This is really testing the whole industry

The wildfire season in California may be over, but insurers and their customers are still reeling from the aftermath of devastating losses relating to homes, businesses and vehicles.

On Jan. 31, California’s Department of Insurance released the final number of total claims and losses. While original estimates put the figure at $2 billion, Insurance Commissioner Dave Jones reported that insurers have received almost 45,000 insurance claims totalling close to $12 billion in losses.

In reaction to the announcement, Bill Gatewood, corporate vice-president and director, personal insurance, at Burns and Wilcox said: “It’s a tremendous number. It’s something that’s definitely going to impact the industry.”
The displacement of people from their homes and communities continues to be top of mind for the VP.

“The first thing that came out of it was trying to find accommodations for these people,” said Gatewood. “When one house burns down, you have hotels and rental properties - there are a lot of options,” but with thousands of homes, rental properties and hotels gone, Gatewood said it became more difficult to find housing close to people’s communities where their children could continue going to school.

With losses this extensive, a swift conclusion to the process of assessing damage will not be coming any time soon.
“This is really testing the whole industry,” said the VP. “I think it’s going to take a couple of years to get all of the homes rebuilt, to get people back on their feet, to try to get them back to some form of their former life.”

Fine art insurers likewise saw losses from the fires and ensuing mudslides. Along with the hurricanes and floods that devastated parts of the US in 2017, Huntington T. Block’s President and CEO Joe Dunn said he’s seeing costly claims that are still coming in.

“From ourselves and what I’m hearing, the claims are into tens of millions, and potentially higher,” he said, adding, “I don’t think we’ve realized all the impacts,” pointing to an event like Hurricane Maria in Puerto Rico that also left damage in its wake.

Insiders predict that changes to the industry are coming as a result of natural disasters. In California, Gatewood pointed to one segment of the industry that could be altered by the wildfires.

“The thing that’s unique about this was that not all of the homes that burned down were in heavy brush zones,” he said. “I think that there will be some review of wildfire brush underwriting,” in terms of the properties considered to be at risk.

In the future, Gatewood sees a general rate increase in the market and points at the wildfires, as well as climate events affecting Texas and Florida, for this potential increase.

Globally, the cost to the industry from wildfires and other major catastrophes was huge in 2017. In fact, it was a record-breaking year for insurance losses from natural disasters around the world.

The effects of mass damage are already evident in company earnings. XL Group reported an operating net loss for the full year of US$521.6 million due to natural catastrophe pre-tax losses that came to US$315.2 million in the fourth quarter – almost US$70 million more than the previous quarter.

Santa Rosa Firestorm - 3 Months Later

It’s three months to the day since the October, 2017 firestorm raged through Northern California forcing about 90,000 people to evacuate their homes, killing 44, and hospitalizing about 185. According to Wikipedia, this has become the costliest group of wildfires on record causing at least $9.4 billion dollars in insured damages. In total, an estimated 8,900 structures were destroyed.

About 60 days in, our shout-out list of insurance “issues” from ground zero became an educational case study. Top 10 Santa Rosa Firestorm Issues.

Today, thirty days later, it’s time for an update.


1. Underinsured - Lots for Sale – The issue of inadequate insurance limits to replace or rebuild damaged property is still the number one issue for homeowners here. My guess is that at least 50% of policyholders do not have enough insurance to complete the rebuilding process. Just about now they are realizing that suing someone to help compensate for the missing dollars is an iffy proposition and that closure will take a very long time. One solution is to qualify for and take out a loan to cover the missing funds. Another is to use the insurance proceeds to pay-off the lender, settle any remaining balance for pennies on the dollar and sell the lot. As you can imagine, there are dozens of lots coming on the market every day.

Too many people purchase insurance as if a loss will never happen to them. The truth is that insurance should be purchased as if a loss will absolutely happen.

2. Debris Removal – We outlined the USACE/FEMA process for debris removal in Santa Rosa Homeowners Flip-Flop on Debris Removal. Today, many Santa Rosa home sites have been cleared. But the progress seems to have slowed dramatically, especially in the Fountaingrove area. Wondering why, we contacted the U.S. Army Corps of Engineers. We learned that their priorities are currently the areas around schools, fire stations, hospitals, municipal buildings, river watersheds and the removal of thousands of automobiles holding up rebuild on cleared lots. Makes sense but not good news for everyone.

