In the last decade or so the potential of an electromagnetic pulse (EMP) event* has become a regular trope of some types of science fiction/survivalist literature. The story often focuses on the prescient survivalists as they find ways to stay alive as the normal world of electrical/electronic everything shuts down, leading to widespread panic and civil insurrection**. As fiction, most of these stories are marginal at best, but we need to take the underlying subject seriously. An EMP "twin," the coronal mass ejection, has happened before (the Carrington Event in 1859) and more will follow, just like the "big one" will hit the San Andreas Fault if we wait long enough. Neither one is fiction; they just haven't happened recently.
One question for those of us who take the EMP/CME threat seriously is what impact it might have on the internet. As it happens, that issue was the subject of a recent study presented at SIGCOMM 2021 - the annual conference of the ACM Special Interest Group on Data Communication. In the research, Sangeetha Abdu Jyothi, from the University of California, Irvine, and VMware Research, assessed the robustness of the current internet infrastructure against a potential EMP/CME event. Some engineers have thought that the fiber optic cables used by the internet should be largely unaffected by such an event, but the most recent work presented at SIGCOMM 2021 focuses on the electrically driven repeaters and interfaces between cable sections. As the study's author, Dr. Jyothi, noted in a follow-up tweet, "In short, we have NO IDEA how resilient the current Internet infrastructure is against the threat of CMEs!" We do know that the Carrington Event caused serious damage to early 19th Century telegraph systems, which were very robust compared to modern electronics.
What would you do if widespread outages hit the internet tomorrow? While we are looking at the major, potentially worldwide dangers here in EMP/CME events, regional internet outages could happen for any number of reasons, including hack attacks, mega storms, or very large, cable-disrupting earthquakes. Do you have a fallback plan? Do all of your branches know what to do if, for any reason, your ability to communicate by normal net-based channels is interrupted? As interconnected and multilevel as modern communications are, they are not failure-proof, as Dr. Jyothi's research reminds us.
We remember the 9/11 attacks very well. We were across the street from the Pentagon. Cell phones instantly became useless as circuits jammed. One private trunk line in the office building where we were at a meeting, however, was not jammed. We got the normally secret access codes and patched in - an unexpected benefit of having been in charge of a major corporate call center once upon a time. Do your senior managers know how to access a variety of backup/backchannel communication systems in case the usual lines aren't working? Bear in mind that, depending on your company's communications structures, there could be several viable options - if your people know how to access and use them. We never know when fiction might become fact.
*Sometimes in the novels it's a natural coronal mass ejection (CME) and sometimes it's an attack by a foreign power, but the effect on daily life is about the same either way - catastrophic.
**One of the better examples is One Second After by William R. Forstchen. It includes a cameo by a 1958 Edsel that still runs because it has no computerized control components.
A real life carrier pigeon - hey, you never know.
Potential High Scrabble Score
Depending on what squares you hit, "uninsurability"* may be a Scrabble slam dunk**, but that's about the only time you want to see that word. Unfortunately, it seems to be popping up more often - and, no, it's not something you're doing wrong. Check out a new article, "The Growing Number of Uninsurable Risks" by Barry Rabkin in ITL. The article quotes Senate testimony recently provided by Dr. Robert Hartwig, Director, Risk and Uncertainty Management Center, University of South Carolina, which made three major points:
There has been, and continues to be, an inexorable shift to (potentially uninsurable) severity from a small but expanding number of risks.
Not all the risks that fall into the uninsurable severity category are technology-related or technology-driven.... However, technology specifically in the form of web-enabled devices will push more risks - cyber risks - into the uninsurable category.
Regardless of the insurability or uninsurability of a risk, the risk itself doesn't disappear from a corporation's (or individual's) need to manage the impact of the risk in some manner. (Neither denial nor hope is a risk management strategy.)
The article provides valuable insight into each of these three areas. The following graphic (one of many) gives you an idea of the breadth of the discussion, although you really must read the text to get the full and subtle meaning of this representation, not to mention the others that follow it. The gist is that business increasingly finds itself confronted by new/expanding types of risk which have a scope and severity that make conventional insurance mechanisms a poor fit. Cyber risks may be today's poster child for the difficult to insure, but they are far from unique.
Back when Dr. Hartwig was the president and economist for the Insurance Information Institute, his summary of risk developments at the III's annual conference was always eagerly anticipated for its unparalleled breadth, insight, and dazzling speed. You had to listen fast. We recall being exhausted at the end from the pure mental effort of keeping up with his presentation.
