Category Archives: Risk Modeling

U.S. Flood Insurance: Top Five Things You Should Know From 2018

As we move full steam in to 2019, it is worth remembering that some good progress was made during 2018 with regards to advancing the private flood insurance market in the U.S. – even though Congress struggled with reform of the National Flood Insurance Program (NFIP).

Here’s five takeaway points from the past year:

1. Extending the Extension: The NFIP saw numerous extensions and a few short lapses. Just before the end of the year, Congress reauthorized the NFIP until May 31, 2019 right before the government shutdown commenced on December 22, 2018. But decisions by FEMA during the last week of the year brought uncertainty to the housing and insurance industry as it dealt with changing guidelines on whether policies could be sold or renewed during the shutdown. Ultimately, the NFIP is still operating, but the back and forth of 2018 did not bolster confidence in the stability of the program and left many asking … will 2019 be the breakthrough year?

2. FEMA Boosts the Private Flood Market: Although Congress struggled to act on the NFIP, FEMA did, with technical changes that came into force on October 1, 2018, to attract new private carriers and help existing carriers who participate in the NFIP “Write Your Own” (WYO) program.

First – removing a “non-compete” clause for carriers operating within WYO, now allows WYO carriers to offer their own private flood coverage as well as NFIP policies, with the condition that these businesses are kept separate. Second – policyholders can now cancel their NFIP policy mid-term, before its expiration date when a policyholder has obtained a duplicate policy. In combination, these steps removed hurdles that were hindering carriers from offering new flood products and making it difficult for consumers to purchase those products from the private market.

Continue reading

The Problem of Real and Unreal Tsunamis

Indonesia was beset by disasters in 2018, including two high casualty local tsunamis: in coastal western Sulawesi – impacting the city of Palu, on September 28, and around the Sunda Strait, between Java and Sumatra, on December 22. These events may have appeared unusual, but the great subduction zone tsunamis, like those in the Indian Ocean in 2004 and Japan in 2011, have reset our imagination. Before 2004, forty years had passed without any transoceanic tsunamis. Overall, local tsunamis are more common, presenting many challenges in how they can be anticipated.

The Palu tsunami reminds us how “strike-slip” faults, involving only horizontal displacement can still generate tsunamis, first as a result of vertical displacement at “jogs”, where the fault rupture jumps alignment, as well as from triggered submarine landslides. It seems both factors were important in driving the Sulawesi tsunami that became amplified to more than four meters (13 feet) in the funnel-shaped Palu embayment.

The December 22 Sunda Strait tsunami was caused by a submarine landslide on the erupting Anak Krakatoa volcano and arrived without warning, in the dark of mid-evening. More than 400 people drowned mainly around a series of beach resorts in Banten and Lampung provinces, although water levels in the tsunami only reached a meter or two above sea level. An audience of 200 enjoying a concert at the Tanjung Lesung Beach Resort, staged directly on the beach by Indonesian rock band Seventeen were caught unaware. 29 concertgoers were killed together with four people associated with the band.

Continue reading

Climate Change and NCA4 Part Two: Attribution and Future Climate Change

For the first part of Pete Dailey’s blog, Climate Change and NCA4: Part One, click here

 

What’s Climate Change Attribution?

Lately, the climate science community has spent considerable time on a topic called attribution. In this context, attribution refers to the portion of rising temperatures attributable to human activity via the burning of fossil fuels and release of greenhouse gases (GHGs). Today’s climate models can reconstruct historical temperature records, and then replay history “as if” GHGs had not been released. The difference between these simulated climates provides a means of quantifying the warming that stems directly from the emissions.

Extreme event attribution attempts to quantify the responsibility of climate change for a single weather event. It works by establishing whether climate change can be credited as a factor among all of the factors responsible for a catastrophic event, such as Hurricane Katrina, or the recent Camp Fire wildfire in Northern California – or for that matter any natural disaster. Such events have lots of environmental ingredients and extreme event attribution decides whether human-induced global warming is a significant one.

Continue reading

De-risking the City

I am in Wellington, New Zealand, looking out from a rainy hotel window high over the city, admiring the older wooden houses on the forested slopes. Below there are four to eight story office and retail buildings, a number of which are shrouded in scaffolding, still repairing damage from the 2016 Kaikoura earthquake. The earthquake epicenter was some distance from the city, but the pattern of fault ruptures propelled long period ground shaking into the heart of Wellington.

In 1848, only eight years after the city was founded, a Mw7.5 earthquake on the far side of Cook Strait, shattered the town’s brick buildings. The Lieutenant Governor, Edward Eyre, forgetting his official role as colonial booster, declared the “… town of Wellington is in ruins … Terror and despair reign everywhere. Ships now in port … (are) crowded to excess with colonists abandoning the country.” However, the tremors declined, and the town survived.

Many ordinary houses were rebuilt using wood instead of brick. As a result, they suffered far less damage from a larger and closer Mw8.2 earthquake in 1855, that struck at the end of a two-day public holiday to celebrate the fifteenth anniversary of the city’s formation. This ruined all the remaining brick and stone commercial buildings including churches, barracks, the jail, and the colonial hospital. However, the earthquake delivered a tectonic bounty, raising the city by one to two meters (3.2 to 6.5 feet), turning the harbor into new land for development.

Continue reading

On Writing a Book on Cyber Risk

Accessing information on the Internet was once likened to searching for information in a library, where the pages of all the books had been ripped out and strewn on the floor. Everyone knows that there is a colossal amount of online information about cyber security issues. How can this seemingly boundless ocean of information be processed for the practical benefit of cyber risk professionals?

