Security Management Archives

May 2017
After an Active Shooter
By Holly Gilbert Stowell, May 1, 2017
https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspx

Organizations affected by an active shooter event will face extraordinary challenges from the moment the first shot is fired. Even if the company is able to maintain business operations in the aftermath, the physical and emotional recovery can go on for months and years after the event. Besides reevaluating physical security measures, updating business continuity plans, and dealing with possible lawsuits, companies also have a responsibility toward their employees who have suffered severe emotional trauma.

To recover from an active shooter event, restore business operations, and retain employees, experts say that business continuity planning, communication strategies, and personnel issues should be among the top priorities for organizations. In this article, experts discuss what security professionals can do in the aftermath of an incident to recover as quickly and effectively as possible.

Business Response

Business operations will be devastated by an active shooter situation, experts say. Access to the building, or at least the floors where the incident occurred, will be virtually impossible.

“Law enforcement is going to lock down the building, and it may not be given back for many days,” says Dave Hunt, senior instructor at Kiernan Group Holdings, a consulting firm that assists companies in planning for and responding to active shooter events. “It depends entirely on the extent of the incident–how many injured, dead, how many bullets? Every single trajectory of every single bullet, every shell casing, is all going to be essentially recovered.”

Communication. Having a well-prepared crisis communications plan in place before an incident is crucial, but executing that strategy is inevitably more difficult when faced with a real-life tragedy. Experts say that an organization needs to maintain open communication with various groups following an active shooter event.

Because news travels at lightning speed, any organization affected by an active shooter event can expect the media to pick up on it almost immediately. “When an incident occurs, local media, newspapers, and TV stations are going to hear about it and they’re going to descend on that campus or facility,” says Josh Sinai, principal analyst at Kiernan Group Holdings, “and this will happen within 30 minutes.”

Talking to the media and the public can be one and the same, says Hunt, and he recommends that companies put a message on their social accounts and websites, and have a skilled speaker to talk to the press. “The media is one avenue through which the public can be communicated to,” he says, “but today we can also communicate with the public directly via Twitter, websites–there are all kinds of different social media options.”

Larry Barton, a crisis management consultant, echoes this sentiment: “Get to the media before they get to you.” He recommends that leadership have several preplanned responses to rely upon and modify, as needed.

“This is where a company can really distinguish itself by being crisis-prepared. Have your frequently asked questions ready, and start filling in the blanks from the moment the incident occurs,” Barton says. “You can keep refining them, you can keep massaging them, but get them started.”

These communication techniques work in the case of any crisis, says Darryl Armstrong, crisis communications expert at Armstrong and Associates. For example, one of his clients, a company responsible for large cleanup jobs after natural disasters and other hazardous events, used prewritten statements for large-scale incidents to quickly communicate with the media.

“On the front end, they sat down as a core team and had put together an extensive set of media holding statements,” he says. These holding statements are prewritten messages that refer to specific event types, such as active shooter, fire, or medical hazard. The documents can be easily accessed and modified during a crisis, then quickly sent out to the media and the public.

He adds that the company also took the time to think about “every single question imaginable” that could come up in a press conference for any given disaster. “There was not a single question in the press conference they were not prepared to handle,” Armstrong says.

Stakeholders. Communicating with family members of employees, especially those who are killed or wounded, should be a priority for companies after an active shooter event.

Barton, who helps clients prepare for and respond to active shooter and workplace violence events, tells Security Management that he recently worked for an industrial facility in Tennessee that lost three employees in a workplace shooting. Within an hour after the incident, the employer had contacted all the victims’ families. This should be a standard practice for any company that finds itself in a similar crisis, he says.

“There is not an ounce of liability associated with being kind to a family after an active shooter event,” he notes. “We have to say to our legal colleagues in HR, ‘This is not about the handbook, this is about the Golden Rule. We have to do the right thing.’”

Small and family-owned businesses tend to handle these events with more empathy, making for a faster overall recovery, says Armstrong. “In the recovery phase, they make themselves available. They go out of their way to do what they can to help the victims’ families, and the communities rally around them,” he notes.

He adds that universities are another sector that handles communicating with stakeholders well, given that there are usually guidance counselors and psychologists on staff. “Their crisis management teams typically include people who are interacting daily with students and parents, so they are able to empathize.”

Barton adds that while social media makes a great tool for communicating with the public post-incident, the platform is not appropriate for informing family members of any details. “Shame on any company where an employee’s loss of life is shared with the family by Twitter. That has happened, it will continue to happen, and you must never allow that to happen on your watch.”

Organizations may consider using “dark websites” that go live in the event of an emergency. When someone types in the main URL for the organization, they are redirected to a ghost site that has the latest information available. Armstrong recommends that organizations set up these pages to have at least 10 times the bandwidth of their normal site to accommodate heavy traffic.

Recovery

A well-prepared organization can continue business operations in the event of a range of hazards, such as bad weather or a fire, and it can build off those same crisis continuity plans when recovering from an active shooter event. “This is one more threat that your organization should be preparing for to determine how you can continue operations,” Hunt says.

Business operations. Hunt recommends identifying an off-site location where operations can take place while the building is still being evaluated by law enforcement or damage is being repaired. IT systems should be backed up so they can be accessed from anywhere.

“You need redundancy for roles,” adds Sinai, who says that at least one additional person should be trained in each major position at an organization. That way, if someone in a leadership role is killed or injured, their job function is not completely lost.

Company leaders will still be addressing basic questions of business operations that could easily be overlooked in the aftermath of a tragedy. Barton notes that employees who survive an incident are still worried about their livelihood. “Besides asking who got hurt or was killed, the second thing is, ‘Are we going to be paid?’” he notes. “So we have to have our leadership rehearse and train on a wide variety of questions that will come up.”

As a benchmark for business recovery, Sinai cites the example of a beer distribution plant in Manchester, Connecticut, that suffered an active shooter event. On August 3, 2010, eight employees of Hartford Distributors were killed by another worker at the facility who was being escorted out of the building after resigning. “It was a small business, it didn’t have the resources of a big company,” Barton says. But this distributor reached out to surrounding companies for help.

The beer distributor didn’t have a trained counselor on staff, so Manchester law enforcement contacted area businesses to get trauma counselors and ministers onsite. “Know the community resources that can be at your site within an hour after any catastrophe,” Barton says.

An offsite location was being set up for business operations, but employees protested, saying they felt strongly about returning to the original facility as soon as possible. In the days following the shooting, 100 employees from other beer distribution plants in Connecticut, as well as in Rhode Island, came to assist the company in keeping business operations on track. A memorial service was held for the employees who lost their lives. The company president addressed workers on the front lawn, in front of a makeshift memorial, before they reopened their doors.

