Cyber Attack Nightmares Continue

While most of us were celebrating Mother’s Day on Sunday, Colonial Pipeline was attempting to assess the damage related to a cyber-attack last week. Colonial Pipeline accounts for 45% of the East Coast’s fuel (diesel and petroleum). Colonial has had to take 4 of their main pipelines offline; they are operating off of smaller lines and delivery points. Impacts from New Jersey down through Texas are expected. As a response to the cyber-attack and limitation of the company’s resources the US government issued emergency legislation to lighten the regulation on fuel transportation. Extended shutdowns are “fueling” fears over pump prices.

The 5 key anticipated cybersecurity risks in 2021 were reported as Endpoint threats (servers, VPNs and cloud-based software services), Remote workforce exposures (weakened network security of remote devices), Cloud Security (business-critical data on cloud platforms), and Shortage of security professionals or services (availability and affordability). You can check out the full article on expected cyber threat trends for 2021 here.

Newer emerging threats are multi-stage attacks like ransomware or “low and slow hacks”. Ransomware attacks gain exposure through stolen credentials and are designed with the goal of systems and data infiltration. While multi-factor authentication (MFA) is an important security feature to mitigate ransomware attacks, it is reported that 78% of Microsoft 365 admin users don’t activate MFA.

Colonial Pipeline’s hack is reported to be a ransomware attack: “Sources said the ransomware attack was likely to have been caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial’s network and locked the data on some computers and servers, demanding a ransom on Friday.

The gang tried to take almost 100 gigabytes of data hostage, threatening to leak it onto the internet, but the FBI and other government agencies worked with private companies to respond. The cloud computing system the hackers used to collect the stolen data was taken offline on Saturday, Reuters reported.

Colonial’s data did not appear to have been transferred from that system anywhere else, potentially limiting the hackers’ leverage to extort or further embarrass the company, the news agency said.” You can read the full Colonial Pipeline article issued by BBC News here.

Mitigate Your Cyber Security Risks

1 – Identify and document asset vulnerabilities; What data are you storing?

2 – Identify and document internal and external threats; disgruntled employees, Dark Web techniques

3 – Assess your vulnerabilities; software security up to date and in place

4 – Identify potential business impacts; financial, operational, etc

5 – Identify and prioritize your risk responses; Response plan, best practices, documentation of procedures

Check out our previous articles on cyber risk at PEO Compass by searching “Cyber”. Libertate Insurance Services has Cyber Programs available to mitigate the loss.

Happy Mother’s Day 2021!

…from our family to yours.

As we all creep back towards normalcy, give your mom an extra hug today. We will.

As I go through ancestry with my mother, it amazes me the stories and characters behind them that built our family tree in the US and Canada. I have been especially keying in on the Great Expulsion of Scotland (Highlands) in the mid-1770’s. These families were practically exterminated after being chased off their land and forced off into the new unknown world of Halifax, Boston and Virginia.

My family stories of this era always seem to involve a strong woman whose primary function was the operations of the overall family unit. With their goal of settlement on a remote land far away from the forces of the crown, these family units (average age 23 for adults), sometimes with 5, 8, 10+ children to raise, found themselves on desolate islands such as Prince Edward Island (“PEI”), Newfoundland and Nova Scotia. Weather conditions were not optimal with the average temperatures on PEI being 13 degrees with a wind off the water.

While the father was on a boat chasing tuna and lobster or in the fields, the mothers brought up the next generation virtually on their own. They had no fear.

Pro Libertate!

Prayers for our friends around the world, but especially in India where this awful virus has recently surged.

“It may be possible to gild pure gold, but who can make his mother more beautiful?” —Mahatma Gandhi

“God could not be everywhere, and therefore he made mothers.” —Rudyard Kipling

and can’t leave Boston out for my mother…

“Mother is the name for God in the lips and hearts of little children” –Nathaniel Hawthorne

Happy Mothers’ Day from our family to yours!

Insurers Are Waking Up to Multi-Factor Authentication

Please enjoy this excellent article by Steven Kaye which was originally posted on the Carrier Management website. The original post can be found here.

Insurance use cases for multi-factor authentication (MFA) include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access and policyholder access.

Legislation and regulators are increasingly mandating MFA to ensure greater security as well as to reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law. Insurers have traditionally balanced security against expense and inconvenience to their users, especially if their coverages are marketed to older demographics (e.g., final expense policies). Regulatory mandates combined with growing digital adoption and criminals turning their eyes to life and annuities account takeover means the calculus has changed.

Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, is driving their adoption of MFA.

There is minimal variation between size and sector of company when it comes to deployment rates, with the exception of large life/annuity/benefits insurers, which are much more likely to use MFA for policyholders than is any other class of insurer. A low deployment rate of MFA for policyholders among smaller property/casualty insurers reflects the fact that few small P/C insurers offer direct policyholder access at all.

Midsize P/C insurers lag behind other sizes and sectors in deployment of MFA for both distributors and policyholders but are ahead of large life/annuity/benefits insurers in deployment for other external parties. Midsize P/C insurers are also ahead of midsize life/annuity/benefits insurers in deployment internally.

How MFA Helps

As many knowledge workers moved from the office to home during the pandemic, securing infrastructure became another key driver. Hybrid work models that blend office and home working environments are gaining traction, and the need for MFA becomes more crucial to validate that users are actually employees.

In addition to security needs, carriers are obtaining policyholder emails and cellphone numbers as part of the MFA process. These bits of data, which are often difficult to obtain, can provide insurers with the opportunity to digitally connect with customers in their preferred channel.

There is no mandated number of identification methods for MFA, but the consensus is to have two at a minimum. Insurers are starting to use multi-factor or its equivalent for any interaction where an external network is accessing information behind a firewall. Some are taking this a step further to include role-based authentication for internal access as well.

The best defense is a layered approach, combining multiple authentication methods with secure and documented business processes and other security solutions. Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.

Insurers should ensure that MFA processes are documented and that solutions generate auditable logs. Some wholesale brokers require attestations from insurers they work with.

For consumer-facing use cases, depending on the age of policyholders, insurers may wish to opt for MFA methods that are more straightforward (e.g., less complex knowledge-based authentication, voice print). Final expense and Medicare supplement are two lines of business where voice signatures are well established. Many solutions support establishing different access policies based on risk assessment, such as requiring MFA for new devices, or conversely accepting password-free authentication for low-risk access requests.

Types of Authentication

MFA relies on several of the following authentication methods:

  • Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users.
  • Knowledge-based authentication (e.g., answers to questions, passwords or PIN codes, randomly generated authentication codes from authenticator apps).
  • Location (e.g., GPS or IP address).
  • User characteristics (behavioral or biometrics-based).

Some authentication methods are more secure than others. For example, sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. With many employees working from home, phishing and other identity theft methods are on the rise. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.
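A minimal sketch of the adaptive authentication described above, added here as an illustration and not taken from the article or from any vendor's product. It scores an access request, requires more methods as risk rises, excludes SMS and email codes at the highest tier, and emits an auditable log line; the signal names, weights and thresholds are constructed assumptions.

```python
import json
from dataclasses import dataclass, asdict

# Constructed risk weights (assumptions; the article gives no numbers).
SIGNAL_WEIGHTS = {
    "new_device": 40,           # article: MFA may be required for new devices
    "unfamiliar_location": 30,  # GPS or IP address differs from the usual one
    "external_network": 20,     # access from outside the firewall
}

# Methods named in the article, most preferred first (ordering is an assumption).
PREFERENCE = ["security_key", "authenticator_app", "voice_print", "sms", "email"]

# Codes sent over these channels can be intercepted in transit.
INTERCEPTABLE = {"sms", "email"}

# Number of methods required per risk tier (assumption).
METHODS_REQUIRED = {"low": 1, "medium": 2, "high": 2}


@dataclass
class Decision:
    user: str
    risk_score: int
    tier: str
    can_proceed: bool
    required_methods: list
    reason: str


def risk_score(signals):
    """Sum the weights of the observed signals; reject unknown signal names."""
    unknown = set(signals) - SIGNAL_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown risk signals: {sorted(unknown)}")
    return sum(SIGNAL_WEIGHTS[s] for s in signals)


def tier_for(score):
    """Map a numeric score to a policy tier."""
    if score < 20:
        return "low"
    if score < 60:
        return "medium"
    return "high"


def decide(user, signals, enrolled):
    """Choose which enrolled methods the user must complete for this request."""
    score = risk_score(signals)
    tier = tier_for(score)
    usable = [m for m in PREFERENCE if m in enrolled]
    if tier == "high":
        # High-risk requests may not rely on interceptable channels.
        usable = [m for m in usable if m not in INTERCEPTABLE]
    needed = METHODS_REQUIRED[tier]
    if len(usable) < needed:
        return Decision(user, score, tier, False, [],
                        "not enough acceptable methods enrolled for this tier")
    return Decision(user, score, tier, True, usable[:needed],
                    f"{needed} method(s) required at {tier} risk")


def audit_line(decision):
    """Serialize the decision as one JSON line for an auditable log."""
    return json.dumps(asdict(decision), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("policyholder-1", set(), {"sms", "authenticator_app"}),
        ("agent-7", {"new_device"}, {"sms", "authenticator_app"}),
        ("agent-7", {"new_device", "unfamiliar_location"}, {"sms", "authenticator_app"}),
    ]
    for user, signals, enrolled in samples:
        print(audit_line(decide(user, signals, enrolled)))
```

The third sample request cannot proceed: at the high tier the user's SMS enrollment no longer counts, leaving only one acceptable method where two are required.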

Novarica recently conducted a survey of insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods and use cases. It is important to keep in mind that solution providers typically offer a range of authentication methods.

Only 30 percent of participants currently require MFA for distributors or policyholders, but another 20 percent are planning to require MFA within six months. Roughly 80 percent of participants require MFA for most or all internal systems users.

Deploying MFA

The most common authentication methods deployed are mobile authenticator apps, used by 80 percent of participants. More than half of participants use SMS. Email and security keys are used by roughly 40 percent and 33 percent of participants, respectively. Behavioral authentication, voice-based authentication, IP location and knowledge-based authentication are used by fewer than a third of insurers.

Note that only 16 percent of insurers report using just one method; overall, insurers said they use an average of 2.8 different authentication methods.

The security threat landscape continues to grow in number and impact. Although many carriers are not currently considering MFA, regulatory scrutiny and enforcement of IT security will only increase. The ability of most solutions to offer different levels of authentication for different access use cases means there is less of a tradeoff between customer experience and security. Many solution providers offer MFA as part of a broader portfolio of identity and access management and IT security solutions.

Insurers should consider MFA approaches as part of a broader IT security strategy.

CONTRIBUTOR

Steven Kaye, Novarica

Steven Kaye is Vice President of Research at Novarica and lead editor of the firm’s Business and Technology Trends in Insurance series. He has managed a wide range of research projects since joining the firm in 2008. Previously, Kaye worked for Accenture as an insurance researcher focused on the U.S. life and property/casualty markets. He also served in both knowledge management and research roles at Gemini Consulting (now part of Capgemini) for several of the firm’s industry practices. Kaye holds MILS and BA degrees from the University of Michigan at Ann Arbor. Reach him directly at skaye@novarica.com.

5 Ways Employers Can Support Employees’ Mental Health


An employee’s mental health includes how they think, feel and act, and includes their emotional and social well-being. While mental health includes mental illness, the two aren’t interchangeable. An employee can go through a period of poor mental health but not necessarily have a clear, diagnosable mental illness. Additionally, an employee’s mental health can change over time, depending on factors such as their workload, stress and work-life balance.

While 1 in 5 U.S. adults experience mental illness annually, a recent study by Deloitte revealed that less than half receive treatment. A study from the Mental Health in the Workplace Summit also found that mental illness is the leading cause of disability for U.S. adults aged 15 to 44 and that more workdays are lost to mental health-related absenteeism than any other injury or illness.

Given its prevalence, you can expect that employees at your organization are experiencing mental health challenges or mental illness. That’s why it’s so important that your organization creates a culture that supports employees’ mental health. While this may sound complicated, creating a workplace that is supportive of mental health and illness is easier than it seems. Here are five simple ways that your company can support employees and their mental health.

Promote Mental Health Awareness in the Office

The first step to creating a workplace that is supportive of employees’ mental health is promoting awareness and destigmatizing mental health or illness. Provide resources to help employees learn more about mental health or mental illnesses, and give information about how employees who may be struggling can seek out help. When you openly talk about mental health, employees are more likely to feel comfortable about the concept and reach out to managers or co-workers if they’re struggling.

You can also establish a workplace environment that is supportive of mental health by:

  • Encouraging social support among employees, such as an organized support group that meets regularly
  • Setting up an anonymous portal through which employees can reach out to let managers know that they’re struggling with high stress and need help
  • Providing training on problem solving, effective communication and conflict resolution
  • Promoting your employee assistance program (EAP), if you offer one

Offer Flexible Scheduling

Work-life balance, or a lack thereof, can affect an employee’s mental health. To help employees better balance their work and personal lives, employers across the country are embracing workplace flexibility. While this looks different at every company, workplace flexibility can include flextime, telecommuting and unlimited paid time off (PTO) policies. Flexible schedules provide employees with job satisfaction, better health, increased work-life balance and less stress.

Address Workplace Stress

Nearly 80% of Americans consider their jobs stressful. Chronic workplace stress can contribute to increased employee fatigue, irritability and health problems. Additionally, workplace stress costs U.S. employers approximately $300 billion in lost productivity annually.

While it may not be possible to eliminate job stress altogether for your employees, you can help them learn how to manage it effectively. Common job stressors include a heavy workload, intense pressure to perform at high levels, job insecurity, long work hours, excessive travel, office politics and conflicts with co-workers.

You can implement various activities to help reduce employee stress, which can improve health and morale—and productivity.

  • Make sure that workloads are appropriate.
  • Have managers meet regularly with employees to facilitate communication.
  • Address negative and illegal actions in the workplace immediately—do not tolerate bullying, discrimination or any other similar behaviors.
  • Recognize and celebrate employees’ successes. This contributes to morale and decreases stress levels.

Evaluate Your Benefits Offerings

Review the benefits you offer to ensure that they support mental well-being, too. Evaluate your current health plan designs. Do they cover mental health services? Reviewing the offerings that your organization provides is essential to creating a culture that supports employee mental health.

In similar fashion, look to see what voluntary benefits you can offer to support mental well-being. Consider offering simple perks like financial planning assistance (as financial stress often contributes to poor mental health), employee discount programs (where employees can receive gym memberships, stress-reducing massages or acupuncture at a lower cost) and EAPs to support your employees.

Provide Mental Health Training for Managers

One of the most significant problems hindering mental health support at work is the stigma that surrounds mental health. Despite the recent moves in society toward destigmatizing mental health, issues still persist. To ensure that no stigma surrounding mental health exists at your organization, it’s important that you properly train management in recognizing the signs of mental illness, excessive workplace stress, workplace bullying and fatigue. Moreover, managers should be trained to handle potentially difficult conversations with employees surrounding their mental health. Ultimately, they should be prepared to speak openly about mental health rather than avoid the topic. Visit the Substance Abuse and Mental Health Services Administration’s Workforce webpage to learn more.

NAPEO announces in-person conference opening back up for September 27-29, 2021

NAPEO’s President, Mr. Pat Cleary, has exciting news about future in-person meetings and events!

The following post is from an email to the members from NAPEO’s President, Mr. Pat Cleary, regarding the status of upcoming events and of in-person attendance.


Ten months ago to the day, I sent an email stating that due to COVID-19 and the associated risks that the committee voted against having the annual SAGE event and conference. It was a heartbreaking email to write, in that the conference was a speck of hope for us all, something out in the far distance that we all looked forward to, when this damned thing would be over. But it was not to be. I attached the email here because re-reading it today, it’s a bit of a time capsule, and reminds us of a low point that we experienced – and survived – together.

So today I’m writing with some very good news: I just this hour signed our contract with the JW Marriott San Antonio Hill Country to hold our conference there – in person – on September 27 – 29 this year. Just about every conversation I have had with any NAPEO member over the past few months has included a discussion of when we would be able to meet again in person. We are all suffering Zoom fatigue, that’s for sure. Looking at the email below, I said, “We want to gather with our members, and as soon as it’s safe to do so, we will.” Every organization has its own level of risk tolerance. Our litmus throughout has been the health and safety of our members and of our team here at NAPEO. Comforted and fortified by the upward trend in vaccinations and downward trend in cases – and the slow easing of restrictions – we will hold our first in-person meeting, our CFO Seminar, at the end of June (location TBD) and hold our Georgia Leadership Council Forum in-person on June 28. And the conference in September. 

I’ve said so many times that the arc of meetings during COVID was like this: Plan the meeting, book the hotel, promote the meeting, watch the registrations climb, meeting draws near, registrations begin to cancel, then the meeting cancels. We did that dance too many times in 2020. For our November Board of Directors meeting, we asked our 24 Board members if they wanted to meet virtually or in person. Twenty two said they wanted to meet in person, so we planned the meeting. The week before, in the face of too many cancellations, we moved the meeting to virtual. It was a discouraging, defeating, and tiresome cycle.

So if the cancellation of the 2020 in-person conference was a sign of despair, let this now be a sign of hope, of light, and of hopefully reaching the end of this pernicious thing that has dogged us for so long. As I said in the email below, “The sun will shine again.” And indeed it will – in San Antonio, in September.

I want to thank all of you who have stood by us, who have gamely pivoted with us to the virtual world. It wasn’t a world we wanted, but it was the world we were handed. I want to especially thank our associate members. The face to face meeting is their lifeblood, an option they didn’t have for the past year. They, too, stood with us, and we are grateful. And finally, I want to thank my team here at NAPEO. I use the royal “we” all the time, but the truth is they are the ones who are doing the innovating, the pivoting, the work. 

As I always say, this thing isn’t completely over yet, but we appear to be moving in the right direction. I look forward to seeing – and celebrating with – you all in San Antonio. 

All the best,

Pat Cleary
President & CEO
NAPEO
707 N. St. Asaph St.
Alexandria, Va. 22314
703-739-8163

Restaurant Revitalization Fund – Act Now – the Portal is Open

The American Rescue Plan Act put in place the Restaurant Revitalization Fund (RRF) to help restaurants and other eligible businesses with funding. The Small Business Administration (SBA) application portal opens today, Friday, April 30, 2021 at 9 am. Applications will be available on Monday, May 3, 2021 at noon.

If you have been in business from January 2020 through March 2021, start pulling the information together now so you can apply when the portal application opens. Below, we have pulled some of the important items to know from SBA.gov .

Who is Eligible

Eligible entities who have experienced pandemic-related revenue loss include:

  • Restaurants
  • Food stands, food trucks, food carts
  • Caterers
  • Bars, saloons, lounges, taverns
  • Snack and nonalcoholic beverage bars
  • Bakeries (onsite sales to the public comprise at least 33% of gross receipts)
  • Brewpubs, tasting rooms, taprooms (onsite sales to the public comprise at least 33% of gross receipts)
  • Breweries and/or microbreweries (onsite sales to the public comprise at least 33% of gross receipts)
  • Wineries and distilleries (onsite sales to the public comprise at least 33% of gross receipts)
  • Inns (onsite sales of food and beverage to the public comprise at least 33% of gross receipts)
  • Licensed facilities or premises of a beverage alcohol producer where the public may taste, sample, or purchase products

Even those that were just starting out in Q1 of 2020, and unable to prove loss of gross receipts, are still eligible for assistance. This is great, as mostly everything offered previously has been weighted on the previous revenues and incurred loss. Instead of prior year proof of receipts, they will take into account the business plan/model for the newly opened business in 2020.

How to Apply

Check out the RRF page, here, on the SBA website for the application process. You have 2 options: you can apply through your SBA-recognized Point of Sale system or through the online application portal. Use this link to access the sample application, SBA Form 3172, and prepare what will be needed to apply. You can also access this RRF guide to help you through the process.

Additional Documentation Needed to Apply

Additional documentation required:

  • Verification for Tax Information: IRS Form 4506-T, completed and signed by Applicant. Completion of this form digitally on the SBA platform will satisfy this requirement.
  • Gross Receipts Documentation: Any of the following documents demonstrating gross receipts and, if applicable, eligible expenses
    • Business tax returns (IRS Form 1120 or IRS 1120-S)
    • IRS Forms 1040 Schedule C; IRS Forms 1040 Schedule F
    • For a partnership: partnership’s IRS Form 1065 (including K-1s)
    • Bank statements
    • Externally or internally prepared financial statements such as Income Statements or Profit and Loss Statements
    • Point of sale report(s), including IRS Form 1099-K

For applicants that are a brewpub, tasting room, taproom, brewery, winery, distillery, or bakery:

  • Documents evidencing that onsite sales to the public comprise at least 33.00% of gross receipts for 2019, which may include Tax and Trade Bureau (TTB) Forms 5130.9 or TTB. For businesses who opened in 2020, the Applicant’s original business model should have contemplated at least 33.00% of gross receipts in onsite sales to the public. 

For applicants that are an inn:

  • Documents evidencing that onsite sales of food and beverage to the public comprise at least 33.00% of gross receipts for 2019.

Other Important Items to Highlight

For businesses who opened in 2020, the Applicant’s original business model should have contemplated at least 33.00% of gross receipts in onsite sales to the public.

The PPP loan dollars that you previously applied for and received will be deducted from the gross receipts calculation. So as long as your 2019 gross receipts exceed what you received in gross receipts for 2020 and the funds received under the PPP loan in 2020 you will be able to apply for relief through this fund.

EIDL loan amounts received are not included in this application calculation consideration.

Allowable Use of the Funds

  • Business payroll costs (including sick leave)
  • Payments on any business mortgage obligation
  • Business rent payments (note: this does not include prepayment of rent)
  • Business debt service (both principal and interest; note: this does not include any prepayment of principal or interest)
  • Business utility payments
  • Business maintenance expenses
  • Construction of outdoor seating
  • Business supplies (including protective equipment and cleaning materials)
  • Business food and beverage expenses (including raw materials)
  • Covered supplier costs
  • Business operating expenses

We, at Libertate Insurance Services, wish you luck in this process.

10 Workplace Safety Considerations for Small Business Owners


Content utilized to create this post was from Forbes Magazine’s Human Resources Council (includes Megan Leasher, Nicole Smartt Serres, Sameer Penakalapati, Tracy Cote, Chris Stanzione, Subhashree Chaudhuri, Courtney Peterson, Tina R. Walker, Kristin Fowler & Madhukar Govindaraju).

The vaccines have arrived and the numbers are trending up, down and all around depending on what network you’re watching and who you are speaking with. The fact is small, midsize and enterprise-level businesses are considering what approach they should take for getting their staff back to work in an office environment. The majority of small and mid-sized employers are looking at using a blended approach, meaning they plan on implementing more work-from-home flexibility with their existing in-office staff. 59% of those that are working from home support a work schedule that allows working from the office and at home. We wanted to provide 10 impactful considerations for employers as they forge forward.

TEN WAYS TO CREATE A SAFE WORK ENVIRONMENT


1. There is no one-size-fits-all approach

Have a plan that fits your cultural goals and direction. Your plan should be a blend of meeting all safety & risk management guidelines from a legal perspective along with proper consideration for what the organization and its people need.

2. Communication is not a one-way street

Involve trusted staff to carry the message of your risk & safety policies. Encourage employee participation in the development process. When your employees feel that their input is valued your office will be engaged in carrying your message. Design the process to be sustainable at all levels of your organization.

3. Proper work-life balance impacts mental health

Employees may be asked to get used to another new normal. Whether that means coming back into the office on a more regular basis or permanently, try and remember that by and large employee mental wellness suffered throughout the pandemic. As you take steps to protect the safety and health of your workforce, do not overlook mental health and wellness. Everybody has unique circumstances that may adversely impact their mental well being so little adjustments like extending flexible work hours can go a long way to employee satisfaction.

4. Play by the same set of rules – that means everybody

It is easy to become disregardful of even the most sensible of guidelines that have been established for the greater good of the group. Common-sense guidelines supported by your state or OSHA need to be followed by everybody. Consistency is the key for resonating the message. Send out reminders as often as necessary and echo your message firmly. Somebody who refuses to abide by clearly defined rules may need to be sent home. Be relentless about making sure everybody is playing by the same set of rules.

5. Be mindful of each other’s responsibilities

Small to mid-sized businesses need to be aware of the risk and safety management responsibilities and the varying degrees the employer and the employee are responsible for. When it comes to providing a safe working environment, provide safety options, consider alternative ways of doing a job safely, and engage employees in a mutually agreeable way. Remaining open-minded and reserving judgement is crucial as well.


6. Tap into available consultative and training resources

Shameless self-promotion is coming in five, four, three, two and one; do you have access to safety and health resources through an agency, consultant or expert… such as a Libertate Insurance for example? Inquire about the available voluminous resources that your reliable partners possess when it comes to evolving environments, laws and compliance requirements! Leverage your partnerships, especially those involved in your firm’s best interest, and you will be amazed at what “we”, I mean they, will be able to help you with.

7. Put safety policies front and center

Do you remind employees about the ongoing safety and mask campaign? Chances are safety policies are not necessarily the primary thought running through your employees’ minds while racing from desk to printer and back. Your firm’s culture needs to foster regular engagement to the point it becomes second nature. Emotional intelligence goes a long way in the delivery of your message. Remind employees of the care and concern leadership has for their well-being; it will be appreciated.

8. Make health and safety part of your organization’s culture

It is all of our responsibility to protect each other and minimize risks. When you see something, say something. Avoid expecting somebody else to see and say something. Every member of the organization can play an active role and should.

9. Do they understand your expectations?

If you create a health and safety culture with team members that own the message and every member of the organization is singing the same safety tune, you have won the expectation battle. Do not allow the loose ends or the uninformed to be the squeaky wheel. Be consistent, be vigilant and be clear about what is expected.

10. Get creative about getting input from office and field staff

Companies have implemented daily check-ins, reporting processes and employee task forces to encourage information about risk and safety to flow in daily. Create a safety game, make sure managers are listening, remember one voice and one message. Make safety and risk management happen.