Newer developments like a 3-D laser and sensor technologies are enabling contractors to build in a smarter and safer way. Insurers should understand where the construction industry is headed in terms of technology use and how emerging devices can help improve both physical construction sites and worker safety.
Imagine being in the middle of a large-scale office tower build, with the framing, exterior walls and roof all finished when you notice the structure’s support beam measurements appear to be wrong. Instead of going back to the architect and engineers involved in the project to confirm measurements by hand, and potentially stalling the build of the project, you use a 3-D laser scanner that in a matter of moments confirms the design measurements are on point and you won’t have to delay the build.
This is just one scenario that captures the challenges contractors face today and how the construction site of the future, which will focus on harnessing data and technology together, can ultimately help contractors build in a smarter and safer way.
For construction companies working off an architect and engineering professional’s plans, measurements could be incorrect. When transforming a warehouse into a restaurant, for example, accuracy is highly important. Moving gas and water lines and electrical, and designing a kitchen out of an open space by hand leave potential opportunity for error, which could also cost the contractor time and money. If a measurement is off by even 10 inches, this apparently small mistake could potentially lead to great costs in rebuilding. In fact, according to the American Society of Civil Engineers (ASCE), the direct costs from rework can often account for 5% of the total construction costs, which is not always insurable.
3-D laser technology captures a construction site’s lines by creating an accurate, to-scale model of the different points of the scale, including space, air, and objects. This technology measures the site down to the millimeter.
Laser technology not only provides fast, accurate measurements but also can confirm whether the measurements are in fact correct. The technology matches the architect’s design against the physical building, providing an overlay of the measurements and highlighting areas where they do not align.
Contractors seeking to build with speed and accuracy use this technology to help identify problems in real time, revolutionizing how construction companies are approaching a build. According to a report from MarketsandMarketsTM, the 3-D scanning technology market is forecasted to grow at a significant rate for the architecture and construction industry industries between now and 2023.
Future applications of 3-D technology largely fall into two categories:
Using a 3-D laser scanner on a drone: Imagine being able to have a drone scale an 80-story building in minutes while confirming measurements and accuracy from the sky. A daunting and high-risk scenario becomes a relatively easy and much safer task.
Virtual reality and augmented reality: Contractors can scan the physical building against the design, creating either a virtual reality hollow so that workers can see where pipes will go or augmented reality visuals where architects, engineers, inspectors and even homeowners can see progress on a building in real-time. 3-D scans can be overlaid against the Building Information Modeling design to provide a real-time comparison of the current build against the original design
Protecting the physical site
Among the new technologies that are currently available, mobile sensors – the size of a paperback book – can be deployed on construction sites to help detect the building’s temperature, humidity, dust particles, noise, vibrations, among other things. By monitoring the building’s environment, contractors can receive real-time alerts when the building reaches certain thresholds.
By way of example, let’s say the temperature drops in an office tower construction site. With mobile sensors, the contractor can immediately receive an alert giving them an opportunity to check on the tower. Something as simple as a pipe bursting in the middle of winter because a door was left open can lead to significant losses.
As sensor technology advances and the market becomes more competitive, we will likely see more robust sensors on the market that are able to monitor the building’s holistic environment.
Wearable sensors are another example of emerging technology – similar to the popular bracelets that track one’s physical activity or a pedometer that measures the steps someone has taken in a day – sensors are now being tailored for construction site workers to provide real-time data with the goal of increasing workplace safety.
Construction sites are a high-risk work environment. In fact, some of the most common injuries experienced on construction sites include strains and sprains, falls from elevation, and those related to heat stress. Repetitive motion injuries such as bending or lifting are also common.
Most insurance carriers today offer risk management consultants who can go onsite and provide construction clients with a snapshot of potential risks, observations, and insights into indicators that can potentially lead to workplace injuries. Wearable devices are essentially a safety professional standing behind each worker all day, every day, monitoring whether workers are bending correctly or if the site’s temperature is placing them in a heat stress environment. The technology could also connect to claims data so insurers can provide insureds with proactive proposals and solutions to help change workers’ behavior to reduce the potential for injuries.
In the future, wearable technologies will be able to harness forensic data and other information from the physical construction site as well as historical claims, while also receiving real-time data that can provide predictive analytics.
Smart sites of tomorrow
Construction sites and the construction industry as a whole represent a prime case for technology disruption. In the next 5-10 years, it is probable that all of these technologies will be capable of connecting and talking to each other while outputting data into a single monitoring system that can be used by construction companies, insurers as well as architects and engineers to help take proactive actions.
