R&R Insurance Blog

How to Survive a Cyber Attack/Data Breach

Posted by the knowledge brokers


It is every IT manager, CISO, CFO and CEO’s worst nightmare. The FBI has notified you that a cyber attack of unknown origin and scope has been identified as occurring in your network; an employee advises that a mobile device containing personally identifiable information is missing; a ransomware note suddenly appears on a desktop computer indicating that your system has been encrypted by outside actors demanding payment in bitcoin; an employee was tricked via a phishing email into sending a spreadsheet containing W-2 information on your employees to an outside source.

These are just a few of the real-life examples of cyber attacks and data breaches that companies have faced. Experts agree that cyber security will always be defensive in nature, and how a company responds to the situation can mean life or death for a business.

How prepared are you to respond? Do you even know what constitutes a “data breach”, and whether the situation you are experiencing meets the definition and triggers a response? Under what circumstances are you required to notify individuals, vendors, business associates, and regulators? Do you have contractual relationships that require the other party to be notified, and if so, under what circumstances is notification required?

It is crucial for all businesses to have a Breach Response Plan that is well thought out, flexible enough to adapt to various scenarios, and tested. The first step in the plan is the ability to determine whether the circumstances trigger your response plan. How do you determine, for example, whether the data breach encompasses unauthorized access to or unauthorized acquisition of personally identifiable information? Are you familiar with the various laws in the jurisdictions where the affected individuals reside, so that you can determine your next steps? Within the United States there are 47 different breach laws. In addition, each country has its own set of laws that must be followed. Regulatory regimes such as HIPAA, the FTC, and PCI have different requirements as well. How do you plan on conducting an investigation, and who are the participants, internally and externally?

At what point does law enforcement need to be notified? Or should law enforcement be notified? If law enforcement takes control of your system or confiscates your computers, what impact does that have on your operations? But without their assistance how can the attack be stopped?

One thing, however, is clear: without a plan the response will be PANIC! Decisions will need to be made quickly and under pressure. Similar to the fire drills and tornado drills that we all experienced in school, preparation is key.

The first step is to identify stakeholders. This is not an IT-only issue. Develop a CIRT (Computer Incident Response Team). Determine which positions need to be included on the team, not which individuals: by the time the plan is invoked, individuals may have changed roles or left the company.

Establish a command center/war room where the team can convene. Remember, every minute that it takes to respond costs you money.

What is your communication plan, both internally and externally? It is important that your employees be trained not to communicate anything that they “think” they know. Until the facts are determined, communication channels need to be controlled.

It is likely that an outside forensic IT investigation firm will need to be engaged in order to determine what has happened, how it happened, and what the current status is. Which firm will you engage, and at what cost?

Do you have legal counsel that is prepared to respond? Are they experts in this area of the law and familiar with the various statutory and jurisdictional requirements? What is the scope of your engagement with the firm, and what is their fee? Will they be in a position to be your liaison with law enforcement and regulators? Will these attorneys be able to prepare notification letters?

Included with notification are the costs of paper, postage, call center, website management, etc. Are you prepared to make these arrangements and absorb these expenses?

When it comes to communication, maintaining your reputation with your customers, vendors, employees and the public will be crucial. Will you be engaging a public relations firm to manage these communications? How will the media be managed when reporters request information?

How will communication with regulators be handled? Various bodies have the authority to fine and penalize a business.

Do you have experience in negotiating with cyber extortionists? Will you be in a position to decide to pay or not pay a ransom demand? How familiar are you with bitcoin?

According to a recent survey by 451 Research, 30% of businesses indicated that they have a breach response plan and only 25% have cyber insurance. However, various studies indicate that the cost of a data breach ranges from $160 to $360 per record, depending on the industry and specifics of the breach.

Cyber insurance can play an important role in this entire process. I say CAN because the scope of coverage, risk management services, and breach response vary greatly among the 60+ carriers that offer “cyber” insurance. The insurance is not an alternative to having a robust response plan, but it can complement one and provide outside resources and vendor relationships. It is important to choose an insurance partner that will not only help you identify your risks and exposures, but will also provide a vital partnership in assessing and responding to situations as they arise.


