Last week I attended the Family Office Exchange’s Fall Forum in Chicago for a chance to spend time with high net worth families and their advisors, a number of whom attended my special session on family security. FOX is a leading group in the HNW space, and it’s always valuable to hear input and feedback from their members.

This year, the top concern I heard from a number of participants, particularly families in metropolitan areas, is the lack of confidence in plans to prepare for emergencies and disasters. Despite government efforts over the past 8 years, families are still unsure of how best to prepare for or how to respond to a wide range of crucial scenarios, spanning weather emergencies to a potential terrorist attack.

The second issue on the minds of families and advisors is a concern over the role of staff when responding to emergencies. Household staff are eager to help and protect their employers and their children in adverse circumstances, but their good intensions may be misplaced or go awry. For example, staff may engage an unfamiliar trespasser directly without any protocol for making sure this person is not a threat or a plan for how to respond by securing the family and getting help if it turns out they are. Training staff is a key area when it comes to keeping families safe, and I’m glad family members and advisors are recognizing the issue and looking for solutions.

I discussed many more meaningful security issues and challenges with the FOX members and attendees. This year’s forum was engaging and educational, as always, and I’m looking forward to implementing some of what I learned.

New Resources Enhance Protection for Individuals with Complex Risks

NEW YORK–Chartis today announced the expansion of personal security services from its Private Client Group. Two complimentary resources, emergency preparedness services and access to Insite Security, have been introduced to supplement Private Client Group’s comprehensive property and liability insurance offerings for high net worth individuals and families.

The new offerings, which are in addition to an already extensive suite of risk management services designed to reduce the likelihood and severity of property damage, as well as maximize safety, are designed for policyholders with complex exposures resulting from worldwide travel; private home staff; multiple residences; yacht ownership; or extensive collections of art, jewelry or cars.

Emergency preparedness services help reduce threats to family safety, security and personal wealth through activities such as evacuation and communication planning, home security assessments, personal liability assessments, and crisis management. Consultations, either by phone or in person, are conducted by Private Client Group’s team of emergency preparedness specialists who have backgrounds in personal and corporate security and substantial experience advising individuals, families and companies. The consultations can cover:

• Lifestyle risks, such as how often one travels, who has access to the home and the safety of children away at school;
• Strategies to handle an incidental house fire or community-wide emergency; and
• Personalized emergency action plan development.

When needed, policyholders may be referred to a network of third-party vendors to assist with plan implementation. A 24-hour emergency preparedness and response hotline is also provided.

Private Client Group also has partnered with Insite Security, an industry leader in personal security for high net worth individuals that employs law enforcement veterans. Eligible policyholders can receive a one-on-one, at-home consultation (followed by an individualized report outlining potential vulnerabilities and customized solutions); proposals for long-term security; and ongoing security training for staff and family.

“We strive to help our policyholders protect what’s precious to them, and that often means looking beyond material possessions,” said Charles Williamson, President of Private Client Group. “By analyzing their lifestyles and preparing for even the rarest of scenarios, we can maximize safety as well as preserve assets.”

For more information on Private Client Group’s personal security services, please contact Todd Triano at (908) 679-3066 or todd.triano@chartisinsurance.com or Christopher Falkenberg at (212) 362-5700 or cfalkenberg@insitesecurity.com

Chartis Expands Personal Security Services for High Net Worth Clients

Insurance Journal

December 8, 2009

Chartis is offering expanded personal security services from its Private Client Group. The insurer has introduced two complimentary resources, emergency preparedness services and access to Insite Security, to supplement Private Client Group’s property and liability insurance offerings for high net worth individuals and families.

The new offerings, which are in addition to existing risk management services designed to reduce the likelihood and severity of property damage, as well as maximize safety, are designed for policyholders with complex exposures resulting from worldwide travel; private home staff; multiple residences; yacht ownership; or extensive collections of art, jewelry or cars.