A 2016 report from McKinsey & Company found that large construction projects typically take 20% longer to finish than scheduled and are up to 80% over budget. But thanks to the construction site of the future, using 3-D lasers, mobile sensors, and wearable technology could ultimately help provide a safer, more efficient workplace and, in turn, reduce costs.
If the industry develops a solution for construction sites, it can be applied to other industries such as manufacturing, logistics, warehousing or healthcare. As economies of scale also take hold, we could see the cost of these technologies decrease and the barriers to embracing these technologies start to dissipate.
The United States is no stranger to acts of terrorism. In recent years, domestic and international events have increased with alarming frequency. More importantly, such events have shown that no area of life is completely risk-free.
Domestically, notable acts of terrorism have occurred on school campuses like Virginia Tech or Sandy Hook Elementary School. Just this month, Las Vegas experienced the deadliest mass shooting in modern U.S. history.
Concern over terrorism risk is clear and definite, but information and understanding of terrorism risk insurance is not as well known. Not-for-profit organization RIMS tackles this subject in its latest report, Terrorism Insurance: Understanding the Boundaries of Coverage for a Risk Without Borders.
Guidance for risk managers
The report provides corporate risk managers, insurance brokers and coverage counsel with guidance on determining whether terrorism risk insurance coverage is necessary, identifying terrorism risk solutions that exist in the market and insights on negotiating for terrorism coverage.
“With terrorism risk being an unfortunate reality, corporate risk managers and counsel can take proactive measures to contain a risk that otherwise knows no bounds,” said the author of the report, Micah Skidmore of Haynes and Boone LLP.
Is terrorism risk insurance coverage necessary?
Terrorism risk can be quantified and, to some extent, understood by its relationship to a variety of constantly evolving factors. Historically, domestic terrorism represented a disproportionate risk to property, relative to bodily harm, spread over numerous smaller incidents.
Most attacks occur on a seasonal basis, especially during the spring and summer months. The report also notes there is a greater likelihood of terrorist attacks in the Northeastern region of the U.S. and the coastal states like California and Texas.
Although property damage and bodily injury are the primary risks associated with terrorism, there are other dimensions companies should consider if they’re looking to minimize their exposure, such as:
- Fiduciary liability for corporate directors and officers,
- Pollution loss and liability,
- Professional (E&O) liability,
- Employment practices liability,
- Business interruption loss, and
- Privacy and network security liability.
Even when a company does not independently recognize terrorism risk sufficient to justify an insurance solution, some form of terrorism coverage may nonetheless be required by contract — including lending agreements.
What insurance solutions are available to address terrorism risk?
What terrorism insurance solutions are available to corporate risk managers? A significant market capacity exists for domestic terrorism coverage in two different forms: traditional first- and third-party policies, and so-called stand-alone terrorism risk insurance. Traditional policies, including commercial general liability and property policies, may provide some coverage for terrorism risk if not expressly excluded.
Workers’ compensation insurance — a state-regulated line of coverage compulsory in nearly every state — is another traditional policy that may provide some form of terrorism coverage. Unlike other property & casualty policies, workers’ compensation policies do not have terrorism (or war) exclusions.
To the extent that terrorism risk is excluded or unavailable under traditional policies, a corporate policyholder may consider purchasing stand-alone terrorism insurance. Stand-alone terrorism policies, however, provide a wide a variety of terms — some offering broad coverage, others very little.
They also typically exclude political risks, including loss resulting from strikes, riots, civil commotion, rebellion, revolution, war and insurrection. Cyber-related loss and liability, as well as nuclear, biological, chemical and radiological hazards such as anthrax, are also commonly excluded.
What should corporate policyholders look for in placing stand-alone terrorism coverage?
If a stand-alone terrorism policy is the preferred method of addressing terrorism risk, selecting the policy with the best terms involves more than just ensuring that coverage extends beyond “certified acts of terrorism.” Brokers and policyholders should carefully review the valuation terms in stand-alone terrorism policies to ensure that such terms appropriately compensate the insureds for loss and damage, even when actual repair or replacement may not be possible or optimal.
In a large-scale terrorism event, disputes have developed and may continue to arise over what qualifies as a separate “occurrence,” justifying either the application of separate limits or the accrual of a separate deductible or retention. To avoid such controversy and afford a measure of certainty to policyholders and insurers alike, some considerations should be given to including specific terms defining what constitutes an “occurrence” and how the number of occurrences associated with a given claim will be determined.
What other policy terms justify special consideration in a terrorism risk insurance policy?
