Cyber Attack on the Australian Parliament and the Lessons Learned

The following article was published by the Australian Outlook on March 4th, 2019. It highlights some of the most important technical and political points regarding the recent cyber attack against the Australian Parliament Network and other political parties.

Risk Frontiers are a partner in the Optus Macquarie University Cyber Security Hub focusing on quantitative risk modelling of cyber risks.


In the lead up to the federal election, the Australian Parliament and multiple political parties have been hit by a sophisticated cyber attack. Experts are divided on who is to blame but the attackers had clear motives and there are some key lessons to learn from this incident.

By Associate Professor Christophe Doche, Dr Stephen McCombie and Dr Tahiry Rabehaja

On February 8, reports emerged regarding an attempt to infiltrate the Australian Parliament network, which is primarily used to exchange emails and store data. On February 18, Prime Minister Scott Morrison and Opposition Leader Bill Shorten addressed the Parliament to acknowledge the attack. The next day, the Australian Cyber Security Centre (ACSC), which is now part of the Australian Signals Directorate (ASD), confirmed that a cyber actor gained illegal access to the networks of the Liberal, Nationals and Labor parties.

Since then, investigations have revealed that the attack was sophisticated and most likely state-sponsored. It is understood the initial breach was the result of a phishing campaign, where a staff member opened an infected document attached to an email. Once the criminals got a foothold on a computer attached to the network, they scanned and infected other targets, including intranet servers. They were then able to redirect network traffic in order to exfiltrate data. They also erased logs to cover their tracks and placed additional malware to maintain control of the infected systems for later use.

Digital forensics analysis has shown that the attack relied on a series of malware and exploits which, in several cases, were slight modifications of existing open source tools. That is what fooled primary anti-virus software. Many of these open source tools are, ironically, used by the ethical hacking community to find vulnerabilities in computers and systems with the aim of reporting and, ultimately, fixing them. They are written in the popular language C# for the .NET framework. All these factors indicate there was a clear desire from the attackers to remain undetected for as long as possible and to make attribution – the identification of the perpetrators of the attack – a difficult task.

Figure 1: Reverse engineering some parts of the malware used by the hackers shows that they leverage well-known penetration testing tools (source: Yoroi).

Although there is no clear evidence – at least none that has been released – the media speculation is that China is most likely behind this attack. China has a long history of cyber espionage operations globally and also locally against the Australian Government, our defence sector, mining industries and even universities. This incident happened on the back of the banning of Huawei from Australia’s 5G network, recent tensions in regard to trade and multiple claims of improper Chinese influence on Australian political parties. There have also been reports that Iran may have been the perpetrator but it is difficult to see what they would gain in Australia from such an action. They have been active in recent times against US targets and may perhaps see Australia as a way into the Five Eyes intelligence alliance; alternatively, our close relationship with Israel (their bitter enemy) and plans to formally recognise West Jerusalem as the capital of Israel may have made us a target.

Perhaps most surprising is that this attack was actually successful at getting into the Parliament and Australia’s major parties, despite the amount of warning of the potential for such attacks to occur. Attacks on the Democratic National Committee in the United States in 2016, which accessed multiple email accounts including that of Hillary Clinton’s campaign director, by Russian Military Intelligence (GRU) are well known and documented. In the aftermath, members of the Democratic Party visited a number of European countries and spoke to political parties to specifically warn of the risk of such cyber breaches. Similarly, the ASD briefed political parties on threats to our elections in 2017. In July 2018, the Australian Government also offered $300,000 to help political parties shore up their cyber security. In addition, the Government has significantly grown the scope and size of the ACSC and other cyber capabilities. Despite this, these attacks have penetrated our Parliament and major political parties just months before a highly contested election where matters of relations with China are likely to be debated.

One key observation here is that the Government has a very large cyber risk footprint. It employs tens of thousands of employees and human beings have always been part of cyber security issues and solutions. This incident is no exception. Governmental networks are complex, shared and scaled infrastructures, which greatly increases the chance of overlooking security lapses and facilitates the propagation and replication of attacks to other agencies cheaply and quickly. Government agencies are also very attractive targets. They hold a large volume of confidential and personally identifiable information, they are the top target for politically motivated attackers and cyber warfare, and they are amongst the main victims of cyber espionage. This means that they are attracting multiple categories of threat actors ranging from organised cyber criminals looking for financial gains to advanced persistent threats backed by state actors. The Australian Parliament network incident emphasises these three points, but also highlights the Government’s large cyber attack surface area, since such an attack could have occurred in any one of the many interlinked agencies’ digital information and infrastructure.

Although the response to this incident has been swift and there is no evidence that any data has been leaked, the ACSC has warned that the actor, whoever it may be, will probably further target other Australian Government departments. The Government needs to understand, build and protect its digital infrastructure, and associated exposure, with the appropriate controls and responses. The NSW Government and the Government Chief Information Security Officer have taken a leading role in this area by releasing in February 2019 the NSW Cyber Security Policy. Among other measures, this policy mandates every agency to identify its crown jewels – its most valuable or operationally vital systems or information – and implement regular cyber security education for all employees, contractors and outsourced ICT service providers. These two measures alone will go a long way to improve the cyber resilience of NSW Government agencies.


Associate Professor Christophe Doche is executive director of the Optus Macquarie University Cyber Security Hub, the first initiative of this kind in Australia, linking academics in information security, business, criminology, intelligence, law and psychology together with cyber security experts from industry. As part of his role, he oversees research, education and thought leadership activities in cyber security.

Dr Stephen McCombie is a senior lecturer in Cyber Security at Macquarie University. His current research interests are in digital forensics, cyber threat intelligence and information warfare. His research draws on a diverse background in policing, security and information technology over the last 30 years. He has also held senior positions in information security with IBM, RSA, National Australia Bank and most recently SecureWorks.

Dr Tahiry Rabehaja is a Software Engineer at Risk Frontiers and research fellow at the Optus Macquarie University Cyber Security Hub specialising in quantitative risk modelling. He has a background in information security and formal program verification and, in particular, the development of mathematical models for quantifying confidentiality in programs. His current research is on the quantification of cyber security risk.


Townsville 2019 flood – insights from the field

By Andrew Gissing, James O’Brien, Salomé Hussein, Jacob Evans and Thomas Mortlock

Flooding impacted large areas of Townsville from Wednesday 30th January 2019, as a consequence of heavy rainfall across the north of Queensland. The Bureau of Meteorology (BoM) noted that 370mm of rain fell within 24 hours at Paluma near Townsville. Almost 3300 properties were damaged, thousands were asked to evacuate and there were widespread blackouts. The flooding came in waves, with the initial rainfall causing around 30 cm of flooding in the worst affected areas. This subsided somewhat before more rain fell in the catchment, necessitating the release of water from the Ross River Dam, which led to flood depths of up to 1.6 m over floor height.