It will likely be another month or more before our homesite is cleared. Fortunately, private debris removal protocols are now in place allowing qualified independent general contractors to jump in. FEMA allows cancellation with 48-hours notice.

3. Contents Coverage – On December 21, 2017, the CA Department of Insurance issued a notice to all Property/Casualty Insurance Companies regarding Personal Property Coverage for Wildfire Claims. Insurance Commissioner Dave Jones, called on all carriers to provide up to 100% of the Contents coverage limits without requiring the insureds to undertake the onerous task of completing a detailed inventory. The DOI received numerous complaints from insureds about the monumental task of attempting to identify every item of personal property they may have amassed, over years or decades, in order to collect replacement cost. Some insurers have complied…most are simply continuing to adjust claims on a case by case basis.

Initially we were told we would receive 75% of our contents limit without an inventory but this was revised a few days later to 50%. My thought is that the real number will emerge when we get to the point of restocking the rebuilt home. Very few people have the time or energy to compile a detailed contents list from memory.

4. Delays – Delay is the name of the game. Ample insurance limits and broad coverage provisions open the door to recovery. But there are obstacles on the path. Has your site been cleared? Were there environmental issues? Are architectural plans ready for the rebuild? Are the building permits in place? Is your lender onboard to help expedite the process?

While our architectural plans and permits have been filed with the city, we are weeks behind on the clean-up. To add insult to injury, the delivery of the furniture we’ve been waiting for, to furnish our temporary home, was just delayed another 3 weeks.

5. Cat Issues – Ok, I’m throwing this one in simply because it is fire-related and a little bizarre. Featured in The Press Democrat is the story of a cat that was picked up about a block from our home a couple of days after the fire by a family who refuses to let us see him to verify he is our cat Mack, let alone give him back. Long story (check out The Press Democrat article) but we are now awaiting DNA results of the cat they have and that of Mack’s sister Darcy who was returned to us after the fire. The shelter told us this is the first time they have ever had to do a DNA test.

Lynne L. Wallace, CPCU

A Broke, and Broken, Flood Insurance Program

In August, when Hurricane Harvey was bearing down on Texas, David Clutter was in court, trying one more time to make his insurer pay his flood claim — from Hurricane Sandy, five years before.

Mr. Clutter’s insurer is the federal government. As it resists his claims, he has been forced to take out a third mortgage on his house in Long Beach, N.Y., to pay for repairs to make it habitable for his wife and three children. He owes more than the house is worth, and his flood-insurance premiums just went up.

The government-run National Flood Insurance Program is, for now, virtually the only source of flood insurance for more than five million households in the United States. This hurricane season, as tens of thousands of Americans seek compensation for storm-inflicted water damage, they face a problem: The flood insurance program is broke and broken.

The program, administered by the Federal Emergency Management Agency, has been in the red since Hurricane Katrina flooded New Orleans in 2005. It still has more than a thousand disputed claims left over from Sandy. And in October, it exhausted its $30 billion borrowing capacity and had to get a bailout just to keep paying current claims.

Congress must decide by Dec. 8 whether to keep the program going. An unusual coalition of insurers, environmentalists and fiscal conservatives has joined the Trump administration in calling for fundamental changes in the program, including direct competition from private insurers. The fiscal conservatives note that the program was supposed to take the burden off taxpayers but has not, and environmentalists argue that it has become an enabler of construction on flood-prone coastlines, by charging premiums too low to reflect the true cost of building there.

The program has other troubles as well. It cannot force vulnerable households to buy insurance, even though they are required by law to have it. Its flood maps can’t keep up with new construction that can change an area’s flood risk. It has spent billions of dollars repairing houses that just flood again. Its records, for instance, show that a house in Spring, Tex., has been repaired 19 times, for a total of $912,732 — even though it is worth only $42,024.