- Expediting expense: The costs incurred to sustain operations or expedite repairs in the wake of a terrorism incident may vary substantially from any other casualty loss. Expansion of insuring terms beyond “reasonable and necessary” costs to include items such as security or healthcare-related expense may be appropriate.
- Increased cost of construction: A terrorism incident may itself prompt legislative or other practical requirements that have the effect of increasing the cost of demolition and compliant repair.
- Pollution exclusion: The “act of terrorism” may, directly or indirectly, prompt a release of hazardous substances, which increases the cost of the claim. Policies should not exclude the cost associated with a release of “pollutants” that is an indirect result of an otherwise covered “act of terrorism.”
- Sue and labor: What is reasonable to protect, recover or save insured property after a general casualty loss may be very different from what is appropriate following as an act of terrorism. To avoid disputes, language in “sue and labor” provisions should be tailored accordingly.
Terrorism risk insurance, whether through traditional or stand-alone policies, is an increasingly important element of domestic corporate insurance programs. To that end, risk managers, agents, brokers and corporate counsel should review corporate exposure to risk, existing policies and contracts to determine whether terrorism risk insurance is necessary to protect the business or fulfill contractual obligations.
Although environmental consulting has been around since the early 1970s, it’s still an expanding field with unique risks and exposures.
Governmental regulations, along with public interest in conservation and sustainability, have driven the growth of this $16 billion industry providing environmental services to virtually every sector of the U.S. economy, from surveyors conducting site assessments to engineers developing remediation plans to contractors performing cleanup and pollution abatement.
At the same time, these tasks lead environmental consultants to encounter risks that are excluded under standard commercial package policies. Pollution liability can occur when faulty work is the direct cause of environmental contamination, and professional liability arises when technical errors contribute to an incident and subsequent economic losses for a client.
Even individuals who never set foot on a job site must consider their potential exposure: lab technicians analyzing soil samples for pollutants or engineers advising on regulatory compliance plans may find themselves subject to a claim. Simply put, if your operations can contribute to an environmental incident, you are exposed.
Start with documentation
Complete, consistent documentation is the basis for an effective environmental risk management strategy. This begins with preparing detailed proposals for each project, clearly defining the work to be completed, terms of successful performance, and a realistic estimate of associated costs.
Consultants should take the time to ensure that clients understand the proposed work and agree that it addresses their concerns, so as to avoid future disputes.
Recording the obligations of consultants and clients in a formal contract reduces the potential for conflict over a difference in unstated expectations. The goal of the contract should be an equitable distribution of risk for both parties.
Identify the standard of care to be applied and the limits of liability for the consultant; ideally, this will be an amount equal to the fees charged for the project. Risk professionals should be cautious about commitments exceeding industry standards and especially wary of broad indemnification language that would expose consultants to risks unrelated to the work that they have agreed to perform.
Specify the process for addressing unforeseen circumstances, such as the discovery of unanticipated hazardous materials or subsurface structures, and employ alternative dispute resolution methods in the event of an intractable disagreement. As the project gets underway, procurement should be conducted according to established procedures and criteria.
Subcontractors present additional risk
Any project relying on subcontractors opens itself to additional risk, as the same concerns that apply to the environmental consultant extend to this group as well.
Regardless of past success with a particular subcontractor, consultants must make sure that their partners possess the relevant skills and resources to conduct and supervise the work at hand. Best practices involve prequalifying subcontractors according to expertise, resources, and financial stability, including adequacy of insurance.
Subcontractor questionnaires or other evaluations can be kept on file and updated for future projects as needed.
Project work should follow the specified scope as close as possible, with quality control checks to monitor adherence to guidelines. Team members performing the work should be qualified to conduct initial quality assessments, with senior consultants reviewing calculations and results for sensitive tasks.
If work involves the risk of physical exposure to hazardous materials, site-specific plans are necessary to guarantee conformance to OSHA standards, at a minimum. Firms should have plans in place for handling and storing waste materials and other potential contaminants, as well as for spill response in the event of a breach.
All formal reviews of plans, documentation, and work performed should be recorded for later reference.
Finally, any project is likely to call for changes to at least some of the initial terms. Change requests should be documented for issues large and small, with a record of client acceptance where required. In fact, it’s wise to catalog all project-related correspondence, especially with key stakeholders such as clients or regulators. Evidence of communications and approvals can be the most effective defense against potential claims.
Mining the data in documentation
One secondary benefit to a successful documentation strategy is the wealth of information that it offers to insurance carriers and underwriters assessing the quality of a potential insured. Risk managers should review consultants’ procedures against those described and address any gaps before contacting insurers.