These were the highest rainfall volumes on record for this area, with most rain gauges suggesting the rainfall volume was on the order of at least a 1:200 year event. In some areas, like Mt Margaret, it was much greater than this. This rain event was produced by the southern arm of a low pressure trough that was centred over the Gulf of Carpentaria, drawing rain in from the Coral Sea. The low pressure system was part of the monsoonal trough which occurs around this time of year. This same causal event was also responsible for the generation of Cyclone Oma, which has concerned people tuning in to the regular Bureau of Meteorology updates.

While it is not possible to say whether climate change played a role in the intensity of this event, the event occurred after the final breakdown of the blocking high pressure system in the Tasman Sea which was the cause of the sustained heatwave conditions over much of Southeast Australia in January and delayed the onset of the monsoon. There is some theoretical base to suggest the stationarity of synoptic weather systems may increase with a weakening of the summertime circulation associated with anthropogenic warming, although there is little coherent evidence for this at present.

Risk Frontiers and Insurance Council of Australia staff visited Townsville on 11th and 12th February, supported by a grant from the Bushfire and Natural Hazards CRC. The aim was to undertake unstructured interviews with residents and business operators to gain preliminary insights into impacts and responses to warnings and to examine initial recovery. In total, more than 20 residents and six business operators were spoken to. This briefing note highlights key preliminary themes that arose from this research.

Research Preparation

Before arriving in Townsville, Risk Frontiers acquired the Townsville city maps which indicated the likely flooding from a 2000 m3/s release from the Ross River dam and georeferenced that image onto the city. This was done by using the coordinates published on the frame of the map (the graticule) and linking that to points of reference on the ground. [See figure 1]

Image classification was then used to extract the colours from the map which corresponded to the different depths of potential inundation and a GIS layer corresponding to those depths was created. Depths were then determined for every G-NAF (Geocoded National Address File) point which fell within the inundation layer and were mapped accordingly. OpenStreetMap data was also incorporated for a reference to the streets and other points of interest in the city, and the landuse data from ABS meshblocks (the smallest statistical area containing around 20 households) was used to quickly separate residential from commercial and industrial building types.

The purpose of this map was to identify the most affected areas to prioritise the investigation and to assist in validating the modelled depths (which seemed to be very accurate, with minor exceptions usually being lower elevations in parkland or likely due to very minor shifts (e.g. <1m) in registration of the image prior to the analysis being performed).

Figure 1: Sample Townsville map showing modelled flood extents and depths from Townsville City Council and inferred property depths


Residential flood damages in the main appear to have been restricted to the ground storey areas of raised dwellings, with peak flood heights reaching roughly halfway through these first floor or understorey living areas. In many cases it would appear that these spaces were occupied at the time of the flood and, in some instances, rented to others. The majority were certainly used for extensive storage. There was a smaller number, approximately one quarter, of lower-set, slab-on-ground dwellings in which flooding impacted main living areas.

Almost every home and business on the floodplain had a large muddy pile of possessions stacked by the roadside awaiting council pick-up [figure 2]. Common residential items damaged were carpets; household appliances such as fridges, washing machines, dryers; cupboards and drawers; fabric lounge chairs, chairs and tables; hardware; bedding; doors and outdoor furniture. Some residents mentioned stacking goods on tables or on shelves within the ground storey to attempt to put goods above the floodwaters or to relocate smaller, valuable items to the upper storey (where possible). At least one resident employed the creative solution of placing valuable items on inflatable platforms.

As many living spaces were spared damage on upper floors, the majority of people appeared to have remained living in their homes. Those whose dwelling was not habitable reported staying with friends.

Commercial damages largely varied with the type of business. We observed a number of businesses that had suffered significant losses. For example, the Townsville RSL suffered a total loss downstairs due to the floodwaters and was also in the process of stripping the upstairs due to mould that developed following the flooding. The RSL noted that they were receiving support from other clubs (e.g., supplying the RSL with their surplus equipment) and expected to have the upstairs of their business operating again within four weeks. However, they faced longer lead times for suppliers to fully refit the downstairs and were estimating business interruption of some six months.

Some businesses reported that they could not move large pieces of equipment to protect them in time. Most reported that they were insured and some said that they had sufficient warning time to relocate equipment, including stock and computers, with only minor damage suffered. An electrical / solar installation business had lost around $10k worth of stock after up to 1.5m of water affected their business. The manager said he had redeployed half of his workforce to make safe existing solar installations where the equipment (inverters or isolators) may have been damaged by brackish water while the other half of his workforce completed new installations. He estimated that, with 400 installations to inspect and make safe, it would be many weeks before his workforce would be back to business as usual.

Most flood-affected businesses had closed for a week to enable clean-up and restoration to occur, with some reporting slightly longer shutdowns as they had made preparations in the Thursday and Friday before flooding. They operated without electricity in general for four or more days (Monday 4 February to Thursday 8 February) but continued to clean up. The majority had restarted trading if they had power reconnected and had not suffered significant losses (e.g., the local Ford dealer, automotive workshops and electrical wholesalers were operational) but a number of restaurants and cafes were shut along Charters Towers Road in south Townsville, presumably due to a lack of electricity and spoiled food due to a lack of refrigeration and perhaps mould in their kitchens. Outside of the flood-affected areas a café operator reported that they had lost their food supplies and were still working to get back to being fully stocked.

Figure 2: Roller doors in Eastern Idalia potentially damaged by an electrical short. High flow flood waters were ruled out as a cause based on lack of debris and vegetation.

While significant flood velocities were not reported in Idalia, some structural damage was observed to a few roller doors which were electrically operated. It was surmised that there may have been an electrical short causing the motor to attempt to open the door while it was locked in place, twisting and bending the door upwards within its frame. Figure 2 shows an example of this. There was also one occurrence of a tree having fallen on a building, seen in figure 3.

Figure 3: Debris and furniture in the foreground. In the background, a tree has fallen on the roof of what appears to be a childcare centre.
Figure 4 – Showing damage to a commercial property’s roller doors in Hyde Park.

Across the wider Townsville community, many schools had been closed as flooding was occurring and have now reopened, but a number of early-childhood centres remain closed. Several parks with play equipment have also been closed.

Recent commercial developments were also subject to flooding. These buildings have floor levels set above the one in one hundred year flood level, but that wasn’t sufficient to prevent significant water depths flowing through them. This included a large number of shops in Fairfield where BP, Bunnings, the Fairfield Central Shopping Centre (Woolworths, Kmart and a number of smaller businesses) and Fairfield Homemaker Centre (Petbarn, Pillowtalk, Godfreys etc.), were all still closed a week after floodwaters had subsided.

Community response to warnings

The Bureau of Meteorology, Townsville Council and the QLD Fire and Emergency Services (QFES) provided warnings and information to the community throughout the event via websites, traditional media, door-knocking and social media. The local Council also utilised text messages and other social and traditional media to convey information during the flooding and the dam release.

