ISSI INSIGHTS
Learn about the latest developments in risk & insurance, how to decipher your policies, and what to look for in your risk management program.
Cyber Threats from Social Engineering
Today, one of our staff received an email from my email address stating that I needed her to send a wire transfer, and was she available to do so. We have spent hours discussing cyber threats to our company and our clients, and our staff is trained to be aware of suspicious emails, but in this case, the email address sending it was not just similar to my email address, but it was my actual email address! Ultimately, our staff member was able to determine that the email was fraudulent and no harm was done, thanks in part to our policies and procedures.
This type of social engineering is on the rise and is a great concern to every company. There are several popular types of attacks, including:
Baiting- An attacker may provide a device, like a flash drive, which is infected with some type of malware. The recipient of the flash drive loads it on their computer, installing the malware and affecting their workstation or server. Often, the USB flash drive is just left lying around and the person unwittingly loads it to determine what it is.
Phishing- Often a fraudulent email is sent, disguised as a legitimate email, but is intended to trick the recipient into taking some action, divulging personal information, or somehow deviating from their normal technology protocol.
Scareware- Often an attacker will attempt to trick the recipient into thinking their computer is infected with malware or illegal content that has been downloaded inadvertently. A solution is then offered which allegedly fixes the problem; the alleged fix is really malware.
Spoofing- This is probably one of the hardest ones to defend against, in that the email address appears to be exactly the same as an email address you are familiar with, or exactly the same as an internal email address. It is generated from an external source, often from an origin that cannot be traced.
There are many types of attacks, and dealing with them should include a sound cyber security policy addressing the policies and procedures your company has implemented to keep your systems safe. There are insurance products that can provide coverage for the ensuing damages from an attack.
A big issue we have seen on the rise is a type of phishing where the sender asks the recipient to wire transfer a sum of money to a specific location. Since the email is bogus, if the money is wired, it is tough, if not impossible, to recover. This presents a unique problem for the client in that many crime policies will not respond, as it is considered voluntary parting with the money and not a theft or employee dishonesty loss. Many insurance companies are able to endorse their policy to include social engineering losses.
At Insurance Solutions & Services, Inc., we assist our clients by reviewing their security procedures and protocols to determine the appropriate risk management and insurance program to respond. Feel free to contact us for a review of your cyber security program.
How Low Can Your Bid Go? Check Your Workers Compensation Premium.
If you are a contractor who bids for local or state jobs, you may have experienced losing a bid every now and then. While I am sure you simply moved on to the next bidding process, did you stop to wonder how the winning bidder was able to bid so low and still maintain profitability? Obviously, the contractor that keeps his expenses the lowest will see the highest profits. What is not so obvious is how to keep one particular expense, which likely adds the most to your bottom line, the lowest it can be. The culprit expense is your Workers’ Compensation premium. If you haven’t reviewed your classification codes, your claims history or haven’t implemented back-to-work or safety programs, read on. We'll cover how to lower your Workers’ Compensation premium which will ultimately make your company more competitive when bidding for municipal or state contracts.
The first step to ensuring that your Workers’ Compensation is priced correctly is to review your classification codes. Are your office personnel classified as roofers or other field titles? If so, this can make your Workers’ Compensation much higher than it should be. Review the Workers’ Compensation policy to see what each of your employees is classified as and make changes if necessary. Auditing and reviewing your current payroll for inaccuracies or deductions you can take, like overtime, Davis-Bacon Act wages, etc., can help lower your cost. Confirming that subcontractors have valid certificates of insurance, and deducting valid business expenses like auto allowances, can have the same effect. Your organization’s classification codes and payroll dollars are the foundation for the base premium. An error in these numbers could cost you severely.
The next factor in determining a Workers’ Compensation rate is the past three years of claims history, which contributes to your experience modifier. The more claims against your Workers’ Compensation policy, the higher your experience modifier will be. This, of course, increases your premiums. If you haven’t had an accident, ask your carrier for a loss run just to make sure there aren’t any accidents incorrectly reported. If you had an accident, unfortunately, this will show on your loss runs for the next three years. You can, however, control how much these claims will cost by implementing “back to work” programs. The gist of these programs is that employers maintain communication with injured workers and, if possible and with the permission of the physician, find work that can accommodate the worker’s injury. By bringing the employee back to work, the claim will cost less by mitigating lost wage payments and ultimately will affect the claims reporting on your policy and shouldn’t hit your experience modifier as hard.
Various states have programs that can assist in lowering Workers’ Compensation costs, e.g. a certified safety committee credit, a contractors credit program, etc. Utilize these whenever possible to lower your costs.
Finally, making sure safety procedures are developed and enforced will mitigate the risk of an injury. Depending on the type of work your organization does, you may want to institute a two-person rule when workers need to carry heavy objects over a certain weight limit, institute the use of safety harnesses for employees working in high areas, or adopt other procedures that would make sense for your individual organization. After these policies are put into place, be sure they are communicated to the employees and enforced.
Keeping your Workers’ Compensation premiums low will take investigating your current policy and pre-planning when it comes to implementing procedures that keep your claims low or non-existent. While this takes effort, it will be worth it if you are able to keep your expenses low enough to be the lowest bidder in municipal and state bid processes.
Cyber Risk: More Than Just Data Breaches
Cyber risk entails more than you think. Given the latest reported data breach from Yahoo (again), people constantly think of hackers when they hear “cyber risk.” It is important for executives whose responsibilities include protecting the financial welfare of their companies to understand that cyber risk goes much deeper than the highly publicized security/data breach. Learning all facets of cyber risk, ways to protect a company’s data infrastructure and financial well-being, and what remedies are available in the event of a loss are all paramount to any financial executive in today’s digital world.
If cyber risk isn’t just data breach, what exactly does cyber risk involve? In addition to intentional hacking, cyber risk can include accidental loss of employee or client data, actual physical damage to computers, servers or other networking materials, or even lawsuits resulting from web activities. Comments made on public websites by an executive or employee, inaccurate or libelous statements made online, and a third party sustaining losses from a virus picked up from a company website can all be considered “cyber risk”. The potential scenarios presented are not an exhaustive list of risk possibilities, but it is safe to say that if your company operates online, including accepting payments, storing/transmitting data, or using social media or web pages to advertise, analyzing your cyber risk should be a top priority.
Proactive IT security measures including implementing security tools, disaster recovery plans and training employees on policies and procedures are essential to mitigating cyber risk. Many companies already take these precautions. According to a September 7th, 2012 published report, 8 Surprising Disaster Recovery Stats by CRN.com, “Only 51% of small businesses have an IT business continuity plan…compared to 74% of large businesses.” Furthermore, downtime created by disasters such as fires (26% of the time), human error (60%), server room issues (44%) and power outages (29%) lasted an average of 2.2 days and cost the companies $366,363 a year. While having disaster recovery procedures in place to mitigate downtime is essential, these plans don’t take into account recuperating lost revenue, money spent on fixing the problem and possible branding damage. This is where learning the remedies available to companies in the event of a loss becomes vital.
The first step is to analyze your exposures to loss, considering the type of business you are involved in. For example, if you have a media company, you should have cyber risk coverage that guards against digital copyright infringement and libel suits. If you are in the healthcare industry and are subject to HIPAA laws, you need to have cyber risk insurance that covers breach or negligence events. After your consideration of the potential exposures, review your current insurance for coverage for loss of equipment, media, business income loss, etc. Often, the standard property and general liability policies provide some coverage that addresses some of your exposures, but more likely, there may be gaps that need to be addressed.
Keep in mind that we are available to assist you in addressing your exposures and developing an insurance and risk management program to address them.