Monthly Archives: December 2018

On Writing a Book on Cyber Risk

Accessing information on the Internet was once likened to searching for information in a library, where the pages of all the books had been ripped out and strewn on the floor. Everyone knows that there is a colossal amount of online information about cyber security issues. How can this seemingly boundless ocean of information be processed for the practical benefit of cyber risk professionals?

This is a daunting multi-disciplinary challenge because cyber risk management spans the broad domains of information technology, risk regulation, law and criminology, security economics, insurance, as well as risk analysis.

This challenge can’t be met by one person – but it can with three. Early in 2017, Andrew Coburn conceived of the idea of a book on cyber risk, with Éireann Leverett and myself as the two other co-authors. Éireann is an ethical hacker, with specialist capabilities and technical insight into the shadowy world of cyber attack and defense. I knew he had special expertise when he showed he could hack my (Samsung) phone in five minutes.

After a brainstorming session in the RMS London office, Andrew came up with the title, Solving Cyber Risk, and after a year and a half of gestation, this book has just been published by Wiley.


Does Cyber Now Pose the Greatest Threat to Businesses?

Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high-profile global business hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.

Managing the impact of a cyberattack is a complex, lengthy process, and losses occur from a long list of sources. These range from the immediate costs of securing or replacing IT systems, the direct losses incurred by customers or suppliers, all the way through to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation as customers feel cheated and violated as their personal details are stolen and sold. Businesses have to try and win back the trust of their customers who may never return.

I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data-theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino-heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then, through a combination of luck and skill, struck gold, and got clean away from the scene without a trace.


Insuring Against Failure: The Terrorist Threat to Australia

This is a reprint of an article originally published in Insurance News.

Australia, along with New Zealand, is part of the formidable Five Eyes Alliance with the intelligence forces of the U.K., U.S. and Canada.

With a massive annual budget of US$100 billion (AUD$138 billion), this is the most effective and intrusive intelligence cooperative in the world, capable of smashing terrorist cells and interdicting complex terrorist plots.

The price of security is not just financial; there is also a cost in loss of privacy. At a recent Five Eyes ministerial meeting on Australia’s Gold Coast, a statement was issued warning that privacy is not absolute, and tech companies must give law enforcement access to encrypted data.

Credible intelligence assessed by Australian security agencies indicates individuals or groups continue to possess the intent and capability to conduct a terrorist attack in Australia. On a five-grade scale, the current threat level is three: probable. The higher grades are “expected” and “certain”. By comparison, the U.K. threat level is one notch higher at grade four.

Everyone has their own social network. For terrorists, interaction with their social network is needed for motivation and gaining the tradecraft for terrorist operations. However, the more communication there is between cell members, the greater the chance that counter-terrorism surveillance will close in. Too many terrorists spoil the plot.


RMS Works With the Insurance Authority of Hong Kong on Return Period After Typhoon Mangkhut

In September, Typhoon Mangkhut wrought a path of destruction across the western North Pacific, causing damage from Guam, to the Philippines, Hong Kong, and southern China. For Hong Kong, Mangkhut was the second strong typhoon to impact the region in consecutive years, following Typhoon Hato in 2017. Damage was extensive – according to local media, at least 500 homes and high-rise buildings in Hong Kong, including apartment complexes and office blocks, were severely damaged.

In the weeks following Mangkhut, RMS worked with the Insurance Authority (IA), the independent insurance regulator for Hong Kong, to help provide (re)insurers in the region with some context and scientific analysis around this event. According to data from the insurers gathered by the IA, Typhoon Mangkhut caused total insured losses of HKD 3.5 billion (US$448 million) in Hong Kong. This figure, collected as at October 12, three weeks after Mangkhut’s landfall, represents losses reported by insurance and reinsurance companies in Hong Kong. With the loss information provided by the IA and using the RMS China and Hong Kong Typhoon Model, RMS estimated Mangkhut to have a return period of 30 to 40 years in Hong Kong.


EXPOSURE Magazine: Taking Cloud Adoption to the Core

This is a taster of an article published in the latest edition of EXPOSURE magazine. For the full article, visit the EXPOSURE website.

With the main benefits of Cloud computing now well-established, EXPOSURE explored why insurance and reinsurance companies have demonstrated some reluctance in moving core services onto a Cloud-based infrastructure.

While a growing number of insurance and reinsurance companies are using Cloud services (such as those offered by Amazon Web Services, Microsoft Azure and Google Cloud) for nonessential office and support functions, most have been reluctant to consider Cloud for their mission-critical infrastructure. Simply moving a legacy offering and placing it on a new Cloud platform offers a potentially better user interface, but it’s not really transforming the process.

