Managing Malicious Attacks15th October 2021
A recent knife attack in a New Zealand supermarket that injured six people. A shooting in Plymouth in the UK that took the lives of five people. A staggering 14 mass shootings in the USA over the 4th of July holiday weekend alone. These events are a stark and tragic reminder of the ongoing risk of malicious attack – a violent incident where an individual or small number of individuals set out to inflict violence on others.
“Sadly these can be attacks involving a lone gunman, or anyone with any sort of handheld weapon, or the use of a vehicle,” says James Short – Senior Underwriter for War, Terrorism and Political Violence at Hiscox London Market. “Sometimes these incidents are related to a workplace grudge, for example, but equally they can be politically or religiously motivated, or sometimes it is simply an individual looking to secure some form of notoriety.”
Whatever the motivation, one other factor that appears to influence the frequency of such attacks may be related to economic conditions and prevalence of financial hardship.
In 2008, there were nine active shootings in the US says Andre Simons – a Principal in Control Risks’ Crisis and Security Consulting practice, and a former FBI Unit Chief – but as the effects of the global financial crisis of 2008/9 hit home, 2009 saw 19 incidents and a further 27 in 2010. “The rise in the number of attacks in the US may have been influenced by the financial downturn and the recession of 2008,” says Simons, adding that the same effect may be once again appearing following the pandemic-induced financial downturn, with 40 active shootings recorded by the FBI in 2020 compared to 30 in 2019 and a similar number in 2018. For businesses it’s an upward trend in the risk of malicious attack impacting their people and operations, emphasising the need to take action to manage and mitigate the risk.
Active shooter risk
In the US, says Simons, “an active shooter is the most common form of active assailant attack that we see. Usually it’s a deliberate attack, methodically planned and targeted in execution.” And, while attacks are often targeted at public spaces to gain maximum publicity, others are aimed at businesses not open to public access. “If you look at FBI data for the last 20 years related to businesses that are closed to pedestrian traffic in the US, the top five targets for malicious attacks are manufacturing, distribution, warehouses, transportation facilities and office buildings. Many of these facilities likely feature porous boundaries or multiple points of entry and exit,” says Simons.
In these instances, adds Simons, attacks are more likely to be perpetrated by individuals who have a relationship with the company or the employer attacked, with employee terminations or sensitive separations being examples of flashpoints for workplace violence. When considering businesses open to pedestrian traffic, motive is less clear. “Approximately two thirds of the time there is no direct relationship between the offender and the target,” says Simons. “They might simply be drawn to it because people are densely clustered together and vulnerable.” But, he adds, for every assailant – whatever the venue – it is often a complex cocktail of motivations that drive the attack.
Prevention and mitigation
Given the threat, what should businesses be doing both to reduce the chances of an incident happening and to reduce the impact on people and operations if an attack does take place? According to Simons, the three cornerstones of a strategy are for organisations to have a policy, programme and a plan. “A workplace violence prevention policy has to be sanctioned by the organisation’s executive staff and adopted enterprise wide to make sure it is embraced as a cultural aspect that workplace violence won’t be tolerated,” says Simons. Then there’s the adoption of a robust programme which, says Simons, is not just a response programme. “It’s a prevention programme that has a multi-disciplinary threat assessment team, often housed within the organisation and supplemented by external experts which is able to handle reports of concerning or problematic behaviours in a thorough yet compassionate way.”
The final cornerstone of the strategy is the crisis management plan detailing how the organisation is going to respond if there is an incident; a key component in managing the chaos that inevitably follows a malicious attack. “Throughout my career in the FBI, I’ve responded to many active shootings. In the immediate aftermath, no matter the venue, it’s very common for organisations to experience confusion and chaos in striving to manage an unimaginable crisis . So, the more planning and preparation an organisation has, then the better suited it is to managing the initial chaos and mitigating its impact,” says Simons.
It's that emphasis on preparedness that plays an important part of Hiscox’s Malicious Attack insurance product, designed to both help prevent and respond to these types of incidents says Short. “Control Risks has developed an extensive desktop training programme – as well as tailored advice where necessary – which is exclusively available to Hiscox clients to help reduce the likelihood of a successful attack through the adoption of best practice when it comes to de-escalation and threat assessment. In the event of an incident, clients also benefit from a 24/7 crisis management response helpline and the insurance element which provides financial cover for physical damage, business interruption, loss of attraction and liability. It also includes extras that might be needed after an incident such as counselling, relocation, and retraining.”
It’s a product, given the uncertain risk environment, that is likely to see more take-up amongst businesses of all sizes. “Traditionally it might have largely been only big companies interested in buying cover,” says Short, “but we’re increasingly seeing interest from SME businesses such as smaller manufacturing risks, office chains and retail stores who recognise the possibility of an attack disrupting their business.” And, as the risk evolves, the product will continue to help businesses adapt to the threat. “The attack threat is becoming more dynamic over time, and so too will our product to support businesses with that,” says Simons.