While the number of incidents and casualties declined in 2017, a report released Monday by Marsh L.L.C. said terrorism is still a significant threat and that the insurance market is adapting to handle the evolving risk.
Marsh’s 2018 Terrorism Risk Insurance Report, which explores the state of the terrorism insurance marketplace, said that in the wake of recent events, terrorism insurers are expanding terrorism definitions to include active assailant events.
In some cases, the report said, insurers also are developing specialty products that offer first- and third-party business interruption protection for businesses that suffer lost income or revenue without the need for a direct property damage trigger.
Although fewer people were killed in terrorist attacks in 2017 than in 2016, the Marsh report said the means of attack and perpetrators have shifted.
“Past attacks were carried out primarily by specific groups against perceived high-value-high-profile targets,” the report said. “While that threat remains, many recent attacks have come against soft targets and been perpetrated by ‘lone wolves’ and small groups with no direct connection to known terrorist organizations. Weapons of choice now include vehicles, knives and other handheld devices.”
In 2017, the report said, pricing increased in five of the 17 industries surveyed by Marsh, with the sharpest increases being felt by hospitality and gaming companies, public entities and nonprofit organizations, which have been targets of terrorist acts in recent years.
Pricing declined in seven industries, the report said, most notably for energy and mining and construction companies, reflecting the generally positive conditions in the property insurance market prior to the 2017 Atlantic hurricane season.
Sixty-two percent of U.S. companies in 2017 purchased coverage embedded in property policies under the Terrorism Risk Insurance Program Reauthorization Act of 2015, or TRIPRA. Companies in the Northeast U.S. were most likely to purchase terrorism insurance, Marsh said.
The number of Marsh-managed captive insurers actively underwriting one or more insurance programs that access the TRIPRA increased 44% to 166 captives in 2017.
After incurring sizable ransomware losses in 2017, kidnap and ransom insurers are seeking to restrict coverage for cyber risks in their policies.
Terrorism insurance capacity remains strong, the report said, but pricing could increase as global insurance costs generally increase following natural catastrophe losses in 2017. January 2018 year-over-year pricing changes for a majority of reinsurance program renewals that included terrorism coverage averaged flat to an increase of 10% on a risk-adjusted basis, according to the report.
The Marsh report made several suggestions for businesses in the face of evolving terrorism risk, including continually reviewing and reevaluating their risk financing programs to ensure they have adequate protection for property, business interruption, workers compensation, general liability and cyber losses.
The report also encouraged businesses to effectively model their terrorism risk and to build and test robust crisis management and business continuity plans.
Author: Rob Lenihan
Source: Business Insurance
Recently, I had the chance to spend some time at Walt Disney World in Orlando, Florida, when I attended the NAMIC conference in February. One session included a presentation by Barry Dillard, director of claims for Walt Disney World, where he shared the company’s approach to handling a wide variety of claims.
I sat down with their vice president of risk management to learn about some of the strategies they employ, and I had the opportunity to tour Walt Disney World itself to peek behind the curtain and see how this massive theme park creates the magic for its guests and cast members while keeping everyone safe.
Believe it or not, the Walt Disney World Resort covers 40 square miles and is twice the size of Manhattan. Within its confines, this world-class attraction employs 75,000 cast members, each of whom plays a critical role in spreading the Disney magic. Their emphasis on safety is both taught and caught, which is especially important when serving the millions of guests who visit the Disney attractions around the world.
The Walt Disney Company is extremely proactive in their risk management strategies — it truly is everyone’s responsibility — not just the realm of those at the corporate level. As is often the case in life, the simplest things can make the biggest difference. Merely walking the parks, hotels, shops, and restaurants can yield valuable information, allowing cast members to identify small issues before they become larger ones. Even in one of the most magical places on earth, reality tends to intrude.
Unexpected risks arise every day and training plays a key role in mitigating them. Hackers are constantly devising new ways to access company information or hold it for ransom. The use of ransomware is expected to increase 350% this year, so being vigilant and backing up data has never been more important.
The number of shooting incidents in businesses and other settings is increasing at an alarming rate. Knowing what to look for and how to respond in these situations can literally be the difference between life and death.
For better or worse, new risks are changing our behavior — how observant we are of our surroundings in open spaces, what we post on social media, where and how we protect our personal information, what we open online and how we train our staffs. It really is the smallest things that can make the biggest difference in keeping people safe.