Topics: Cyber Liability

Business Owners Beware: Network Attacks are not Covered by Standard Business Interruption/Income Insurance Policies

Posted by the knowledge brokers

What happens to your business in the aftermath of a disaster? That depends, in part, on the definition of disaster.

Most businesses are familiar with Business Interruption/Income Insurance. The first Business Interruption policy was issued by London Underwriters in 1939 and is designed to put the insured company back into the same financial position it would have enjoyed had the disaster not occurred. However, according to the American Insurance Association, the coverage is only triggered in three limited circumstances:

  • There is physical damage to the premises of such magnitude that the business must suspend its operations
  • There is physical damage to other property caused by a loss that would be covered under the company’s insurance policy, and that damage totally or partially prevents customers or employees from gaining access to the business
  • The government shuts down an area due to property damage caused by a peril covered by the company’s insurance policy that prevents customers or employees from gaining access to the premises

So what happens in the event of a cyber attack? Unfortunately, a network attack is not considered a disaster and is not covered by the standard Business Interruption/Income insurance policy.

What constitutes a network attack? Consider the following:

  • The intentional and unauthorized gaining of access to, or use of, the insured’s network (computer hardware, software, firmware, and electronic data stored on or within the network, connecting two or more computers, including networks accessible through the internet, intranets, extranets, and virtual private networks)
  • Receipt of targeted malicious code from an external source
  • A targeted denial of service attack

According to a report recently released by EMC Corporation for its Global Data Protection Index 2016, the average cost of data loss and disruption is $913,958 per organization. In addition, the average cost of unplanned system downtime is $550,000 and the average length of downtime is 22 hours. Over 70% of study participants responded that they did not think their organization would be able to fully recover their systems or data.

How do you recoup data forensic expenses, costs to restore or replace digital assets, extra expenses, and the reduction in business income? Fortunately, insurance coverage can be obtained through a Cyber Insurance Policy. Unfortunately, this coverage is not offered by all carriers and is frequently overlooked and misunderstood. This creates a significant risk to any business operation.

References:
American Insurance Association
EMC Corporation, Global Protection Index 2016
Allied World Insurance policy forms SRVS2 00002 and SRVS2 00052 00

Topics: Cyber Liability

What to Ask When Looking to Insure Your Drone

Posted by the knowledge brokers

In the marketplace, drones are on the rise as a commercially used technology. When looking to insure them, there are questions that need to be answered when discussing coverage options.

  1. Are all drones registered with the FAA?
  2. Are all operators certified to fly drones?
  3. Can the operator provide evidence of his/her certification?
  4. How will the drone be used?
  5. Where will it take off, land, and what is the flight path?
  6. Will flights take place around the public?
  7. Will the unmanned aerial vehicle remain within its operator’s line of sight?
  8. How high and how fast will it fly? (Right now drones are limited to an altitude of 400 feet and a speed of 100 mph)
  9. Is there a maintained log kept to show all flight activity?
  10. Will the drone collect data; including pictures, video, or sound?
  11. How will the data be used?
  12. What are the possibilities for unintended eavesdropping?
  13. Has the drone owner or operator had any drone related incidents that could lead to a claim?

These questions are based on the article “Flight Risk” by Angela Adams in Best’s Review, April 2016.

For further information about drones and their rules and regulations, hazards, and coverage under commercial insurance, check out this article from the R&R blog.

Topics: commercial drones, Drones, insurance for drone

How Insurance Can Protect Corporate Bank Accounts

Posted by the knowledge brokers

It wasn’t long ago that once we deposited money received for goods and services into our bank account, we were able to sleep comfortably knowing that our money was safe. After all, vaults and the security surrounding them were so secure that breaking into them was left to the imagination of Hollywood producers. But with the dawn of the technology age has also come the era of cyber heists, with unknown and unseen actors hacking into computers and fooling people into parting with their hard-earned cash.