Emergency preparedness services help reduce threats to family safety, security and personal wealth through activities such as evacuation and communication planning, home security assessments, personal liability assessments, and crisis management. Consultations, either by phone or in person, are conducted by Private Client Group’s specialists who have backgrounds in personal and corporate security. The consultations can cover lifestyle risks, such as how often one travels, who has access to the home and the safety of children away at school; strategies to handle an incidental house fire or community-wide emergency; and personalized emergency action plan development.

Policyholders may be referred to a network of third-party vendors to assist with plan implementation. A 24-hour emergency preparedness and response hotline is also provided.

Private Client Group also has partnered with Insite Security so that policyholders can receive a one-on-one, at-home consultation (followed by a report outlining potential vulnerabilities and customized solutions); proposals for long-term security; and ongoing security training for staff and family.

Supply Chain Security Threats: 5 Game-Changing Forces

CSO

December 16, 2009

By LAUREN GIBBONS PAUL

As any CSO knows, it’s not enough to mind your own business. You have to look after your business partners as well, across all links that connect to your supply chain—whether that chain is physical or virtual. And that goes double in times of rapid change and high stress.

“The threat environment is constantly changing,” says Ryan Brewer, CISO for the Centers for Medicare and Medicaid Services. “Sometimes it’s hard to put your finger on what’s most important.”

Who would have thought three years ago that piracy on the supply chain would be such a big concern? Sometimes the big worry is terrorism, sometimes it’s natural disasters, lately it’s malware. Here are the top five developments CSOs say have the biggest potential to wreak havoc on their supply chains.

No. 1 Game-Changing Force: ‘Black Swan’ Events

As Nassim Nicholas Taleb explained in his 2007 book of the same name, the term “black swan” refers to an event that is high-impact, hard to predict and rare. Black swans need not be negative (as in the case of 9/11) and can present times of great opportunity, but CSOs rightfully spend their time worrying about the former scenario.

When it comes to the supply chain, black swan events can include everything from disastrous weather to global pandemicto terrorist attacks. The problem is, if you prepare for the worry du jour, you may leave yourself exposed on other fronts. Case in point: avian flu. Warned that a large-scale outbreak of Asian bird flu would put supply chains at risk, global businesses braced for the worst. Executives discussed how the supply chain might be affected if the flu broke out in China. Their plans rested on transporting and storing materials in other places around the world.

Then, early this year, H1N1 flu broke out in Mexico and spread quickly to unexpected regions like Australia. “Companies had to immediately reassess their plans because they were based on specific scenarios,” says Adam Sager, senior manager of business continuity consulting at Control Risks, a security consulting firm in Washington. This was a major wake-up call. “Companies realized they needed to better prepare for unexpected events and increase their knowledge of how their organizations could be impacted. If something is emerging on a global basis, they need to act before it affects their supply chain,” says Sager.

When a crisis hits—no matter where on the globe—you need to be able to understand and assess the situation using firsthand country- and location-specific information, says Sager. And you need bi­directional communication between crisis managers and the locale where the event is occurring. Sager notes that companies are discovering gaps between their crisis plans and their operations.

“They had security management and crisis management plans in place, but the missing link was integrating them with the business so people around the world could understand management’s position regarding critical things such as uptime, issue resolution and who’s responsible,” he says. This type of information is often not conveyed to the field in advance, a crucial error. Management needs to empower local decision-makers in advance to take action quickly to mitigate damage if certain conditions are met.

The plans have to address not just key supply chain nodes and specific scenarios that could occur, but also emerging security vulnerabilities. “That is a different mind-set and way of planning,” Sager says. “The security department has to come together with the operational/financial side of the business,” looking at all aspects of the supply chain, including where the different components are located and alternative sourcing arrangements. Sager puts his clients through tabletop testing, in which executives sit in a conference room and go through a scenario point by point with the key decision-makers, reviewing how they would respond.

