Victimized Twice? Firms Paying Cyber Ransom Could Face U.S. Penalties

Recent advisories from two U.S. Treasury agencies –  the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) – indicating that companies paying ransom or facilitating such payments to cyber extortionists could be subject to federal penalties are a reminder of the importance of good cyber hygiene.  

The notices also underscore businesses’ need to consult with knowledgeable, reputable professionals long before a ransomware attack occurs and before making any payments. 

Ransomware on the rise 

In a ransomware attack, hackers use software to block access to the victim’s own data and demand payment (usually in Bitcoin or another cryptocurrency) to regain access. It has been a growing problem in recent years, and such attacks have intensified since the COVID-19 pandemic has led to many people working from home for the first time.  

The FBI warns against paying ransoms, but studies have shown that business leaders today pay a lot in the hope of getting their data back.  An IBM survey of 600 U.S. business leaders found that 70% had paid a ransom to regain access to their business files. Of the companies responding, nearly half have paid more than $10,000, and 20% of them paid more than $40,000. 

Sanctioned entities 

The OFAC advisory specifically targets transactions benefiting individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). 

If you pay ransom to anyone in these categories, you could be fined or even jailed for breaching the  International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). Penalties can vary widely, depending on the circumstances.  

How is a business owner to know?  

“Companies should rely on experts to assist with their due diligence and work with the FBI,” writes law firm BakerHostetler in a recent blog post. “Experience in incident response is key, and your counsel should be an informed, confident partner as you navigate this rapidly evolving area.” 

“Before a payment is made,” the law firm writes, “a company generally retains a third party to conduct due diligence to ensure that the payment isn’t being made to a sanctioned organization or a group reasonably suspected of being tied to a sanctioned organization. Additionally, checks are in place to ensure that anti-money laundering laws are not being violated.”

Many insurers are working with their clients to put such practices in place and taking a variety of other steps to address the threat of ransomware attacks. Cyber-insurance premiums started rising 5% to 25% late last year, according to Robert Parisi, U.S. cyber product leader at insurance broker Marsh & McLennan. Parisi called the increases “dramatic” but said insurers have not scaled back coverage. 

Marsh has issued a client advisory — What OFAC’s Ransomware Advisory Means for US Companies — explaining what U.S. businesses need to know about the OFAC advisory and the importance of completing an OFAC review before payment of ransom demands.  Marsh’s advisory also makes recommendations for re-assessing ransom incident response plans, mitigating ransomware risk, and preparation for and recovery from ransomware and cyber extortion attacks. 

Insurers Help Victims Find Freedom from Domestic Violence Through Financial Empowerment

COVID-19 Could Further Impact Intimate Partner Violence Survivors

By Loretta Worters, Vice President – Media Relations, Triple-I

Financial security and access to resources can make all the difference to domestic violence victims when deciding to leave an abusive relationship. And insurance is an important component of financial planning that can help survivors move forward.

Financial abuse is a common tactic used by abusers to gain power and control in a relationship. The forms of financial abuse may be subtle or explicit, but in in general, include tactics to conceal information, limit the victim’s access to assets, or reduce accessibility to the family finances. Financial abuse – along with emotional, physical, and sexual abuse – includes behaviors to intentionally manipulate, intimidate, and threaten the victim in order to entrap that person in the relationship. In some cases, financial abuse is present throughout the relationship and in other cases financial abuse becomes present when the survivor is attempting to leave or has left the relationship.

Repercussions from the pandemic – layoffs, loss of income, living with abusers due to stay-at-home orders, restricted travel and closures of key community resources – are likely to dramatically increase the incidence of domestic violence, which may further hamper a victim from leaving an abusive situation. 

Survivors struggling to get back on their feet may also be forced to return to their abuser.  That’s why it’s so important survivors understand how insurance works and what a critical role it can play in gaining financial freedom and economic self-sufficiency.

