As risk advisors, WillisWire bloggers tend to think less of ghouls and goblins during the Halloween season than of the frightening real risks our clients face. This year they faced more than their share of new ones, with ISIS, Ukraine, Ebola–and several, just as scary, that don’t have proper names. Here’s what keeps our bloggers up at night in 2014. Which one scares you most? Take our poll at the end and let us know.
by Deana Allen
I remember back to the simple days of being a hobo, a clown or our favorite cartoon character for Halloween, wearing those claustrophobic plastic masks that never kept the eyeholes where you could see (Casper the Friendly Ghost, three years in a row). The sad thing is that in some parts of our world we are seeing the actual horrendous effect Ebola can have on the human body. The current Ebola outbreak is receiving a high degree of media attention—not as much focused on prevention as many would hope to see—but, as expected, mostly on headline-grabbing events. The health care industry has witnessed the emergence of many “scares” over recent decades and has gone on to develop safe practices, response plans and effective medicines. Think back to when HIV, pandemic flu, SARS, MERS and the real threat of drug-resistant organisms all emerged: there was initial panic by many. Our industry has made tremendous strides in preparedness and response, but we can never sit back and say “we are ready”. We need access to simulation labs, table-top exercises and real-time drills. Most important, we must toughly critique our responses and make improvements. Getting back to Halloween costumes, I hope this year a few will choose to dress as scientists working on a successful Ebola vaccine.
Spread of the Terrorist Threat
by Tim Holt
What has been striking in the more exposed regions of the world is the speed, fluidity and spread of threats to people. In Mexico and Venezuela, for example, we have noted a continued increase in ‘express kidnaps’ in which local staff—as well as expatriates—are held for a shorter time and at a greater risk of violence. In the Middle East, the advance of the so-called Islamic State (IS) triggered evacuations at short notice and has highlighted the perils of becoming hostage to the organisation and the vulnerability of supply chains. In North Africa and the Sahel, the proliferation of Islamic extremism, whether under the flag of IS, al-Qaeda or groups such as Nigeria’s Boko Haram or Somalia’s al-Shabaab, has presented an extended terror threat in countries already prone to political and criminal violence. With al-Qaeda and IS jihadist groups now competing in South and SE Asia, alongside a Maoist insurgency in India and secessionist conflicts in the Philippines, organisations intent on fulfilling a duty of care are presented with growing global challenges to staff safety and security. In Libya and Yemen we observe parlous state fragility in the wake of the ‘Arab Spring’; in Kashmir and Pakistan, violent contest over older rifts. From crime to riots to kidnap, the threats to unwary travellers and expatriates are rising in many places. Looking ahead, it is crucial that risk managers ensure that political, security and cultural awareness inform their regional and country assessments and mitigation measures, particularly where state governance is weak or absent.
Geo-Political Disruption to Oil Supplies
From an energy industry perspective, the dual geo-political threat of disruption to oil supplies from both Russia and the Middle East is in many ways the ultimate scary risk. Clearly, the main impact on the energy industry would be on those companies from the affected regions that rely on a smooth flow of exports to the rest of the world, as their revenue streams would be severely disrupted. However, the higher oil prices that would undoubtedly result from any geo-political escalation from these regions would also mean much higher utilisation rates for most of the world’s remaining energy industry infrastructure; history tells us that when rigs, platforms, pipelines and refineries are operating at full stretch, losses tend to be both more frequent and more severe. Furthermore, the pressure on many energy companies’ global supply chains would become more intense, while the chances of a cyber-attack on western energy company infrastructure would also increase. There is therefore no doubt that the energy insurance markets are watching the unfolding situation in these regions with a considerable degree of apprehension.
Air Travel Crippled by Terror and Disease
by Steve Doyle
At this scary time of year we celebrate our fear of things that the vast majority perceive as “far-fetched”. It is perhaps the fear of the unknown that is most worrying. The global terror threat has decided that the high profile of the aviation industry makes it a target that can be struck at any time, as evidenced by flight MH17. The growing threat from Ebola is restricting air travel and calling for increased checks. There is recognition that aviation will potentially be a catalyst for the spread of the deadly virus. Finally, as the search for the missing flight MH370 continues, we are reminded of the fear of the unknown that can result from day-to-day activities. Suddenly a witch and her cat flying on a broomstick almost gives you a feeling of comfort!