Many in the community appeared to be caught off-guard by the scale and speed at which the flood occurred. Others believed that residents simply did not believe that the magnitude of the flood would eventuate. They discussed how their decision-making was influenced by a number of past flood events and many spoke of their memories of previous events and then the realisation that this was going to be a larger event when their local landmarks of previous flood extents were submerged.

Overall, people described flood warnings as ‘okay’. Some implied they had found the warnings and particularly the maps difficult to understand and, as a result, misinterpreted the potential level of floodwaters at their house. Others, however, noted that, while text message warnings were vague, it had prompted them to seek further information from the range of sources available and to “take responsibility” for what might happen to them. Suggestions for improvement included providing warnings more regularly and, in regard to the dam release warning, earlier. The suggestion that “if council knew there was a hard limit and the gates would open automatically that should have been conveyed” was repeated a number of times. There was limited criticism of the dam operators, with the majority feeling that “they had done a good job” under difficult circumstances and had the water not been released “it would have been a lot worse”. A dissenting opinion was that, if the dam is to be used for flood control, it should be largely empty before the wet season to maximise the ability of the dam to retain flood waters.

There was significant local flood experience among the worst affected areas in Hermit Park and Rosslea, with many locals stating they had lived in the area for a long time (some with family experience back to the 1940s) and they were well aware of the nature of flooding in the area. They hypothesised that some development had made the flooding worse (infilling of an old rubbish dump with a retaining wall that acted as a dam or levee at Bicentennial Park, for example); recollections of watching floodwaters overtop what is now Idalia while remaining dry in Rosslea were also common. The refrain “how could they have allowed that development” was heard from a number of long-term residents.

Initial Recovery

Both formal and informal mechanisms were observed to have assisted recovery efforts. Emergency services, defence personnel and council staff were assisting with the clean-up. Others brought assistance for those affected on an informal level, and family and friends assisted in the clean-up. In general, the mood among those we spoke to was upbeat, with the majority having insurance and stating “it could have been worse” or “I’m lucky, others have it worse than me” – often while standing beside a pile of ruined belongings on their lawn. The generosity of the flood victims was also apparent, with most people offering us water, food, a spare hat etc. despite having had a difficult time already and with likely more hard work ahead of them.

The resilience of the community was reassuring and inspiring.

Discussion and conclusions

Though Townsville had just experienced a significant and very damaging event, we were left with a sense that the community was functioning, and that there was resilience amongst community members, who seemed to be getting on with the job of cleaning up despite significant uncertainty over the coming weeks through the recovery.

Despite commentary about the size of this flood being unprecedented, bigger floods are definitely possible in Townsville (even denoting this event as a 1 in 500 year event it is far below the potential extent and depths likely to be experienced by a Probable Maximum Flood (1 in 10,000 year event)) and there is much to be learnt from this event. The physical and social impacts would have been far greater had the floods been only a little higher as they would have inundated living spaces of two-storey homes, making them entirely uninhabitable and doubling (or worse) losses for families and debris to be collected and dramatically increasing the displaced population.

There are significant opportunities to better understand community risk perceptions, responses to warnings, sheltering behaviours and flood damages, as well as gaining evidence of the effectiveness of flood mitigation and flood warning systems.

Several policy and communication issues are already apparent, including:

  • what should be done to reduce flood damages in enclosed ground floor areas of raised dwellings? At the least these areas should not be rented as habitable space to others
  • while the Townsville community is fortunate to have the resources of the Australian Defence Force nearby, a larger flood would have necessitated many more rescues which might have overwhelmed their capability. In any case, without local defence resources, a much wider emergency response would have been required
  • as raised in our previous briefing note on land-use planning in flood prone areas, it is essential to adopt a risk-based approach to floodplain management and to ensure that the disclosure of risk considers all event magnitudes.


To build or not build: that is the Townsville question

Andrew Gissing

Many would remember the computer game SimCity, an opportunity to build fictitious cities, with the aim of being re-elected as mayor and generating enough tax revenue to maintain vital community infrastructure. Despite the advanced level requiring some consideration of fires, alien attack and other hazards, for the average player it was all about city growth. In real life, however, hazards occur, and we need to plan for them whilst balancing numerous competing priorities. ‘How’ is often a hotly debated topic.

Planning for floods

Media criticism has been levelled at the development of flood prone areas in Townsville with some of the flooded areas described as ‘newly built’, implying that they were approved in the modern era when there should have been a good understanding of the flood problem. Land use planning is an essential component of disaster risk management and hence is vital in managing existing, residual and future flood risks.

Australian Defence Force members assist with the clean-up of a newly developed Townsville Estate

Many areas of Australia have adopted land use planning policies for residential buildings based on the 1% Annual Exceedance Probability (AEP) flood with an additional level of freeboard applied (safety factor). There is no national standard to define flood planning levels and such policies must be suitable for individual communities ((National guidance regarding the floodplain management process including key considerations for managing flood risk can be found at

A community survey undertaken by Townsville City Council in 2015 identified the risk appetite of residents for different classes of development. Flooding of residential and commercial buildings in the 1% AEP event (1 in 100-year Average Recurrence Interval (ARI)) was viewed as unacceptable but flooding in the 0.2% AEP event (1 in 500 yr ARI) was acceptable to most.

For many years in Townsville land use planning was based on the 2% AEP event (1 in 50 yr ARI) ((The 2009 Townsville Natural Disaster Risk Assessment Study says that the 1% AEP standard was only recently introduced.)). Other Queensland communities, for example Bundaberg, have also used this level in the past ((Since changed to the 2013 flood level which is equivalent to the 1% AEP event and largest flood on record.)). In recent times Townsville City Council adopted the 1% AEP event as the defined flood level with four classes of flood hazard to establish development controls as shown in Appendix 1. Given that the flooding experienced in the 2019 event was significantly greater than the 1% AEP event it is not surprising that many newly developed suburbs were affected.

Whilst development in High hazard areas is avoided, development in areas of Medium hazard within the extent of the 1% AEP flood appears allowable, but with buildings needing to have floor levels above the 1% AEP flood level ((Essential infrastructure at a minimum is required to be developed above the 0.5% AEP level. Higher requirements are set for hospitals, emergency service facilities and major electricity infrastructure which are restricted to areas above the 0.2% AEP event.)) to limit flood damage. Such an approach is not necessarily uncommon but should require an assessment of access and egress safety and require the continued policing of regulations to prevent development below approved floor levels. Previous Risk Frontiers flood investigations have observed development of ground floor spaces for habitation, and in some instances renting of these spaces to vulnerable or low-income tenants (e.g. Lismore).

