Disclosure of climate-related financial risk

Stuart Browning

In light of underwhelming progress at COP-24 (the annual United Nations Framework Convention on Climate Change (UNFCCC) Conference Of the Parties (COP) in Katowice 2018), it is increasingly improbable the Paris Agreement’s ambitions will be achieved. Instead, it seems more likely that recommendations from the Financial Stability Board (FSB) will be the primary catalyst for effective action on climate change mitigation. Projections of the economic cost of climate change have always been somewhat dire (e.g. Stern (2006)); and have been mostly ignored by policy makers. However, the FSB have recommended financial risks due to climate change should be disclosed by all publicly listed companies. This is driving the financial sector to seriously consider the implications of climate change, and the results are likely to be sobering. With an understanding of risk comes investor pressure to minimise the risk, and this may well drive mitigation efforts above and beyond those achieved via the ‘heads-of-state’ level Paris Agreement.

Publicly listed companies are legally required to disclose material risks to their investors. This disclosure is especially relevant for banks, insurance companies, asset owners and managers when evaluating the allocation of trillions of dollars in investor capital. In 2017 the FSB released the final report of the Task Force on Climate-related Financial Disclosures (TCFD), which stresses that climate change is a material risk (and/or opportunity) that should be disclosed—preferably alongside other risks in annual reporting. The TCFD proposes a framework for climate risk determination and disclosure (Figure 1), where risk is classified into two main types: transitional and physical. Transitional risks are those that may impact business models through changing technologies and policies: examples would be a carbon tax, or stranded assets associated with redundant fossil fuel exploration and extraction. Physical risks are those associated with climate change itself: these could be chronic risks such as sea level rise, or acute risks such as more extreme storms, floods or droughts.

While climate change is expected to impact most businesses, even current exposure and vulnerability is not being adequately disclosed by most organisations. The Australian Securities and Investments Commission (ASIC) report in 2018 looked at climate risk disclosure in Australian companies and found that very few were providing adequate disclosure, thereby exposing themselves to legal implications; and more importantly, by failing to consider climate change as a risk, were potentially putting investor capital at risk. Companies that are attempting to disclose climate risk are typically doing so inconsistently, and with high-level statements of little use for investor decision-making (ASIC 2018). Quantifying organisational vulnerability and risk under climate change is a non-trivial task. Adequate implementation of the TCFD recommendations will likely occur over a >5 year timeframe (Figure 2). Initially companies are expected to develop some high-level information on general risk under climate change. As research progresses, disclosure should become more specific.

Understanding risk in terms of weather and climate has long been of interest to the insurance sector, but is now something expected to be understood and disclosed by all sectors. The Actuaries Institute have recently developed The Australian Actuaries Climate Index, which tracks the frequency of occurrence of extremes in variables of interest, such as temperature, precipitation, wind speed and sea level. The index provides a general level of information drawn from a distribution of observed variability. However, climate change will cause a shift in the distribution of events, meaning this information is of limited use for projections. The relationship between a warming climate and the frequency of extreme weather events is likely to be complex and peril and location specific. Quantifying physical climate risk requires an understanding of the physical processes driving climate variability, the technical expertise to work with petabytes of available data, and the capacity to run regional climate models for dynamical downscaling—these skills are typically restricted to research organisations and universities.

Useful risk disclosure will come from using the best available information to represent both past and projected climate variability. This means using a combination of observational and model based data. Exposure and vulnerability will need to be determined using weather station observations and reanalysis data. This will need to be organisation-specific and developed within the context of assets, operations, and physical locations. Risk projections can then be developed, and this should be done using scenario analysis across multiple time horizons: short, medium and long term. Short-term projections can be developed using established vulnerability together with seasonal forecasts. Medium- and long-term projections should be based on global climate model (GCM) projections developed within the framework of the Coupled Model Intercomparison Project (CMIP). These are the scenario-based industry-standard climate model projections used for the IPCC reports. The IPCC Fifth Assessment Report (AR5) was based on the CMIP5 suite of simulations. The next generation of simulations (CMIP6) are underway and should become publicly available from 2019-20 onwards. Projections of organisation-specific risk will need to be developed by downscaling GCM projections. The best results are likely to be achieved through a combination of statistical downscaling, dynamical downscaling, and machine learning.