Author: Patricia L. Harman
How many passwords do you use for work? Five? 10? More? Most nonprofit staffers have too many passwords to remember them all. This leads to bad habits: writing them down on sticky notes, sharing them with colleagues, or reusing the same password over and over. These bad habits can put your organization’s data at risk.
Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools allow you to use just one long, complex password behind which you can store all your passwords. Most tools can be configured to automatically enter the right password whenever you go to an account website or open an application.
Some people worry that putting all your passwords in one place is too risky because one hack opens the door to all your data. That’s a valid concern, but chances are that the encrypted system used to manage your passwords and the value-added services you get from a password manager will make you more secure than whatever you’re doing currently.
If you’re interested in implementing a password manager at your organization, here are a few of the features you should look for.
- Enterprise Control. One of the biggest benefits of a password manager is the ability to manage every password user at your organization. Look for a service that allows you to turn off access for people who have left your organization and select the users who should and should not have access to specific accounts. A good system will allow you to maintain this admin-level control without giving you direct access to any password content.
- Audits and Changing. Many password managers can guide users to choose stronger passwords. Some will audit your passwords and suggest ways to strengthen them. Many also allow you to schedule password changing and even automate password changes.
- Two-Factor Authentication. A good password management vendor will understand your concern that one password in the wild can lead to dozens more roaming passwords. Two-factor authentication, a method that requires you to verify your identity in a second way, adds an extra layer of security to make it more difficult for a thief to get into the system.
- Multiple Devices. Chances are your staffers want to use various operating systems and mobile devices. Look for a password manager that is compatible with PCs, Macs, and all the various mobile devices out there.
Source: The Nonprofit Times
What would you do if your nonprofit had over 500 W2 tax forms stolen electronically and put up for sale on the dark web?
This nightmare happened to one unnamed nonprofit, and their solution was to contact the National Cybersecurity Center, a nonprofit founded in 2016 by Colorado Governor John Hickenlooper. The NCC’s mission is to provide collaborative cybersecurity services and training. Their goals are to provide education, training, and response services. According to CEO Ed Rios, almost 90 percent of the attacks reported to the center have been mitigated.
What happened to those W2s? The NCC determined that the records were obtained via an email scam. To help with prevention, the NCC offered training to the nonprofit on identifying and avoiding such attacks in the future.
Rios stated that approximately 75 percent of attacks result from user error. Commonly known as PICNIC (Problem In Chair, Not In Computer), the term is popular with IT help desk employees to describe the non-IT workforce’s propensity to click first and ask questions later.
There are three pillars of the NCC’s work:
- The Rapid Response Center is a dedicated facility with experts, vendors, and partners to serve as a trusted resource during a time of security breaches. Their plan is to be the “one-stop shop” when immediate assistance is needed to solve an attack. The RRC is reached via 877-90-CYBER. It is currently available only during business hours; the plan is to offer 24/7 assistance in the future.
- The Cyber Institute takes a think-tank approach to exploring emerging tactics and trends, encryption, and protocols available to better protect our electronic assets. Examples include cyber law, cyber budgeting, cyber communications, and other activities that a small or medium nonprofit or business needs to understand, both now and as technology evolves.
- The Cyber Research, Education and Training Center partners with K-12 and higher education to drive research and development and to provide cyber workforce preparation and education.
Statistics reveal that a single breach can cost up to $9 million for complete resolution, says Rios. Referring to the management level, he said, “50 percent don’t really know enough to even have a discussion.”
Regarding the cybersecurity workforce shortages, Rios further explained that cybersecurity skills can often be taught at the “tactical level” as opposed to the formal education perspective with degrees in computer science. As nonprofits face an increase in cybersecurity and other online threats, it behooves them to be aware of the dangers and the resources available to mitigate them.
Source: The Nonprofit Quarterly
Author: Jeanne Allen
For nonprofits, reputation — theirs and their private-sector partners’ — is everything. Managing it has become a key strategic goal.
When an organization’s mission and message are about “doing good” — helping those in need or tackling an important social or environmental problem — it may be hard to imagine any reputational risk associated with their enterprise. Isn’t reputational risk management something that only private-sector, for-profit corporations need to be concerned with?
Although it might come as a surprise, the reality is that nonprofits — whether they’re development organizations, charitable bodies, or advocacy groups — have started to build fully-fledged reputational risk management systems similar to those employed in the private sector. Why? Because they meet challenges to their missions very similar to those faced by private-sector companies. First and foremost, they want to avoid a relationship with a controversial donor that might jeopardize their reputation.