In communities that may become isolated in frequent events but inundated in rarer events or for which isolation duration is intolerable, consideration should be given to the feasibility of community evacuation in events rarer than the 1% AEP flood. This should avoid the creation of low flood islands where evacuation access is lost early in a flood only for residents to later experience inundation. Adequate warning time for residents to evacuate is of course essential.

Existing land-use planning policies in Australia are largely probability based, reliant on set thresholds and do not fully account for the level of flood risk that would require wider consideration of possible flood consequences above a defined flood level. After the 2011 Queensland floods, the Queensland Chief Scientist stated:

Currently nearly everywhere in Australia the 1% AEP event, or ‘1 in 100 year flood’, with an appropriate additional height (or freeboard) for buildings is designated as having an ‘acceptable’ risk for planning purposes, regardless of the potential consequences of the flood.

Other countries such as the United Kingdom and the Netherlands ((Other cities globally have very little building controls, as was apparent after Hurricane Harvey in Houston.)) have adopted higher standards. For other hazards in Australia more stringent regulations have been adopted: for example, building standards for earthquakes are based on a 1 in 475-year ARI event. Floodplain Management Australia (the peak body for floodplain management practitioners in Australia) has long supported the need to adopt a risk-based approach. Some South East Queensland councils have adopted such an approach, including the application of building controls above the 1% AEP flood. The national flood manual states:

Considering the full range of flood risk in zonings can encourage development in locations where it is compatible with flood function and flood hazard, and where emergency response arrangements are sustainable.

As Townsville recovers and continues to grow as a major Australian regional city it will need to balance multiple competing interests. There is an opportunity cost involved in prohibiting development that must be balanced against the level of flood risk. In NSW, for example, this balance has long been referred to as involving a ‘merits-based’ approach that requires the balancing of social, economic, ecological and flooding factors.

Policy makers should also consider whether existing policies are consistent with the risk appetite of local communities, which is not often well defined. The Queensland Floods Commission of Inquiry stated:

Whether the 1% AEP flood constitutes an acceptable level of risk for development, and in particular residential development, is a vexed issue. The consequences of flooding are likely to be at their most disastrous for residents and homeowners. Floodplain Management in Australia recognises this: according to it, the community must play a role in determining what level of flood risk it is prepared to live with.

The 1% AEP flood level is not necessarily fixed and should also be expected to evolve over time. The introduction of the new Australian Rainfall and Runoff guidelines and collection of new flood and rainfall data may alter understanding of flood risk. Climate change impacts must also be considered as flood frequency may change in the future.

There is a need to inform residents of the full extent of the risk

Though it is obviously possible to identify flood levels beyond the 1% AEP event, flood mapping available online through the Townsville City Council (“Townsville Maps Flooding”) does not provide information for this. This is not uncommon in Australia, which has inconsistent practices concerning the disclosure of flood risk information across local authorities. Often risk disclosure is limited to areas subject to planning overlays defined typically by the 1% AEP flood. Without risk disclosure, residents living in areas susceptible to rarer events may be unaware of their risk. This may result in residents opting out of flood insurance believing their property is flood free.

Eburn and Handmer (2012) ((Eburn, M and Handmer, J., ‘Legal Issues and Information on Natural Hazards’ (2012) 17 Local Government Law Journal, 19-26)) suggest that the reluctance, at least anecdotally, to disclose risk information is driven by legal liability. It is subsequently argued that the risk of disclosing reasonably accurate hazard information in a planned manner is less than deliberately withholding information.

This issue requires further consideration and action. The Victorian Government, for example, has committed to ensuring the full disclosure of flood risks to individuals beyond the 1% AEP event through the Victorian Flood Management Strategy, and some local councils in other areas already disclose the risks associated with extreme flood events.

Of course, consideration must be given as to the most effective manner of communicating such information so that it is easily understood. It is well known that the ‘1 in 100-year flood’ is a widely misunderstood concept amongst community members. Further risk communication efforts are necessary in this regard.

Risk Frontiers regularly undertakes post event research to inform future policy and to improve the estimation of damages. Risk Frontiers visited Townsville this week with the support of the Bushfire and Natural Hazards Cooperative Research Centre. A further Briefing Note is under preparation to outline our key findings. Please contact Andrew Gissing for further detail.

Appendix 1


Global Tropical Cyclone Landfalls, 1970 to 2018

Roger Pielke, Jr. (University of Colorado and Associate of Risk Frontiers) and Ryan Maue (Cato Institute and

In 2012 we (along with Jessica Weinkle) published a time series of historical global tropical cyclone landfalls (available here in PDF). Much to our surprise at the time, no such database had previously been assembled. Since then we have updated our dataset on an annual basis, and report here some details of our 2019 update, which extends our global time series to 1970 to 2018.

We employ the definition of a tropical cyclone landfall used by the U.S. National Hurricane Center as “the intersection of the surface center of a tropical cyclone with a coastline.” We include all major land areas and islands, but do not include some tiny islands (see our paper for details). Also, landfall data are available for many basins prior to 1970, which we employ as the starting date for our comprehensive, homogenous, global dataset. Finally, for consistency we categorize tropical cyclones using the Saffir/Simpson scale, recognizing that other metrics of intensity are used around the world.

The figure below shows the total number of tropical landfalls at hurricane strength for 1970 through 2018. Note that 2018 data are preliminary, and will be finalized when each reporting agency finalizes their “best track” data. There is no obvious or simple trend in the data, and one can generate up or down trends by picking and choosing dates to examine.

Similarly, the figure below shows these data separating out S/S category 1 and 2 storms (black bars) from those at S/S category 3+. Again, there are no simple trends observable over this period.

Here are some summary statistics for these data:

  • All landfalls: 15 (median), 15.3 (average), 4.4 (sd)
  • Categories 1 & 2 at landfall: 10, 10.5, 3.8
  • Category 3+ at landfall: 4, 4.8, 2.5
  • Most total landfalls in one year: 30 (1970)
  • Fewest total landfalls in one year: 7 (1978)
  • Most Category 3+ landfalls in one year: 9 (1999, 2004, 2005, 2007, 2008)
  • Fewest Category 3+ landfalls in one year: 0 (1981)
  • Most total landfalls over a 10-year period: 177 (1988-1997)
  • Fewest total landfalls over a 10-year period: 120 (1975-1984)
  • Total landfalls 2009-2018: 140
  • Most Category 3+ landfalls over a 10-year period: 65 (1999-2008)
  • Fewest Category 3+ landfalls over a 10-year period: 33 (1978-1987)
  • Total Category 3+ landfalls 2009-2018: 44
  • Total landfalls 1970-2018: 750 (516 were Categories 1 & 2, 234 were Category 3+)

While data on global tropical cyclone occurrence are of utmost importance in understanding storm dynamics and how they may be changing, now and in the future, landfall data are of particular importance to those whose focus is on damage, including insurance and reinsurance.