In addition to routine application requests for financial information and loss history, risk managers can provide copies of standard operating procedures, site reports, incident response and spill containment plans, hazardous material storage protocols, subcontractor qualifications and resumes of specialists responsible for core operational and oversight functions.
For environmental consultants, incorporating these recommendations increases the likelihood of successful projects and productive client relationships — outcomes that translate into improved availability and affordability of insurance. For insurance professionals, evaluating risks in light of these standards can reduce claim frequency and severity, improving loss experience and underwriting results.
The combined effect is enhanced profitability for carriers, producers, and consultants themselves and greater availability of essential environmental services for the economy as a whole.
The days when a hurricane, tornado, or other natural disaster is raging, along with the immediate aftermath, are both the worst and best of times. Why they are the worst is obvious. But, these moments also attract the most attention, assistance, and funding. Allow a few months or years to go by, and much of that dries up, diverted to the next disaster or event in the news, the effects of the crisis typically last a very long time.
“Long after the waters have receded, Americans will be grappling with the effects of Hurricanes Harvey and Irma, which broke records and ruined lives as they wreaked havoc on the United States and the Caribbean,” warns the Washington Post.
For example, reports the Post, “state and federal health authorities have warned residents to be on the lookout for mold in their homes, strange rashes on their bodies, stray jagged items in standing water that can lead to infected wounds, and depression and post-traumatic stress disorder.” Those all take a while to develop.
“As conditions dry up, we will cycle out of the weeks of floodwater mosquitoes, and then begin cycling into a period of time where the disease-transmitting mosquitoes will emerge and build up,” Sonja Swiger, a veterinary entomologist at Texas A&M AgriLife Extension Service, said in a statement. “So, the initial run of mosquitoes is not too much of a disease threat…It’s the next run we really need to be concerned about.”
Likewise, fully a year after Hurricane Katrina, residents reported an increase in suicidal thoughts, according to a 2015 paper published in the journal Nature. The same is likely to be true for Harvey.
Ben Brown from placemakers.com divides the time post-disaster into several stages. The first is the buildup to the crisis and the “hit.” During the second stage, the tragedy is offset by the rush of attention and inspiring stories of volunteers rushing to their fellow humans’ aid. However, then comes “stage three.”
Building beneath the stage two celebration of everyday heroes is the stage three inevitability of hero fatigue. The first responders, the ad hoc volunteers as well as the pros, are soon overwhelmed by the scale of demands—the logistics of organizing and managing shelter, transportation, food, medical care and clean-up. Exhaustion sets in. Fear of chaos looms. Images of neighbors helping neighbors are replaced by weary property owners sitting on porches with shotguns in their laps. It’s everybody for themselves.
Brown believes this period can also, however, be a time of fresh ideas and initiatives—new thinking that is typically squelched once the various stakeholders eventually come around and allocate the additional resources needed.
This window, this low point of hope, might also be the best opportunity for consensus on a get-something-done agenda, for committing to strategies to avoid reenacting the social and economic misery of the present in the future. As soon as the immediate emergency recedes, leaders…might be up for a talk about better planning approaches. They might even be agreeable to considering the big ideas a lot of us like—restricting building in vulnerable areas, toughening building codes, enacting zoning that encourages density for more cost-effective storm water management and less private automobile dependence.
The key, he says, is to take bite-sized steps—implementation of small components of big ideas, models that can be put in practice fast to demonstrate their utility and appeal, then replicated and scaled up when funding is obtained.
If residents and community stakeholders don’t capitalize on this opportunity for an equitable fresh start, then the result is likely a bounce back to a risk-prone status quo. Entrenched powers leverage “federal dollars to rebuild or allow to be built much of the infrastructure, housing and commercial structures that was there before—too often in the same places that were considered too risky before and are just as vulnerable going forward.”
Just how to tap into additional funding to carry communities into long-term recovery is the challenge. This is particularly true in light of President Trump’s proposed cuts in the Department of Housing and Urban Development, which helps rebuild homes, parks, hospitals and community centers.
One emerging solution is “pre-agreed financing”—such as sovereign parametric insurance, risk pools, or catastrophe bonds. (In sovereign parametric insurance, a premium is paid by a government and payouts are obtained based on an objective trigger, such as wind speed or the Richter scale for earthquakes.) For example, the Caribbean Catastrophe Risk Insurance Facility, set up 10 years ago as a risk pool with 17 member countries, already has announced it will pay out, within a fortnight, $15.6 million to the governments of Antigua and Barbuda, Anguilla, and St Kitts and Nevis—providing resources to get public services and infrastructure functioning again.