In support of Domestic Violence Awareness Month, the I.I.I. offers financial strategies to protect victims before and after leaving an abusive relationship. They include securing financial records, knowing where the victim stands financially, building a financial safety net, making necessary changes to their insurance policies and maintaining good credit. 

The National Coalition Against Domestic Violence (NCADV) reports that 10 million people are physically abused by an intimate partner each year, and 20,000 calls are placed to domestic violence hotlines each day. In addition, 85 percent of women who leave an abusive relationship return because of their economic dependence on their abusers. Furthermore, the degree of women’s economic dependence on an abuser is associated with the severity of the abuse they suffer.

“Home is often times a dangerous place for survivors of domestic violence, and COVID-19 exacerbates the circumstances, due to the abusers’ ability to further control,” said Ruth Glenn, president and CEO of the NCADV. “Tactics abusers use include ruining the credit of their victim as well as financial and digital abuse, such as stimulus funds being co-opted by abusers to an increase in domestic online harassment,” she said. 

Experts agree that domestic online harassment can come in many forms, from impersonating a victim by email in order to sabotage her work, to controlling the influx of information about the pandemic to make her more fearful and reliant on the abuser.

The Allstate Foundation’s domestic violence initiative has been committed to ending domestic violence through financial empowerment, providing survivors with the education and resources needed to achieve their potential again and equip young people with the information and confidence they need to help prevent unhealthy relationships before they start.  This year the Foundation contributed $500,000 to help the National Network to End Domestic Violence support more than 100 local domestic violence organizations. The Foundation also provided funding for the National Domestic Violence Hotline to enable remote-working technology and has worked with these organizations who are urging Congress to pass a COVID-19 relief package that addresses the housing, economic, physical and mental health needs of survivors of domestic and sexual violence and the advocates on the frontlines that need additional resources to ensure the safety of survivors and their staff.

“One of the most powerful methods of keeping a survivor trapped in an abusive relationship is not being able to support themselves financially,” Glenn explained. “That’s why insurance and financial education are so important,” she said.  “Education can save a life.”

Mitigation Matters – and Hurricane Sally Proved It

 A FORTIFIED roof (left) sustained no damage from Hurricane Sally, the neighboring house (right) did not fare as well.

The FORTIFIED construction certification was developed by the Insurance Institute for Business and Home Safety (IBHS) to protect homes against severe weather. In this post Fred Malik, managing director, FORTIFIED, and Chuck Miccolis, managing director, Commercial – IBHS, talk about how the system held up in Alabama against Hurricane Sally.

In 2004, Hurricane Ivan slammed into Alabama causing widespread devastation. Unwilling to let the same damage happen again, thousands of homeowners and commercial property owners have turned to IBHS’s FORTIFIED program to protect their properties and prepare for the next big storm. 

Last month, the ‘next big storm’ came. Exactly sixteen years since Hurricane Ivan made landfall, Hurricane Sally crawled its way onto the Alabama coast. The Category 2 storm subjected homes and businesses to more than 8 hours of relentless winds. While the aftermath of Sally’s landfall vividly showed too many buildings are still not built as strong as they could be, those in the area built to the FORTIFIED standard provide hope for a more resilient future.

More than 16,000 FORTIFIED properties were put to the test and they demonstrated homes and businesses can be built better. In the days following Sally’s landfall, IBHS conducted field assessments across coastal Alabama to better understand building performance, including dozens of FORTIFIED properties. To date, indications are that more than 90% of the thousands of FORTIFIED buildings had zero to minor cosmetic damage. As a wind standard, FORTIFIED performed to its design.

The evidence is clear driving through Baldwin County, Alabama – home and business owners who had a FORTIFIED Roof didn’t need a blue tarp, didn’t have significant water intrusion through the roof, and businesses were able to re-open as soon as flooding abated and power was restored. Most observed damage was only cosmetic, and disruption was minimized, meaning those who made the decision to strengthen their properties aren’t dealing with the headache of rebuilding. Because FORTIFIED provides layers of protection, it stopped the cascade of damage before it started.