And after really big floods, the program must rely on armies of subcontractors to determine payments, baffling and infuriating policyholders, like Mr. Clutter, who cannot figure out who is opposing their claims, or why.

“The administration feels very strongly that there needs to be reform this year,” he said. “I believe strongly that we need to expand flood coverage in the United States, and the private insurers are part of that.”

The federal program was created to fill a void left after the Great Mississippi Flood of 1927, when multiple levees failed, swamping an area bigger than West Virginia and leaving hundreds of thousands homeless. Insurers, terrified of the never-ending claims they might have to pay, started to exclude flooding from homeowners’ insurance policies. For decades, your only hope if your home was damaged in a flood was disaster relief from the government.

Policymakers thought an insurance program would be better than ad hoc bailouts. If crafted properly, it would make developers and homeowners pay for the risks they took.

When Congress established the National Flood Insurance Program in 1968, it hoped to revive the private flood-insurance market. Initially about 130 insurers gave it a shot, pooling their capital with the government. But there were clashes, and eventually the government drove out the insurers and took over most operations.

Since 1983, Washington has set the insurance rates, mapped the floodplains, written the rules and borne all of the risk. The role of private insurers has been confined to marketing policies and processing claims, as government contractors.

“Put plainly, the N.F.I.P. is not designed to handle catastrophic losses like those caused by Harvey, Irma and Maria,” Mick Mulvaney, the director of the White House Office of Management and Budget, said in a letter to members of Congress after the three huge hurricanes barreled into the United States this season.

The program, however, needs more than a financial lifeline: Without major, long-term changes, it will just burn through the $16 billion in savings and be back for more.

The White House is hoping to lure companies back into the market, letting them try to turn a profit on underwriting flood policies instead of simply processing claims for the government.

One measure proposed by the Trump administration is for the government to stop writing coverage on newly built houses on floodplains, starting in 2021. New construction there is supposed to be flood-resistant, and if the government retreats, private insurers may step in. Or so the theory goes.

“The private market is anxious, willing and completely able to take everything except the severe repetitive-loss properties,” said Craig Poulton, chief executive of Poulton Associates, which underwrites American risks for Lloyd’s of London, the big international insurance marketplace.

“Severe repetitive-loss properties” is FEMA’s term for houses that are flooded again and again. There are tens of thousands of them. While they account for fewer than 1 percent of the government’s policies, they make up more than 10 percent of the insurance claims, according to the Natural Resources Defense Council, which sued FEMA to get the data.

The Trump administration has also proposed creating a new category of properties that are at extreme risk of repeat flooding and that could have their insurance cut off the next time they flooded.

That might sound harsh. Environmental groups, though, argue it’s worse to repeatedly repair doomed houses on flood-prone sites as oceans warm and sea levels rise. The Natural Resources Defense Council argues that the flood-insurance program should buy such properties so the owners can move somewhere safer.

“I have mounds and mounds of paper, and I’m still waiting,” said Olga McKissic of Louisville, Ky., who applied for a buyout in 2015 after her house flooded for the fifth time. “I want them to tear it down.”

Ms. McKissic even had her house classified as a severe repetitive-loss property, thinking FEMA would give it higher priority. But FEMA has not responded to her application. Instead, it doubled her premiums.

That’s what happens when there’s a monopoly, said Mr. Poulton, the Lloyd’s underwriter.

Over the years, he said, he has noticed that his customers are buying Lloyd’s earthquake insurance because it includes flood coverage. They do not like the government’s flood insurance because payouts are capped at $250,000 and have other limits.

Such as basements.

Matt Herr of Superior Flood in Brighton, Colo., another underwriter for Lloyd’s, recalled a client whose handicapped son lived in a “sunken living room,” eight inches lower than the rest of the house. When the neighborhood flooded, $22,000 of medical equipment was ruined. The government refused to pay, calling the living room a basement. Its policies exclude basements.

While the government program insures more than five million homeowners, that is just a small fraction of the number of people who live on floodplains.

Mr. Poulton researched the flood insurance program and eventually found a public report that explained how its pricing worked. The program, he learned, was not using the detailed, house-by-house information on flood risk that is available through satellite imagery and other sources.