However, Lawrence Vale, author of “The Politics of Resilient Cities: Whose Resilience and Whose City?,” adds that it’s not just reducing risk that should be of concern when rebuilding. Equitable development should be a priority as well. “Who bears the brunt of the crisis and whose interests are best served by the proposed interventions?” he says we must ask. If resiliency is bouncing back, what are we bouncing back to? In too many of our communities, there already is entrenched inequality. Will we bounce back to more of the same?
Or, even worse, resources may be used for what Naomi Klein has called “disaster capitalism”—remaking the community to advantage the privileged classes at the expense of the “less desirable.”—Pam Bailey
In May, a strain of ransomware known as WannaCry infected more than 230,000 computers in 150 countries, demanding about $300 in the cryptocurrency bitcoin to restore access. Primarily striking Europe and Asia, the attack crippled operations for a wide swath of enterprises, from the U.K.’s National Health Service to German state railways to thousands of private businesses. Although the buzz had died down, some businesses were still struggling to recover over a month later. On June 21, for example, despite efforts to secure its systems at the height of the attacks, Honda had to halt production at one of its vehicle plants in Japan after finding the ransomware in its network.
While most ransomware is spread through phishing, the WannaCry attack used an exploit called EternalBlue that takes advantage of a vulnerability in computers running outdated, unpatched versions of Microsoft Windows. The exploit is one of the National Security Agency-developed hacking tools leaked last year by hacker group the Shadow Brokers.
Experts warned that WannaCry may be a test balloon of sorts—cybercriminals trying to see just how much worldwide havoc they could wreak. Given the relative technical ease of launching a ransomware attack, the hackers netted a decent haul: At the beginning of July, bitcoin wallets associated with WannaCry had accrued a little over $120,000.
It has become a cliché with so many cyberrisks that the question is when, not if, a business will face the threat, but this aphorism is perhaps most accurate when it comes to ransomware. Last year, the FBI recorded more than 4,000 attacks a day, a 300% increase over 2015, and cybersecurity firm Kaspersky Lab reported that ransomware attacks on businesses went from one every two minutes in January 2016 to one every 40 seconds in October. Whether deployed for strategic disruption or for quick cash-grabs, with ransomware available for purchase on the dark web and the considerable efficacy and ease of launching attacks, the threat only grows.
“With the onset of ransomware as a very volatile yet easily findable tool to deploy without much sophistication from a hacking standpoint, it has really become about knocking on as many doors as possible to see if someone answers,” said Bob Wice, U.S. focus group leader for cyber insurance at Beazley.
Ultimately, a ransom payment is the tip of the iceberg when it comes to cost. Cybersecurity Ventures predicts that ransomware damages will exceed $5 billion in 2017, more than 15 times greater than the total from 2015. These costs include damage and loss of data, downtime, lost productivity, post-attack business disruption, forensic investigation, restoration of data and systems, reputation damage, and employee training in direct response to an attack.
Indeed, watching recent attacks unfold, the true toll of WannaCry for organizations may be forcing recognition of these real risks and escalating the conversation—and perhaps panic—over a critical threat that demands preparation.
“WannaCry and other ransomware has demonstrated that the biggest impact to an organization is not the ransom itself, but the associated business interruption, and that has really changed the dialogue because more companies are realizing that the potential financial statement impact is something they really need to be focusing on,” said Stephanie Snyder, national sales leader for cyber insurance at Aon Risk Solutions.
If At First You Don’t Prepare…
Because the stakes are so high, it is critical for organizations to have a clear strategy for responding to a ransomware attack. The first step happens long before you ever see a lock screen and a bitcoin demand—planning for it.
In a June survey by ISACA, an international association of IT governance professionals, 62% of respondents reported experiencing ransomware in 2016, but only 53% have a formal process in place to address it, and 16% have no incident response plan at all. Deloitte also recently found that, despite notable confidence from business leaders, preparation for a cyber crisis lags. While 76% of executives felt highly confident in their ability to respond to a cyber incident, 82% said their organization has not documented and tested cyber response plans involving business stakeholders within the past year, and 21% lack clarity on cyber mandates, roles and responsibilities.
“Having an incident response plan is synonymous with cyber resilience,” said Rocco Grillo, executive managing director and cyber resilience global leader at cyberrisk management and incident response firm Stroz Friedberg. “Strategically, when we’re talking about the incident response plan, you should also be thinking in terms of how updated it is, whether it has been tested, and if it has been tested for situations like this.”