This is a daunting multi-disciplinary challenge because cyber risk management spans the broad domains of information technology, risk regulation, law and criminology, security economics, insurance, as well as risk analysis.

This challenge can’t be met by one person – but it can with three. Early in 2017, Andrew Coburn conceived of the idea of a book on cyber risk, with Éireann Leverett and myself as the two other co-authors. Eireann is an ethical hacker, with specialist capabilities and technical insight into the shadowy world of cyber attack and defense. I knew he had special expertise when he showed he could hack my (Samsung) phone in five minutes.

After a brainstorming session in the RMS London office, Andrew came up with the title, Solving Cyber Risk, and after a year and a half of gestation, this book has just been published by Wiley.

Continue reading

Does Cyber Now Pose the Greatest Threat to Businesses?

Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high profile, global business, hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.

Managing the impact of a cyberattack is a complex, lengthy process, and losses occur from a long list of sources. These range from the immediate costs of securing or replacing IT systems, the direct losses occurred by customers or suppliers, all the way through to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation as customers feel cheated and violated as their personal details are stolen and sold. Businesses have to try and win back the trust of their customers who may never return.

I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data-theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino-heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then through a combination of luck and skill – struck gold, and got clean away from the scene without a trace.

Continue reading

Insuring Against Failure: The Terrorist Threat to Australia

This is a reprint of an article originally published in Insurance News. For the original article, click here.

Australia, along with New Zealand, is part of the formidable Five Eyes Alliance with the intelligence forces of the U.K., U.S. and Canada.

With a massive annual budget of US$100 billion (AUD$138 billion), this is the most effective and intrusive intelligence cooperative in the world, capable of smashing terrorist cells and interdicting complex terrorist plots.

The price of security is not just financial; there is also a cost in loss of privacy. At a recent Five Eyes ministerial meeting on Australia’s Gold Coast, a statement was issued warning that privacy is not absolute, and tech companies must give law enforcement access to encrypted data.

Credible intelligence assessed by Australian security agencies indicates individuals or groups continue to possess the intent and capability to conduct a terrorist attack in Australia. On a five-grade scale, the current threat level is three: probable. The higher grades are “expected” and “certain”. By comparison, the U.K. threat level is one notch higher at grade four.

Everyone has their own social network. For terrorists, interaction with their social network is needed for motivation and gaining the tradecraft for terrorist operations. However, the more communication there is between cell members, the greater the chance that counter-terrorism surveillance will close in. Too many terrorists spoil the plot.

Continue reading

RMS Works With the Insurance Authority of Hong Kong on Return Period After Typhoon Mangkhut

In September, Typhoon Mangkhut wrought a path of destruction across the western North Pacific, causing damage from Guam, to the Philippines, Hong Kong, and southern China. For Hong Kong, Mangkhut was the second strong typhoon to impact the region in consecutive years, following Typhoon Hato in 2017. Damage was extensive – according to local media, at least 500 homes and high-rise buildings in Hong Kong, including apartment complexes and office blocks, were severely damaged.

In the weeks following Mangkhut, RMS worked with the Insurance Authority (IA) – the independent insurance regulator for Hong Kong, to help provide (re)insurers in the region with some context and scientific analysis around this event. According to data from the insurers gathered by the IA, Typhoon Mangkhut caused total insured losses of HKD 3.5 billion (US$448 million) in Hong Kong. This figure, collected as at October 12, three weeks after Mangkhut’s landfall, represents losses reported by insurance and reinsurance companies in Hong Kong. With the loss information provided by the IA and using the RMS China and Hong Kong Typhoon Model, RMS estimated Mangkhut to have a return period of 30 to 40 years in Hong Kong.1

Continue reading

Marriott International Data Breach: A Major Industry Event

On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation carried out by security specialists firm Kroll, determined unauthorized access had taken place. As the investigation progressed, Marriott discovered that the Starwood network had been accessed since 2014. An unauthorized party had also copied information and had taken steps towards removing it.

In its statement on November 30, Marriott stated that it had not finished identifying this duplicate information in the database, but believed it impacted around 500 million customers. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

With regards to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although as with most cyberattacks the attribution to a specific threat actor is a lengthy and uncertain task.

Continue reading

Civil War Drives the Spread of Ebola

The worst outbreak of Ebola in the DRC (Democratic Republic of Congo), Africa’s second largest country by area, with a population of over 77 million, has already claimed several hundred lives, and there have been more than three hundred and fifty cases.

Many of the Ebola cases have been in Beni (pop. ~230,000), a major city in North Kivu province, close to the Ugandan border. DRC is a failing state, where the government regime is weak, and cannot prevent militias from pillaging DRC’s abundant mineral resources. One such militia is the ADF (Allied Democratic Forces), which was formed in neighboring Uganda in the 1990s, and operates in the mineral-rich border area in North Kivu province.

The geography of the disease spread is intriguing for epidemiologists. Officially declared on August 1, 2018, this is the tenth outbreak of Ebola in DRC since 1976, but this is the first time that Ebola has affected the far northeast of this vast Central African nation. A crucial risk factor hampering the control of Ebola in this region is the conflict over mineral resources. This has limited the number of inhabitants who can be vaccinated, and restricted the access of health response teams, who are exposed to personal danger such as physical assault and kidnapping. Indeed, insecurity was a factor delaying the alert to the actual start of the outbreak, which was several months before the official declaration.

Continue reading