That’s because Congress gave the program a legal mandate to work with communities, not individual households. So the program was surveying floodplains, then calculating an “average annual loss” for all the houses there. Its insurance rates were based on those averages.

“It undercharges 50 percent of its risks, and it overcharges 50 percent of its risks, on an equal weighting,” Mr. Poulton said.

But the government does not readily divulge all of its historical claims data, so insurers cannot comb through them and analyze the risks.

“What we know is snippets,” said Martin Hartley, chief operating officer of Pure Insurance in White Plains, which offers supplementary flood insurance to homeowners who want more than the government’s $250,000 coverage.

Also, the government relies on mortgage lenders to enforce the rule requiring at-risk homeowners to buy flood insurance. Mr. Poulton said he found that FEMA officials had told lenders that, in effect, they shouldn’t trust private insurance.

Michael Sloane, Wright Flood’s executive vice president, said in an email that while the company could not comment on Mr. Clutter’s case, “we are always committed to working with our customers to keep the lines of communication open as we continue working toward resolution.”

Mr. Wright, the program director, acknowledged the problems after Sandy but said corrective measures had been taken “so that it doesn’t happen again.”

Much of Long Beach has been rebuilt since Sandy. Small houses like Mr. Clutter’s are being torn down and replaced with bigger ones that sprawl across two lots. Mr. Clutter worries that if insurers, not the government, set the prices, premiums will soar.

“Then, what happens to me?” he asked. “I’m essentially being driven out of my home that I have three mortgages on.”

This is an article from The New York Times.

Live in California? Get lots of insurance says leading expert

An expert says that Californians should be more careful about purchasing insurance for their homes, as there is no guarantee that their policies can completely pay for claims such as severe wildfire damage.

In an opinion piece in the Los Angeles Times, California Western School of Law professor Kenneth S. Klein discussed the reasons why so many Californians lacked adequate insurance following the latest strings of wildfire incidents across the state.

“Insurance industry data reveals that for a score of reasons — inflation of the cost of work and supplies after a mass disaster, the rising cost of home construction, the difference between the cost of construction and the cost of buying an existing home — at least 80% of the homes in the United States have less than 80% of the coverage required to completely rebuild after a fire,” Klein wrote.

“Almost everyone assumes they have enough insurance, but evidently they don’t.”

Klein pointed out that the Californian insurance inadequacy could be traced back to a clause hidden in most policies that says that the homeowner is the expert on the value of his or her home. Under this clause, if the amount of insurance purchased for a home is not enough, it falls on the homeowner to pick up the difference.

Unfortunately for Californian homeowners, that clause is often enforced by state courts.

“You may say, ‘My insurance provides 125% coverage of my home value, so I am comfortable that I have enough insurance.’ Don’t take comfort in that policy,” Klein explained.

“The percentage is pegged to the value of the home at the time of purchase, meaning it can sound like a lot more than it is in reality. Real estate values rise — sometimes quickly — and building costs rise after large-scale disasters due to simple supply-and-demand economics.”

Klein believes that the state should change its fire insurance regulation laws to allow for full home replacements, but noted that such an overhaul would take years to go through red tape.

Until state insurance rules can be fixed, Klein suggested that homeowners should purchase insurance for their properties with enough coverage to pay for a full reconstruction.

“Before you purchase or renew a home insurance policy, send an email to the insurance broker/agent that says: ‘I want enough insurance that if my home burns down in a wildfire, I have enough coverage to rebuild my home. Please tell me what amount of coverage I should have, and quote me the rate for that amount of coverage. Please respond by email rather than by telephone or in person. Thank you.’”

“When the broker/agent responds to that email, purchase the amount quoted immediately,” he added. “Keep a record of the correspondence somewhere other than in your house — even documents in a fire safe are not “safe” in a fire. Repeat this exercise every single time that you renew your homeowner’s insurance.”

Article by: Insurance Business America.

Aftermath of the Fires in our Communities

Team Insurance & Financial Services, Inc. has 4 owners with a combined 100 years of insurance experience, a sales staff with a combined 19 years’ experience, and a service staff with a combined 25 years of experience. We have a total of 144 years to assist you in your claims and insurance needs.