There are a number of ways that a business can insure against these risks. But, as is common in the world of insurance, coverage depends on a number of factors, including how the crime was perpetrated.

Adding to the confusion is the term “cyber”, which leads to the misunderstanding that all crime committed with a computer is covered in the same way. It is not.

Crime policies have been available in the market for years. Most insureds are more familiar with the terms Employee Dishonesty and ERISA bond, which are only part of what a Crime policy can cover. I want to address two additional insuring agreements that are available on a Crime policy, and the new Social Engineering Fraud agreement that is available from some carriers.

The first of these is Computer Fraud. This part of the crime policy is intended to cover a loss when the instruction received by the financial institution, directing it to transfer money from one account into another or to a location outside of the premises, is fraudulent. Typically the customer would have no knowledge that money has been transferred from their account until they review their account or statement.

The next is Electronic Funds Transfer. As with Computer Fraud, this agreement requires that an electronic, telegraphic, cable, teletype or telephone instruction be fraudulently sent to the financial institution directing the transfer of money from the account.

The important part of both of these definitions, for the purposes of this article, is that the instruction itself is fraudulent.

That is different from Social Engineering Fraud. In this scheme, the account holder (the financial institution’s customer) is tricked into believing that the transaction that they, the customer, are sending to the financial institution to transfer money is legitimate. In other words, the instruction being sent to the financial institution is genuine. This type of fraud is increasingly common. Bad actors are drafting emails to trick people into believing that they are being instructed to transfer money from their account, usually by someone in authority at their company.

In considering this insurance, it is important to understand how these terms are defined in the policy rather than assume that all things computer-related and “cyber” mean the same thing in every instance.


Topics: Cyber Liability, bank fraud

State of the Phish: What Are Phishing Attacks & How to Avoid Them

Posted by the knowledge brokers

Do you know what a phishing attack is and how to recognize one? Are you training your employees?

Wombat Security recently published a report on the state of phishing attacks. The report highlights that phishing attacks are increasing and becoming more sophisticated and varied in their approach to tricking potential victims. These come in the form of emails, phone calls, SMS messaging and USB attacks.

Included in this report are some of the common message themes being utilized, so beware when they appear in your inbox:
  • Delivery Status Notification
  • Full mailbox notification
  • Spam quarantines
  • Benefits enrollment messages
  • Invoices
  • Confidential HR documents
  • Shipping confirmations
  • Wire transfers
  • Insurance notification
  • Auto insurance renewal
  • Frequent flier accounts
  • Bonus miles
  • Photo tagging
  • Frozen accounts
  • Big-box store memberships
  • Social networking
  • Gift cards

The aftermath of a phishing attack can be devastating to an organization, whether through loss of employee productivity, damage to reputation, or money lost.

At R&R we strive to continually educate our business partners on various Cyber risks. Download our Cyber e-Book for more information on protecting your business.

Topics: Cyber Liability, phishing

Is Your Business at Risk? Cyber Security Questionnaire

Posted by the knowledge brokers

Every business has an exposure to and risk of becoming a cyber crime victim. While most businesses are familiar with insuring against traditional risks, there is a range of exposures that your business may need to be protected from. The following questionnaire provides in-depth insight into risks you may not have previously contemplated.

Do you accept credit card payments?

If yes, any merchant or organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data is required to be PCI (Payment Card Industry) compliant. This includes any debit, credit, and prepaid cards branded with one of the 5 associated brand logos that participate in the PCI SSC: American Express, Discover, JCB, Mastercard, and Visa International. Using a third-party processor does not exclude a company from PCI compliance. Check your merchant services agreement, which outlines your exposure.


Do you process payroll?

If yes, you are responsible for the safekeeping of this data even if you outsource it to a payroll data company.


Does your business utilize computers/software to run any part of operations?

If yes, what is the potential loss of income should the system be non-operational?