New Natural Disasters
Perhaps the scariest risk we face on a daily basis is the potential for a natural disaster at any time. Who would have thought flooding in the desert was a problem, but Tropical Storm Norbert made Arizonans question their possible need for flood insurance. Oklahoma had three times the number of earthquakes this year as last, and the state’s Insurance Commissioner, John Doak, advised homeowners in Oklahoma to begin examining the available options for earthquake insurance. California is no stranger to wildfires, and some residents have taken advantage of the additional coverage of Wildfire Defense Strategies. Natural disasters cannot be avoided, but at least policy coverage is available to assist with the devastation left behind. Speak with your insurance representative to inquire how your current policy responds to natural disasters and what other coverage options are available to you.
by Peter Armstrong
It’s October and you know what that means: millions of consumers nationwide will be making a trek to their local retailers to purchase costumes, decorations, and Halloween treats. But unbeknownst to consumers and retailers, everyone could be in for quite a headache (unfortunately this one won’t be sugar-induced). With the casual swipe of a credit card, consumers instantly grant a retailer access to their private personal and financial information. The retailer processes the information, the consumer’s account is debited, and Susie gets her Elsa princess costume. All is well. Yet, imagine this: thousands of miles away, a sophisticated hacker has gained access to the retailer’s computer network through one of the retailer’s low-level contractors. One remote link between the retailer’s computer system and the contractor’s system—for something as seemingly innocuous as electronic billing—grants a hacker unfettered access to credit and debit card information, names, email addresses, mailing addresses, and phone numbers for 110 million consumers. With $148 million in uninsured breach-related costs, lost profits, and irreparable loss to reputation, some retailers and their vendors know exactly how scary a data breach can be and the importance of strategizing risk transfer for cyber risk. Companies in every industry need to carefully evaluate their relevant exposure and take proactive steps to maximize insurance availability.
Traders Spoofing in the First Degree
Traders should be afraid—very afraid. The intent behind their trading is being examined by authorities. And if that intent is found to be malicious, they could be going to jail. A high-frequency trader was recently charged with the crime of “spoofing”. Spoofing is the intentional act of creating the false impression of market demand by rapidly placing orders and then canceling them. Spoofing was explicitly banned by Section 747 of the 2010 Dodd-Frank Wall Street Reform Act, which describes spoofing as a disruptive practice. The “trick” behind spoofing is to convince the market that there is substantial demand for a specific security by placing numerous orders that flash on screens around the globe, but then canceling those orders before anyone has a chance to execute at the displayed price. The “treat” for the deceitful trader is a quick profit when other traders move the price in his favor based on the misinformation that his spoofing has produced. The terrifying result is that the Department of Justice and Attorneys General will now be looking over the shoulders of traders to determine if they had the requisite intent to commit spoofing when they placed and subsequently canceled their orders. The government looking into the hearts of high-frequency traders… Scary, right?
Tech-Media & Telecom Vulnerable in Emerging Markets
Today’s technology, media and telecommunications (TMT) companies are fast expanding in a complex and often violent world. With operations and supply chain dependencies in frontier and emerging markets, their growth is often exponential, and further opportunities abound. However, exposure to natural catastrophe, when combined with weak government, corruption and political or ideologically driven violence, could produce catastrophic shocks to installations and staff, not to mention to critical suppliers or customers, and therefore impact share price. Terrorist attack and cyber vulnerability are very real perils in the threat matrix and demand a high level of preparation and management if complex crises are not to spiral out of control. A scary prospect indeed!
Employees on Social Media
Social media presents a unique and “scary” challenge for HR. It’s a tool for employers–for communicating with customers, creating an employment brand, and executing their recruiting strategies. It is also increasingly popular with employees, who interact with their personal and professional networks before, during, and after work hours—saying who knows what. As the use of social media becomes more prevalent, employers should consider implementing a social media policy for their organization. To avoid liability when creating a social media policy, employers should understand the current state of the law and its limits on what a policy may restrict, to ensure their policy is legally compliant.
Directors, They’re Out to Get You
by Francis Kean
With regulators, prosecutors and legislators getting more aggressive, directors of large corporations may be feeling that they really are out to get them. Perhaps as a director you already have the company’s lawyer’s telephone number on your speed dial in case of need. You may feel therefore that you have taken all reasonable precautions to protect yourself. So when you receive your request for attendance at a regulatory investigation you dial the number and duly receive legal advice to prepare you for your ordeal. What you may not appreciate, though, is that the company’s lawyer is not necessarily also your lawyer. He or she may be advising the company through you. This may sound like a technical distinction that doesn’t matter very much but it really does. Imagine just how scary it would be if the company were later to decide to waive privilege in the legal advice you had received and share that advice with the very regulators or prosecutors who are out to get you. This is not the stuff of fantasy. It has happened before. And will happen again.
When Employees Collude in Fraud
by Jason Lelio
Most companies believe their internal controls and procedures are adequate and will reduce the likelihood of fraud occurring. However, many companies continually grow and change, forgetting to test and adjust internal controls along the way. One client of mine relied on internal control procedures that were in place when the department had only four employees. When the department grew to over 45 employees, the control procedure of having a supervisor approve all overtime hours was no longer adequate. Unfortunately the supervisor and many staff employees discovered this gap in controls and colluded to falsify time records indicating that employees worked significant overtime hours. The employees and the supervisor would split the additional wages and defrauded the company of over $1 million in wages and variable benefits. Simply adding an additional control to have a second approver outside of the department would have either caught or deterred the collusion altogether, or would have identified the collusion earlier and significantly reduced the loss. Don’t get frightened by staggering fraud losses – test, monitor and adjust!