We have compiled a list of things to remember while we go through this rebuild process together.

  • Please remember when you are dealing with insurance companies in the claims process they are required to follow state law.

  • If you do not understand what the claims representative is telling you, reach out to our staff, and we can guide you in the claims process.

  • We are reminding all our clients to continue to pay your homeowners insurance premiums and be sure your current home policy remains in force during the rebuild process.

  • If you acquire temporary housing during your rebuild, your current insurance will extend to a rented home or an apartment with liability and personal property coverage. Also, your new home will be covered during the course of construction process. Your liability will remain in place during this process as well. You will not need to obtain any other policy during your rebuilding process.

  • If you are going to do “owner/builder” please make sure you discuss your options with your insurance company. All insurance companies offer workers compensation coverage on a homeowners policy but this is limited coverage and refers to your policy wording as in-servants and out-servants only. We are recommending that our customers obtain a workers compensation policy from State Fund during the rebuild process. We, at Team Insurance, can help you in acquiring such coverage. Again, have the discussion with insurance company first.

  • With all of the home losses, there will be many out of the area contractors offering their services. We are recommending that you do not give any money or sign any contracts until you do your homework. Get a copy of the driver’s license, social security number and contractor’s license number. With this information you can run a background check to verify who they are. Also request a copy of their insurance policies to verify coverage. Workers compensation, general liability and business auto policies should all be covered and a certificate of insurance should be obtained before your rebuild begins. Call the insurance agency to make sure their policies are in good standing and if they would offer a recommendation on their behalf.

  • Most importantly, stay in touch with your agency! They can help you in this process. If you are not one of our clients, we can help you understand your policy at no cost to you.

White House wants $5 billion to ease fiscal crisis

The White House on Tuesday asked Congress for $5 billion to ease a fiscal crisis striking the government of Puerto Rico in the wake of Hurricane Maria.

Puerto Rico’s central government and various municipalities and other local governments are suffering unsustainable cash shortfalls as Maria has choked off revenues and strained resources. The administration’s request, so far delivered informally, would provide $4.9 billion for Puerto Rico and its local jurisdictions.

The White House also requested $150 million to help Puerto Rico with the 10% match required for Federal Emergency Management Agency disaster relief.

A senior administration official confirmed the request, requiring anonymity because it is not yet official. The official stressed that jurisdictions other than Puerto Rico are eligible, but acknowledged the cash-strapped territory is sure to receive the bulk of the money.

On Saturday, Puerto Rico Gov. Ricardo Rossello sent a letter to lawmakers asking for $500 million for the community disaster loan program, which is designed to help local governments deal with tax revenue shortfalls caused by disasters. He requested almost $4 billion in other aid.

“In addition to the immediate humanitarian crisis, Puerto Rico is on the brink of a massive liquidity crisis that will intensify in the immediate future,” Rossello wrote.

Hours after the request, the House Appropriations Committee unveiled a $36.5 billion emergency spending bill that merged Tuesday’s request with a proposal that the White House sent to Capitol Hill last week to replenish disaster funds and ease a cash crunch in the federal flood insurance program. A Thursday vote is expected.

“These funds are urgently needed to get resources to families and communities that are still suffering. This legislation will continue immediate relief efforts, and help jump-start the rebuilding process,” said Appropriations Committee Chairman Rodney Frelinghuysen, R-N.J.

Puerto Rico was already suffering from a lengthy recession and its government was beset with fiscal struggles to begin with. A financial control board is overseeing its debt problems and austerity plans.

The administration asked for $29 billion last week for FEMA disaster relief efforts and to pay federal flood insurance claims. House Majority Leader Kevin McCarthy said a vote is likely this week. The White House also requested $577 million to replenish federal firefighting accounts depleted by this year’s bad spate of western wildfires.

The leadership-backed House aid bill ignores requests made last week by the Texas and Florida delegations for tens of billions of dollars in additional assistance. Texas requested $19 billion in Harvey relief, while Florida asked for $27 billion for Hurricane Irma damage. House Democratic leader Nancy Pelosi, D-Calif., issued a statement Tuesday that said funding is also needed to help California recover from ongoing wildfires.