Marc Siegel, commissioner for the ASIS International Global Standards Initiative, is leading the charge to develop an ISO standard for supply chain resilience. ASIS has already published SPC.1, its first organizational resilience standard, which it expects will be ready by the end of the year. “We think standards are the answer for dealing with [black swans],” Siegel says. “Companies have to develop a comprehensive [supply chain resilience] strategy because their resources are limited. This allows you to look at the full picture, rather than just separate out the different things.” For example, a strategy to prevent terrorism might work against piracy or help during an earthquake as well.

Organizations need to approach risk from a holistic standpoint, Siegel adds. “The problem with the risk du jour is that the likelihood of it happening varies so greatly between organizations that it can divert your attention away from doing a comprehensive risk assessment.” In short, it can make you take your eye off the ball.

No. 2 Game-Changing Force: The Rise of Malware

Information security matters also weigh on CSOs’ minds, though they are not as visibly related to the supply chain as physical security is. An organization (and therefore its supply chain) can be brought low by an attack on its information network as surely as it can be hurt by an attack on its cargo. Many CSOs say they are worried about botnets; two of the most pressing threats related to botnets are spam/phishing attacks on employees and the possibility of a resurgence in the denial-of-service (DoS) attacks that first appeared 10 or more years ago.

Ed Amoroso, CISO of AT&T, blames rampant technological complexity for the rise in malware. “The primary root cause for almost everything we deal with—commercial customers and everything—is complexity. The computers and networks that people set up and use have become way too complicated,” says Amoroso. Since no one knows exactly where all the connection points between systems lie, it is easy for wrongdoers to exploit them. “I’ve read that 95 percent of the spam that is floating around is botnet-originated,” he adds. “It’s all about complexity—people not knowing how to stop it on an individual, corporate and information security level.”

Like Amoroso, Joonho Lee worries a lot about the advent of integrated DoS attacks. “DoS used to be about large-volume traffic hitting your network,” says Lee, an officer for the National Incident Response Team and assistant vice president at the Federal Reserve Bank of New York. “Now, there are so many different types of attacks. It’s not just flooding you with traffic anymore. It’s flooding you with traffic that you can’t block.

“We have all the DoS protections, but I’m very skeptical about them always working. If you get hit by a 40-gig-per-second pipe, it’s going to knock you out, either your network or your provider,” says Lee. “The hackers are leveraging hundreds of thousands of machines. DoS is definitely back on the horizon.”

Rena Mears, a partner in security and privacy services for Deloitte & Touche, believes the malware supply chain is itself approaching maturity. “You go back a decade, and it was a few people doing mental gymnastics. Then we moved to an era where it was monetized [via phishing and spam]. The next step was the massive quick hit—equivalent to a bank robbery. Now we are seeing something much more insidious,” says Mears. Malware and its perpetrators are growing increasingly sophisticated.

Rather than carrying out the massive hit-and-run DoS attacks of the past, today’s malware seeks to sustain itself at a relatively low level, similar to the way a parasite survives in nature. “This is more of a constant-stream-of-revenue strategy. The malware agent can live below the organization’s pain threshold, but it siphons off information to compromise intellectual property or scoop up credit card information,” Mears says.

Lee, for one, does not believe that network service providers can adequately protect against the threats posed by new-breed malware. Amoroso of AT&T acknowledges that the situation is difficult, saying only that, like other providers, AT&T has developed multiple strategies for handling new-breed DoS attacks. He believes that the increasing popularity of thin clients will help thwart these attacks because they are simpler, with fewer moving parts to attack.

No. 3 Game-Changing Force: Economic Downturn

It is axiomatic that crime increases as the economy deteriorates. A number of threats—to physical security as well as information security—have become more pressing in the past year or so. Many CSOs expect the associated threat pool to continue to widen. Although the economy is forecast to improve slowly in the coming year or two, many experts expect the reshaped landscape will not necessarily signal a return to prosperity for all, or even most, of society. Some people will be desperate and therefore prone to desperate actions.

As the economy continues to falter, more and more people are losing their jobs, which often means losing their health insurance as well. Ray Biondo, CISO at Health Care Services (which runs four Blue Cross Blue Shield plans in Illinois), fears ongoing economic problems will cause wide-scale employee layoffs, which the company has so far managed to avoid. He fears the coming of a national healthcare plan could have the same effect. Biondo finds himself worrying more about insider threats to information and physical safety than he did a few years ago.