Some FORTIFIED homeowners were even able to offer refuge for neighbors in need.  Having benefited from local incentives to build stronger, some FORTIFIED homeowners in Orange Beach experienced no damage from wind or wind-driven rain, while neighbors were forced to make repairs as well as tear out and throw away much of the contents of their homes.

Another poignant example took place at the Lodge at Gulf State Park, which had been completely destroyed by Hurricane Ivan. Determined to overcome the vulnerabilities Ivan had so devastatingly exposed, the property owners wanted to be a leader in demonstrating to the community how to build back stronger. They turned to the FORTIFIED program.

The hotel was rebuilt in 2019 to the FORTIFIED standards, and IBHS verified the construction process and material selection complied with those standards. Evaluators, trained by IBHS, guided construction and design teams to minimize flaws that otherwise may have gone unnoticed. As a result, when Hurricane Sally’s eyewall passed directly over the Lodge, it not only continued operations, it also housed employees who did not have FORTIFIED homes. Additionally, many media outlets, including The Weather Channels, chose to stay at the lodge to cover the storm and, some unknowingly, benefitted from the protection of FORTIFIED to report on the hurricane, perhaps prompting FEMA Administrator Pete Gaynor to emphasize “mitigation works.”

Continuing the post-storm research, IBHS will develop an analysis of key factors influencing the performance of these FORTIFIED structures. Preventing avoidable damage is one of IBHS’s three imperatives, and Sally demonstrated how FORTIFIED achieves that mission. For more information, go to fortified.org.

Hurricane Delta insured losses estimated at up to $3 billion

Flood waters from Hurricane Delta surround structures destroyed by Hurricane Laura on October 10, 2020 in Creole, Louisiana. Hurricane Delta made landfall near Creole as a Category 2 storm initially leaving some 300,000 customers without power. (Photo by Mario Tama/Getty Images)

Hurricane Delta made landfall in Creole, Louisiana, on October 9 as a Category 2 storm with 101 mph sustained winds and a 9.3-foot storm surge. Landfall in Cameron Parish was within 13 miles of where Category 4 Hurricane Laura made landfall in late August. Delta knocked out power to over 500,000 customers in Louisiana (a quarter of the state’s homes), plus another 300,000 in parts of east Texas and western Mississippi. It was a record-setting 10th continental U.S. landfall of a named storm during a single hurricane season and record-tying fifth hurricane continental U.S. landfall in a season.

Similar paths by Hurricanes Laura and Delta in Louisiana triggered the state law that stipulates that policyholders are not required to pay a hurricane deductible twice in the same storm season. State Insurance Commissioner Jim Donelon said that for people who did not exhaust their deductible during Laura, the remainder would apply to Delta only if the unused amount is larger than the standard all-perils deductible. It is not known yet how many people suffered damage from Delta.

Insured loss estimates for Hurricane Delta range from $1 billion to as high as $3 billion, according to catastrophe risk modelling specialist AIR Worldwide. The company warns of the potential for loss increase due to hurricane Delta’s impacts coming so soon after hurricane Laura’s. Karen Clark & Company’s estimate that onshore insured losses will be about $1.25 billion and CoreLogic estimates that onshore and offshore insurance market losses from Delta will be between $1.5 billion and $2.7 billion.

During a live interview on The Weather Channel’s Weather Underground on Monday, October 12, the Triple-I’s Mark Friedlander discussed property losses for Louisianans who were impacted by hurricanes Delta and Laura. He also provided claims-filing tips.

The Future of American Insurance and Reinsurance Releases a Digital Business Interruption Insurance Explainer

Future of American Insurance and Reinsurance (FAIR) has released a new interactive tool to help showcase the need for a federal solution to pandemic relief. The Business Interruption Insurance “explainer” utilizes digital storytelling techniques to help clarify information about this complex topic.