Risk Frontiers utilises these projections within its suite of natural catastrophe (Nat Cat) loss models to investigate how losses may change in the future under different climate scenarios. Risk Frontiers adapts these Nat Cat models, developed for the insurance industry over the past 30 or so years to assist decision makers in estimating and managing catastrophe risk, to assess the impact of projected changes in weather-related hazard activity due to climate change as well as changes in vulnerability and exposure (Walker et al. 2016). In November 2018, The Geneva Association reported on the benefits of the integration of climate science and catastrophe modelling to understand the impacts of climate change stating that “Cat modelling is more relevant than ever”. With Nat Cat models being the ideal tool for this type of analysis, Risk Frontiers is strongly positioned to address the need for climate risk disclosure.

Figure 1: Factors identified in the TCFD report contributing to financial risk and opportunities under climate change (TCFD 2017).

Figure 2: Milestones in the implementation of the TCFD (TCFD 2017).

References

ASIC (2018) REPORT 593: Climate risk disclosure by Australia’s listed companies. (https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-593-climate-risk-disclosure-by-australia-s-listed-companies/)

The Geneva Association (2018) Managing Physical Climate Risk: Leveraging Innovations in Catastrophe Modelling. [Available Online] https://www.genevaassociation.org/research-topics/extreme-events-and-climate-risk/managing-physical-climate-risk%E2%80%94leveraging?utm_source=PRfullreport&utm_medium=media&utm_campaign=risk+modelling

Stern, N. (2006) “Stern Review on The Economics of Climate Change (pre-publication edition). Executive Summary”. HM Treasury, London. Archived from the original on 31 January 2010. Retrieved 31 January 2010.

TCFD (2017) Financial Stability Board, Final Report: Recommendations of the Task Force on Climate-related Financial Disclosures. (https://www.fsb-tcfd.org/publications/final-recommendations-report/)

TCFD (2017) Financial Stability Board, Final Report: Implementing the Recommendations of the Task Force on Climate-related Financial Disclosures. (https://www.fsb-tcfd.org/wp-content/uploads/…/FINAL-TCFD-Annex-062817.pdf)

Walker, G. R., M. S. Mason, R. P. Crompton, and R. T. Musulin, 2016. Application of insurance modelling tools to climate change adaptation decision-making relating to the built environment. Struct Infrastruct E., 12, 450-462.

CPS 234: Will you comply? Information Security standard for APRA regulated organisations

By Denny Wan[1] and Tahiry Rabehaja[2]

[1] Denny Wan is the principal consultant of Security Express and a postgraduate researcher at the Optus Macquarie University Cyber Security Hub. He has deep expertise in cyber risk quantification. His research focuses on applying cyber insurance concepts to supply chain risk management. He is the chair of the Sydney Chapter for the Open Group FAIR cyber risk framework.

[2] Dr. Tahiry Rabehaja is a Software Engineer at Risk Frontiers and a Research Fellow at the Optus Macquarie University Cyber Security Hub with expertise in probabilistic modelling and Information Security.


Synopsis

In November 2018, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234, making the board of regulated entities accountable for ensuring the adequacy and sustainability of their information security program. APRA’s standard was published 9 months after the Notifiable Data Breach scheme[1] came into effect in the first quarter of 2018. CPS 234 comes into full force in July 2019, with a 12-month extension for third-party supplier contracts until July 2020.

Prudential Practice Guide CPG 234, expected to be updated in the first half of 2019, is the primary guidance for the implementation of this prudential standard. However, APRA has confirmed that it will not provide guidance or method for the classification of the materiality of an information asset. A structured approach to cyber risk quantification similar to the now mature natural catastrophe risk modelling or operational risk management is important to ensure the impartiality of the classification methods.

What is CPS 234

The goals of CPS 234, as stated in the policy release announcement[2], are to:

  • shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach
  • ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face

Regulated entities are required to:

  • clearly define information-security related roles and responsibilities;
  • maintain an information security capability commensurate with the size and extent of threats to their information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

To ensure compliance, clause 13 explicitly makes the board of a regulated entity ultimately accountable:

13. The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Information security is a business problem

APRA has made it clear in its response to submissions on the draft CPS 234[3] that it intentionally makes boards accountable for information security. This clearly means that information security is a business problem and not just an IT challenge. In its response, APRA explained that some submissions sought clarification on the “materiality rules”. Page 7 of the response gives one example of such a request:

various requests for the application of a materiality threshold in relation to certain requirements in CPS 234 as the basis for determining the need to apply requirements or the degree of work required in applying certain requirements in the standard. For example, some submissions argued for a materiality threshold to apply in relation to testing the effectiveness of information security controls, and in determining the need to escalate and report testing results to the Board or senior management where security control deficiencies are identified that cannot be remediated in a timely manner;

The following emphasis is further stated on page 8 under the section “APRA Response”:

This reflects the fact that ensuring the information security of all information assets remains the responsibility of the regulated entity and that the Board is ultimately responsible for the information security of the regulated entity.