But GOP leaders want to avoid costly add-ons that could slow the package, though the Senate could add funding to the measure as it did when advancing a $15 billion aid package last month.
Congress last month approved a $15 billion first instalment for disaster relief. Final estimates for the massive relief and rebuilding effort won’t be ready for a while, but a huge year-end relief and reconstruction measure is expected.

Associated Press

Could the Equifax hack have been state-sponsored?

In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.

Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.

The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the US Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions. One person briefed on the probe being conducted by the Federal Bureau of Investigation and US intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified. Mandiant, the security consulting firm hired by Equifax to investigate the breach, said in a report distributed to Equifax clients on Sept. 19 that it didn’t have enough data to identify either the attackers or their country of origin.

Wherever the digital trail ultimately leads, one thing is clear: The scant details about the breach so far released by Equifax—besides angering millions of Americans—omit some of the most important elements of the intrusion and what the company has since learned about the hackers’ tactics and motives. Bloomberg has reconstructed the chain of events through interviews with more than a dozen people familiar with twin probes being conducted by Equifax and US law enforcement.

In one of the most telling revelations, Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company’s network. That rift, which appears to have squelched a broader look at weaknesses in the company’s security posture, looks to have given the intruders room to operate freely within the company’s network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax’s software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company’s grasp through the summer. In an e-mailed statement, an Equifax spokesperson said: “We have had a professional, highly valuable relationship with Mandiant. We have no comment on the Mandiant investigation at this time.”

The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One US government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”

The nature of the attack makes it harder to pin on particular perpetrators than either the Anthem or OPM hacks, said four people briefed on the probe. The attackers avoided using tools that investigators can use to fingerprint known groups. One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.

The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers—either criminals or spies—hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe. The crisis has already claimed the scalp of Richard Smith, the chief executive officer. Meanwhile, the federal government has launched several probes, and the company has been hit with a flurry of lawsuits. “I think Equifax is going to pay or settle for an amount that has a ‘b’ in it,” says Erik Gordon, a University of Michigan business professor.

When Smith became Equifax CEO in 2005, the former General Electric Co. executive was underwhelmed by what he found. In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a “culture of tenure” and “average talent.” However, Smith also saw enormous potential because Equifax inhabited a uniquely lucrative niche in the modern global economy.

In the speech, Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.

And one that he fully exploited. Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good—the company’s stock price quadrupled under Smith’s watch, before the breach was announced—and its leaders lived well. Equifax executives were prone to bragging about their mansions and expensive gadgets. They took lavish trips to Miami, where they stayed in luxury hotels costing as much as $1,000 a night. Last year, Smith’s compensation was almost $15 million.

But the man who transformed Equifax was plagued each and every day by the fear that hackers would penetrate the company’s firewall and make off with the personal data of millions of people. By the time he gave the speech on Aug. 17, Smith knew of the hack but the public didn’t. He told the audience the risk of a breach was “my No. 1 worry” and lingered on the threats posed by spies and state-sponsored hackers. Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security. The new team rehearsed breach scenarios, which involved 24-hour crisis-management squads taking turns to address each given issue until it was resolved. Protocol included alerting the chief of security, who determined the severity of the breach, and then telling the executive leadership if a threat was considered serious.

Apparently, gaps remained. After the breach became public in September, Steve VanWieren, a vice president of data quality who left Equifax in January 2012 after almost 15 years, wrote in a post on LinkedIn that “it bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumer’s personally identifiable information.”

Spinelli left in 2013, followed less than a year later by his top deputy, Nick Nedostup. Many rank and file followed them out the door, and key positions were filled by people who were not well-known in the clubby cybersecurity industry. The company hired Susan Mauldin, a former security chief at First Data Corp., to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes.

Two people who worked with Mauldin at Equifax say she seemed to be putting the right programs in place, or trying to. “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.” Mauldin couldn’t be reached for comment.

