…was yesterday and we did not celebrate it here on the Compass where we take that title as a compliment!
25% of insurance professionals will reach retirement age by 2018 and only 5% of college graduates are very interested in pursuing a career in the insurance industry. That will create huge opportunity for newly-minted insurance nerds of all ages in the near future. Data management and predictive modeling are going to make this industry far sexier in the years to come…
Does your company have a process in place to combat and/or react to a ransomware attack? If not, you should. The below article published on krebsonsecurity.com outlines one of the newest ransomware threats.
———–
A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.
The ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya.
According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, some domestic banks and largest power companies all warned today that they were dealing with fallout from Petya infections.
Danish transport and energy firm Maersk said in a statement on its Web site that “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” In addition, Russian energy giant Rosneft said on Twitter that it was facing a “powerful hacker attack.” However, neither company referenced ransomware or Petya.
Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.
Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.
Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now. However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks.
Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.
Petya seems to be primarily impacting organizations in Europe, however the malware is starting to show up in the United States. Legal Week reports that global law firm DLA Piper has experienced issues with its systems in the U.S. as a result of the outbreak.
Through its twitter account, the Ukrainian Cyber Police said the attack appears to have been seeded through a software update mechanism built into M.E.Doc, an accounting program that companies working with the Ukranian government need to use.
Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.
Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.
Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
Ransomware encrypts important documents and files on infected computers and then demands a ransom (usually in Bitcoin) for a digital key needed to unlock the files. With most ransomware strains, victims who do not have recent backups of their files are faced with a decision to either pay the ransom or kiss their files goodbye.
Ransomware attacks like Petya have become such a common pestilence that many companies are now reportedly stockpiling Bitcoin in case they need to quickly unlock files that are being held hostage by ransomware.
Security experts warn that Petya and other ransomware strains will continue to proliferate as long as companies delay patching and fail to develop a robust response plan for dealing with ransomware infestations.
According to ISACA, a nonprofit that advocates for professionals involved in information security, assurance, risk management and governance, 62 percent of organizations surveyed recently reported experiencing ransomware in 2016, but only 53 percent said they had a formal process in place to address it.
Unfortunately, cybercrime isn’t going anywhere anytime soon. Below is a brief update from the FBI on the topic.
Losses from cyber crimes rose 24 percent in 2016 to over $1.33 billion, according to a report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3).
The center, which was set up in 2000 to receive complaints of internet crime, received 300,000 complaints during the year from hacking victims.
Businesses lost $360 million to cyber criminals, who tricked them into wiring money using fraudulent emails that appeared to be from corporate executives and suppliers, according to the report released on Wednesday.
IC3 said it received 2,673 complaints last year from victims of ransomware, with losses totaling over $2.4 million.
In May, the WannaCry ransomware attack infected 300,000 computers in more than 150 countries, disrupting factories, hospitals, shops and schools.
Ransomware is a form of malware that encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.
Cyber Insurance is quite possibly one of the most discussed and equally misunderstood concepts over the past several years. If you own a business, you must ensure you are protected from cybercrime. Libertate Insurance has access to several markets one of which is a new PEO Cyber Master program. Contact us today for more information.
Sharlie Reynolds, 305.495.5173 / sreynolds@libertateins.com
The decision to expand into a new state for a PEO can be a daunting decision with many elements to consider. One item of consideration is the registration fees charged by the state in question. These upfront fees impact your Risk Manager’s decision when contemplating profitability of a new client company with operations in a state new to your PEO.
Nebraska just make this decision a little easier.
Nebraska has lowered the barrier of entry for a PEO looking to do business in their state. The new fee structure change is as follows:
For initial registration, the fee changed from $2,500 to $250
For annual renewal of registration, the fee changed from $1,500 to $150.
For initial limited registration, the fee changed from $1,000 to $100.
For the full regulation filing Click Here
-David Campbell
JUNE 02, 2017 BY ED ZOLLARS, CPA
In News Release IR-2017-103 the IRS announced that it has finally approved the first batch of certified professional employer organizations (CPEOs) The legislation authorizing CPEOs was passed in late 2015 and the legislation originally targeted January 1, 2016 as the date employers could begin using such organizations.
However, the IRS took time to publish the rules under which an application could be made and to process such an application, so the program got off to a late start. Now the IRS has issued notices of certification to 84 organizations.
The new release indicates that once an approved organization provides the IRS with a surety bond, the CPEO’s name, address and effective date of certification will be published on irs.gov.