A reasonable interpretation of APRA’s response is that the board is responsible for determining the materiality of information risk and adequacy of the controls. This interpretation is echoed by several commentators [4] [5] [6].

How to comply with CPS 234

A key challenge in preparing for compliance with CPS 234 is the lack of prescriptive compliance guidelines. This concern is discussed by other commentators [7] and was also echoed in some submissions. APRA noted on page 8 in its response to the submission regarding the materiality of an information asset:

CPS 234 prescribes neither the classification method nor the level of granularity — these are left to the regulated entity to determine, as appropriate for the entity’s size and complexity

The standard identifies nine compliance areas:

  1. Roles and responsibilities (clause 13 – 14)
  2. Information security capability (clause 15 – 17)
  3. Policy framework (clause 18 – 19)
  4. Information asset identification and classification (clause 20)
  5. Implementation of controls (clause 21 – 22)
  6. Incident management (clause 23 – 26)
  7. Testing control effectiveness (clause 27 – 31)
  8. Internal audit (clause 32 – 34)
  9. APRA notification (clause 35 – 36)

CPG 234, released in May 2013, is the practice guide referenced in CPS 234 and covers most of these areas except information security capability (clause 15 – 17). APRA is expected to release a revised CPG 234 in the first half of 2019 to provide guidance on the implementation of CPS 234. However, it is clear from APRA’s response to the submission that the update to CPG 234 will not provide specific guidance on the classification method or the level of granularity in determining the materiality of an information asset. This can potentially create a challenge in complying with clause 15:

15. An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

As a result, the absence of a national cyber security standard or metric leaves the board responsible for eyeballing the materiality criteria and assessing the sufficiency of their information security program under clauses 13 and 15.

This is where a structured cyber risk quantification approach is important to provide an objective and quantifiable implementation of the compliance program. Currently, Risk Frontiers is partnering with the Optus Macquarie University Cyber Security Hub to develop a model for cyber security risk, parallel to its extensive work in natural catastrophe and rare event modelling. The cyber model aims at forecasting potential losses from tangible cyber-attacks given the profile of the victim. Such a model would provide the required metric to assess the potential severities of Information Security breaches for the underlying company.

[1] https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

[2] https://www.apra.gov.au/media-centre/media-releases/apra-finalises-prudential-standard-aimed-combating-threat-cyber-attacks

[3] https://www.apra.gov.au/sites/default/files/response_to_submissions_-_information_security_cross-industry_prudential_standard.pdf

[4] https://www.ey.com/Publication/vwLUAssets/ey-CPS-234/$FILE/ey-CPS-234.pdf

[5] https://www.minterellison.com/articles/apra-prudential-standard-cps-234-information-security-has-been-released

[6] https://www2.deloitte.com/au/en/pages/risk/articles/apra-cps-234.html#

[7] https://blog.compliancecouncil.com.au/blog/what-are-the-information-security-requirements-of-cps-234

Extreme weather tops global risks

Andrew Gissing

This week the World Economic Forum again published its Global Risk Report. The report is based on a survey that accesses insights across the Forum’s vast network of business, government and community leaders.

For the third year running, extreme weather was listed as the top global risk in likelihood of occurrence and within the top 5 in impact. Overall, environmental risks dominated the assessment with failure of climate-change mitigation and adaptation and natural disasters also recorded amongst the top risks. These risks were rated above others that commonly occupy the minds of policy makers and the media such as asset bubbles, terrorist attacks, energy price shocks, financial crises and many more. (See Figure 1)

The report expresses rising concerns regarding climate inaction stating that: “of all risks, it is in relation to the environment that the world is most clearly sleepwalking into catastrophe”. The report further reiterates recent messages from the IPCC about the extent of the global struggle to restrict warming and the dire warning by the recent United States National Climate Assessment that without significant reductions in emissions, average temperatures could rise by five degrees Celsius by 2100.