The digital explainer complements the FAIR campaign’s other recently-released digital assets, including a video overview of BI and pandemics, and a primer deck that provides quantitative backing to the assertion that pandemics cannot be privately insured. 

As trial attorneys attempt to retroactively force uninsurable pandemic coverage in business interruption insurance contracts, this tool is designed to show what business interruption insurance covers, how surplus helps pay for covered perils such as hurricanes and wildfires, how insurers have stepped up to help policyholders, and the need for a federal solution to the pandemic.

ABOUT FAIR
FAIR is an initiative of the Insurance Information Institute and its member companies whose mission is to ensure fairness for all customers and safeguard the industry’s longstanding role as a pillar of economic growth and stability.

Keeping Halloween Safe, Even During a Pandemic

Dan and Ben, ready for a safety-conscious Halloween last year.

My five-year-old nephew, Ben, is a great source of pride to his electrician father, Dan. Last Halloween, Ben refused to trick-or-treat at a particular house because he noticed that the decorations there were a fire hazard.

Halloween is supposed to be fun, but it has always involved risks and potential liabilities. The video below outlines some of the “traditional” hazards and ways to mitigate them, from eliminating trip-and-fall dangers to preventing fire and pet-related perils.  

And while much of the focus of Halloween-risk mitigation is on the home, Donald R. Grady, a Boston personal injury attorney, says the biggest dangers actually involve cars.

“You see an uptick in automobile accidents,” Grady says. “Especially with teenagers, who don’t have adults with them and who rush from house to house.”

The curse of 2020

2020 has aged us all….

Perhaps predictably by now, 2020 has brought the spooky holiday threats of its own. COVID-19 has introduced new Halloween concerns.

The Centers for Disease Control and Prevention (CDC) has published a list of low-, moderate-, and high-risk Halloween activities for a time of pandemic.

Lower-risk activities include:

  • Carving or decorating pumpkins with members of your household and displaying them
  • Carving or decorating pumpkins outside, at a safe distance, with neighbors or friends
  • Decorating your house, apartment, or living space
  • Having a virtual Halloween costume contest
  • Having a Halloween movie night with people you live with.

Moderate-risk activities include:

  • Participating in one-way trick-or-treating, where individually wrapped goodie bags are lined up for families to grab and go while continuing to social distance
  • Having a small group, outdoor, open-air costume parade with people distanced more than 6 feet apart
  • Attending a costume party held outdoors, where protective masks are used and people can remain more than 6 feet apart.

The CDC provides caveats and additional guidance for these and other moderate-risk activities, so if you’re even thinking about them, definitely read the relevant guidance. It advises against the following:

  • Traditional trick-or-treating where treats are handed to children who go door to door
  • “Trunk-or-treat,” where treats are handed out from trunks of cars lined up in large parking lots
  • Attending crowded costume parties held indoors
  • Going to an indoor haunted house where people may be crowded together and screaming
  • Going on hayrides or tractor rides with people who are not in your household
  • Using alcohol or drugs, which can cloud judgement and increase risky behaviors
  • Traveling to a rural fall festival that is not in your community if you live in an area with community spread of COVID-19.

Lightning Round Webinar Showcases Cutting Edge Disaster Mitigation Technologies

Four entrepreneurial teams who have developed products to boost societal resilience and to mitigate natural disaster risks will present them during a free Insurance Information Institute (Triple-I) event on Thursday, Oct. 22, at 11 a.m., ET.

Billed as the Lightning Rounds for Resilience and Pre-Disaster Mitigated Innovations, it is the third time this year the Triple-I and its Resilience Accelerator, ResilientH20 Partners and The Cannon, have connected entrepreneurs with leading insurance innovation specialists and investors. Pre-registration is required.