EXPOSURE also asked whether now is the time for market-leading (re)insurers to make that leap and really transform how they do business, embrace the new and different, and take comfort in what other industries have been able to do.


Marriott International Data Breach: A Major Industry Event

On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation carried out by security specialist firm Kroll determined that unauthorized access had taken place. As the investigation progressed, Marriott discovered that the Starwood network had been accessed since 2014. An unauthorized party had also copied information and had taken steps towards removing it.

In its statement on November 30, Marriott stated that it had not finished identifying this duplicate information in the database, but believed it impacted around 500 million customers. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128).

With regard to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although as with most cyberattacks the attribution to a specific threat actor is a lengthy and uncertain task.


RMS Impact Trek: Share Your Expertise and Make a Difference

Many of us across the risk management industry actively help communities in need after natural disasters, through donations, working with organizations to promote resilience, or through on-the-ground assistance. Our intimate understanding of the power of these catastrophes makes us acutely aware of the need to act.

This is true for everyone here at RMS, where our values embrace the need to understand risk, build resiliency, and make an impact to help improve the lives of communities who live with the threat of natural disasters. One of the ways we live our values is through our annual RMS Impact Trek, where both RMS employees and our clients work with the social enterprise Build Change in some of the world’s most catastrophe-prone areas.

If you are an RMS client, I would like to extend an invitation to our annual RMS Impact Trek. This is the fourth year that we are sponsoring representatives from our clients to join RMS employees and Build Change so that their skills can be used to build stronger communities.


Civil War Drives the Spread of Ebola

The worst outbreak of Ebola in the DRC (Democratic Republic of Congo), Africa’s second largest country by area, with a population of over 77 million, has already claimed several hundred lives, and there have been more than three hundred and fifty cases.

Many of the Ebola cases have been in Beni (pop. ~230,000), a major city in North Kivu province, close to the Ugandan border. DRC is a failing state, where the government regime is weak, and cannot prevent militias from pillaging DRC’s abundant mineral resources. One such militia is the ADF (Allied Democratic Forces), which was formed in neighboring Uganda in the 1990s, and operates in the mineral-rich border area in North Kivu province.

The geography of the disease spread is intriguing for epidemiologists. Officially declared on August 1, 2018, this is the tenth outbreak of Ebola in DRC since 1976, but this is the first time that Ebola has affected the far northeast of this vast Central African nation. A crucial risk factor hampering the control of Ebola in this region is the conflict over mineral resources. This has limited the number of inhabitants who can be vaccinated, and restricted the access of health response teams, who are exposed to personal danger such as physical assault and kidnapping. Indeed, insecurity was a factor delaying the alert to the actual start of the outbreak, which was several months before the official declaration.


The Sum of Its Parts: Wildfire in Multi-Peril Catastrophe Bonds

Water, wind, and wildfire. It’s been a devastating three months for the U.S.

Total insured losses from Hurricanes Florence and Michael, and the Camp and Woolsey wildfires are estimated by RMS in the range US$18.6 billion to US$28 billion (see table below):

Date | Event | Estimated insured losses
September 1 | Hurricane Florence | $2.8 – $5.0 billion
October 8 | Hurricane Michael | $6.8 – $10.0 billion
November 8 | Camp Wildfire | $7.5 – $10.0 billion
November 8 | Woolsey Wildfire | $1.5 – $3.0 billion
 | TOTAL INSURED LOSSES | $18.6 – $28 billion

While California wildfires may seem far removed from Atlantic storms, for capital markets investors the fires may make the difference to how 2018 is remembered. Insurance Linked Securities (ILS) eyes are now trained on multi-peril aggregate catastrophe bonds.


Opportunities Ahead: A Review of the U.S. Private Flood Insurance Market

It is evident that the opportunities presented by the U.S. private flood insurance market are attracting attention across the industry, and interest in this market is growing. I was recently invited by insurance financial ratings specialist Demotech to be a panelist on their U.S. flood insurance webinar to give an overview and delve into these issues. Joseph Petrelli, president of Demotech was our host, with contributors Fred Karlinsky, co-chair of law firm Greenberg Traurig, and Meg Glenn, consulting actuary at Merlinos and Associates.

The webinar is definitely worth a viewing. Fred started the discussion with an overview of the current state of the private U.S. flood insurance market. The National Flood Insurance Program (NFIP) has towered over the market for the past 50 years, reporting US$3.5 billion of written premium and some 5.1 million flood policies as at the end of September 2018. Florida has 35 percent of all NFIP policies, followed by Texas with 12 percent, and Louisiana with ten percent, with NFIP policies in force in all U.S. states.