To that end, Aon has also started to publish annual statistics on global landfalls (available here in PDF). The Aon dataset, which uses slightly different definitions and methods than we do, is for 1980 through 2018 and is correlated with our dataset at 0.96 (more precisely: our counts differ only in 6 of 39 years, in most cases by just 1 storm).

Both datasets indicate for the world as a whole, and in each of its ocean basins that experience tropical cyclones, there is at present little empirical evidence to support claims that land-falling tropical cyclones have increased in number or intensity on climate time scales.

In an era where the weather is often the subject of contentious political debate and modern communication technologies can bring every disaster to our living rooms, it remains important to maintain an empirical perspective on long-term trends in those extreme events which cause death and destruction around the world.

Disclosure of climate-related financial risk

Stuart Browning

In light of underwhelming progress at COP-24 (the annual United Nations Framework Convention on Climate Change (UNFCCC) Conference Of the Parties (COP) in Katowice 2018), it is increasingly improbable the Paris Agreement’s ambitions will be achieved. Instead, it seems more likely that recommendations from the Financial Stability Board (FSB) will be the primary catalyst for effective action on climate change mitigation. Projections of the economic cost of climate change have always been somewhat dire (e.g. Stern (2006)); and have been mostly ignored by policy makers. However, the FSB have recommended financial risks due to climate change should be disclosed by all publicly listed companies. This is driving the financial sector to seriously consider the implications of climate change, and the results are likely to be sobering. With an understanding of risk comes investor pressure to minimise the risk, and this may well drive mitigation efforts above and beyond those achieved via the ‘heads-of-state’ level Paris Agreement.

Publicly listed companies are legally required to disclose material risks to their investors. This disclosure is especially relevant for banks, insurance companies, asset owners and managers when evaluating the allocation of trillions of dollars in investor capital. In 2017 the FSB released the final report of the Task Force on Climate-related Financial Disclosures (TCFD), which stresses that climate change is a material risk (and/or opportunity) that should be disclosed—preferably alongside other risks in annual reporting. The TCFD proposes a framework for climate risk determination and disclosure (Figure 1), where risk is classified into two main types: transitional and physical. Transitional risks are those that may impact business models through changing technologies and policies: examples would be a carbon tax, or stranded assets associated with redundant fossil fuel exploration and extraction. Physical risks are those associated with climate change itself: these could be chronic risks such as sea level rise, or acute risks such as more extreme storms, floods or droughts.

While climate change is expected to impact most businesses, even current exposure and vulnerability is not being adequately disclosed by most organisations. The Australian Securities and Investments Commission (ASIC) report in 2018 looked at climate risk disclosure in Australian companies and found that very few were providing adequate disclosure, thereby exposing themselves to legal implications; and more importantly, by failing to consider climate change as a risk, were potentially putting investor capital at risk. Companies that are attempting to disclose climate risk are typically doing so inconsistently, and with high-level statements of little use for investor decision-making (ASIC 2018). Quantifying organisational vulnerability and risk under climate change is a non-trivial task. Adequate implementation of the TCFD recommendations will likely occur over a >5 year timeframe (Figure 2). Initially companies are expected to develop some high level information on general risk under climate change. As research progresses, disclosure should become more specific.

Understanding risk in terms of weather and climate has long been of interest to the insurance sector, but is now something expected to be understood and disclosed by all sectors. The  Actuaries Institute have recently developed The Australian Actuaries Climate Index, which tracks the frequency of occurrence of extremes in variables of interest, such as temperature, precipitation, wind speed and sea level. The index provides a general level of information drawn from a distribution of observed variability. However, climate change will cause a shift in the distribution of events, meaning this information is of limited use for projections. The relationship between a warming climate and the frequency of extreme weather events is likely to be complex and peril and location specific. Quantifying physical climate risk requires an understanding of the physical processes driving climate variability, the technical expertise to work with petabytes of available data, and the capacity to run regional climate models for dynamical downscaling—these skills are typically restricted to research organisations and universities.

Useful risk disclosure will come from using the best available information to represent both past and projected climate variability. This means using a combination of observational and model based data. Exposure and vulnerability will need to be determined using weather station observations and reanalysis data. This will need to be organisation-specific and developed within the context of assets, operations, and physical locations. Risk projections can then be developed, and this should be done using scenario analysis across multiple time horizons: short, medium and long term. Short-term projections can be developed using established vulnerability together with seasonal forecasts. Medium- and long-term projections should be based on global climate model (GCM) projections developed within the framework of the Coupled Model Intercomparison Project (CMIP). These are the scenario-based industry-standard climate model projections used for the IPCC reports. The IPCC Fifth Assessment Report (AR5) was based on the CMIP5 suite of simulations. The next generation of simulations (CMIP6) are underway and should become publicly available from 2019-20 onwards. Projections of organisation-specific risk will need to be developed by downscaling GCM projections. The best results are likely to be achieved through a combination of statistical downscaling, dynamical downscaling, and machine learning.

Risk Frontiers utilises these projections within its suite of natural catastrophe (Nat Cat) loss models to investigate how losses may change in the future under different climate scenarios. Risk Frontiers adapts these Nat Cat models, developed for the insurance industry over the past 30 or so years to assist decision makers in estimating and managing catastrophe risk, to assess the impact of projected changes in weather-related hazard activity due to climate change as well as changes in vulnerability and exposure (Walker et al. 2016). In November 2018, The Geneva Association reported on the benefits of the integration of climate science and catastrophe modelling to understand the impacts of climate change stating that “Cat modelling is more relevant than ever”. With Nat Cat models being the ideal tool for this type of analysis, Risk Frontiers is strongly positioned to address the need for climate risk disclosure.

Figure 1 Factors identified in the TCFD report contributing to financial risk and opportunities under climate change (TCFD 2017)

Figure 2 Milestones in the implementation of the TCFD (TCFD 2017).


ASIC (2018) REPORT 593: Climate risk disclosure by Australia’s listed companies.

The Geneva Association (2018) Managing Physical Climate Risk: Leveraging Innovations in Catastrophe Modelling. [Available Online]

Stern, N. (2006) “Stern Review on The Economics of Climate Change (pre-publication edition). Executive Summary”. HM Treasury, London. Archived from the original on 31 January 2010. Retrieved 31 January 2010.

TCFD (2017) Financial Stability Board, Final Report: Recommendations of the Task Force on Climate-related Financial Disclosures.

TCFD (2017) Financial Stability Board, Final Report: Implementing the Recommendations of the Task Force on Climate-related Financial Disclosures. (…/FINAL-TCFD-Annex-062817.pdf)

Walker, G. R., M. S. Mason, R. P. Crompton, and R. T. Musulin, 2016. Application of insurance modelling tools to climate change adaptation decision-making relating to the built environment. Struct Infrastruct E., 12, 450-462.