Wrongdoing by Offspring Companies
by Silvi Wompa
Following the European Commission’s fine of EUR 302 million on 11 producers of underground and submarine high-voltage power cables for operating a cartel, the private equity sector discovered that, just like parents worldwide, they would be held responsible not only for their own compliance behaviour but for that of their portfolio company offspring too. In this case, the parent companies of the producers involved were held liable because they were considered to “exercise a decisive influence over them”. Investment companies were held to have the same responsibility to ensure “a compliance culture” as any parent company. This risk is similar to corrupt practices. Under the US Foreign Corrupt Practices Act and UK Bribery Act, private equity firms can be held liable for the actions of their portfolio companies even if the corrupt acts occurred before the acquisition. So how do you discover if you’re getting a troubled child? Adequate due diligence is a good start. Private equity firms should also pay more attention to compliance warranties when negotiating share purchase agreements and carefully consider the compliance systems and controls of the target. Once acquired, the work does not end. A post-acquisition review should be held and any identified problems should be swiftly resolved. Private equity investors are starting to realize that case law on parental liability doesn’t distinguish between financial and other investors – and that the price tag can be huge. It’s time to start being a better parent.
Cyber Worries in the Boardroom
by Tom Srail
Perhaps the scariest call of the year didn’t come from outside hackers threatening an attack, law enforcement informing you of your breach, or even the credit card firms implicating you in a massive theft of data. It came from… INSIDE YOUR BUILDING! No, not a gruesome creature hiding under the stairwell, but from your own directors in the board room. 2014 saw technology failures and cyber risks become a Top 3 boardroom issue in most organizations. Not only does the board want to review the defenses, mitigation plans, and auditing that have been completed, they also ask about insurance coverage. Do we purchase technology E&O or cyber insurance? Do we require our IT and HR vendors to do so as well? Why did we make the decisions we made? What evaluations and analytics were employed? Scary questions, if you don’t have the answers!
by Dan Buelow
An architect and engineer’s greatest exposure is by far his or her professional liability/errors and omissions. The good news is that a properly drafted A&E professional liability (PL) insurance policy should cover the design firm for everything it does as a design professional. The scary news is that, by contract (or the actions of an employee on the job site), a design firm can find itself over and above the standard of care and possibly in an uninsured position. All A&E PL policies exclude liability assumed under contract—unless the firm would have been liable in the absence of that contract. It’s important to recognize this relationship between a design firm’s PL insurance coverage and its standard of care. If a firm agrees contractually to accept risk over and above the standard of care, such as providing a warranty or guarantee, it may very well not have insurance—which is in nobody’s best interest. Be sure to join us for our annual Willis A&E Halloween webinar special titled “Contracts From Hell!” October 31st, 11:30am – 1pm, Central Time. To register: www.WillisAE.com
Impending Health Reform Deadlines
2015 will be the deadline for most employers to finally be in full (or mostly full) compliance with the Patient Protection and Affordable Care Act (PPACA). Employers have to know which employees are full-time versus part-time and make the appropriate offers of coverage. That can be daunting, because if employers do not make the offer of qualifying coverage available to at least 70% (95% in 2016) of all full-time employees—those who work an average of 30 hours per week or more—they will be subject to potential penalties of $2,000, multiplied by all their full-time employees. This is true even if those employees have qualifying coverage. That can indeed be pretty scary. But most employers are ready for that and will likely be prepared. That “ghoul” is unlikely to startle employers. However, a whole new batch of reporting obligations looms too. The new Forms 6055 & 6056 have to be completed and filed in 2016. The necessary information must be compiled during 2015! That means another reporting and compliance mandate that employers have to deal with, and one that might just catch them unprepared. They need to get their payroll and administrative providers on board NOW to make sure that information will be compiled in a timely fashion to make the filings available next year.
Electoral Hacking in Brazil
by Alvaro Igrejas
Technological evolution sometimes ends up looking like a futuristic movie, but this could be more present-tense than we realize. In this evolution, we must always have on our radar the constant hacker attacks and their continuous improvement. This year, the target was October’s Brazilian elections. To give some context, in 1996 the Superior Electoral Court (TSE), the body responsible for elections in Brazil, implemented an electronic voting system. Today the system operates in 100% of the Brazilian territory and has proven quite effective. However, as reported, in the weeks leading up to this year’s elections the Electoral Court computers suffered hacker attacks. There were about 200,000 attempts per second, all from other countries. Fortunately, the hackers were unable to break the TSE system.
The threats of hackers break boundaries, and geographical distances today are no longer obstacles. 2013 saw a 62% increase in breaches over the previous year, which marked it as the Year of the Mega Breach. In addition, each of the eight major data breaches that occurred in 2013 resulted in the loss of tens of millions of data records. The alternative is to be protected, not only through upgrading and improving systems, but also in terms of corporate assets and the possible damage that companies can suffer. Hacker attacks are not exclusive to government agencies; in Brazil the biggest targets are our financial institutions, e-commerce clients, etc. The speed with which they act, and the impact they can have on companies, businesses and their clients in risk situations, is a scary scenario.
Which of these was the scariest risk of 2014? Weigh in on our poll–or in the Comments section below.