The company continued to invest heavily in state-of-the-art technology, and had a dedicated team to quickly patch vulnerabilities like the one identified by Zheng. Overseeing technology for Equifax was David Webb, a Kellogg MBA and Russian-language major hired in 2010 from Silicon Valley Bank, where he had been chief operations officer. But one former security leader said he finally joined the talent exodus because it felt like he was working with the “B team.”

Lapses in security began to catch up to the company in myriad ways beginning early this year. Since at least Feb. 1, Equifax had been aware that identity thieves were abusing a service that manages payroll data for companies, according to notices sent to victims.
Criminals were feeding stolen Social Security numbers and other personal information into login pages for Equifax Workforce Solutions, downloading W-2 and other tax forms for dozens of employees of clients including Northrop Grumman Corp., Whole Foods Market Inc. and Allegis Global Solutions Inc., a human resources company. They accessed the data freely for over a year to file fraudulent tax returns and steal the refunds before Equifax learned of the incidents. (, a cybersecurity blog, first reported the thefts in May.)

Equifax hired Mandiant in March to investigate any security weaknesses related to the scams, and in notifications mailed to victims throughout the summer, Equifax eventually said its systems weren’t breached to acquire the personal data used in the fraud.
However, there are signs that Smith and others were aware something far more serious was going on. The investigation in March was described internally as “a top-secret project” and one that Smith was overseeing personally, according to one person with direct knowledge of the matter.
The relationship with Mandiant broke down sometime over the next several weeks—a period that would later turn out to be critical in how the breach unfolded. Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company. A Mandiant spokesman declined to comment on the March investigation.

Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used. The company’s suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network’s internal communications and data traffic. Using Moloch, investigators reconstructed every step.

Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn’t matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company’s network. The Moloch data suggests the initial group of hackers struggled to jump through internal roadblocks like firewalls and security policies, but that changed once the advanced team took over. Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company’s own storage systems.

Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It’s not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.

Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered. Groups known to exploit web shells most effectively include teams with links to Chinese intelligence, including one nicknamed Shell Crew. Some investigators within Equifax reached the conclusion that they were facing Chinese state hackers relatively quickly after analyzing the Moloch data, according to a person briefed on those discussions. If the Equifax breach was a purely criminal act, one would expect at least some of the stolen data, especially the credit card numbers that were taken, to have shown up for sale on the black market. That hasn’t happened.

What’s more, banks are typically asked to shut down all stolen cards if investigators are near certain who is behind a hack. In this case, they still aren’t sure. That’s why on Sept. 11, the FBI asked several major banks to monitor the credit card accounts of small batches of consumers—in one case just 20 people—for suspicious activity. Investigators were still looking for anything that could give them insight into the hackers’ identity and motives, according to security experts.

“This wasn’t a credit card play,” said one person familiar with the investigation. “This was a ‘get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until US intelligence agencies and law enforcement complete their work.

That could take weeks or months, but Equifax is already a changed company. Smith has handed the reins to Paulino do Rego Barros, who will be interim CEO until the board finds a permanent replacement. Smith’s departure was preceded by the early retirement of the company’s two top security officials, chief information officer Webb and chief security officer Mauldin. Federal investigators are probing suspicious stock sales by other executives that happened not long after Equifax discovered the breach. And lawmakers are making ominous noises about boosting oversight of the credit reporting industry, which is largely unregulated.

“What member of Congress can vote against tighter regulation when every congressional district has nearly half its voters affected by this?” says Gordon, the Michigan business professor. “The lobbying wins when there is no organized group fighting back, but you don’t need an organized group when you have 143 million angry people

With Dune Lawrence and Jennifer Surane

Allstate releases its Harvey loss estimate (and it’s big)

Allstate is expecting insurance losses of about $593 million in August in the wake of Hurricane Harvey.

That’s more than three times the $181 million in losses recorded in July – and Allstate’s August insurance losses may not yet be fully accounted for.

Allstate said that because of the widespread nature of the damage inflicted by Harvey, which slammed into Texas on August 25, its estimated losses for the month may still grow. The devastation from the storm has also prevented some people from reaching their homes or cars, meaning there may be other losses yet to be accounted for, according to local news station NBC 5.