CPS 234: Will you comply? Information Security standard for APRA regulated organisations

By Denny Wan[1] and Tahiry Rabehaja[2]

[1] Denny Wan is the principal consultant of Security Express and a postgraduate researcher at the Optus Macquarie University Cyber Security Hub. He has deep expertise in cyber risk quantification. His research focuses on applying cyber insurance concepts to supply chain risk management. He is the chair of the Sydney Chapter for the Open Group FAIR cyber risk framework.

[2] Dr. Tahiry Rabehaja is a Software Engineer at Risk Frontiers and a Research Fellow at the Optus Macquarie University Cyber Security Hub with expertise in probabilistic modelling and Information Security.


In November 2018, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234 making the board of regulated entities accountable for ensuring the adequacy and sustainability of their information security program. APRA’s standard was published 9 months after the Notifiable Data Breach scheme[1] came into effect in the first quarter of 2018.  The CPS 234 comes into full force in July 2019 with a 12 month extension for third party supplier contracts until July 2020.

Prudential Practice Guide CPG 234, expected to be updated in the first half of 2019, is the primary guidance for the implementation of this prudential standard. However, APRA has confirmed that it will not provide guidance or method for the classification of the materiality of an information asset. A structured approach to cyber risk quantification similar to the now mature natural catastrophe risk modelling or operational risk management is important to ensure the impartiality of the classification methods.

What is CPS 234

The goals of CPS 234, as stated in the policy release announcement[2], are to:

  • shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach
  • ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face

Regulated entities are required to:

  • clearly define information-security related roles and responsibilities;
  • maintain an information security capability commensurate with the size and extent of threats to their information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

To ensure compliance, clause 13 explicitly makes the board of a regulated entity ultimately accountable:

13. The Board[4] of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.[5]

Information security is a business problem

APRA has made it clear in its response to the submission to the draft CPS 234[3] that it intentionally makes the boards accountable for information security. This clearly means that information security is a business problem and not just an IT challenge. In its response, APRA explained that some submissions sought clarification on the “materiality rules”. Page 7 of the response gives one example of such a request:

various requests for the application of a materiality threshold in relation to certain requirements in CPS 234 as the basis for determining the need to apply requirements or the degree of work required in applying certain requirements in the standard. For example, some submissions argued for a materiality threshold to apply in relation to testing the effectiveness of information security controls, and in determining the need to escalate and report testing results to the Board or senior management where security control deficiencies are identified that cannot be remediated in a timely manner;

The following emphasis is further stated on page 8 under the section “APRA Response”:

This reflects the fact that ensuring the information security of all information assets remains the responsibility of the regulated entity and that the Board is ultimately responsible for the information security of the regulated entity.

A reasonable interpretation of APRA’s response is that the board is responsible for determining the materiality of information risk and adequacy of the controls. This interpretation is echoed by several commentators [4] [5] [6].

How to comply with CPS 234

A key challenge in preparing for compliance with CPS 234 is the lack of prescriptive compliance guidelines. This concern is discussed by other commentators [7] and was also echoed in some submissions. APRA noted on page 8 in its response to the submission regarding the materiality of an information asset:

CPS 234 prescribes neither the classification method nor the level of granularity — these are left to the regulated entity to determine, as appropriate for the entity’s size and complexity

The standard identifies nine compliance areas:

  1. Roles and responsibilities (clause 13 – 14)
  2. Information security capability (clause 15 – 17)
  3. Policy framework (clause 18 – 19)
  4. Information asset identification and classification (clause 20)
  5. Implementation of controls (clause 21 – 22)
  6. Incident management (clause 23 – 26)
  7. Testing control effectiveness (clause 27 – 31)
  8. Internal audit (clause 32 – 34)
  9. APRA notification (clause 35 – 36)

CPG 234 released in May 2013 is the practice guide referenced in CPS 234 covering most of these areas except information security capability (clause 15 – 17). APRA is expected to release a revised CPG 234 in the first half of 2019 to provide guidance on the implementation of CPS 234. However, it is clear from APRA’s response to the submission that the update to CPG 234 will not provide specific guidance on classification method nor the level of granularity in determining the materiality of an information asset. This can potentially create a challenge to comply with clause 15:

15. An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

As a result, in the absence of a national cyber security standard or metric, the board is left responsible for eyeballing the materiality criteria and assessing the sufficiency of its information security program under clauses 13 and 15.

This is where a structured cyber risk quantification approach is important to provide an objective and quantifiable implementation of the compliance program. Currently, Risk Frontiers is partnering with the Optus Macquarie University Cyber Security Hub to develop a model for cyber security risk, parallel to its extensive work in natural catastrophe and rare event modelling. The cyber model aims at forecasting potential losses from tangible cyber-attacks given the profile of the victim. Such a model would provide the required metric to assess the potential severities of Information Security breaches for the underlying company.








Extreme weather tops global risks

Andrew Gissing

This week the World Economic Forum again published its Global Risk Report. The report is based on a survey that accesses insights across the Forum’s vast network of business, government and community leaders.

For the third year running, extreme weather was listed as the top global risk in likelihood of occurrence and within the top 5 in impact. Overall, environmental risks dominated the assessment with failure of climate-change mitigation and adaptation and natural disasters also recorded amongst the top risks. These risks were rated above others that commonly occupy the minds of policy makers and the media such as asset bubbles, terrorist attacks, energy price shocks, financial crises and many more. (See Figure 1)

The report expresses rising concerns regarding climate inaction stating that: “of all risks, it is in relation to the environment that the world is most clearly sleepwalking into catastrophe”. The report further reiterates recent messages from the IPCC about the extent of the global struggle to restrict warming and the dire warning by the recent United States National Climate Assessment that without significant reductions in emissions, average temperatures could rise by five degrees Celsius by 2100.

It is claimed that the disruption to the production and delivery of goods and services due to environmental disasters has risen by 29% since 2012, placing additional strain on the resilience of organisations and their customers.

The growing threat of sea level rise and the rising population of coastal megacities globally was featured. Some 800 million people already live in cities vulnerable to sea level rise up to 0.5 metres. According to the World Bank, 70% of the largest cities in Europe are susceptible to sea level rise. The phenomena pose significant risks to properties and infrastructure, though the economic risk globally is concentrated in low-lying coastal areas with significant asset values. The report cites research that $14.1 Billion was lost from home values in parts of the US east coast due to sea level rise between 2005 and 2017.

Cyber risk was also rated highly with both massive data fraud and theft, and cyber-attacks being among the top five risks in likelihood of occurrence. Interestingly, respondents expected that cyber risks would increase in 2019. The associated vulnerabilities of essential infrastructure were a concern given recent examples of hackers gaining access to the control rooms of some utility companies in the United States.