It is claimed that the disruption to the production and delivery of goods and services due to environmental disasters has risen by 29% since 2012, placing additional strain on the resilience of organisations and their customers.

The growing threat of sea level rise and the rising population of coastal megacities globally was featured. Some 800 million people already live in cities vulnerable to sea level rise up to 0.5 metres. According to the World Bank, 70% of the largest cities in Europe are susceptible to sea level rise. The phenomena pose significant risks to properties and infrastructure, though the economic risk globally is concentrated in low-lying coastal areas with significant asset values. The report cites research that $14.1 billion was lost from home values in parts of the US east coast due to sea level rise between 2005 and 2017.

Cyber risk was also rated highly with both massive data fraud and theft, and cyber-attacks being among the top five risks in likelihood of occurrence. Interestingly, respondents expected that cyber risks would increase in 2019. The associated vulnerabilities of essential infrastructure were a concern given recent examples of hackers gaining access to the control rooms of some utility companies in the United States.

For solutions, the report supports the need for action to rapidly decarbonize agriculture, energy, transport and industry to limit the rise of global temperatures and to establish plans for adaptation. The challenge of promoting proactive adaptation investment is, however, highlighted by citing statistics showing that spending on flood recovery is nine times greater than investment in flood mitigation.

Interestingly, the report offers advice on conceptualising the unimaginable by promoting a technique of imagining failure and then thinking about why such a failure may have occurred. Doing so is known as “prospective hindsight” and, according to psychologists, enables us to anticipate a broader and more vivid set of problems.

Risk Frontiers will continue to support our clients in addressing these top risks in 2019 through the continued licensing and development of our suite of natural hazard catastrophe loss models for Australia and New Zealand. Our partnership with the ARC Centre of Excellence for Climate Extremes will allow us to give our clients unique insights into how climate change may affect their business. Furthermore, we will continue our work on building a cyber loss model through the Optus Macquarie University Cyber Security Hub and in assisting Government clients to build safer and more resilient communities in partnership with organisations including the Bushfire and Natural Hazards Cooperative Research Centre.

For more on the report visit: www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

Figure 1: Global Risk Landscape 2019 (The Global Risk Report 2019, pp 5)

 

Analysis of fatalities attributed to Hurricane Florence in the US.

Jonathan van Leeuwen

Hurricane Florence impacted the US East Coast in September 2018 resulting in dangerous surf conditions, strong winds, storm surge and heavy rain producing significant flooding. The system made landfall over North Carolina as a Category 1 hurricane. While 1.7 million people received evacuation orders (The Independent, 2018), estimates of evacuees in shelters were around 30 thousand people (VOA, 2018), and total flood loss for residential and commercial properties in North Carolina, South Carolina and Virginia were estimated to be between $19 billion and $28.5 billion. Around 85 percent of residential loss is estimated to be uninsured (CoreLogic, 2018).
This article aims to identify key circumstances and demographic factors common in those who lost their lives as a result of Hurricane Florence.

We define a hurricane death as one which would not have occurred if the hurricane had not impacted, i.e. any death directly or indirectly caused by that hurricane. This includes deaths from the potential mechanisms of rain (e.g., filling a depression into which an individual may fall and drown) and its associated flooding (riverine, flash), storm surge, strong winds and high seas. It also includes deaths of persons carrying out activities specifically associated with the hurricane – e.g., taking measurements, preparing people, goods or buildings to evacuate or endure the event, and cleaning up after the event (e.g., an accident whilst running a generator that was required because strong winds from the hurricane have taken out the electricity supplies). Care needs to be taken with timing – for example, how long after a hurricane has passed should one attribute flood deaths to that hurricane? This will vary from one event to another and is best defined by the weather authorities, as in the case (e.g., for Australia) of a tropical cyclone decaying to a tropical low, which can produce rain long after the initial impact of the tropical cyclone.

By searching through articles from numerous media outlets, we have identified 53 hurricane deaths. Where possible, records were verified against multiple news sources. We also classified each record by the state and county in which the death occurred, 10 year age bracket, and by category of cause of death (e.g., deaths occurred while in a vehicle, deaths caused by falling debris). The results are also compared with previous research on fatalities associated with Australian Tropical Cyclones by Coates, et al. (2017).