The Insurance Council of Texas has estimated overall insured losses from Harvey to be nearly $19 billion. That includes an estimated $11 billion in payments to homeowners with flood insurance, NBC 5 reported.

Harvey impacted an area stretching from Houston to Louisiana, killing more than 70 people and damaging or destroying more than 250,000 homes. Days later, Hurricane Irma devastated the Caribbean and Florida. Last week, German reinsurer Munich Re became the first to warn that it might not hit previous financial goals thanks to the impact of the hurricanes, NBC 5 reported.

Hurricane Irma claims in Florida worth $3.1 billion so far

Based on reports by property and casualty insurers to Florida’s Office of Insurance Regulation, the total number of insurance claims filed following Hurricane Irma to date is 496,532 – worth an estimated $3.1 billion.

The state’s insurance regulator revealed the numbers yesterday, which included claims to private companies that underwrite flood coverage. However, the numbers do not include the roughly 17,000 claims (as of Thursday) filed in the state to the National Flood Insurance Program (NFIP). Of the tallied claims, 428,269 were for residential properties and 18,239 for commercial properties.

Florida Association of Insurance Agents president and CEO Jeff Grady believes the inflow of Irma-related claims has peaked and he would be surprised if damage totals hit the much higher levels projected by catastrophe modeling firms such as AIR Worldwide and CoreLogic.

“It seems the initial damage estimates might have been high based on the lack of structural damage in many parts of the state,” Grady told Sun Sentinel.

Grady explained that most of the total claims tallied by the state will likely not result in payouts because they will not exceed their hurricane deductibles, which are usually equal to 2%-5% of their insured value.

Sun Sentinel reported that only 46,060 claims have been closed so far – 17,784 of those claims were closed with no payments.

The largest number of claims was filed in Miami-Dade County – 55,012, followed by Orange County with 44,696 claims, and Broward with 38,836 claims.

The most heavily impacted community when comparing claims as a percentage of population is Monroe County, with 15.3 claims for every 100 residents. It was followed by rural Highlands County with 10.2 claims per 100 residents and Seminole County with 8.5 claims per 100 residents.

Florida International University’s College of Business released a report yesterday that projected total wind loss in Florida reaching $19.4 billion. Insurers, however, will only have to pay out $6.3 billion of the total, since most of the damage will not exceed hurricane deductibles.

California insurance regulator orders companies to stop discriminatory pricing

In response to an investigative report, the California Department of Insurance has ordered Nationwide and USAA to not charge motorists in minority neighborhoods more than policyholders with similar risk profiles who live in predominantly white neighborhoods.

Released in April 2017, a report by ProPublica examined publicly-available auto insurance pricing data in four states – Illinois, Missouri, Texas and California. ProPublica found that many insurance companies were penalizing motorists in minority neighborhoods with higher auto insurance costs.

While California fared better than the other states featured in the report, ProPublica found that Safeco, Liberty Mutual, Nationwide and USAA charged at least 10% more in minority zip codes than in predominantly white zip codes with the same risk. Liberty Mutual was deemed the worst offender among the major insurers, with a 32% difference in certain zip codes.

Proposition 103 exists in California law to prevent auto insurers from discriminating against minority motorists.

“California drivers are once again benefitting from Proposition 103: to our knowledge, no other state besides California investigated the overcharges exposed in ProPublica’s study,” said initiative author Harvey Rosenfield. “Insurance Commissioner Dave Jones correctly recognized the need to follow up on the ProPublica report…”

The state Department of Insurance has not published the results of its own investigation into the matter. The agency has also chosen not to seek refunds for consumers who may have been overcharged in the past, and it has not revealed what measures it will take to prevent other insurers from committing the same mistake.

Consumer Watchdog has sworn to press for further action from the insurance regulator.

“The Department must provide the public with a full explanation of how it conducted its investigation, and exactly what it found, particularly the data that would show how much people already have been overcharged,” the consumer advocate said in a statement.

“The Department must also ensure that every insurance company doing business in California obey the law that the voters put into place to prevent these kinds of overcharges.”