Just two months after the tragedy, Hartford Distributors merged with another beer company, Franklin Distributors, forming a larger organization. “The shooting was a very tough thing for all of us to go through,” Jim Stack, president of the new business, said to the Hartford Business Journal in a January 2011 article. “It certainly slowed some things down for us in coming together, but it did not stop us.”

Emotional response. The trauma inflicted on those who survive an active shooter incident can be enormous, and experts say that businesses ought to prepare in advance to provide mental health assistance for affected employees. This will help businesses recover more quickly by retaining experienced workers, and provide employees with the emotional help they need.

Hunt cites the Navy Yard shooting in Washington, D.C., in September 2013, when a shooter killed 13 employees. He says that employees were shaken that an active shooter could breach a secure military installation. “People who were interviewed following that incident were asked, ‘Do you feel safe going back to work?’ and the answer was, ‘No, I don’t feel safe going back to work,’” Hunt notes. “So you have the potential of losing employees, which are your most valuable asset, as a result of this incident.”

Employees may not show immediate signs of trauma; negative emotions could surface months later. “Depression and PTSD are rarely going to emerge in the first hour. Your body is still in shock,” Barton says.

Experts stress the importance of employee assistance programs (EAPs), which are confidential and provide counseling, assessments, and referrals for workers with personal or work-related concerns.

“In all 50 states you can mandate that an employee actually go to an EAP program if there was a critical incident,” Barton notes, though he doesn’t recommend it in every case.

To order an employee to seek counseling, the worker must demonstrate tangible evidence that they may pose a risk of harming themselves or others, Barton says, such as mentioning suicide, a desire to hurt others, or talking about weapons. Employers may decide instead to have a sit-down with that worker and have them sign a letter acknowledging they made the remarks, but understand that doing it again could result in termination. “EAP is not your human resources department, they are there to support your HR department,” he emphasizes.

There will also be organizations indirectly affected by shootings. For example, Barton worked with one financial firm that had a worker lose a family member in a high-profile mass shooting. The other employees struggled with how to respond to him emotionally. The company asked Barton to hold a debriefing to address people’s concerns.

“I heard it all,” Barton says. “Do you leave a card on the desk? Do you kind of ignore him and just look the other way? Do you come up and say, ‘I have no idea what you went through but my prayers are with you’?” Ultimately, he says, you can expect a variety of emotions expressed by employees at businesses both directly and indirectly impacted by these events, including fear, sadness, and even anger.

Outlook. Conducting an after-action report may be a good idea for organizations that have suffered an active shooter event, experts say. It not only helps evaluate what worked and what did not in response to an incident, but other practitioners can turn to these documents for their own planning. “It’s very important for a security officer to look at after-action reports and to get best practices out of it,” Sinai says.

He cites the after-action report completed by the U.S. Fire Administration on Northern Illinois University (NIU) after a classroom shooting on campus in 2008. That tragedy left six people dead, including the perpetrator.

The report notes that NIU had studied the official report on the Virginia Tech shooting and was prepared for the tragedy that occurred in its own building just a year later. “The value of that report, their training, and their joint planning was apparent in the excellent response to Cole Hall,” the after-action report stated of the university.

While organizations may recover from a business standpoint, there may be significant changes implemented afterwards. For example, the building that formerly housed Sandy Hook Elementary was torn down, and a new facility was constructed at the same site. That building reopened in August of last year, nearly four years after the shooting. In the case of Virginia Tech, the classroom building where the second shootings took place was turned into a dormitory hall.

Overall, Hunt says that while organizations can never fully prepare themselves for a tragedy, they can learn from even the worst of situations. “You’re going to identify a lot of areas that can be improved,” he says. “There’s never going to be a perfect plan or a perfect response.”

To read how the city of San Bernardino recovered from the 2015 holiday party shooting that killed 14 people, see https://sm.asisonline.org/Pages/Responding-to-San-Bernardino.aspx.

--

Active Shooter Liability

In the case of an active shooter, U.S. companies are liable for protecting their employees as in any workplace violence incident. Under the U.S. Occupational Safety and Health Act of 1970, every U.S. employer is required to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.” U.S. states and localities may also have their own relevant laws.

Hunt says companies that suffer a shooting can expect lawsuits. “If a family member is killed or injured here, there’s a high likelihood there will be a lawsuit alleging that not enough was done to prevent the incident, or to protect them during the incident,” he says. The case of disabled workers can also come up. “Someone who is disabled may feel they weren’t appropriately accommodated,” a requirement under the U.S. Americans with Disabilities Act.

Barton says he believes a little effort and communication goes a long way in helping reduce the severity of a lawsuit when employees are killed. “If you can, reach out to the family with the support of your legal department to simply say, ‘We are here for you,’” he notes.

In addition to advance planning, organizations need to carefully document the steps they take in the aftermath to help their case. “There’s going to be a lot of holes in there. But at least say, ‘Here are the steps that we did proactively take to try to manage the incident.’”
Terrorists Check In
Strategic Security
https://sm.asisonline.org/Pages/Terrorists-Check-In.aspx

Just after 8:00 a.m. on January 25, attackers detonated a truck bomb outside the gates of the Dayah Hotel in the Somali capital of Mogadishu before storming inside. Fifteen minutes later, another truck bomb exploded, and security forces were dispatched to take control of the hotel.

The hotel, located near Somalia’s Parliament building, was said to be popular with lawmakers and government officials. That may have made it a target for the attackers—later identified as al-Shabaab, an extremist group linked to al Qaeda, whose attacks are designed to turn Somalia into a fundamentalist Islamic state.

The attack in January killed at least 21 people and injured more than 50, according to CNN. It was just the latest in a succession of recent attacks on soft targets in Africa and Europe, and it raised awareness of a global and shifting threat that no international business can ignore: the risk of an attack on a hotel where a traveling employee is staying.

Since 2002, more than 30 major terrorist attacks have targeted hotels across the world. Because of this outbreak of attacks, businesses, tourism professionals, and hoteliers themselves are calling hotel risk procedures into question.

Hotels as Soft Targets

Hotels became major targets for bomb attacks by terrorists in Asia in the 2000s, and the threat has since moved to Africa. Attacks against hotels in 2015 and 2016 accounted for a third of all major terrorist attacks in the world, likely because they are considered to be soft targets.

Some hotels make more attractive targets than others, for a variety of reasons. One of these is the opportunity to harm a large number of people. Hotels are gathering places, and in addition to guests there are visitors for banquets, as well as bar, restaurant, and leisure facility customers.

Another reason a hotel might be an attractive target is that it is likely to garner international media attention. The more victims there are from different countries, the more media attention the attack is likely to generate.

Attacks on hotels also express an ideology: international luxury hotels symbolize Western culture. Jihadists often consider hotels immoral places where men and women interact, and where alcohol is easily accessible.