Reputation as an Asset
A friend who advises the nonprofit sector recently explained it like this: “Companies have products and services. Even if a company is criticized, selling products and services will continue to generate revenues. Nonprofits, on the other hand, depend on donations that are primarily given on the basis of the organization being an honorable and effective one. Put simply, their reputation is really all they have.”
Here’s an example of the harm that comes from an attack on a nonprofit’s reputation. In 2011, the World Wildlife Fund (WWF) was criticized for its partnerships with industry in a German documentary with the audacious title, Der Pakt mit dem Panda — Was uns der WWF verschweigt. This roughly translates as “The Pact with the Panda: What WWF isn’t telling us,” but it was recast in English as The Silence of the Pandas, a reference to the thriller The Silence of the Lambs, insinuating that WWF was involved in an awful crime. The title alone was damaging in either language because it cast WWF as manipulative and dishonest; the film’s content itself, which according to WWF contained a number of significant factual errors, was even more so.
In its press release addressing the issue, WWF was able to prove that most of the claims made in the documentary were unfounded. However — and this is again similar to the situation of private-sector companies — dealing with the controversies absorbed valuable time and money. WWF Germany also lost members and donations. The drama of a message often overshadows a rational, point-by-point refutation; WWF may have had the last word, but it didn’t necessarily reach the ears of donors (or potential donors).
Furthermore, the Internet is an unforgiving archive of allegations, regardless of whether they are true or false. The undesirable effects not only last over time, but also spread across borders. Incidents that occur in a specific region can affect other countries’ offices and the organization’s headquarters as well. WWF Switzerland, for example, felt the ripple effects of the controversies in Germany.
Managing Risk in Corporate Partnerships
Completely avoiding partnerships with private-sector companies would be an effective way of mitigating the corresponding reputational risks. Some nonprofit organizations do exactly that. Think of Greenpeace, an organization active on the very front line of corporate criticism. The last thing it wants is to be accused of taking money from controversial companies or supporting “greenwashing” by partnering with them.
But this strategy comes at a price. First, private-sector companies are an important source of revenue. Donations from private individuals have not grown for many years, but there is still an untapped potential among corporates. “Although only 5% of donations come from companies, the volume of corporate income among Swiss nonprofits grew by 7% last year. However, the more funding nonprofits receive from companies, the more tough questions they will have to answer. The best way for them to avoid controversies is to agree with the partner on a truly transformational agenda. The positive impact of the partnership should be the primary reason to engage with the private sector,” says Michael Arnold, head of corporate partnerships at WWF Switzerland.
Second, as highlighted by Arnold, private-sector companies can play an important role in projects themselves. They have much-needed knowledge and resources. Many subject matter experts at nonprofit organizations believe that it will not be possible to solve today’s challenges without the involvement of the private sector. From the opposite perspective, private-sector companies are more often seeking partnerships with nonprofit organizations as part of their corporate responsibility and sustainability strategies.
With this in mind, donor organizations have also started to think about how they can manage the corresponding reputational issues. Jean-Christophe Favre, in charge of private-sector partnerships at the Swiss Agency for Development and Cooperation (SDC), says that the SDC needed a system “that allowed them to have a good enough understanding of the potential partner so that they could feel comfortable about the partnership.
“Not having a reputational-risk framework and clear criteria also made it very difficult to discuss partnerships in a productive manner and to ensure institutional coherence. Every office would make decisions differently. And, in the worst case, SDC would not be able to explain how the partnership was assessed and why SDC came to the conclusion that this partnership was beneficial to SDC’s mission.”
Christian Görg, responsible for the reputational risk process used to assess private-sector partnerships at Germany’s largest development organization GIZ, has had similar experiences: “At GIZ, we wanted to avoid inconsistent decisions in different areas of the organization. The most important benefit of our reputational risk process is that we think about ways to mitigate risk from day one. The process sharpens our senses and makes sure that we don’t enter into partnerships hastily.”
Looking at potential partners, nonprofit organizations need to be able to answer the same questions as private-sector companies in the same situation: with which companies do you want to work? Or, in other words: with which companies is it better not to have a business relationship — and if you embark on a partnership anyway, what should be your terms?
While businesspeople tend to see reputational risk management as an obstacle to business, it is an enabler of business in the world of nonprofits. Understanding the issues a potential partner is exposed to and identifying risk-mitigating measures are essential to doing business. This enables nonprofit organizations to frame the discussion, to evaluate risks and options, and to overcome internal concerns.
Author: Olivier Jaeggi