For solutions, the report supports the need for action to rapidly decarbonize agriculture, energy, transport and industry to limit the rise of global temperatures and to establish plans for adaptation. The challenge of promoting proactive adaptation investment is, however, highlighted by citing statistics showing that spending on flood recovery is nine times greater than investment in flood mitigation.

Interestingly the report offers advice on conceptualising the unimaginable through promoting a technique of imagining failure and then thinking why such a failure may have occurred. Doing so is known as “prospective hindsight” and according to psychologists enables us to anticipate a broader and more vivid set of problems.

Risk Frontiers will continue to support our clients in addressing these top risks in 2019 through the continued licensing and development of our suite of natural hazard catastrophe loss models for Australia and New Zealand. Our partnership with the ARC Centre of Excellence for Climate Extremes will allow us to give our clients unique insights into how climate change may affect their business. Furthermore, we will continue our work on building a cyber loss model through the Optus Macquarie University Cyber Security Hub and in assisting Government clients to build safer and more resilient communities in partnership with organisations including the Bushfire and Natural Hazards Cooperative Research Centre.

For more on the report visit:

Figure 1: Global Risk Landscape 2019 (The Global Risk Report 2019, pp 5)


Analysis of fatalities attributed to Hurricane Florence in the US.

Jonathan van Leeuwen

Hurricane Florence impacted the US East Coast in September 2018 resulting in dangerous surf conditions, strong winds, storm surge and heavy rain producing significant flooding. The system made landfall over North Carolina as a Category 1 hurricane. While 1.7 million people received evacuation orders (The Independent, 2018), estimates of evacuees in shelters were around 30 thousand people (VOA, 2018), and total flood loss for residential and commercial properties in North Carolina, South Carolina and Virginia were estimated to be between $19 billion and $28.5 billion. Around 85 percent of residential loss is estimated to be uninsured (CoreLogic, 2018).
This article aims to identify key circumstances and demographic factors common in those who lost their lives as a result of Hurricane Florence.

We define a hurricane death as one which would not have occurred if the hurricane had not impacted, i.e. any death directly or indirectly caused by that hurricane. This includes deaths from the potential mechanisms of rain (e.g., filling a depression into which an individual may fall and drown) and its associated flooding (riverine, flash), storm surge, strong winds and high seas. It also includes deaths of persons carrying out activities specifically associated with the hurricane – e.g., taking measurements, preparing people, goods or buildings to evacuate or endure the event, and cleaning up after the event (e.g., an accident whilst running a generator that was required because strong winds from the hurricane have taken out the electricity supplies). Care needs to be taken with timing – for example, how long after a hurricane has passed should one attribute flood deaths to that hurricane? This will vary from one event to another and is best defined by the weather authorities as (e.g., for Australia) in the case of a tropical cyclone decaying to a tropical low which can produce rain long after the initial impact of the tropical cyclone.

By searching through articles from numerous media outlets, we have identified 53 hurricane deaths. Where possible, records were verified against multiple news sources. We also classified each record by the state and county in which the death occurred, 10 year age bracket, and by category of cause of death (e.g., deaths occurred while in a vehicle, deaths caused by falling debris). The results are also compared with previous research on fatalities associated with Australian Tropical Cyclones by Coates, et al. (2017).

Results and analysis

The most common circumstances that caused fatalities were related to vehicles (n=26, 49%) and flooding (n=23, 43%). Only one vehicle incident causing multiple deaths was identified. Fourteen (26%) fatalities resulted from vehicles being washed off roads and nine (17%) from vehicles colliding with obstacles due to water on the road causing aquaplaning or heavy rain causing low visibility. Most incidents involved only private vehicles, but two people died when a prison transport van was driven into floodwater and one person died driving a semi-trailer truck which aquaplaned, left the road and struck an undescribed obstacle. Only two flooding related fatalities were not also related to vehicles: a child playing in water which was deeper than normal due to preparatory release from a dam and a man who refused mandatory evacuation and was subsequently trapped in a caravan trailer.

Four people died as a result of a tree falling on their residence or vehicle during the hurricane, while other debris related circumstances included vehicle striking fallen tree, tree falling during clean-up operations and a woman who died after suffering a heart attack as emergency services could not get to her due to debris on roads. Two people died from carbon monoxide poisoning while running a generator indoors due to power outages, while other circumstances relating to death included loss of power for an oxygen concentrator and electrocution while attempting to connect extension cords to a generator in heavy rain. Two people died in a house fire which was caused by candles used after a loss of power. Two people fell from ladders and another person suffered unspecified injuries while cleaning debris from the storm or making repairs. Three people died in circumstances relating to evacuation, one of whom fell while packing for evacuation, one on a moped while evacuating and one who fell and struck his head in a hotel to which he had evacuated.

Victims were most commonly 70 years old and above. No deaths were recorded for people between 10 and 19 years old, but there were a few fatalities under 10 years old. The deaths of those under 10 years old were caused primarily by trees falling on homes, and being in cars that were driven into floodwater by an accompanying adult. Figure 1 shows fatalities in 10-year age categories as a percentage of all fatalities where age was reported.

Figure 1: % of fatalities by 10-year age category

Males represented 74% of the deaths where the gender of the deceased was specified; however, a higher proportion of females died in circumstances relating to vehicles (58%) compared to males at 35%. More males died in circumstances relating to preparing for, activities during, and clean-up after the event such as checking on possessions, setting up generators, swimming in dangerous conditions or clearing debris.

Discussion and conclusion

The consequences of Hurricane Florence provide a clear reminder of the dangers associated with driving vehicles during and after severe weather, and the importance of avoiding driving through floodwater. Severe weather is shown to increase risks associated with evacuating by vehicle.

Figures 2 and 3 compare key demographics between fatalities from Hurricane Florence and a historical analysis of fatalities due to tropical cyclones in Australia from 1970 to 2015 by Coates, et al. (2017). Our analysis of deaths resulting from Hurricane Florence demonstrates a consistent gender distribution with Australian historical data. This supports the conclusion that males are more likely to be in hazardous situations or undertake risky behaviours than females in these types of events. However, the two data sets differ markedly in age demographics, with much younger victims in Australia than Hurricane Florence.

Figure 2: Comparison of Hurricane Florence fatalities by age with historical Australia cyclone fatalities (Coates, 2018)

Figure 3: Comparison of Hurricane Florence fatalities by gender with historical Australia cyclone fatalities (Coates, 2018)


The Independent, 2018. Hurricane Florence: Residents ignore evacuation orders in North Carolina ‘hoping God protects us’ as storm hits. The Independent. [Online] Available at: [Accessed 3 December 2018]

VOA, 2018. What’s Happening: Florence by the Numbers. VOA News. [Online] Available at: [Accessed 3 December 2018]

CoreLogic, 2018. The Aftermath of Hurricane Florence is Estimated to Have Caused Between $20 Billion and $30 Billion in Flood and Wind Losses, CoreLogic Analysis Shows. CoreLogic. [Online] Available at: [Accessed 4th December 2018]

Coates, L., Haynes, K., Radford, D., D’Arcy, R., Smith, C., van den Honert, R., Gissing, A. 2018. An analysis of human fatalities from cyclones, earthquakes and severe storms in Australia. Report for the Bushfire and Natural Hazard Cooperative Research Centre.