Attack Strategies

Terrorists used three attack strategies when targeting hotels between 2002 and 2015: explosives (44.4 percent), firearms (25 percent), and a combination of the two (30.6 percent), according to the Global Terrorism Database.

Explosives. There are two varieties of attacks on hotels using explosives: the human bomb and the vehicular bomb. These tend to cause the most physical destruction and injure the most people, making them effective for terrorists.

Human bombs have a geographically limited reach and are mainly used in spaces that are open to guests. For instance, in November 2005 in Amman, Jordan, terrorists detonated explosive belts in the ballroom of the Radisson SAS, near the coffee shop of the Grand Hyatt Hotel, and in the entrance of a Days Inn. Fifty-seven people were killed in the attacks, and more than 100 people were wounded, according to The New York Times.

In contrast, vehicular bombs account for 31 percent of terrorist attacks on hotels. This technique is used to cause large-scale material destruction and potential chain reactions from the explosion—such as gas line bursts, fire, structural collapse, and destruction of guest and staff lists.

In 2008, for example, terrorists packed a truck with a ton of explosives and drove it into the Islamabad Marriott’s security gate. The vehicle exploded, killing 53 people and injuring 271, and officials were concerned that the building itself might collapse and cause even more injuries and damage, The Telegraph reported.

Occasionally, the two techniques are used together. One such case was in 2005 in Sharm El Sheikh, Egypt, when terrorists set off a truck bomb near the Iberotel Palace hotel while simultaneously discharging a bomb in the façade of the Ghazala Gardens Hotel. They also detonated a third bomb in a parking lot of one of the city’s tourist areas. The coordinated attacks killed 88 people, most of whom were Egyptian instead of the targeted Western tourists, according to the Times’ analysis of the attack.

Assaults. Terrorists often use the assault technique, armed with automatic rifles and hand grenades, to target hotels. This method makes it easier for the terrorists to damage a wider area while also killing a large number of people as they move through the hotel and its floors.

This kind of attack occurred in November 2015 when heavily armed and well-trained gunmen drove into the Bamako, Mali, Radisson Blu hotel compound. They detonated grenades and opened fire on security guards before taking 170 people hostage, according to The Guardian. Twenty-one people, including two militants, were killed in the attack and seven were wounded.

Terrorists will also move from one hotel to another, not hesitating to take clients hostage to make the operation last longer. The duration of the siege often has a direct impact on the amount of international media coverage the attack receives.

Additionally, some assault-style attacks show that terrorists had knowledge of the hotels before attacking them. For example, in the 2009 attacks on the Ritz-Carlton and the JW Marriott in Jakarta, the attackers blew themselves up—one in a parking garage at the Marriott and the other at a restaurant at the Ritz-Carlton. Authorities later discovered, according to the BBC, an unexploded bomb and materials in a Marriott guest room that was dubbed the “control center” for the attacks.

Terrorists also may plan to conduct attacks during a hotel’s peak operation times—such as during meals or organized events. For example, the attack in Bamako took place around 7:00 a.m. when breakfast, checkouts, and security officer shift changes were taking place.

Travel Policies

Not all companies have well-developed travel security policies. Predictably, companies with employees who travel more frequently for work have a more advanced travel security program, as do companies that operate in countries with elevated security risks or in remote areas.

Companies also tend to have a more highly developed travel security program if one of their employees has been affected by a security incident, such as a hotel bombing, in the past. In the current threat environment, however, all international companies should review their travel risk policies because they have a duty to protect employees when they travel for work.

The European Directive on the Safety and Health of Workers at Work mentions this obligation, as do national regulations: Germany’s Civil Code, France’s Labor Code and a judgment by the Court of Cassation, and the United Kingdom’s Health and Safety at Work Act of 1974 and the Corporate Manslaughter and Corporate Homicide Act of 2007.

The United States also addresses this responsibility through its statutory duty of care obligations detailed in the Occupational Safety and Health Act of 1970. The act requires large and medium-sized companies to define basic emergency planning requirements.

Also, depending on the U.S. state, workers’ compensation laws may have provisions for American business travelers abroad. Similar obligations apply in Australia, Belgium, The Netherlands, and Spain. And case law has reinforced this legal arsenal addressing the security of employees traveling abroad.

Under these frameworks, employers must assess foreseeable risks, inform employees of these risks, and train them to respond.

And these risks are no longer reserved for employees traveling to Africa or the Middle East; the succession of terrorist attacks in countries qualified as low-risk destinations—Berlin, Brussels, Nice, and Paris—means that many companies need to address these locations in their crisis management preparation for employees traveling abroad.

Some companies have already changed their internal procedures to address these risks, including changing the way that hotels are chosen for business travel.

Choosing Hotels

Given the current threat environment and duty of care obligations for traveling employees, corporate security managers and travel managers need to work together to choose the right hotels. No matter the choice of accommodation, security and travel managers must conduct their own risk analysis to adopt the best strategy for choosing hotels for their employees. The analysis should include the destination, the profile of the business traveler, the duration of the employee’s stay, the company’s image, and the potentially controversial nature of the project in that destination.

Once the analysis is complete, companies have four options for choosing accommodations for traveling employees: international brand hotels, regional chain hotels, apartment or house sharing, or residences that are owned and operated by the company.

The most common option is to choose hotels with an international brand whose rates have been negotiated by the company. These big-name hotels can be reassuring. However, these institutions—described by some specialists as high-profile—tend to meet terrorists’ selection criteria for targets.

These hotels are also often franchise hotels, meaning they are independent institutions, masters of their own investment decisions and the management of their staff. This can make it difficult for security professionals and travel managers to get answers to important questions during the vetting process: What security procedures does the hotel have in place and what is its staff management policy? Does it subcontract its security to a guard company or have its own security team?

The second option is to choose less emblematic hotels that some would consider low-profile, such as regional chain hotels—like Azalaï, City Blue, Serena, and Tsogo Sun in Pan-Africa—or independent boutique hotels.

Hotels such as these may provide more discretion than an international brand hotel, but may come with slightly lower levels of security, which could become a problem should a crisis develop. Lesser-known hotels, for instance, may not receive as rapid a response from security forces as a luxury hotel frequented by public figures and politicians. And for travel managers, this second option could be a difficult sell to employees who might be used to staying at international brand hotels.

Another option that companies might choose is to have employees stay at a private residence through the sharing economy, such as Airbnb. Google and Morgan Stanley recently began allowing employees to use Airbnb for business travel, and Airbnb saw 14,000 new companies sign up each week in 2016 for its business travel services, according to CNBC.

For some destinations, this is not a viable option because of the lack of accommodations, but for other locations Airbnb has numerous places to stay and even offers a dedicated website for business travelers, who make up 30 percent of its overall sales.

One location where Airbnb is a popular choice is sub-Saharan Africa, where a major influx of young expatriates, themselves accustomed to traveling and staying in Airbnbs, make rooms, apartments, and houses available for business travelers.