An incident response plan is a repeatable process that serves as a framework to guide companies through a crisis. Forging relationships proactively and gathering these resources in the incident response plan is key. Grillo called the core team needed in the room for crisis management “the six in the box: an outside forensics investigator, outside counsel, crisis communications, your cyber insurer or broker, notification and communications companies, and some type of relationship with law enforcement.”
In guiding companies through both preparation and crisis response, Grillo finds perhaps the biggest determinant in crafting a strong plan is communication between risk managers and chief information security officers. “One of the biggest things companies come up short on is not including the appropriate stakeholders from both IT security and the business—and when I say business, it’s not just the C-suite, but specifically risk managers,” he said. “That’s one of the paramount things we are striving to do: get all the risk managers and CISOs better aligned and tackling situations like this.”
Snyder agreed, “There has to be appropriate alignment and I think it comes down to the risk manager and CISO having a partnership and being able to have a dialogue to ensure the organization is protected, not just from an IT standpoint, but also from an enterprise risk standpoint.”
Once developed, it is critical that stakeholders go through and practice the plan, explore the decision paths that might arise from different cybersecurity scenarios, and ensure all necessary resources are identified and contact information collected for when disaster strikes.
“A crucial mistake we see is a company buying an insurance policy or saying they have done [the right preparation], but they are not communicating the incident response plan or they are not formalizing it adequately,” Wice said. “When a bad event does happen, they are still in a spot where they aren’t making the right phone calls, getting coordinated, or making a concerted effort to communicate internally about what’s happening. That results in mistakes being made and, probably, costs incurred that don’t need to be.”
To ensure maximum coverage for those costs, the plan should also detail when to contact insurers. “Organizations must be mindful of the notice clause and cooperation clause under their policy,” Snyder explained, urging policyholders to err on the side of notifying as early as possible when contemplating any action in the event of a ransomware attack.
The planning stage is also a good time to reach out to law enforcement, namely establishing a relationship with a local FBI office. Doing so in advance, rather than searching for a contact during a crisis and going in cold, can be very helpful, Grillo said, and the FBI is often aware of emerging threats and industry-specific incidents that have not yet been made public.
It Happened. Now What?
When an attack hits, crisis responders—hopefully with incident response plan in hand—will need to call on the right resources as quickly as possible.
If the company has a cyber liability policy, the first step is contacting the insurer with notice of a potential incident, which will prompt the insurer to activate its network of third-party resources to begin or even lead incident response. It is also time to activate the organization’s established external network, should it have one.
“We first need to hire attorneys to make sure that we understand the legal obligations,” Wice said. “The attorneys will assess the associated risk, hire the forensics firm under privilege, and get them a master services agreement connected with the insured and start conducting a forensics analysis.” Forensics experts must establish how the ransomware entered the system, answering: when did the infection happen, who was affected, how many nodes were affected, and does it impact the entire network?
According to security intelligence firm LogRhythm, 72% of companies attacked could not access their data for at least two days, and 32% could not for five days or more.
“All too often, companies jump off-plan and try to go to containment immediately—they find a system has been exploited or compromised and zero in on that,” Grillo said. “The investigation step is critical to any incident response plan. You need to know what is going on and how widespread it is, then you can move to containment.” This investigation, paired with the efficacy of existing cyber hygiene practices, will determine the decision path from there. “If they’ve got your data and it’s encrypted, your options are limited. If your systems have been patched and your data is backed up, you’ve got other options to take on,” he explained.
Last summer, RIMS, the publisher of this magazine, experienced a ransomware attack. As in the majority of cases, an employee fell for a phishing email and clicked a malicious link. When the attackers struck, Mike Peters, vice president of information technology, quickly isolated the infected machine, informed key stakeholders within the organization, communicated with staff about the crisis and any appropriate action from users, and carried out the key tasks to assess, contain, mitigate and remove the threat. In short, he said, “the logical steps to take were: 1. Identify, 2. Stop and mitigate the attack, 3. Develop a plan to combat it, and 4. Recover our data.”
Peters and his team were able to get RIMS back up and running in six hours with no data loss and no ransom paid. For this successful and rather fast recovery cycle, Peters credits rigorous baseline cyber hygiene practices, including his data retention plan and approach to backups, annual disaster recovery testing, periodic spot testing, and daily monitoring for network intrusion. Paired with his own considerable training and certification as a chief information security officer, ethical hacker, and data forensics examiner, these measures negated the need to bring in forensics consultants, speeding the investigation and mitigation process.