Do you offer any employee benefits to your employees (health insurance/life insurance/disability)?

If yes, you have personally identifiable information on your employees, spouses and children that you are required to protect, whether in paper or electronic format.


Does your company offer a wellness plan?

If yes, according to the Office for Civil Rights (the enforcement body for HIPAA), providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means, and that data must be protected under HIPAA. The HIPAA Security Rule requires all covered entities to implement technical, administrative and physical safeguards to prevent protected health information from being viewed or accessed by unauthorized individuals. Fines of more than $50,000 can be assessed for each violation, up to $1.5 million per calendar year. Even companies that are not covered entities may be subject to HIPAA rules should PHI be breached.


Does your company allow employees to connect mobile storage devices to office computers?

If yes, malware and viruses can infect your system via these devices. If you have a policy that prohibits these activities, are you certain that all your employees follow the policy all of the time?


Have you ever received an email that appears to come from a known party directing you to transfer money?

If yes, this is an example of a phishing scheme.


Do you allow access to your system to outside parties using a VPN?

If yes, open portals are gateways into your system and are actively being exploited by hackers.


Do you conduct business over the internet or through your website?

If yes, what impact would your business experience if it were no longer operational?


Do you provide for an EFT option to either accept payments from your vendors or to pay your vendors?

If yes, you hold personally identifying information for either individuals or businesses, i.e. bank account information.


Do you require employment applications?

If yes, you have personally identifiable information. Where is this information kept? What do you do with applicant information for individuals that you do not ultimately employ?


Do you store, process, or transmit any personally identifiable information or personal health information for employees, customers, patients, students, companies, vendors, etc.?

If yes, you have a legal obligation to protect that information.


Contact us for additional information, or download our cyber liability e-book to learn more about properly protecting the business you've worked so hard to build.

Topics: Cyber Liability

How to Score the Most Candy at Memorial Day Parades

Posted by the knowledge brokers

With Memorial Day around the corner, you’re probably planning which local parades you’ll be attending. And we all know that when kids hear “parade” they also think…candy! We’ve participated in a few parades ourselves and know how important it is to keep the little ones happy.

Here are a few tips and tricks for bringing home the maximum amount of candy:

  • Positioning: Don’t take your chances and position yourself at the end of the parade. You never know how much candy is stock-piled on the floats, and there’s a good chance they’ll be out by the end of the route. Find a good spot up front, and claim it.
  • Children: Also known as, Candy Magnets. Everyone likes to make a child smile, and for that reason kids are much more likely to be tossed handfuls of candy. Be sure to find a nice family-friendly, child-filled spot to claim as your own.
  • Acknowledgement: You’d be surprised what flashing a smile or giving a friendly wave can do. Show your excitement and interest in being there and you’re bound to get acknowledged by the candy tossers.

With nice weather on the radar, we hope you’re able to get out and make the most of these summer celebrations. And wish you nothing but candy-filled success.

Here is a list of the upcoming Memorial Day Parades in Wisconsin. Take a look and see what’s going on near you!

Topics: parades

Do You Have the Guts to Take On a Fixer Upper?

Posted by the knowledge brokers

If you’re like most of the employees here at R&R, you’re obsessed with HGTV’s hit TV show “Fixer Upper.” Chip and Joanna Gaines give us major house envy with each episode, and we can’t help but see our own honey-do lists growing each week.

If you’ve successfully tackled some home projects and are currently admiring the fruits of your labor, we want to hear from you! Things like updated roofs and furnaces, alarm system installations and changes to your fireplace setup can provide instant premium savings if we notify your carrier about these improvements. On the opposite end, cosmetic upgrades and additional square footage may or may not need to be reflected in your existing policy’s coverage limits (but we should talk about it either way).

So when your next home project has been finished, and the paint and sawdust have settled, give us a call so we can review your policy together and make the necessary coverage recommendations to ensure your policy will respond appropriately in the event that you need it.  If you have pictures for us to admire, we love those, too.