However, this option has collateral risks, and many companies forbid employees from staying at an Airbnb while traveling because of the lack of verification and vetting of the residences, which may not allow them to meet many companies’ duty of care obligations.

Also problematic is the risk that employees will get lost while trying to locate their Airbnb, as opposed to an easily identifiable hotel. And the traveler might be unable to check in when the host is unavailable to let them in or provide a key.

The Airbnb option also raises questions for security professionals: If it’s attacked, how will local law enforcement respond? Who is responsible for contacting law enforcement?

The final option is for the company itself to provide private accommodations for its travelers. This is only cost effective, though, for high-risk destinations where companies frequently send employees to work. With this option, companies have full control over the security of the accommodations. However, this level of security comes with a high operational cost—purchasing or renting the accommodation, ensuring the maintenance of the location, and supervising essential service providers, such as housekeeping and security.

Additionally, companies that choose to provide a private accommodation for traveling employees would have the responsibility to secure the property—creating a security plan; purchasing, installing, and implementing security equipment, such as access control, CCTV, and fences; and providing security staff, either in-house or through a contract.

Improving Security

In 2002, a Palestinian suicide bomber killed 30 people at a Passover Seder at the Park Hotel in Netanya, Israel, in the deadliest attack during the Second Intifada. Following the attack, Israel’s hotel industry led the charge to address security threats by tightening security regulations. These regulations required the hospitality industry to staff a chief security officer in each hotel, led to the development of dedicated educational programs on security with recognized diplomas, and ultimately provided career opportunities for skilled and motivated security professionals.

This model is one where companies can support hoteliers by including security as a key element when choosing which hotels can be used by employees on business trips.

Alexandre Masraff is a security and crisis management senior advisor at Onyx International Consulting & Services Ltd. and the cofounder of the InSCeHo certification program that focuses on hotel security. He is a member of ASIS International. Aude Drevon is a security analyst with a master’s degree in geopolitics and international security. Emma Villard is a regional security advisor based in Vienna, Austria, and a member of ASIS.
Book Review: Info Risk
Strategic Security
https://sm.asisonline.org/Pages/Book-Review---Info-Risk.aspx

Butterworth-Heinemann; Elsevier.com; 408 pages; $49.95.

Factor analysis of information risk (FAIR) is a methodology for understanding and analyzing information risk. Measuring and Managing Information Risk: A FAIR Approach provides extraordinary detail, explaining both the essentials and fine details of the FAIR process.

This book is informative and insightful—and surprisingly engaging. Using examples, anecdotes, and metaphors, the writers keep this educational work from becoming difficult.

Comprehensively explaining the FAIR ontology in all its layers and complexities, the book includes thorough definitions of the terminology, many examples for applying the concepts, and detailed explanations of each step of the process from preparation through presentation and implementation. It examines challenges and common mistakes and suggests multiple solutions to suit different cultures, leadership, and scopes of work. Diagrams and tables provide specific examples, and a thorough index allows for quick reference to key words and concepts.

This is advanced material presented in a style that’s often humorous while still focused. The authors’ expertise is obvious in their detailed explanations of fact and theory, and in their relaxed approach to this complex subject matter. Professionals new to thorough information risk analysis or using more simplified approaches will find this book extremely useful.

