R&R Insurance Blog

It wasn’t long ago that once we deposited money received for goods and services into our bank account, we were able to sleep comfortably knowing that our money was safe.  After all, vaults and the security surrounding them were so secure that breaking into was left to the imagination of Hollywood producers.  But with the dawn of the technology age has also come the era of cyber heists with unknown and unseen actors hacking into computers and fooling people into parting with their hard earned cash.

There a number of ways that a business can insure for these risks.  But, as is common in the world of insurance, coverage is dependent on a number of factors including how the crime was perpetrated. 

Adding to the confusion is the term “cyber” which leads to misunderstanding that all crime committed with a computer is covered in the same way.  It is not. 

Crime policies have been available in the market for years.  Most insureds are more familiar with the term Employee Dishonesty and ERISA bond which are only part of what can be covered by a Crime policy.  I want to address two additional insuring agreements that are available on Crime policy and the new Social Engineering Fraud agreement that is available from some carriers. 

The first of these is Computer Fraud.  This part of the crime policy is intended to coverage a loss when the instruction received by the financial institution to transfer money from one account into another or to a location outside of the premises,  is fraudulent.  Typically the customer would have no knowledge that money has been transferred from their account until they review their account or statement.

The next is Electronic Funds Transfer.  As is the case with the Computer fraud , this agreement requires that an electronic , telegraphic, cable, teletype or telephone instruction be fraudulently sent to the financial institution directing the transfer of money from the account. 

The important part of both of these definitions, for purposes of this article is the instruction is fraudulent.

That is different from Social Engineering Fraud.  In this scheme, the account holder (financial institution customer) is tricked into believing that the transaction that they, the customer,  are sending to the financial institution to transfer money is legitimate.  In other words, the instruction being sent to the financial institution is correct.  This type of fraud is increasingly common.  Bad actors are drafting emails to trick people into believing that they are being instructed to transfer money from their account usually by someone in authority at their company.   

In considering this insurance it is important to understand how these terms are defined in the policy rather than assume that all things computer related and cyber mean the same in every instance. 

In the midst of summer, many of us are spending long weekends in the car. Whether we're traveling a few hundred miles up north, or a few thousand miles down south, we're probably all looking for a distraction during the drive. While cell phones can provide great entertainment, it's important to remember the laws surrounding their use in vehicles. Below is an update on what is currently prohibited in Wisconsin:

• Text messaging outlawed for all drivers. Fines from $20 to $400 with a possible 4 points against the driver’s license. Primary enforcement.
• Drivers with restricted licenses prohibited from using cell phones.
• Drivers may not watch devices within vehicle providing entertainment through “primarily visual means.”
• Drivers prohibited from using handheld cell phones in construction zones. Takes effect Oct. 1, 2016.
• The state outlaws distracted driving, or “being so engaged or occupied as to interfere with the safe driving of that vehicle.” The fine is $173 and 4 points.

Click here to learn more about these laws and the fines associated with them. We hope you have a happy, safe and enjoyable summer with family and friends!

Contact a Knowledge Broker for more information.

While the terms Loss Payee and Lender’s Loss Payee may sound similar, there is a difference between them in regards to the insurance protection given the lender in the event of a loss and recovery for the same.

If the lender is properly named (endorsed) as a Loss Payee on a policy and there is a covered loss that occurs for which the insured is entitled to payment, the payment would be made to both. That is, both the insured and lender would be listed on the check.

If due to any non-compliance, wrongful act, or policy provision, the insurance company would not be required to make payment to the insured, then the lender would not receive payment either.

If the lender is properly named (endorsed) as a Lender’s Loss Payable, that  is a benefit to the lender. If a covered loss occurs, the lender would have the right to the loss payment, even if non-compliance of terms by the insured or wrongful acts of the insured came into play. The Lenders Loss Payable status and endorsement will also  provide that the lender be given notice from the insurance company in the event of a cancellation (non-payment or other reasons)  or non-renewal by the carrier.