For bigger organizations and those without such internal resources, the process can take far longer and involve a wide range of internal and external stakeholders. According to security intelligence firm LogRhythm, 72% of companies attacked could not access their data for at least two days, and 32% could not for five days or more.
When the University of Calgary suffered a ransomware attack in May 2016, investigation, response and recovery was a considerably longer process, including a week of extensive forensics and crisis management. They brought in a breach coach, retained and engaged security specialists, and assembled an emergency response team and IT incident command that worked around the clock for days on end, according to Janet Stein, the university’s director of risk management and insurance and a member of the RIMS board of directors. Communicating with thousands of users involved both high- and low-tech solutions, from the university’s emergency notification app to posters on doors around campus. Affected computers and file servers were physically unplugged or virtually sandboxed and forensics specialists traced the malware, retaining relevant forensic evidence. The team met three to four times a day, focusing on specific deliverables related to investigation, workaround solutions for users, and next steps.
Once an organization regains access to its data and systems, the response process is not quite over—refining an incident response plan is both the first and last step in any cyber crisis. “It is very easy to overlook one thing that is key in developing a truly formidable incident response plan: lessons learned,” Grillo said.
Somebody will always click the link. Or in our case, when it happened, click the link 12 times.
Such review added concrete value in the wake of the RIMS attack, Peters said. The organization assessed the existing strategy and schedule for backups, contracted with an email filtering vendor to help head off future attacks via phishing, and implemented anti-malware software. These, he said, “have made a difference by leaps and bounds.”
While Peters periodically conducts phishing tests on employees, even within a risk management association, the weakest link will always be end users, and he believes the experience has also made a significant impact on improving awareness and education internally.
“Somebody will always click the link. Or in our case, when it happened, click the link 12 times,” he said. “I don’t think we’ll ever be 100% out of the woods with our end-user community, but I think our awareness has increased tenfold.”
To Pay or Not to Pay?
It is hard to say how many ransomware victims pay the ransom. The FBI believes only a quarter of attacks are reported at all, and insurers do not necessarily hear about ransoms paid. Many victims have immature cyberrisk programs to begin with, so they are not reporting, Snyder said, and even among more prepared companies, ransoms that do not meet the deductible or concerns over the impact on premiums lead some to keep quiet.
The middle of a crisis is not the time to have that debate—those conversations need to be had in advance and a decision made about whether you will pay.
Estimates vary widely: In a study by cybersecurity firm Carbonite, 45% of businesses that had suffered an attack paid up, usually citing lack of preparation as a top determinant. Fortinet pegged the number at 42%, while 70% of respondents surveyed by IBM Security said they paid. In its 2017 Cyberthreat Defense Report, security industry research firm CyberEdge Group found that 61% of its 1,100 respondents were compromised by ransomware in 2016, of whom 33% paid the ransom and recovered their data, 54% refused to pay but successfully recovered their data anyway, and 13% refused to pay and subsequently lost their data.
“The question of whether to pay often comes up, and there are differences of opinion, not to mention the legal and law enforcement aspects of paying cyber thieves,” Grillo said. He advises that companies assess the business implications, get counsel involved, and decide on a policy before an incident ever occurs. “The middle of a crisis is not the time to have that debate—those conversations need to be had in advance and a decision made about whether you will pay.”
For Peters, it was never an option. “We never thought about paying and as long as I’m here, we will never pay,” he said. “I have the utmost confidence in our backups because we do a disaster recovery test once a year and do periodic spot tests to ensure that we can recover servers, files, computers, work stations—the necessary things to keep us running.”
According to Wice, such appropriate and adequate backups are the key factor to avoid paying. Most of Beazley’s insureds rely on their backups and as a result, he estimated the number of clients that suffered an attack and paid a ransom is “less than double-digits.”
“I wouldn’t say that we, as an insurer, should be influencing that decision, but I will say—and most of the security industry would say—as long as you have the appropriate backups in place, don’t pay,” he said. “There’s nothing you could say that would make me comfortable that, should a company pay the ransom, they are going to just get back decrypted data. You’re talking about honor among thieves here. And if you do pay, how do you know that you’re not going to be tabbed as a mark for the next exploit?”
There’s nothing you could say that would make me comfortable that, should a company pay the ransom, they are going to just get back decrypted data. You’re talking about honor among thieves here.