Reviewer: Lex Holloway, CPP, is director of security for Caris Life Sciences. He is a member of ASIS and serves on the ASIS Healthcare Security Council.
https://sm.asisonline.org/Pages/Flying-Solo.aspx Flying Solo [Strategic Security]<p>Senior executives routinely travel the globe without security and rarely are there any incidents of concern, but when things go wrong from a protective security perspective, they usually go wrong quickly and can snowball into disaster. </p><p>Most failures stem from a lack of proper advance work, logistical foul-ups, and lost luggage. Robust protective intelligence and countersurveillance programs, along with comprehensive threat assessments, can greatly reduce the risk to executives who travel. But when a security detail will not be included in the trip, basic training and preparedness for those executives can go a long way.</p><p>Many executives want to run under the radar, whether they are attending a meeting on the other side of town or traveling around the world. Few CEOs travel surrounded by visible security personnel with earpieces and shoulder holsters because the optics are deemed bad for business. Few executives need or seek that level of security. And although it’s rare for an armed robbery or a Kardashian-style hotel invasion to occur, it’s on every protection officer’s mind.</p><p>A more thoughtful approach to protection for senior government personnel, executives, and high-net-worth families was created by a group of former government agents in the private sector. They adopted a different model of protection, focused heavily on protective intelligence and countersurveillance. </p><p>The model is now used by many Fortune 500 companies and takes a nuanced approach to empower the executives themselves. Even though security staff may not be in tow on any given trip, there are several key principles that executives can practice that will dramatically increase their level of safety and security wherever they are in the world. 
</p><h4>Situational Awareness</h4><p>With enough will and discipline, executives can use situational awareness to stay ahead of threats while traveling. To successfully practice situational awareness, executives must be mindful of a few basic facts. </p><p>First, they must acknowledge that a threat exists, because bad things do happen to good people. Executives traveling solo must also take care of themselves because they are ultimately responsible for their own safety and welfare. Finally, they must heed their instincts. If something doesn’t look or seem right, chances are it’s not, and executives need to be comfortable identifying and acting on that intuition. </p><p>When discussing situational awareness with an executive, it is important to stress that this does not mean being paranoid or obsessively concerned about security. Still, there are periods where enhanced awareness levels are needed. </p><p>Solo executives can learn to practice enhanced observation skills with simple exercises, like paying attention to the cars behind them in traffic, or by challenging themselves to see if they can remember automobile license plate letters and numbers. </p><p>One best practice is to have executives pay special attention to their departure points and destinations, scanning the area with an eye for vehicles and people that could be watching. If the same vehicle, bicycle, or person is spotted over time and distance, someone may be conducting surveillance. </p><p>For example, a blue van glimpsed at the point of departure and then seen later near a business meeting means someone could be watching. Not all watchers are criminals or possible kidnappers—in some locations, the watchers could be state security services or private detectives hired by competitors.</p><h4>Countersurveillance</h4><p>Burglars, kidnappers, assassins, and any manner of criminals all follow an attack cycle, including some level of preoperational surveillance. Attacks don’t happen in a vacuum. 
In most cases, criminal and terrorist surveillance tradecraft is the least well-developed skill in the hostile operator’s toolbox. </p><p>When persons with hostile intentions are engaged in preoperational surveillance, they are also highly vulnerable to detection. Professional countersurveillance teams are trained to recognize operatives conducting surveillance on a target. However, an individual practicing good situational awareness can often spot preoperational surveillance on his or her own, especially if the surveillant is sloppy, as many are. </p><p>If suspects realize that their surveillance efforts have been detected, they will become anxious and may decide against acting—or at least redirect their attention to an easier target. The detection also lets the executive know he or she must take further protective steps, such as changing routes or vehicles, switching hotel rooms, notifying local authorities or staff, alerting corporate headquarters, and calling for backup. Monitoring for surveillance needs to be part of executives’ ongoing situational awareness practice. </p><p>One terrorist plot uncovered in 2003 revealed how an al Qaeda cell used preoperational surveillance when targeting financial institutions in Washington, D.C.; New York City; Newark, New Jersey; and potential targets in Singapore. In one instance, several operatives sat in a Starbucks cafe across from their intended target, recording information like security measures and building access. Their notes, videos, and practices were uncovered when the terrorist cell was broken up by authorities—fortunately before an attack took place.</p><h4>Fire Safety</h4><p>While traveling, executives may obsess over the potential threat posed by terrorist attacks, political violence, or other incidents that result in news headlines, but they tend to discount the less exciting but more likely threat posed by fire. 
</p><p>Fire kills thousands of people every year, and there are instances where fire has been used as a weapon in terrorist attacks. During the November 2008 Mumbai attacks, a group of attackers holed up in the Taj Mahal Palace Hotel started fires in various parts of the hotel. </p><p>Anarchists and radical environmental and animal rights activists have conducted arson attacks against a variety of targets, including banks, department stores, ski resorts, and the homes and vehicles of research scientists.</p><p>It is common to find items stored in emergency stairwells that render them obstructed or sometimes impassable. This is especially true outside the United States, where fire codes may not be strictly enforced, if they exist at all. In some instances, fire doors have been chained shut due to criminal threats.</p><p>To mitigate the threat from fire, executives should note whether emergency exits at their hotel are passable. This applies to apartments and office buildings as well. </p><p>In the August 2011 Casino Royale attack in Monterrey, Mexico, the attackers ordered the occupants out of the building before dousing it with gasoline and lighting it on fire, but 52 people died because they were trapped inside the building by a fire exit that had been chained shut.</p><p>Travelers staying at hotels in countries with lax fire codes should stay above the second floor to avoid break-ins, but not above the sixth floor. That puts them within range of most fire department rescue ladders. </p><p>Smoke inhalation is also a concern. It is the primary cause of fire deaths and accounts for 50 to 80 percent of all deaths from indoor fires. </p><p>The U.S. diplomatic facility in Benghazi, Libya, that was attacked on September 11, 2012, is an apt example. A video of the building after the attack showed that fire had not badly damaged the building’s structure. 
The two diplomats killed in the attack did not die from gunfire or even rocket-propelled grenade strikes—they died from smoke inhalation. </p><p>At minimum, a smoke hood should be a key piece of safety equipment carried by the executive while traveling. These hoods can be easily carried in a purse or briefcase and can provide the wearer with 15 to 30 minutes of safe air to breathe. That time makes a world of difference when caught in a burning building, a subway tunnel, or an aircraft while trying to escape. </p><p>Many executive protection experts encourage executives to place smoke hoods next to their hotel bed. Another useful tool in such situations is a small, high-intensity flashlight to help them find their way through the smoke or dark once they have donned their smoke hood.</p><h4>Identifying Risks</h4><p>While executives may not appreciate the security team’s efforts to scare them ahead of a trip, they do need to know the inherent risks during travel and after reaching their destination. This will require advance research by protective intelligence analysts to gather hard data on a range of issues appropriate to the destination. Alternatively, security can use a service that consistently tracks that data. This type of research involves analyzing everything from the latest street crime trends in London to the prevalence and nature of recent express kidnappings in certain Latin American cities, and incorporates that data into the executive briefing.</p><p>The briefing can also include the advance work of the corporate security team: analyzing the executive’s schedule, transportation routes, and destinations to determine the times and places where he or she is most vulnerable. By identifying the moments most likely to be used by a hostile actor, an executive can understand when to raise his or her level of situational awareness for greatest effect. 
This will also make it more difficult for assailants to conduct preoperational surveillance without detection.</p><p>On September 28, 2016, a group of assailants abducted Abid Abdullah, the executive director of Pakistan’s largest publishing group, during a business trip to Peshawar. Abdullah was in Peshawar to check on the status of a company facility under construction and did not return to his hotel until the early hours of the morning. </p><p>Several armed men in two vehicles stopped Abdullah and his driver around 3:15 a.m. in the city’s industrial area. Peshawar is dangerous even by Pakistan’s standards, and, based on his driver’s statements, Abdullah was traveling without a protective detail to an industrial park where the kidnapping team had likely been watching him while he conducted business late into the night. The industrial area made a good intercept point because it was likely to be deserted at that hour. On such visits, a robust security plan is needed. </p><p>There are always incidents that are more difficult to detect ahead of time. In July 2016, Jeff Shell, chairman of the Universal Filmed Entertainment Group, was briefly detained and forced to leave Russia hours after arriving in the country. </p><p>Russian authorities pulled Shell out of the immigration line shortly after he arrived at Moscow’s Sheremetyevo Airport from Prague. After hours of interrogation, Shell was told he had been barred from Russia and was placed on a flight to Amsterdam. </p><p>The Russian Foreign Ministry later explained that it barred Shell from Russia because of his involvement with the Broadcasting Board of Governors, a group that oversees U.S. government broadcasters. </p><p>Before July 13, there was no indication that Shell or anyone affiliated with the Broadcasting Board of Governors was included on any list. 