The news release describes the program as follows:
Certification affects the employment tax liabilities of both the CPEO and its clients. A CPEO is generally treated as the employer of any individual performing services for a client of the CPEO and covered by a CPEO contract between the CPEO with the client, but only for wages and other compensation paid to the individual by the CPEO.
As a practical matter this means that if the requirements are met (including the organization agreeing to act as a CPEO for the employer as part of its engagement) the employer will no longer be at risk for unpaid payroll taxes. Normally a business remained liable for the payroll taxes being paid to the IRS should the PEO fail to actually pay over the tax money it had obtained from the business.
CPEOs have to meet certain requirements to maintain that status. As the news release notes:
To become and remain certified under the new program, CPEOs must meet tax compliance, background, experience, business location, financial reporting, bonding, and other requirements.
The release concludes by noting the IRS is continuing to process applications, and those who weren’t included in the first batch of 84 certifications should receive a decision from the IRS “in the coming weeks and months.”
Rada Kleyman
Risk Manager
GILLIAN MOHNEY – Good Morning America May 4, 2017
After weeks of wrangling, protests and pressure from the White House, a new health care bill was passed by the House of Representatives today. The new bill has changed multiple times since Republicans originally introduced it in March.
Here are some key takeaways about the newest version of the American Health Care Act (AHCA), also referred to as Trumpcare.
Pre-existing conditions
Technically, people with pre-existing conditions may not be barred from obtaining insurance coverage under the AHCA. However, their coverage options could be seriously affected by this bill. States would be permitted to apply for waivers to exempt insurance companies from a community rating provision and allow them to charge far higher premiums for people with pre-existing conditions.
The community rating provision is a way of setting premiums and is designed to ensure risk is spread evenly across a larger pool. This means that people are charged the same rate regardless of factors like health status. Under the Affordable Care Act, insurance companies may charge different rates for identical plans only on the basis of age, geographic location, the number of people covered and tobacco use, according to the Kaiser Family Foundation.
Under the AHCA, people in certain states could face far higher premiums for pre-existing conditions. States that apply for this waiver would have to implement high-risk insurance pools to accommodate them. But health care experts are skeptical that these high-risk pools would have enough money to fully cover people in need.
Karen Pollitz, a senior fellow at the Kaiser Family Foundation, told ABC News that if there is no protection from higher costs for their specialized insurance plans, people with pre-existing conditions would likely be priced out of
coverage. In the 1990s, she added, people with pre-existing conditions who recently lost their jobs were supposed to be protected by the Health Insurance Portability and Accountability Act and not be barred from obtaining insurance coverage. However, insurance companies charged far higher premiums for people with pre-existing conditions.
“To actually protect someone with pre-existing condition … they need full protection. Otherwise, it’s like giving someone half a bulletproof vest,” Pollitz said. Top ‘Trumpcare’ takeaways, changes How the new ‘Trumpcare’ proposal could affect consumers
High-risk pools
The newest version of the bill allocates $8 billion over five years for states that apply for the waiver, to help cover the costs of care for people with pre-existing conditions. Most likely, the states would use this money to help fund a high-risk insurance pool for residents with pre-existing conditions.
Pollitz said it’s unclear why $8 billion was picked as an appropriate number to fund a high-risk insurance pool, especially since it’s unknown how many states would apply for the waiver and how many people with pre-existing conditions would need help paying for care.
“Eight billion is not a number that bears any resemblance … to what this would cost,” she told ABC News. Before the Affordable Care Act, 35 states had high-risk pools to cover residents who otherwise would not be insured because of pre-existing conditions. The Kaiser Family Foundation found that state high-risk pools often had significantly higher premiums and likely included just a small fraction of people who needed coverage.
Health care mandate
The Trumpcare bill does away with the mandate under the ACA that requires people have health insurance or pay a fine. Under the new bill, people who go 60 days without health coverage would be penalized if they rejoin a health plan; they would face a 30 percent penalty on their insurance policy for one year.
Christine Eibner, a senior economist and professor at the Pardee Rand Graduate School, told ABC News in an earlier interview that some people would likely not view insurance as a necessity and be more willing to bet that they could afford the 30 percent surcharge on health insurance down the line.
“It doesn’t seem that punitive,” she said. “You’re still guaranteed that you can get health insurance … For some people, that might be affordable, and you might end up with employer coverage in the interim.”