The first of the day’s two panels will feature the web-based apps developed by the prize-winning teams from 2020’s collegiate Hack-for-Resilience III. The Triple-I and the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania honored these two student entrepreneurial teams in September 2020.

  • Air.ly:  The app identifies locales near wildfire zones where individuals afflicted with respiratory issues, or other health complications, can find fresh air. It won the prize this year for the Best Overall Hack-for-Resilience.
  • Insura: The app uses a home’s location and historical loss data to recommend mitigation and maintenance activities which could reduce a homeowner’s insurance premiums.  It won this year’s prize for the Best Application of Insurtech.

“We’re excited to spotlight the outstanding work of talented students who have accepted the challenge to build and empower the resilience movement. Products like Air.ly and Insura are proof today’s brightest young minds are creating the tools that will better allow people to navigate through, and prepare for, natural disasters,” said Michel Leonard, PhD, CBE, Vice President and Senior Economist, Triple-I.

Two established businesses – members of the Resilience Innovation Hub “portfolio of disaster risk-mitigation innovation” -will present their products and services during the event’s second and final panel:  

  • Thermal Gate™ 2.5:  The artificial intelligence (AI) based system screens and detects individuals who have an elevated body temperature before they enter venues which are open to the public.
  • Mesh++ : The just-in-time WiFi community network requires no external power nor wiring to generate broadband access for first-responders, citizens, and preparedness interests.

Click here to register.

Economic Datain the Age of COVID-19

Dr. Steven N. Weisbart, CLU, Triple-I Senior Vice President and Chief Economist

COVID-19 pandemic has not only disrupted our economy – it has complicated the data we routinely use to understand economic developments. This is a bit like finding out the thermometer you use to tell if you have a fever is unreliable.

Here are two examples of why it’s hard to know what’s happening.

 What is the correct unemployment rate?

The April 2020 Bureau of Labor Statistics (BLS) employment report said the U-3 rate – just one of six unemployment measures BLS reports – was 14.75 percent. This number is derived by dividing the number of people counted as unemployed (23.078 million) by the civilian labor force (156.481 million), which is everyone who is either working or unemployed and looking for work.

But when the virus was recognized as a major public health threat in mid-March and April and many businesses and organizations were shut down, throwing many millions out of work, some who were affected decided to retire. This means they were no longer counted as part of the civilian labor force. This is most vividly seen by comparing the civilian labor force in February (164.6 million) with its count in April (156.5 million)—a drop of 8.1 million.

The large number of retirees affected the unemployment rate: if they had not retired, most would likely have been counted as unemployed. To keep the math in our example simple, let’s say 7 million of the retirees had remained in the labor force and been counted as unemployed (maybe the other 1 million would have retired then anyway—virus or no virus). The unemployment count would have been 30 million (23 million counted plus 7 million un-retirees) and the civilian labor force would have been 163.5 million (156.5 counted plus 7 million un-retirees).

The unemployment rate would have been announced as 30 million divided by 163.5 million, or 18.35 percent, instead of 14.75 percent.

So, which one is correct?

Are seasonal adjustments still correct?

Macroeconomists have long recognized that many economic data have seasonal patterns. For example, retail sales often spike in the last quarter of the year because of the holidays. Sales for some items, such as those bought for “back to school,” spike at other times. So, to see what’s really happening, economic data are often adjusted to account for the seasonal effects and reported after these adjustments are made.

To see the effect of seasonal adjustments, look at the following two graphs. The first is employment in the construction industry that is not seasonally adjusted. The second is the same industry and time; the only difference is that its data are seasonally adjusted.

Construction employment obviously dips in the cold months, and the drop shown in the first graph doesn’t represent any significant economic change, so the seasonal adjustment in the lower graph lets us see only changes beyond the seasonal adjustment, such as what happened in 2020.

The problem, from an economic analysis viewpoint, is that the amount of seasonal adjusting to apply is a judgment call, and it is often based on a historical period in which conditions were much as they are now. But what’s happening now has no satisfactory historical precedent.