Russia’s lack of transparency on who is barred from the country and why is troubling for traveling corporate executives and can become highly disruptive, embarrassing, or potentially dangerous for those involved. Executives and their protection teams should take these sorts of threats into account long before they begin travel.</p><h4>Liaisons</h4><p>Once executives are well-versed in these skills and practices, they may feel prepared to travel solo around the world. However, the work of the corporate security team doesn’t end there. </p><p>Whether the protective intelligence team is working for the government or in the private sector, it is critical to maintain frequent contact with the appropriate authorities and security counterparts where executives are likely to travel. </p><p>Beyond maintaining a close liaison with their counterparts and industry partners at the travel destination, corporate security officers should work with local, state, and federal law enforcement agencies that would be called on to prosecute the case should someone commit an illegal act against an executive. </p><p>If an executive is traveling to another city or country on business, be sure to establish a line of communication with the security counterpart at that company ahead of time. If an incident does occur, that liaison will share an interest in executive safety, or at least a concern about the optics of an incident affecting an executive who is visiting their company. </p><p>These counterparts should also have efficient lines of communication with their local law enforcement contacts. In that case, they can become an executive protection advocate on-site, or at least connect the team back home with the right people until the situation is fully resolved. </p><p>Executives can travel safely abroad with minimal intrusions on privacy, as long as corporate security teams establish proper procedures and baselines. 
Building trust with the executives and their administrative staff goes a long way to ensure that business travel functions without security disruptions. </p><p>Not every executive needs visible security officers on travel; however, every executive traveling abroad does require a good security team behind the scenes to properly balance risk and facilitation.  </p><p><em><strong>Fred Burton </strong>is chief security officer at geopolitical intelligence platform Stratfor.com and a lead analyst for Stratfor Threat Lens. He has authored three books, including </em>Under Fire: The Untold Story of the Attack in Benghazi.</p>
https://sm.asisonline.org/Pages/Cyber-Travel-Tips.aspx Cyber Travel Tips [Cybersecurity]<p>Security managers must be aware of their physical surroundings when they travel, but electronic devices frequently place employees and their companies at risk. To help keep devices and corporate data secure while traveling, Security Management reached out to several security experts to learn about their own travel best practices.</p><h4>Do a Cleanse</h4><p>Before packing your laptop, Bruce McIndoe, CEO of integrated risk management company iJET, recommends doing some device cleansing. </p><p>“That’s the first level of defense when you are getting ready to leave on a trip—slim down and remove as much data as you can,” he says.</p><p>This means assessing whether you actually need to take a laptop with you and, if so, removing all the sensitive data from it that you can. “That way if the laptop is stolen or infiltrated or lost, you’re not going to have all that data exposed,” McIndoe says.</p><p>Take the same approach with your smartphone, and pare down your USB devices to the essentials. Then make sure that all your devices are encrypted in case they are lost or stolen.</p><h4>Talk to IT</h4><p>After you’ve assessed what you need to take with you, it’s a good rule of thumb to check with your IT department to see if they have travel devices for you to take with you, such as travel laptops, phones, and even routers.</p><p>IT can also review with you any policies or procedures in case your devices are lost, stolen, or breached while you’re away from the office.</p><h4>Take the Right Bag</h4><p>When traveling, sometimes your devices are out of your sight—whether they’re tucked in your checked bag or stowed in the hotel while you’re out at dinner. This is when a zippered bank bag comes in handy, says former U.S. Secret Service Agent John Toney. 
He and other agents used zippered bank bags, such as an A. Rifkin bag, to store guns, electronic equipment, and anything else they wanted to keep away from prying eyes.</p><p>“When agents go en masse overseas, everyone throws their bag into the same Pelican case for customs,” says Toney, who is now senior manager of forensic technology and discovery services at Ernst & Young LLP. “That way, customs agents can scan the outer carrier but don’t get inside the bags.”</p><h4>Avoid Free Wi-Fi</h4><p>While a wonderful invention, Wi-Fi does come with risks, which is why McIndoe says he doesn’t connect to airport Wi-Fi or public Wi-Fi. </p><p>“What I try to do is use Gogo and AT&T hotspots,” McIndoe explains. “I can use Gogo on flights and get onto Wi-Fi only from access points that I know about.”</p><p>He also says travelers should be cautious about connecting to hotel Wi-Fi. As a precaution, consider using a VPN to access systems at work and ensure that you have an HTTPS connection. If you do access a website without an HTTPS connection, McIndoe says you should not consider that information private.</p><h4>Talk to IT, Again</h4><p>After you’ve returned from your trip and before you connect any of your devices to your company’s network, go talk to IT. They can scan the devices to make sure you didn’t pick up any malware while you were abroad. Many companies require employees who have been in designated countries to have their laptops scanned before connecting them to the network.</p><p>“A lot of companies have more sophisticated malware detection on the company network than on your laptop and will detect a virus that your local virus scan did not detect,” McIndoe says.</p>
https://sm.asisonline.org/Pages/Access-Via-App.aspx Access Via App [Physical Security]<p>Virgin Money, part of the Virgin Group, is a U.K.–based bank with the goal of innovating how customers experience financial services. Founded in 2007, the bank has several lounges around the United Kingdom that offer free Wi-Fi and coffee for customers, as well as tellers and ATMs for their banking needs. One of Virgin Money’s newest lounges even has a bowling alley inside.</p><p>“We’re about changing the face of banking…by providing fantastic customer service and facilities,” says Brian Shepherdson, property and facilities manager at Virgin Money.</p><p>With a multibuilding headquarters campus housing nearly 3,000 employees, the bank is always looking for ways to streamline its access control, enhance physical security, and improve the overall flow of business. </p><p>“We have nearly 3 million customers, and one of our key priorities is to make sure their data is safe,” Shepherdson notes. “Knowing who’s in the building and making sure the right people have access is fundamentally important to our business and our customers, as well as to protecting our brand.” </p><p>The bank has used the Honeywell EBI building management software suite since it first opened its campus about 10 years ago. EBI allows the company to manage various aspects of building efficiency and security, including access control. </p><p>In early 2016, Honeywell was looking to conduct testing around the globe of its new Vector Occupant app, which has several building automation and business efficiency components. The app can be used for everything from temperature control to booking meeting rooms. </p><p>Shepherdson says the bank was excited to be a part of a test group, and conversations about installation began in February 2016. 
“As part of the Virgin Group, we’re always looking to innovate and do things differently,” he adds.</p><p>Virgin Money was particularly interested in enhancing its access control with the Vector app. While the bank uses physical access control cards for headquarters employees to move throughout buildings on campus, it wanted to provide more convenience for users by supplying digital credentials directly on their smartphones. </p><p>Shepherdson notes that the company’s process for replacing lost badges is burdensome, involving multiple steps and various departments. It also leaves the building vulnerable if an employee fails to promptly report a lost badge. </p><p>“Whereas if you lose your cellphone, you’ll probably be aware quite quickly and you can report that,” he says. </p><p>The Honeywell Vector Occupant App is available for download in app stores for smart devices. From the administrative side, Virgin Money provides a unique username and password for employees to enter once they’ve downloaded the app. </p><p>“Once Vector is set up on a person’s device, the Bluetooth pairing on the device opens the door without contact. You don’t have to swipe a card,” he says. “If my phone is in my pocket, it will open the door when I’m near it.”</p><p>For the past year, about 30 people have been testing the Vector app, and Virgin Money is preparing to launch the app with a final, larger test group, before deploying it across the entire campus. </p><p>“We need to get a reaction to the technology, and use the learning from that to roll it out further,” he notes. </p><p>Testing the technology with a smaller group has had benefits, Shepherdson says. He explains that the Bluetooth access control feature was putting a huge strain on smartphone batteries, which would die quickly when using the app. 
</p><p>“Initially we did experience a high level of drain on the battery, so Honeywell has developed the technology to solve that problem,” he notes. “Honeywell has made various improvements in the background to get through teething problems.” </p><p>From a security standpoint, Shepherdson says there are several benefits to having access control on a phone rather than a physical card. “If you lost your access card on a Friday, you’ll probably wait until Monday to deal with that when you get back at the office,” he notes. “If we lose our smartphone we feel like we’ve lost our hand—that’s how possessive and reliant people are on a smartphone.” </p><p>Virgin Money’s company-issued smartphones already come with an added layer of security around them that the company can control, including strong passcode requirements. Through Honeywell EBI, Shepherdson can add and revoke employees’ access using Active Directory. </p><p>“If somebody loses a cellphone and reports it quickly, we can then disable their credentials more quickly...we can take away their access,” he says. </p><p>And Vector integrates completely with Honeywell EBI, giving Shepherdson a full administrative picture of who is going where throughout the building. </p><p>“We know who has authorized access to an area and who’s tried to get into an area where they don’t have authorization,” he explains. “A transit report would tell us exactly where they have been, what time they came in, where they went, and what doors they went through.” </p><p>The bank is also testing the temperature control aspect of Vector, a portion of the app that allows building occupants to report their comfort level to building engineers in real time. </p><p>“The Vector app recognizes where you are in the building—for example, meeting room 1—and when you’re in that space, it will give you the option to provide feedback in real time about the temperature,” Shepherdson says. 
</p><p>If there is a general trend from occupants in a particular part of the building, an engineer will further investigate whether something is wrong with the HVAC system. If everything is running fine but several people report feeling hot or cold, the engineer will adjust the temperature. </p><p>Later this year, the organization plans to roll out EasyLobby, a visitor management system through Honeywell EBI that prints a barcode for visitors or contractors. </p><p>“Similar to when you get a boarding pass for air travel—an email with a barcode in it—we are looking to migrate our visitor and contractor experience to receive a notification linked to Honeywell’s access control system,” Shepherdson notes. They can present that barcode and receive access to the specific buildings they need on campus. </p><p>Shepherdson says that the Vector app not only improves security, but also increases business efficiency for Virgin Money employees. “This product is very much a convenience for people, rather than a barrier.”</p><p>For more information: Julio Ampuero, julio.ampuero@honeywell.com, www.honeywell.com, 480/606-9569</p>