Essential health benefits
Under the ACA, certain essential health benefits — including maternal care, prescription coverage and mental health care — must be a part of any insurance plan. Under the new Trumpcare bill, states could apply for a waiver to exempt insurance plans from including these benefits in their plans. To qualify, the states would need to prove they could either lower the cost of health care for people or increase the number of people covered by insurance.
Health experts say that if this provision is enacted, costs for people in need of specific essential health benefits will likely face higher premiums because insurance companies will assume that a person who signs up for a plan with maternal care or prescription benefits will be likely to use those benefits.
“If somebody needs maternity care, it will be much more expensive,” Eibner said.
Pollitz said that insurance companies would likely offer cheaper plans but that under those plans, people would be left vulnerable to high medical costs.
“If you waive hospitalization or prescription drugs, then it starts to make the policy cheaper, for sure,” she said. “But you’re also back to part of the [bulletproof] vest again.”
Tax credit changes
Under the new bill, qualifications for tax credits to help pay for health insurance would change significantly.
While the ACA offers a scale of credits that take into account family income, cost of insurance and age, the Trumpcare plan would offer flat tax credits per individual, focused on age. The House GOP bill would provide tax credits of $2,000 to $14,000 a year for individuals who don’t get insurance coverage from an employer or the government. The credits would be based on age instead of income and would be capped for higher earners.
People who are older, are lower-income or live in areas with high insurance premiums would likely receive smaller tax credits under the new bill than they do under the ACA. Those who are younger, have higher incomes or live in areas with lower insurance premiums would likely receive more government assistance than they currently do, according to the Kaiser Family Foundation.
A 64-year-old who makes $26,500 a year could see net out-of-pocket costs increase from $1,700 a year under the current law to $14,600 a year under the GOP plan, according to Congressional Budget Office estimates. A 40-year-old making the same amount would pay a few hundred dollars more after the tax credits, from $1,700 under Obamacare to $2,400 under the GOP bill.
Medicaid
The new bill calls for major changes to the way Medicaid is funded. First, the federal support of expanded Medicaid coverage, to those earning no more than 133 percent of the federal poverty level, would be rolled back. States that expanded Medicaid would no longer receive extra funds for new expansion beneficiaries after 2020, Kaiser Health News said.
People who receive Medicaid would be required to work unless they are disabled, pregnant or elderly.
Beginning in 2020, federal Medicaid financing would be changed to a per capita cap rather than a matching program, under which the federal government has supplied funds based on the number and needs of the enrollees.
Additionally, after 2020, state Medicaid plans would no longer be required to provide ACA-designated essential health benefits, including emergency services, pregnancy and newborn care, prescription drugs and pediatric services. Capping federal funds for Medicaid could have a huge impact on seniors and disabled children who depend on that coverage, according to Pollitz.
“There are 75 million people on Medicaid today. It’s the second-largest source of coverage,” she said. Employer coverage is the largest.
She pointed out that without federal funds to help with Medicaid coverage, states may have less money to help fund high-risk pools or other subsidies to help people afford health care. The changes would reduce $880 billion in federal spending on Medicaid over the next decade, pushing onto the states more of the financial burden for covering more than 74 million people in the program, according to the Kaiser Family Foundation
“It would be a big hit for states,” Pollitz said. “It matters for the coverage and what states are going to be willing to spend in addition to this federal grant money. They’re going to have their hands full.”
Older adults vs. younger adults
Under the ACA, insurance companies may charge an older person no more than three times its premium for a younger person with an identical plan. The new bill would increase the maximum allowable ratio to 5 to 1, which could significantly increase older people’s premiums for comparable plans. States would be able to set different maximum ratios.
Eibner said that older Americans not yet eligible for Medicare would be at risk for expensive premiums.
“They will face higher premiums than they currently do, and the younger people will face [lower] premiums.”
http://www.vorys.com/publications-2001.html
Today, the U.S. Department of Labor (DOL) announced that it is withdrawing two Administrator’s Interpretations on joint employment and independent contractors that were issued under the Obama administration. Both interpretations had the potential to increase employers’ liability for misclassification and for wage-hour penalties for being deemed a joint employer.
In 2015, the DOL released an Administrator’s Interpretation discussing misclassification of employees as independent contractors. There, the DOL took the position that “most workers are employees under the Fair Labor Standard Act’s broad definitions.” And so, the DOL reasoned, this intended “expansive coverage for workers” had to be considered when determining whether a worker would be deemed an employee or an independent contractor. In 2016, the DOL released an Administrator’s Interpretation on joint employment. There, the DOL took the position that joint employment is “more common” and “should be defined expansively.” Consequently, the DOL “may consider joint employment to achieve statutory coverage, financial recovery [i.e., the deep pocket], and future compliance, and to hold all responsible parties accountable for their legal obligations.”