“I worry about internal physical threats and threats to our data. People become very anxious, and data leakage becomes an issue,” says Biondo. He believes he has taken all available measures to protect information and physical security, but he remains uneasy. Chris Falkenberg foresees increased threats to personal security, including the kidnapping of business executives abroad and attacks on high-net-worth individuals. “CSOs will have to deal with these things because they have to protect their executives,” says Falkenberg, president of security services firm Insite Security. He also worries that personal kidnapping could become a problem in the United States, though the country does not have the widespread governmental corruption that typically allows such activities to take root. He believes most CSOs do not have the internal expertise to handle this type of threat.

Lee, of the Federal Reserve Bank, believes emerging threats such as malware and attacks by insiders require stronger communication between the information security and physical security groups, as well as any other departments that get involved when there is a problem, such as legal. “There needs to be better teamwork. It’s not just training,” he says. “Even if these groups do speak to each other, they usually would just offload the case onto the other side. Everyone involved needs to know the logical next steps. There needs to be recognition of joint ownership of the problem.”

No. 4 Game-Changing Force: Data Explosion

Data is now so ubiquitous and so pervasive that people lose sight of it. Even many manufacturers today are so massively involved in data, they never think of themselves as anything other than purveyors and users of information. The level of integration companies have with their processes and business partners is something they could not have contemplated just five years ago, says Mears. The explosion in both data itself and the practice of sharing data outside organizational boundaries presents a number of different kinds of risk.

Companies of all types and sizes share infinite amounts of information with business partners. This data is constantly updated and flows back and forth. “This is a two-way chain,” says Mears. “That means you are replicating data. We used to say ‘defend the perimeter.’ Many companies don’t even have a perimeter anymore.”

Data and information are assets, but executives don’t know what they have, where it all is and who is (and isn’t) protecting it. “It is very difficult to secure data when you don’t know exactly what it is and who you’re sharing it with and no one is on the hook for those decisions,” says Mears. This reality necessitates a risk-based approach to data protection. “You cannot protect all data anymore. Not all data assets are worth the same amount. You have to be sure there is a return on that data asset, just as you would with any other asset. You should provide security commensurate with the value of the information asset,” she says.

Deloitte is advising its clients to develop a more focused response to information security. In a highly integrated global environment, companies understand that their core intellectual property is at risk, but they cannot afford to protect the daily flotsam that is part of business as usual. “Data protection is now a C-suite and a board-level issue. Executives are beginning to think about how to maximize the return on their data assets,” says Mears.

No. 5 Game-Changing Force: Regulatory Burdens

Since Sept. 11, 2001, and the passage of the Sarbanes-Oxley Act in 2002, regulatory activity has been high in virtually every industry. This is certainly true in the food/beverage/agribusiness industry, due to the obvious importance of maintaining a food supply that’s safe from contamination, whether malicious or innocent. H.R. 2749, the Food Safety Enhancement Act of 2009, just passed. And Walmart made news in 2008 when it required all of its food suppliers to comply with the stringent GFSI (Global Food Safety Initiative) standard. According to Rick Shanks, this standard above all mandates traceability within the food supply chain.

“Many food processors are not prepared to deal with the level of traceability required by the regulation,” says Shanks, national managing director of Aon Risk Services, the risk advisory division of Aon Corp. Traceability requires a high level of supply chain visibility, which has not always been available. That makes it more difficult to mitigate a food contamination incident such as salmonella in peanut butter or listeria on deli slicers. “When you have a food event, you have to be able to trace it back to its source,” says Shanks. Aon recently announced a service offering that helps food processors and producers achieve the necessary visibility.