https://sm.asisonline.org/Pages/Insuring-Data-Loss.aspx Insuring Data Loss [Cybersecurity]<p>Historically, one of the most catastrophic risks to cities was fire. Prior to the modern concept of fire departments, most businesses and residents relied on private departments that they funded to come put out the blaze, should the need arise.</p><p>In 1751, Benjamin Franklin created the first fire company in the U.S. colonies to sell fire insurance: the Philadelphia Contributionship. </p><p>Participants in Philadelphia paid fees that were then used to cover other participants’ fire-related losses, according to Allstate. The first year of the contributionship, 143 policies were purchased to cover a seven-year period. None of the insured properties caught fire during that time. </p><p>As time went on, society made greater strides in fire prevention, and insurance carriers gathered data on these measures to assess how they reduced or increased the risk of fire, adjusting premiums accordingly.</p><p>However, one of the newest forms of insurance on the market has forged a different path. Cyber insurers are still in the process of amassing data to price risks for a cyber incident that results in data theft—and no company has data to price risk for destructive attacks, according to Robert Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations (CFR). </p><p>“Moreover, insurers do not typically offer premium reductions in exchange for improving cybersecurity practices,” Knake wrote in a cyber brief for CFR’s Digital and Cyberspace Policy Program. 
“This market decision reflects a sad reality for the cybersecurity industry: there is no clear consensus on which cybersecurity practices work and which do not, though some insurers are developing closer relationships with cybersecurity providers in order to access information necessary to accurately price risk.”</p><p>Despite being unable to accurately price risks associated with cyberattacks, the cyber insurance market is projected to grow from approximately $2.75 billion to $7.5 billion by 2020, according to PricewaterhouseCoopers’ (PwC) Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience. </p><p>“Businesses across all sectors are beginning to recognize the importance of cyber insurance in today’s increasingly complex and high risk digital landscape,” the report explained. But this awareness has been coupled with skepticism about the true value of cyber insurance.</p><p>“Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value,” said Paul Delbridge, an insurance partner at PwC, in a statement on the report. </p><p>Cyber insurance is a relatively new concept in the insurance world that got its start in the 1990s. Businesses started to look to the insurance market to cover risks associated with e-commerce, but found that none of the existing insurance models were relevant, says Graeme Newman, chief innovation officer at CFC Underwriting.</p><p>“The worry wasn’t that the building would burn down, or that they wouldn’t be able to trade on their physical premises, it was that their systems would go down and they wouldn’t be able to trade,” he explains. “Their biggest asset was their data…. 
They wanted a product they could use to insure that data—and that’s where cyber insurance was born.”</p>
<p>Cyber liability policies were created to cover identity theft, business interruptions when hackers shut down a network, damage to a business’s reputation, and costs associated with damage to data records caused by a hacker. Policies can also cover the theft of digital assets, malicious attacks via computer code, human errors that disclose sensitive information, credit monitoring services, and lawsuits, according to the National Association of Insurance Commissioners.</p>
<p>In the late 2000s, society began to see a major shift in crime with physical crime morphing into cybercrime—phishing scams, business email compromise, ransomware, and more. This helped push cyber insurance as more of a mainstream line of insurance, Newman says, and health institutions are leading the way.</p>
<p>Hospitals generally have “lots of sensitive patient data on generally old, legacy IT systems with good risk management departments but little idea about IT security and really high penalties from regulators,” Newman adds, especially in the United States under the Health Insurance Portability and Accountability Act (HIPAA).</p>
<p>Retailers were the next major vertical to begin purchasing cyber insurance following the string of mega breaches at Target, Home Depot, and Neiman Marcus in 2013 and 2014 when hackers targeted retailers to acquire customer payment card information.</p>
<p>“That got the retailers to purchase cyber insurance, and we saw financial institutions buying cyber insurance,” Newman says.</p>
<p>This activity has created a cyber insurance market worth roughly $3 billion today, with 90 percent of all cyber insurance purchased in the United States. This is for a variety of reasons, including the aggressive class action lawsuit culture in the United States, state attorneys general who have taken a tough stance against businesses that compromise consumer data, and regulators who can levy fines under the law.</p>
<p>“When a business loses data, you’ve got a whole load of ambulance chasers trying to make a buck out of it,” Newman says. “They’ll bring lawsuits against businesses that lose data.”</p>
<p>Despite these motivators, however, only 25 percent of U.S. businesses and 2 percent of U.K. businesses have purchased cyber insurance policies. This could be because of the price of premiums due to the limited data on the scale and financial impact of attacks, according to the PwC report.</p>
<p>“Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty,” the report explained.</p>
<p>PwC’s former U.S. Cybercrime and Breach Response Senior Managing Director Don Ulsch saw this in action just two years ago. One of his clients, a global manufacturing firm, attempted to buy cyber insurance and found that the carrier would only provide $1 of coverage for each $1 in premiums. The client ultimately purchased the policy because it felt it was necessary to meet U.S. Securities and Exchange Commission (SEC) guidelines, Ulsch says.</p>
<p>“As you start looking at what your requirements are as an SEC registrant, you will likely start looking at cyber insurance,” he explains. This is because in 2011, the SEC released guidance on cyber insurance and has since adopted a prebreach-centric approach to managing cyber risks—meaning that boards have informed investors and shareholders how they will manage a cyber risk in the event of a cyber breach.</p>
<p>And for those carriers that do issue cyber insurance policies, PwC found that they are putting a ceiling on potential losses through restrictive limits, exclusions, and conditions. For instance, common conditions include state-of-the-art data encryption or 100 percent updated security patch clauses, which are difficult for businesses to maintain.</p>
<p>Another area that may be stalling actual growth is confusion over how to cover new risks associated with cybersecurity. One area that Ulsch says carriers are still assessing is how to cover a physical event that stems from a cyber incident.</p>
<p>For instance, Internet of Things devices at a restaurant could be compromised, allowing a hacker to leverage them in an attack that causes a gas line in the restaurant to malfunction, resulting in an explosion.</p>
<p>Since an incident like this would cause bodily injury and property damage, “should that be an extension of cyber insurance?” Ulsch asks. “Or should it be part of your commercial general liability insurance? How does it get covered?”</p>
<p>This is one of the big questions that insurers have today in response to new kinds of cyberattacks that are emerging on an almost daily basis. “This is something that is relatively new, but it’s growing in significance,” he adds.</p>
<p>One development that might help spur the adoption of cyber insurance policies, however, came in December 2016 when the U.S. Department of the Treasury issued guidance in the Federal Register that included these policies in the Terrorism Risk Insurance Program (TRIP).</p>
<p>TRIP was initially created in the aftermath of 9/11 as part of the Terrorism Risk Insurance Act (TRIA) as a federal stopgap to allow private companies to purchase terrorism insurance. Under the program, the U.S. treasury secretary and the attorney general can certify an event as an act of terrorism. If damages from the act exceed $200 million, TRIP is triggered to cover the remaining losses.</p>
<p>Before 2016, there was confusion as to whether TRIP would be triggered for cyber incidents. To clarify, Treasury issued the new guidance confirming that “stand-alone cyber insurance policies” reported as “Cyber Liability” are included in the “property and casualty insurance” under TRIP.</p>
<p>Security Management reached out to Treasury for further explanation about the guidance, but it did not return requests for comment.</p>
<p>Adding cyber insurance to TRIP is a step that Knake recommended in his cyber brief, published prior to Treasury’s guidance. He advocated for the creation of a federally sponsored cyber insurance program.</p>
<p>“The federal cyber insurance program should be developed under TRIP…given that much like terrorist attacks, catastrophic cyber incidents affecting the United States will be rare,” Knake wrote. “TRIP should be expanded to cover cyber events and renamed to allow for coverage of all catastrophic cyberattacks—whether they are carried out by terrorists, state actors, or criminals—including cases in which attribution cannot be determined.”</p>
<p>One way that TRIP falls short, Knake tells Security Management, is that it doesn’t place requirements on insurance policies and on companies themselves to improve their own security. Knake, who is the former U.S. National Security Council director for cybersecurity policy, says this was discussed at the time that TRIP was created but ultimately decided against.</p>
<p>When it comes to cybersecurity, where the threat and the fundamental responsibility are on companies to protect themselves, a “model that is like TRIA but creates a situation in which the insurance is being used to promote cyber hygiene, better practices, and information sharing makes a lot of sense,” he says.</p>
<p>For instance, Knake recommends that regulators set minimum requirements for cyber insurance for companies that want to take advantage of TRIP’s protections. One example of this is the approach that U.S. financial regulators have taken to cybersecurity to address the potential of systemic risk throughout the entire system should a major financial institution be hit with a cyberattack.</p>
<p>“Being able to quantify that risk and then say, ‘You need to have insurance up to that amount,’” Knake says. “It’s like car insurance. You need to have car insurance, as the minimum standard.”</p>
<p>Ultimately, a federally sponsored cyber insurance program should be used to limit financial liability and promote participation in “initiatives that benefit the security of the Internet as a whole and reduce systemic risk,” Knake wrote.</p>
<p>“Initially, the government’s goal should be to use the program to promote the sharing of data on incidents so that insurers can accurately price risk and set premiums. Doing so could provide the data necessary to judge the effectiveness of existing best practices and identify new practices that should be widely adopted.”</p>
<p>Whether that happens remains to be seen, but insurance carriers are already projecting that the international market for cyber insurance will grow by 400 percent. Most forms of insurance typically only see 1 to 2 percent growth year over year, Newman says.</p>
<p>“Cyber insurance is exciting,” Newman adds. “Cyber is the class of insurance that is growing in the world.”</p>