Results and analysis

The most common circumstances that caused fatalities were related to vehicles (n=26, 49%) and flooding (n=23, 43%). Only one vehicle incident causing multiple deaths was identified. Fourteen (26%) fatalities resulted from vehicles being washed off roads and nine (17%) from vehicles colliding with obstacles due to water on the road causing aquaplaning or heavy rain causing low visibility. Most incidents involved only private vehicles, but two people died when a prison transport van was driven into floodwater and one person died driving a semi-trailer truck which aquaplaned, left the road and struck an undescribed obstacle. Only two flooding related fatalities were not also related to vehicles: a child playing in water which was deeper than normal due to preparatory release from a dam and a man who refused mandatory evacuation and was subsequently trapped in a caravan trailer.

Four people died as a result of a tree falling on their residence or vehicle during the hurricane, while other debris related circumstances included vehicle striking fallen tree, tree falling during clean-up operations and a woman who died after suffering a heart attack as emergency services could not get to her due to debris on roads. Two people died from carbon monoxide poisoning while running a generator indoors due to power outages, while other circumstances relating to death included loss of power for an oxygen concentrator and electrocution while attempting to connect extension cords to a generator in heavy rain. Two people died in a house fire which was caused by candles used after a loss of power. Two people fell from ladders and another person suffered unspecified injuries while cleaning debris from the storm or making repairs. Three people died in circumstances relating to evacuation, one of whom fell while packing for evacuation, one on a moped while evacuating and one who fell and struck his head in a hotel to which he had evacuated.

Victims were most commonly 70 years old and above. No deaths were recorded for people between 10 and 19 years old, but there were a few fatalities under 10 years old. The deaths of those under 10 years old were caused primarily by trees falling on homes, and being in cars that were driven into floodwater by an accompanying adult. Figure 1 shows fatalities in 10-year age categories as a percentage of all fatalities where age was reported.

Figure 1: % of fatalities by 10-year age category

Males represented 74% of the deaths where the gender of the deceased was specified; however, a higher proportion of females died in circumstances relating to vehicles (58%) compared to males at 35%. More males died in circumstances relating to preparing for, activities during, and clean-up after the event such as checking on possessions, setting up generators, swimming in dangerous conditions or clearing debris.

Discussion and conclusion

The consequences of Hurricane Florence provide a clear reminder of the dangers associated with driving vehicles during and after severe weather, and the importance of avoiding driving through floodwater. Severe weather is shown to increase risks associated with evacuating by vehicle.

Figures 2 and 3 compare key demographics between fatalities from Hurricane Florence and a historical analysis of fatalities due to tropical cyclones in Australia from 1970 to 2015 by Coates, et al. (2017). Our analysis of deaths resulting from Hurricane Florence demonstrates a consistent gender distribution with Australian historical data. This supports the conclusion that males are more likely to be in hazardous situations or undertake risky behaviours than females in these types of events. However, the two data sets differ markedly in age demographics, with much younger victims in Australia than Hurricane Florence.

Figure 2: Comparison of Hurricane Florence fatalities by age with historical Australia cyclone fatalities (Coates, 2018)
Figure 3: Comparison of Hurricane Florence fatalities by gender with historical Australia cyclone fatalities (Coates, 2018)

References

The Independent, 2018. Hurricane Florence: Residents ignore evacuation orders in North Carolina ‘hoping God protects us’ as storm hits. The Independent. [Online] Available at: https://www.independent.co.uk/news/world/americas/hurricane-florence-nc-residents-evacuation-god-north-carolina-evacuate-storm-a8536611.html [Accessed 3 December 2018]

VOA, 2018. What’s Happening: Florence by the Numbers. VOA News. [Online] Available at: https://www.voanews.com/a/whats-happening-florence-by-the-numbers/4573595.html [Accessed 3 December 2018]

CoreLogic, 2018. The Aftermath of Hurricane Florence is Estimated to Have Caused Between $20 Billion and $30 Billion in Flood and Wind Losses, CoreLogic Analysis Shows. CoreLogic. [Online] Available at: https://www.corelogic.com/news/the-aftermath-of-hurricane-florence-is-estimated-to-have-caused-between-20-billion-and-30-billion-in-flood-and-wind-losses-cor.aspx [Accessed 4th December 2018]

Coates, L., Haynes, K., Radford, D., D’Arcy, R., Smith, C., van den Honert, R., Gissing, A. 2018. An analysis of human fatalities from cyclones, earthquakes and severe storms in Australia. Report for the Bushfire and Natural Hazard Cooperative Research Centre.