For more information, contact a knowledge broker.

Insuring precious metal - like gold or silver - is one thing, but when it's cast into a priceless Olympic medal, and won with the dedication of a supreme athlete - it's a different story. Luckily, Olympian's today are covered by a special policy for the Olympic athletes - in case their medals are lost or stolen, but that protection hasn't always been there. Many Olympians have had their medals stolen, or damaged in transport from one speaking enagagement to another.

Based on the amounts of precious metals used in the Olympic medals, a gold medal would be worth about $632, a silver medal $367, and a bronze medal less than $5.

Speed skater Apolo Ohno used to keep his eight medals in a sock drawer! Precious Medals: Olympians treasure their trophies (and dread having them stolen).

If you do have something as precious as an Olympic medal, how do you insure it?

If you own something that is irreplaceable like an Olympic medal, you would want to schedule it under your homeowners policy with an “other” category.

You and the insurance company will need to come to some sort of “agreed value” for the object. You would need to provide a complete description and most likely a photo of the object you want to insure. It is highly suggested that you also review your schedules with your knowledgebroker on a yearly basis.

Wisconsin residents, for more information about your homeowner’s policy or special coverages for your priceless items, contact a knowledgebroker today.

So we finally get a change in the Wisconsin Worker’s Compensation Act that supports an employer’s post-accident drug testing program, and then “OSHA” happens…

On May 11, 2016, the Occupational Safety and Health Administration (OSHA) published a final rule revising its Recording and Reporting Occupational Injuries and Illnesses regulations. In addition to addressing many aspects of the claim reporting process, OSHA has prohibited employers from using drug testing (or the threat of drug testing) as a form of adverse action against employees who report injuries or illnesses. They indicate that employers should limit post-accident testing to situations in which employee drug use is likely to have contributed to the incident.

So what does that mean to you? If you have a post-accident testing program that requires testing after any and all injuries, you will need to re-evaluate your program and implement changes by August 16, 2016. This is when the part of this rule takes effect.

If you have questions about whether or not your current policy will be in violation, please contact me so that we can discuss.

About 9 months ago, my dad called me concerned about a message that he had gotten on his computer at home. My dad and his wife are both retired and live up in a small town in northern Wisconsin.

The message on the screen said that he had a virus on his computer and it provided a phone number to call to get it fixed. How convenient. Turns out he wasn’t as concerned about the message as he was about what he did after he got the message.

By the time my dad had reached out to me, he had already called the number on the message and had paid to have a “tech” on the other end of the line diagnose what was wrong with his computer. My dad was calling to get my thoughts on whether or not he had done the right thing. Turns out he had not.

Click here to learn more about how this scam works and hopefully avoid it happening to you or a family member.

Cyber-attacks at work and at home are a growing trend and all indications are that they will continue to grow in numbers and methods. Be sure that you are doing all that you can to protect yourself and your business.

For additional resources on cyber security, click here to download our Cyber e-Book.

Orlando. 

San Bernardino.

The Boston Marathon Bombing.

Fort Hood.   

9/11.

Terrorism is again at the forefront of nearly everyone’s minds.  It is no longer something happening "over there."

After 9/11/01, terrorist attacks and fatalities in the United States dropped to nearly zero from 2002 until 2009.  However, since 2009, the number of incidents and the number of fatalities has been rising, including the most recent and horrendous attacks in Orlando and San Bernardino.  It is clear that terrorism can occur anywhere and is not going away. 

What Is My Business’ Risk from a Terrorist Act?

Statistically speaking, the average American is far more likely to die from other causes than from terrorism.  For example, the Centers for Disease Control reports the following:

• You are 271 times more likely to die in a workplace accident than a terrorist act. 
• You are 1,904 times more likely to die in a traffic accident than a terrorist act. 
• You are 35,079 times more likely to die from heart disease than a terrorist act. 