April 2017 issue (2017-04-01):
Access and Iris Scans: https://sm.asisonline.org/Pages/Access-and-IRIS-Scans.aspx
ERM Best Practices: https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx
The Evolution of Airport Attacks: https://sm.asisonline.org/Pages/The-Evolution-of-Airport-Attacks.aspx
Redefining Loss: https://sm.asisonline.org/Pages/Redefining-Loss.aspx
Legal Report Resources April 2017: https://sm.asisonline.org/Pages/Legal-Report-Resources-April-2017.aspx
Book Review: Disaster Management: https://sm.asisonline.org/Pages/Book-Review---Disaster-Management.aspx
ASIS News April 2017: https://sm.asisonline.org/Pages/ASIS-News-April-2017.aspx
Surveillance and Stereotypes: https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspx
Cyber War Games: https://sm.asisonline.org/Pages/Cyber-War-Games.aspx
Industry News April 2017: https://sm.asisonline.org/Pages/Industry-News-April-2017.aspx
Certification Profile: Timothy McCreight, CPP: https://sm.asisonline.org/Pages/Certification-Profile---Timothy-McCreight,-CPP.aspx
How Organizations Prompt Different Levels of Engagement: https://sm.asisonline.org/Pages/How-Organizations-Prompt-Different-Levels-of-Engagement.aspx

March 2017 issue (2017-03-01):
Five SSH Facts: https://sm.asisonline.org/Pages/Five-SSH-Facts.aspx
Stopping the Cyber Buck: https://sm.asisonline.org/Pages/Stopping-the-Cyber-Buck.aspx
Lessons in Liability: https://sm.asisonline.org/Pages/Lessons-in-Liability.aspx
Message to the Masses: https://sm.asisonline.org/Pages/Message-to-the-Masses.aspx
The Art of Servant Leadership: https://sm.asisonline.org/Pages/The-Art-of-Servant-Leadership.aspx
Teller Trouble: https://sm.asisonline.org/Pages/Teller-Trouble.aspx