Indeed, the FBI, which officially discourages payment, has cited several recurring problems experienced by those who do. Paying a ransom does not guarantee an organization will regain access to its data—in fact, some never received decryption keys after paying, and there are reports of malware simply deleting the files after decryption. Upon initial payment, some enterprises were pressed for more money, while other victims who paid reported being the target of cybercriminals again soon thereafter. The FBI also points out that payments “embolden the adversary to target organizations for profit” and create a lucrative environment that may draw in more criminals.
Cyberrisk experts acknowledge, however, that from a financial standpoint, paying may be the only practical option for some enterprises.
Despite extensive incident response efforts and temporary solutions like issuing 8,000 new email addresses so users could work, the University of Calgary ultimately paid a ransom of 27 bitcoin (then about $15,000, or CAN $20,000). While Stein said the response was largely considered successful, the university endured a week of disruption and had to evaluate all the data potentially not backed up, including academic research conducted on campus. The university’s board decided that access to data and services—and mitigating the potential costs of data loss—made paying worthwhile.
“As much as you would like to take the prudent position not to pay, that may not outweigh the company’s losses, and it really becomes a business decision,” Grillo said. “Ultimately, if your data is impacted and you can’t get it back, if it’s interrupting your business or impacting your clients, there are some serious business decisions that need to be made.”
If planning to pay, the organization should involve counsel and seriously consider contacting law enforcement, Grillo advised. “You’re negotiating with criminals at this point,” he said. “When you get that far into extortion situations, it’s likely beneficial to have law enforcement involved.”
Insurance: Beyond the Bitcoin
If an organization does pay, the ransom can be covered by a cyber insurance policy. In some cases, however, since the sums requested are so low, it may not meet the deductible. “We certainly have paid cyberextortion on the cyberextortion insuring agreement, but it’s not as much as one might think,” Wice said.
Covered losses specifically from ransoms remain low at Willis Towers Watson as well. “At this early stage, it seems to be sort of a high-frequency, low-severity issue—the extortion demands are relatively low, so a lot of times, it likely falls within the retentions,” said Jason Krauss, cyber/E&O thought and product leader for FINEX North America.
Beyond the ransom funds, cyber insurance can help companies manage and recover from a variety of ransomware-related losses. Carriers and brokers have even cited such cases as the best encapsulation of the growing insurance line.
A ransomware event is really the perfect scenario to illustrate the coverages in a standalone cyber insurance policy.
“A ransomware event is really the perfect scenario to illustrate the coverages in a standalone cyber insurance policy: you have, obviously, the extortion demand, the cost to investigate the potential breach, a business interruption situation that could arise, and potential third-party claims,” Krauss said.
These cases may also be broadening the way organizations assess their own cyberrisk exposure, and impacting insurance penetration as WannaCry primarily struck regions with very low take-up rates to date. “Because of the broad nature of the attack and the fact that it spread to so many countries, WannaCry certainly got organizations’ attention,” Snyder said. “Right now, roughly 30% of organizations of all revenue sizes purchase a cyber insurance policy and 90% of those organizations are inside the United States. This attack has changed the dialogue because it’s an example for organizations that may have previously thought about cyber insurance solely as coverage for privacy risk.”
While high-profile attacks prompt companies to assess the different kinds of loss a cyber policy would cover, these ransomware cases are helping firm up answers from insurers as well. As a burgeoning line that continually evolves to catch up with the changing threat landscape, some cyber insurance provisions remain relatively untested. Particularly given the increased potential exposure for insurers, Krauss said the recent widespread attacks have prompted conversations with the market about how every insuring agreement within a cyber policy would respond and how coverage will actually hold up to claims.
Although take-up rates are rising—and the attacks and subsequent losses continue to mount—there are no signs that ransomware claims will significantly impact pricing in the near future.
“The cyber insurance marketplace is becoming much more robust, including a number of new market entrants in both the London and U.S. markets, and it’s become rather competitive,” Snyder said. “Because it’s so competitive, we haven’t seen any type of rate impact arising out of ransomware losses. Right now, we continue to see a flattening of rates and a broadening of coverage in the cyber market, and that really has not changed as a result of the increase in losses.”
Wice agreed the surge in ransomware attacks will likely not impact pricing, but he believes it may help shape the growing cyber insurance market more broadly. “Ransomware is probably going to affect capacity,” he said. “Just like with large breaches in point-of-sale for retailers, just like in the managed care space, just like in the large hospital space, once large losses hit a tower of insurance, insurers take notice. A lot of the players that recently came into the marketplace because they thought there was a growth opportunity…history would dictate that they would leave and capacity would shrink.”
Author: Hilary Tuttle