However, these statistics do not make the threat of terrorism any less frightening. Clearly, some parts of the country have a greater exposure than other parts.  For sure, the recent events lead typical business owners to ask:

Does my insurance cover my business if something happens to me like what happened to Pulse in Orlando?

Unfortunately, that is not a simple “yes” or “no” answer.  It all depends on what line of coverage you’re talking about.  For example, Worker's Compensation does not exclude terrorism.  For all other lines of commercial coverage, the answer is a little trickier.  It involves something called TRIA.   

What is TRIA?

The 9/11 attacks resulted in insured losses of $23 billion.  As a result, the Terrorism Risk Insurance Act (TRIA) was enacted by the U.S. Government.  It acts as a re-insurance to the insurance industry to cover insured losses from terrorism.  In exchange for this backing, the law requires insurers to allow businesses the option of buying terrorism coverage.

TRIA defines an act of terrorism as an act committed in the United States by individual(s) to coerce the civilian population of the U.S. or influence the policy or conduct of the U.S. by coercion.  There is currently no distinction between foreign or domestic terrorism. 

The act also specifies that an incident must reach $5 million before it can be certified as an act of terrorism.  The U.S. Secretary of the Treasury, in concurrence with the U.S. Attorney General, makes that determination.  Then there is a complicated set of conditions and thresholds that must be met before the U.S. Government re-insures a particular incident.  Since TRIA was signed into law by George W. Bush in 2002, no incident has been designated as an “act of terrorism”. 

What happens if I Accept or Reject Terrorism Coverage?   

If you reject the offer to add terrorism coverage for your standard policy, and an event is certified as “an act of terrorism”, then you will NOT have a covered loss.

If you buy the add terrorism coverage, and there is a certified “act of terrorism”, then you will have a covered loss.

What happens if an incident occurs that is not certified as “an act of terrorism”?

As previously mentioned, there has not been one certified “act of terrorism”.  So what happens to businesses’ affected by what seems to be an “act of terrorism”, but has not been certified by the U.S. Department of Treasury as one. 

The Boston Marathon Bombing was not certified, but several businesses were obviously affected.  In this situation, a typical property casualty policy should cover acts of malicious mischief, vandalism, fire, and explosion. 

Business interruption and extra expense coverages would also apply if purchased.  One coverage to consider is for business income or extra expense for “dependent properties”.  These are other business that your business relies on for your continued operations.  What if they are the victims of an attack and are shut down? 

If your employees travel frequently, do you have travel policies that cover terrorist acts?           

Some insurance carriers are offering stand-alone terrorism policies.  These are typically property policies that respond only to acts of terrorism, no matter if they have been certified by TRIA.   

Every situation will raise insurance coverage questions, and all the facts must be investigated to determine how coverage applies. 

The most important task you can do is to consult with your agent and review all of your exposures and policies to determine what makes sense for your business. 

Do you know what a phishing attack is and how to recognize them? Are you training you training your employees?

Wombat Security recently published a report on the State of Phishing attacks. The report highlights that phishing attacks are increasing, becoming more sophisticated and varied in their approach to tricking potential victims. These come in the form of emails, phone calls, SMS messaging and USB attacks.

• Delivery Status Notification
• Full mailbox notification
• Spam quarantines
• Benefits enrollment messages
• Invoices
• Confidential HR documents
• Shipping confirmations
• Wire transfers
• Insurance notification
• Auto insurance renewal
• Frequent flier accounts
• Bonus miles
• Photo tagging
• Frozen accounts,
• Big-box store memberships
• Social networking
• Gift cards

With more recent research being done on employee health and its effects on companies, it is now safe to conclude that the benefits from encouraging and implementing a wellness program are no longer disputable. Whether it is lower health care costs, greater productivity, lower absenteeism, or higher morale, healthy employees cost you less and have a noticeable impact on the company in both the short and long term.

Over time, you are able to drive down health care costs by positively influencing your employees’ health and well being. You can impact the healthy employees by maintaining their wellness, and even get some employees who are on the edge of being unhealthy back into good health. 

