deep dive into the political landscape driving the problem. There are obvious business interruption and data security concerns. Meanwhile cyber threats are devouring billions of dollars in uninsured losses and risk managers are seeking protection through cyber insurance. But that hasn’t been easy.


Risk & Insurance® took its own deep dive into the topic to learn how risk managers are analyzing the threat and determining what coverage is best.

What to watch: A recent lawsuit may help everyone understand how these issues will shake out. Mondelez, the maker of Ritz crackers and Oreo cookies, has sued Zurich for $100 million in the wake of a 2017 cyber attack.

The attack rendered 1,700 servers and 24,000 laptops dysfunctional, but Zurich declined to pay, citing an exclusion clause for a “hostile or warlike action” by a sovereign power after finding that the attacks were launched by Russia on the Ukraine. The result of the case will be undoubtedly impactful. &

Jared Shelly is a journalist based in Philadelphia. He can be reached at [email protected]

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]