Queensland bushfires 2018

Mingzhu Wang, Lucinda Coates and Thomas Mortlock.

In 2018, Queensland had the third-warmest spring and fourth-warmest November on record, in terms of mean temperature (BoM, 2018d). At the end of November, exceptional heat affected eastern Queensland, with some locations reaching their highest annual maximum temperatures ever recorded. Wildfires raged across central Queensland and more than 140 fires were burning throughout the State during the last week of November (BoM, 2018d), due to a combination of the prolonged heatwave and other “unprecedented” conditions. More than a million hectares have been burnt out, with 15 dwellings and more than 60 sheds or other structures being reported as damaged (Caldwell, 2018). Given the human population in the affected area, casualties were light: one man died after being hit by a falling tree while clearing a firebreak at Rolleston in the Central Highlands. All the threatening fires were contained by 5 December, with weather conditions easing due to severe storms sweeping across Queensland. Figure 1 shows all the fire hotspots for Queensland from 26 November to 5 December.

Figure 1. Recorded fire hotspots derived from VIIRS imagery for Queensland from 26 November to 5 December. Data Source: Geoscience Australia (2018)

Record-breaking heatwave and catastrophic fire risk

Extreme heatwave conditions started developing in far north Queensland from 23 November 2018, and then spread across the north-east and central regions of the State (Figure 2). This heatwave was unusual as the temperatures were 5-10 °C above the November average, the humidity was exceptionally low for this time of year and the extreme hot conditions extended over a much longer period than “usual” heatwaves. The above-average temperature and unseasonally dry and hot westerly winds led to severe to locally extreme fire danger over large parts of eastern Queensland. The fire danger conditions peaked on 28 November, reaching a catastrophic level for the Capricornia, Central Highlands and Coalfields regions (Figure 3). Cairns hit 42 °C two days in a row (27 and 28 November), the hottest November days on record for the region.

Figure 2. Three-day heatwave assessment from 27 November to 29 November. Source: BoM (2018b)

Figure 3. Fire danger rating map for Queensland on 28 November. Source: BoM_QLD (2018)

According to Phoenix fire simulation technology (Figure 4), about 8,000 residents needed to be evacuated from Gracemere, west of Rockhampton. The town was subsequently saved, using a combination of water bombing aircraft and fire-fighting crews on the ground. Another significant bushfire originating in the Deepwater National Park on the central Queensland coast burnt out more than 17,000 hectares and forced hundreds of people to evacuate (Figure 5). This Deepwater blaze was extremely dangerous due to erratic wind direction changes, high fuel loads and low humidity, having a 66-kilometre perimeter and flames up to 10 metres in height (Ferrier et al., 2018).

Figure 4. The predicted fire burning pathways through Gracemere. Source: Doman (2018)

Figure 5. False colour Sentinel 2 image showing the burnt areas in black at Deepwater on 26 November. Source: Sentinel Hub (2018)

Comparison with previous bushfire events in Queensland in Risk Frontiers’ natural hazards database (PerilAUS) shows that bushfire events around Brisbane, in 1994, also occurred after a heatwave. However, no event in PerilAUS has ever covered such a vast expanse of Queensland as this recent one. And there have been relatively few properties lost in any previous fires.

Connected systems

As discussed in our Briefing Note 381, a heavy rain event on 28 November affected the Illawarra, Sydney Metropolitan and Central Coast areas in New South Wales. At the same time, Queensland was suffering extreme heatwave and fire danger conditions (Figure 6). Sarah Fitton of BoM indicated these two contrasting events were driven by connected systems (Doyle, 2018). Figure 7 shows that the abnormal westerly flow to the north of the low was responsible for the catastrophic fire danger ratings along the tropical QLD coast and it extended down into the low-pressure system across the New South Wales south coast. The two events were linked and influencing each other. The low over New South Wales was pushing warm air and stronger winds to Queensland through the connected system, intensifying fire danger conditions (Yeo, 2018).

Figure 6. Australian daily maximum & minimum temperature & rainfall extreme area maps on 28 November. Source: BoM (2018a)

Figure 7. The connected low-pressure systems that drove the heavy rain event in New South Wales and Queensland catastrophic fire conditions on 28 November. Source: BoM (2018c)


When considering these recent fire events in Queensland, it is clear that the catastrophic fire risk is substantially influenced by record extreme weather events. Clarke et al. (2012) have shown increased fire weather conditions in Australia since the 1970s. Unprecedented conditions may become a new normal and peril factors correlating together can worsen local situations.

Risk Frontiers is currently building a new bushfire model using the latest remote sensing technologies and machine learning models. This model, along with Risk Frontiers’ loss models for other meteorological disasters, will soon be correlated on the Multi-Peril Workbench to better price cascading hazards.


Bureau of Meteorology [BoM] (2018a), Australian daily maximum temperature extreme area maps, available at, accessed 08/12/18.

Bureau of Meteorology [BoM] (2018b), Heatwave Service for Australia, available at, accessed 27/11/18.

Bureau of Meteorology [BoM] (2018c), Latest colour mean sea-level pressure analysis, available at, accessed 29/11/18.

Bureau of Meteorology [BoM] (2018d), Queensland in November 2018: Exceptional heat along the east coast at the end of the month, available at, accessed 08/12/18.

Bureau of Meteorology, Queensland [BoM_QLD] (2018), Fire Danger Rating, available at, accessed 27/11/18.

Caldwell, F. (2018), Almost $1 million in hardship grants paid to bushfire victims, The Sydney Morning Herald, available at, accessed 08/12/18.

Clarke, H., Lucas, C., & Smith, P. (2012), Changes in Australian fire weather between 1973 and 2010. International Journal of Climatology, 33(4), 931-944

Doman, M. (2018), From space, the ferocity of Queensland’s bushfires is revealed, ABC, available at,-the-ferocity-of-queenslands-bushfires-is-revealed/10594662, accessed 08/12/18.

Doyle, K. (2018), Sydney weather and Queensland bushfire extremes have a common thread, ABC, available at, accessed 08/12/18.

Ferrier, T., Layt, S., & Kohlbacher, S. (2018), The Australian, available at, accessed 08/12/18.

Geoscience Australia (2018), Historic Hotspot data, available at, accessed 08/12/18.

Sentinel Hub (2018), EO Browser, available at, accessed 08/12/18.

Yeo, C. (2018), Sydney storms could be making the Queensland fires worse, The Conversation, available at, accessed 08/12/18.