So should we keep using the seasonal adjustment factors from before, or do they not apply to the current economic situation?

These are just two examples of datasets or analytical approaches whose relevance can be called into question in light of COVID-19 – further complicating the already complex and nuanced endeavor of attempting to understand and anticipate economic developments.   

Insurance kicks it old school: Virtual campus event series to showcase alumni in insurance

By James Ballot,  Senior Advisor, Strategic Communications, Triple-I

Is insurance the ultimate high return/low-risk career option?

Many career experts and insurance professionals agree that few fields offer as many outstanding career paths and opportunities. To spread the word to college students, Gamma Iota Sigma (GIS) is teaming with Triple-I to host virtual sessions at three academic institutions this fall.

GIS’s Security in Risk Tour brings insurance industry executives back to their alma maters to share career stories and advice with students who are pursuing degrees in majors other than risk management or actuarial science (the two fields most often associated with insurance). 

The first stop on the 2020 Security in Risk Tour is the “Insurance Career Showcase and Alumni Panel” on Wednesday, Oct. 14, at 5:30 p.m. EDT at Syracuse University, which will be hosted by the upstate New York institution’s Martin J. Whitman School of Management.

“For hundreds of years, insurance has been a key driver of innovation and economic growth worldwide,” said Sean Kevelighan, CEO, Triple-I. “Thanks to Gamma Iota Sigma and programs like the Security in Risk Tour, the U.S.’s insurance industry is able to engage with, and recruit, some of the nation’s most promising college students.  Insurers are making homes, businesses and communities safer by recruiting and hiring well-educated and ambitious young men and women as they embark on their professional careers.”

Other 2020 Security in Risk events scheduled for the fall include:

  • Wednesday, Nov. 4: “STEM [Science, Technology, Engineering, and Mathematics] Careers in Risk Management and Insurance,” at Stevens Institute of Technology, Hoboken, NJ
  • Thursday, Nov. 5: “Security in Risk: Careers in Cyber Risk Management and Insurance,” at Baruch College, New York City.

“The insurance industry has a great story to share,” notes Alyssa Bouchard, CPCU, ASLI, ARM, Director of Education & Programming, Gamma Iota Sigma. “We’re excited to team up with the Triple-I to expand our reach by engaging with students at colleges and universities without GIS chapters. The Security in Risk Tour helps to educate students of all majors and backgrounds about the insurance industry’s positive societal impact and limitless career opportunities.”

The Gamma Iota Sigma Security in Risk Tour is presented in partnership with Triple-I. Funding is provided by the program’s lead supporters, Chubb and the Spencer Educational Foundation.

Deaths Resulting from Louisiana Hurricanes Underscore Need for Personal Power Generator Safety Awareness

(Photo by Rob Foldy/Getty Images)

By James Ballot,  Senior Advisor, Strategic Communications, Triple-I

On October 1, Hurricane Delta hit Louisiana as a Cat. 2 storm, cutting power to almost 700,000 residents and causing further setbacks to people in that region who were still recovering from Hurricane Laura, the Cat. 4 storm that ravaged the region in late August.

Residents in hurricane-prone regions commonly rely on emergency power generators to aid in recovery from storms and other catastrophes. Nevertheless, many home and businessowners lack knowledge and training to safely run these devices: of the more than 30 lives lost to Laura and Delta nearly one-third  were caused by fires or carbon monoxide (CO) poisoning due to improper use of emergency power generators.

If you own a generator or are considering purchasing one as part of your emergency preparedness planning, the Triple-I encourages you to follow guidance put forth by the Center for Disease Control, State Farm, Travelers and other reliable sources, including:

William Davis, the Triple-I’s Georgia Media Relations Director adds, “Before a storm knocks out electricity, generator owners need to learn how to use them safely. Generators can be life savers in time of need, but they can also be killers!”