Despite the DOL’s withdrawal of these Administrator’s Interpretations, misclassification and joint employment will continue to be important issues for employers. For example, in January 2017, the Fourth Circuit Court of Appeals recently created its own test for determining joint employment under the Fair Labor Standards Act. And in May 2017, the New York City “Freelance Isn’t Free Act” became effective. This law significantly enhances protections for the city’s 1.3 million freelance workers (in other words, independent contractors).
Rada Kleyman
Risk Manager
The Ups and Downs of the Federal and State Framework
http://www.napeo.org/peo-resources/publications-products/peo-insider/issue
Here we go: Up and down, around and around. Step right up and hop on the legal and
regulatory roller coaster.
PEOs are no strangers to this wild ride, but in times like these, it’s not any less exhilarating, or nauseating, as the case may be.
On the federal level, these measures are currently in flux as the new administration comes in:
One thing that is not in flux is the new EEO-1 form: The old form had 121 data points, while the new one has 3,360. PEOs should be ready for this new twist, however, because the Equal Employment Opportunity Commission (EEOC) for the first time will use analytics software to identify indicators of potential discrimination on the front end.
On the state level, the rules in the states and local jurisdictions remain a jumble. State licensing and registration laws offer a mix and match variety of provisions addressing everything from direction and control to hiring and firing and treatment of taxes to benefits payments. Human resources and employment laws, governing things such as “ban the box” rules and paid sick leave, can vary down to the local level. Proposals designed to raise revenue, which affect PEOs, are on the rise among the states.
Finally, two PEO execs offer their experience keeping up with and navigating issues in the states, which may make your journey a bit smoother.
So, hang on, and don’t be surprised if by the end of the ride things have changed again.
The Effect of the Department of Labor Fiduciary Rule on PEOs
On April 8, 2016, the Department of Labor (DOL) published a final regulation defining who is a fiduciary of an employee benefit plan under Section 3(21)(A)(ii) of the Employee Retirement Income Security Act (ERISA) as a result of giving investment advice to a plan or its participants. The final rule also applies to the definition of a fiduciary of a plan under Section 4975e(3)(B) of the Internal Revenue Code of 1986, as amended (Code), which includes individual retirement accounts (IRAs).
The final rule treats persons who provide investment advice or recommendations for a fee or other compensation with respect to assets of a plan or IRA as fiduciaries to a wider array of advice relationships than was true of the definition under DOL regulations issued in 1975. On the same date, the DOL published a new prohibited transaction class exemption and amended existing prohibited transaction class exemptions the purpose of which was to allow, subject to appropriate safeguards, certain broker-dealers, insurance agents, and others who previously did not regard themselves as ERISA fiduciaries, that act as investment advice fiduciaries, to continue to receive a variety of forms of compensation that would otherwise violate prohibited transaction rules, triggering excise taxes and civil liability.
The new definition of fiduciary and the related prohibited transaction exemptions became effective on June 7, 2016, with an applicability date of April 10, 2017. President Trump, by memorandum to the secretary of labor dated February 3, 2017, directed the DOL to examine whether the final fiduciary rule may adversely affect the ability of Americans to gain access to retirement information and financial advice, and to prepare an updated economic and legal analysis concerning the likely impact of that final rule as part of the examination.
In response to the memorandum, on March 2, 2017, the DOL proposed a 60-day delay of the applicability date, until June 9, 2017. The DOL proposed a 15-day comment period, which would provide the DOL with slightly more than two weeks to review the comments and publish a final rule. However, the comment period for the broader purpose of examining the final fiduciary rule and exemptions is a 45-day period, ending on April 17. Upon completion of its examination, the DOL could allow the final rule and prohibited transaction exemptions associated with it to become applicable, issue a further extension of the applicability date, propose to withdraw the rule, or propose amendment to the rule and the prohibited transaction exemptions. At the time this article was drafted, it was uncertain which of these outcomes would occur.