An example of this written in the Harvard Business Journal, explains that doctors who conducted a study, at a single employer, researched a random sample of 185 employees and their spouses. The participants were not heart patients, but they received cardiac rehabilitation and exercise training from an expert team. Of those participants classified as high risk at the beginning of the study (according to body fat, blood pressure, anxiety, and other measures), 57% were converted to low-risk status by the end of the six-month program. Furthermore, medical claim costs declined by $1,421 per participant, compared with those from the previous year. A control group showed no such improvements. The bottom line: every dollar invested in the intervention yielded $6 in health care savings for that company.

A wellness program is not only a strategy for cutting avoidable costs, but also functions as a commitment to your employees and the overall health of your organization.

Wellness initiatives provide opportunities to help brand the company and drive change to the organizational culture. Here are some outcomes that result from developing your company brand and culture that could emerge from the pursuit of a healthy company lifestyle:

• Increased leadership opportunities
• Educated and empowered employees
• Ability to build connections and make cross-department communication easier
• Positive perceptions of the company and the workplace
• New, unique company and employee needs can be identified and acted upon

For further reading on workplace wellness check out this article.

Every business has an exposure and risk of becoming a cyber crime victim. While most businesses are familiar with insuring for traditional risks, there are a range of exposures that your business may need to be protected from. The following questionnaire provides in depth insight into risks you may not have previously contemplated.

Do you accept credit card payments? 

If yes, any merchant or organization, regardless of size or  number of transactions, that accepts, transmits or stores any cardholder data is required to be PCI (Payment Credit Card Industry) compliant. This includes any debit, credit, and prepaid cards branded with one of the 5 associated/brand logos  that participant in PCI SSC—American Express, Discover, JCB, Mastercard, Visa International.  Using a third party processor does not exclude a company from PCI compliance.  Check your merchant services agreement which outlines your exposure.

Do you process payroll? 

If yes, you are responsible for the safekeeping of this data even if outsourcing to a payroll data company.

Does your business utilize computers/software to run any part of operations?    

If yes, what is the potential loss of income should the system be non-operational?

Do you offer any employee benefits to your employees? (health insurance/life insurance/ disability)?

If yes, you have Personally identifiable information on your employees, spouses and children that you are required to protect, whether in paper or electronic  format.

Does your company offer a wellness plan?

If yes, according to the Office for Civil Rights (enforcement body for HIPAA), providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means and those data must be protected under HIPAA.  The HIPAA Safety Rule requires that all covered entities to implement technical, administrative and physical safeguards to prevent protected health information from being viewed or accessed by unauthorized individuals.  Fines of more than $50,000 can be assess for each violation up to $1.5 million per calendar year.  Even companies that are not covered entities may be subject to HIPAA rules should PHI be breached.

Does your company allow employees to connect mobile storage devices to office computers?

If yes, malware and virus can infect your system via these devices.  If you have a policy that prohibits these activities, are you certain that all your employees follow the policy all of the time?

Have you ever received an email that appears to come from a known party directing you to transfer money? 

If yes, this is an example of a phishing scheme. 

Do you allow access to your system to outside parties using a VPN?

If yes, open portals are gateways into your system and are being utilized by hackers.

Do you conduct business over the internet or through your website?

 If yes, what impact would your business experience if it was no longer operational?

Do you provide for an EFT option to either accept payments from your vendors or to pay your vendors?

If yes, you have personally identifying information for either individuals or businesses – i.e. bank account information.

Do you require employment applications?

If yes, you have personally identifiable information.  Where is this information kept?  What do you do with applicant information for individuals that you do not ultimately employ?

Do you store, process, transmit any personally identifiable personal or health information for employees, customers, patients, students, companies, vendors, etc?

If yes, you have a legal obligation to protect that information. 

Contact us for additional information, or download our cyber liablity e-book to learn more about properly protecting the business you've worked so hard to build.