A related force reshaping supply chains in the food and beverage industry is consumers’ increasing demand for visibility into the provenance of their food. Produce and seafood have been labeled to indicate origin for a few years now. The current “locavore” trend—which emphasizes eating locally grown food—stems in part from consumers’ beliefs that food grown and consumed nearby is less likely to become contaminated. Here, supply chains are shedding links to help allay consumer fears.

The earthquake in Haiti gives rise to questions about emergency preparedness in general for those traveling to third world countries. Although there is little tourism in Haiti, there is a great deal in the Dominican Republic, which shares the island of Hispaniola. The Caribbean in general is an active seismic area, and travelers to Caribbean islands put themselves at risk from earthquake, tsunami, flooding and severe tropical storms.

The results of the earthquake in Haiti are predictable. There is no communication and the transportation infrastructure is compromised. No one can get calls in or out of Haiti, and even calls to the Dominican Republic are exceedingly slow. Both cell and landline phone services are either out of service or severely compromised. I expect it will soon become hard to find potable water in Port Au Prince. The environment is dusty, hot and humid, with little safe shelter due to the risk of aftershocks and fire.

What should travelers do to prepare for these risks? The first step is to contemplate them: how many people go on a trip with no thought to the safety and security issues that they commonly consider at home? There is a broad range of issues one should consider prior to travel, including medical care, road safety and crime, to name a few. Specific to natural disaster, we advise clients to prepare for a few contingencies:

Loss of communication: people traveling in the third world should travel with satellite phones. They are the only reliable form of communication following a real emergency. Even cities will have overloaded cell and local circuits, but satellite telephone is a means of keeping in touch on the go.

Clean water: water safety in urban areas is a rare but hugely dangerous issue. When supplies of bottled water either dry up or lose their integrity, travelers risk diseases such as widespread dysentery, particularly cholera. It is therefore useful to pack a water treatment kit to insure that you can convert water from whatever source into drinking water and avoid dangerous dehydration. Use a filter rather than IR purification to minimize risks from inorganic substances that may be in the water.

Lighting: in my earlier career as a Secret Service agent, I found no tool as useful as a good flashlight. Its uses are limitless, but include signaling, evacuation and crime prevention. Travelers should get a good LED flashlight with a clip and carry it on their person or in their handbag.

Air safety: N95 masks protect against a wide variety of problems, but in this case can permit the user to breathe more easily in the midst of dust and other contaminants soiling the air. A smoke mask is also a good idea, and both masks can fit easily into a small luggage compartment or pocket.

This equipment takes up little space and may never be used, but when needed these items can prove essential.

The earthquakes in Haiti and Chile, as well as other recent natural disasters, raise questions regarding disaster preparedness for travelers. Much thought is given to man-made disasters such as terrorism, but relatively little to natural and unpredictable catastrophes. It is important for the corporate security manager or other c-level executives to embrace a holistic approach to risk mitigation including natural disasters and their results.

In the recent earthquakes, steps such as redundant communication systems and basic survival supplies could have helped travelers tremendously. Issuing satellite phones, like we do for Insite’s clients travelling to remote and less developed locales, would have helped tremendously in Haiti for example. Similarly, preparing travelers with basic medical supplies and the means of contacting a physician can also be of great help in emergencies where resources are stretched. Our partnership with World Clinic (www.worldclinic.com) provides our clients with a concierge medical solution that is prepared for disasters like the earthquakes of 2010 and other disasters we’ve witnessed over the past few years.

Lastly, where possible, security advisors should consider things such as building safety, construction standards and building codes in recommending hotel choices for travelers, as a variety of emergencies, such as fire, flood or earthquake, may make these judgments very important.  Prior to the Haitian earthquake we would have scoped out the hotels our clients were planning on staying in to ensure the soundness of their construction and would have planned for and provided evacuation planning.

Travel security goes well beyond the hiring of a driver or a physical security presence when traveling overseas; it requires a deeper level of thinking and preparation than can usually be handled in-house. Working with experts in this field can help mitigate problems when they arise thanks to proper planning and the ability to execute in difficult situations.

Has anyone recently dealt with a travel emergency? Be it foreign or domestic? Feel free to post and discuss!