THE EFFECT ON PEOS
How would PEOs be affected if the DOL Fiduciary Rules were to be implemented without any modifications? PEOs were certainly not the targets of the revised fiduciary rule—entities that were primarily affected were broker-dealers, consultants, and insurance agents who under the 1975 regulations were able to take the position that they were not ERISA fiduciaries. For example, broker-dealers need to satisfy the Financial Industry Regulatory Authority (FINRA, formerly the National Association of Securities Dealers, or NASD) standards of suitability when selling to a plan or a participant, but they would not be subject to the ERISA fiduciary standards. In contrast, under the DOL fiduciary rule and particularly under the Best Interest Contract Exemption, if an individual or a plan fiduciary hired a financial advisor to assist with retirement planning and assets, the financial advisor would need to act in the best interest of the plan or the participant, avoid prohibited transactions, and be transparent with his or her compensation.
If a PEO is the sponsor of a 401(k) plan, it almost certainly is already an ERISA fiduciary, and probably in multiple capacities. Under Section 3(21) of ERISA, without regard to the DOL Fiduciary Rule or even its predecessor regulation, a person is a fiduciary if he or she:
Applying these rules, the PEO will be the administrator of the plan under Section 3(16) of ERISA because it will either be designated as the administrator in the plan document, or, if the plan document is silent, it will be the administrator. An administrator is a per se fiduciary under ERISA, and while this might appear to be a status that the PEO could live with—because under ERISA, being a fiduciary for one purpose generally does not make an entity a fiduciary for all purposes—it is one that under current law exposes the PEO to potential significant liability if the DOL were actively to pursue its closed multiple-employer plan (MEP) theory to PEOs. Under that theory, a PEO sponsoring a multiple-employer plan under Internal Revenue Code Section 413(c) would be regarded as sponsoring a series of single-employer plans under ERISA. The plan document would most likely provide that the PEO is the party that has the ability to interpret the plan, which is another type of fiduciary activity. The PEO would also be the party that selects and monitors the performance of the service providers to the plan, which involves not only ensuring that the fees are reasonable, but also evaluating the quality of services. Most importantly, under Section 402(a)(1) of ERISA, an employee benefit plan such as a 401(k) plan must have a named fiduciary who has the authority to control and manage the operation of the plan, and the PEO is the likely candidate here as well.
Unlike other fiduciaries under ERISA Section 3(21), who are fiduciaries only to the extent that they perform certain functions, the named fiduciary is effectively the quarterback of the 401(k) plan and needs to understand all of its operations. This is not to say that there are no circumstances under which a PEO could become an ERISA fiduciary by providing investment advice for compensation. For example, if a PEO were speaking to a potential client that was operating its own 401(k) plan unsuccessfully and was considering entering into a client service agreement (CSA) with a PEO, if the PEO were, as part of its description of the 401(k) plan, to reference the successful performance of the investment options under the plan, that recommendation would make the PEO an investment advice fiduciary. However, if a PEO is dealing with a potential client that does not maintain a plan and is solely an employer, the fiduciary rule would have no effect, because under ERISA no fiduciary obligations are owed to an employer, and an employer who is not also a plan fiduciary generally cannot maintain a civil action under Section 502 of ERISA for breach of fiduciary duty.
However, the PEO could be affected by the DOL fiduciary rule in its capacity as a plan sponsor. In one sense, the DOL fiduciary rule has no effect upon plan sponsors, who will be subject to the same basic fiduciary duties as they currently are:
However, a plan sponsor’s relationship with its service providers may change, particularly if the DOL fiduciary rule changes that person’s status from non-fiduciary to fiduciary. The disclosure required under ERISA Section 408(b)(2) will change because additional disclosure is required from fiduciaries, and the contract with that service provider will also need to be modified. The service provider may increase its fees to address the increased exposure that it has as an ERISA fiduciary. While this is entirely permissible under ERISA, the PEO will need to ensure that the increased fees are within the reasonable range. Also, there is a concept under ERISA of co-fiduciary responsibility, and the presence of another fiduciary means that there is also an increased risk of co-fiduciary liability.
The usual cautionary note about needing to consult with counsel is multiplied with respect to the DOL fiduciary rule because it is such a moving target. For example, efforts by the DOL to delay the applicability date of the fiduciary rule may be subject to legal challenge, or the rule may be rescinded. It is safe to say that a regulatory update one year from now will almost certainly be quite different from this one.
Barry Salkin, Esq. is of counsel at Wagner Law Group, Boston, Massachusetts.
This article is designed to give general and timely information about the subjects covered. It is not intended as legal advice or assistance with individual problems. Readers should consult competent counsel of their own choosing about how the matters relate to their own affairs.
Posted by:
Rada Kleyman
Risk Manager