Still in need of some inspiration?  Click here for Joanna’s favorite “Fixer Upper” renovation of all time!


Topics: Personal Lines

Are You Covered for Unexpected Events? Test Your Personal Insurance Knowledge

Posted by the knowledge brokers

Most of us are familiar with the run-of-the-mill claims that typical home and auto insurance policies cover. You’re having a summer barbecue and the deck catches on fire. Covered. You’re teaching your teenage son to drive and he rear-ends the neighbor’s car. Covered.

Accidents, while unfortunate and unexpected, do happen. But the peace of mind that comes with buying a quality insurance product and knowing it will be there to help you pick up the pieces can help ease the anxiety that is associated with these unexpected events. (It may not help calm your nerves when getting back in the car with your teen driver, however.)

But what about those rare instances when the truly unexpected claim arises? You know, the type of claim that you never thought would happen to you? Do you know how (or if) your insurance policy will respond? Take the test below to find out whether these bizarre incidents are covered by your home and auto policies, and start building your insurance knowledge!

  • You finally get those pesky mice out of the basement only to find they’ve made a home in your car. They’ve created a beauty of a nest and chewed away at the electrical system. Covered?
  • Your full-time college student forgets to lock her dorm room when she leaves for class one morning. She comes back to find that her brand new flat screen TV and shiny laptop are gone. Covered?
  • A nasty summer storm strikes and you’re left with no power. The fridge you filled on Sunday starts to warm up and all of your fresh groceries are now spoiled. Covered?
  • You’re doing the annual spring tree trimming and decide to tackle those annoying branches hanging above your bathroom skylight. You make one wrong move and a branch goes straight through the window. Covered?

If you answered yes to the questions above you are an expert insurance policy holder! All of the incidents above would be covered under your home or auto policies.

It’s important to remember that all insurance policies do have coverage gaps and exclusions, so we recommend reviewing your policy annually to ensure that it continues to meet your family’s ever-changing needs. If reading insurance contracts does not sound like your idea of a good time, please contact us; we’d love the opportunity to walk you through this process!

Topics: Personal Lines

Criminal Hackers Targeting Payroll Data

Posted by the knowledge brokers

Since the beginning of the year there have been numerous reports of data breaches in which criminals gained access to personal W-2, tax and payroll information, either by hacking into online payroll systems or by tricking employees into allowing access to this information.

On March 8, 2016 Ozaukee County reported that its payroll and tax portal, “Greenshades”, had been breached and the personal information of approximately 200 employees was compromised. According to the Greenshades website, the company is experiencing an abnormal increase in identity thieves using stolen personal information to log into its system and access personal tax information.

Sequoia Union High School reported on February 3, 2016 that, as a result of a phishing incident, an unauthorized third party gained access to an office computer and accessed information on employees and retirees.

On February 24, 2016 Central Concrete Supply Co., Inc., Right Away Redy Mix, Inc, and Rock Transport, Inc. became aware of a data breach in which they believe a third party gained access to copies of 2015 W-2 income and tax withholding statements. The information was stolen through a sophisticated social engineering scheme in which an outside party posing as another person convinced a Central Concrete Supply employee to provide copies of documents by email.

In another breach, Turner Construction Company reported that certain personal information was disclosed in an email to an unauthorized recipient. As a result, other persons may have obtained personal identifying information including name, social security number, the name of each state in which wages or taxes were reported for the affected residents, and federal, state, local and Medicare earnings and tax withholding data.

Earlier this year a former records clerk at Tampa General Hospital was arrested for theft when it was learned that she accessed personal identifying information of patients and used that information to file $671,022 in fraudulent tax returns.

As these cases exemplify, criminals are targeting all types of businesses in order to gain access to the personal information of employees. It appears that they have shifted their focus from credit card data to the personal employee information that all businesses hold. Whether that information is outsourced to a payroll firm or retained internally, they are using sophisticated social engineering and phishing schemes to trick unsuspecting employees into providing access to it.

Topics: Cyber Liability