Our looming insurability crisis is deep, broad and, unfortunately, very technical, but reading through this piece from ITL is the least painful way we've seen of getting your mind around what is happening and what it means to all of us. Hint: it means a lot.
*I'm assuming someone has already spelled "ABILITY" and just left it there for you to pounce on and your seven tiles are N, N, U, U, I, S, R.
**True, the highest score ever officially recorded for one play was QUIXOTRY for 365 points. If you get that, they retire your jersey.
High Stakes Scrabble
Quick Take 1:
So - How Intelligent Is Your Smart Building?
We grew up in the building business in the boom years following WWII. We didn't know it then, but all the buildings of that era were pretty dumb. Nowadays we have smart buildings. But how smart are smart buildings, really? That other Journal, the Wall Street version, asked this question a couple of weeks ago and the answer might surprise you. In a sentence: "Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks." Well, how smart is that?
The array of systems in smart buildings is dazzling: "computer networks to manage pretty much any part of a building you can think of -- including elevators and escalators; ventilation, heating and air conditioning systems; office machines like printers and conference-room audiovisual equipment; security and fire-safety systems; and appliances like refrigerators and coffee makers." So, what's not to like? Consider that all these systems may be hackable. As the author, Suman Bhattacharyya, points out, "hackers who infiltrate building-management systems might also be able to work their way into a company's corporate communications and databases, where they can loot the company's proprietary information or hold it for ransom."
We've written about this risk before, but as the Journal article underscores, companies have been slow to tumble to the real risks involved. One expert quoted in the article pointed out, "It has been my experience that operators do not tend to think of these smart devices -- your coffee maker, for example -- in the same way that they would think of a server or desktop computer...." How about your organization? Do you have a rigorous process for guarding your coffee pots - and your copiers and HVAC systems and CCTV installations, and all the other Internet of Things components scattered around your operations? The bottom line for risk is that any smart system can be a really dumb mistake if not treated seriously.
Stephane Nappo, the Global Head of Information Security for Societe Generale International Banking, put it nicely in a recent interview: "The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats." Which version of IoT do you have?
Quick Take 2:
The Latest Scoop on Work Comp Pharma
Let's have a show of hands. How many think that, among other shortages, the world has run out of solvable problems? That many? Wow.
Your pessimism is understandable, but consider the following three bullet points from the recently released 17th annual survey of Prescription Drug Management in Workers' Compensation:
Total work comp drug spend for 2020 was about $3 billion, or about 10% of total medical spend.
That's down from $4.8 billion a decade ago.
Opioid spend decreased 19.3% from 2019 to 2020 [emphasis added].
We suggest that you check out the summary report for a fuller account, but these headlines give you the heart of the story. Yes, we are making progress. If you like graphs, try this one:
What you see here, as we pointed out recently concerning a more narrowly focused WCRI study, is the result of relentless focus and coordination of effort between carriers, TPAs, employers and regulators. Two serious studies by different organizations are showing strongly similar results. That's encouraging.
Sir Thomas More* once pointed out that earth has no sorrow that Heaven cannot heal. Perhaps it is equally true that we mere humans cannot create problems that we cannot solve if we will but put our minds to it. Climate change, pandemics, and economic chaos notwithstanding, we retain the ability to make things better. Stay focused, my friends.
*Or Saint Thomas More if you're Catholic. The complete prayer: "Here see the Bread of Life, see waters flowing forth from the Throne of God, pure from above. Come to the Feast of Love, come, ever knowing Earth has no sorrow that Heaven cannot heal."
For every ill, there's a pill and a bill..., unless we remain vigilant.
Say It Isn't So...
When the Zeitgeist* speaks, the voice can come from any direction. This thought impressed itself on us when we read the following in the "Ask the Advisors" section of this month's Men's Health (of all places):
How do you know when you should quit your job?
We've mentioned in previous issues the coming Great Resignation and its implicit risks, but it's no longer coming. It's here. Consider this a nudge to keep very close to the needs, attitudes, and perceptions of your risk management staff. Good risk people are hard to find (need we tell you?) and we hope it wasn't one of your people who sent this question to the magazine. Always make certain that your good people know you cherish them. That's a controllable risk.
*The spirit of the age - i.e., the defining spirit or mood of a particular moment in history. Right now, in this case.
Words to Remember
So how many words is a picture worth these days? In this case, a bunch.
See anyone you recognize?