This is Why You Should Double Check Your Cyber Insurance Policy

Whether a business is in healthcare, accounting, legal, real estate, manufacturing, etc., most of a business’ important assets are digital. (Government municipalities are included too.) To make matters complicated, it’s very common for these digital assets to be stored in various systems and locations, intertwined with a third party’s digital information. With so many opportunities for disaster, steps must be taken to insure this critical information.

Cyber insurance is a new frontier that is rapidly evolving as the industry gets its bearings. Many companies are finding that their current cyber policies have very minimal coverage in case of a cyber breach, and the majority of these policies will not come close to providing the necessary breach coverages to the business or municipality.

When looking at your existing or new cyber policy, it’s important to consider these types of coverages:


As we have come to realize, the idea that security starts and ends with the purchase of a pre-packed firewall is simply misguided

Art Wittman

1. Privacy Breach Notification

Some reports estimate the notification and credit monitoring costs alone are over $100 per record, so if you had 1,000 compromised records, this alone could cost $100,000 or more.

2. Data Loss Restoration

Believe it or not, many large insurance carriers have policy exclusions for the replacement and restoration of data, so be very careful in this area when reviewing your policy.

3. Privacy Liability

This covers the theft or loss of private information related to customers and other third-party information that is in your care.

4. Regulatory and PCI Defense

Many industries are under strict regulatory control, and breaches may result in fines and other penalties from these regulatory agencies.

5. Public Relations

If an enterprise has a breach, the bad press they receive can do significant long term reputational damage and can also be used by competitors to their advantage. This coverage will help hire a public relations firm to mitigate the reputational damage your name brand might incur.

6. Cyber Crime

If your organization is threatened with various cyber threats such as malicious code that will result in financial loss or data loss, this coverage is needed for the reimbursement of the costs associated with these threats.

7. Defense and Settlement Costs

A breach affecting a lot of customers may result in lawsuits and financial settlements, so insurance coverage is needed to offset these potentially enormous costs.

8. Consulting and Forensic Fees

If a breach does occur, the upfront investigative process will require a lot of professional expertise and a lot of money, and this specific coverage will offset these significant costs.

9. Business Continuity

If a hack causes your business to lose income, this coverage will reimburse you for these losses.

It takes 20 years to build a brand or company reputation and a few minutes within a cyber incident to ruin it

Stephane Nappo

For a free cyber insurance policy evaluation, contact Libertate Insurance today at 813-367-7574 or email me, James Buscarini at jbuscarini@libertateins.com.

Our professionals are happy to review and discuss your firm’s existing cyber liability insurance policy and its relation to your unique business requirements, needs and cyber coverage. Our goal is to help your PEO and client companies navigate the cyber liability insurance landscape and identify potential vulnerabilities that could be exposed based on your existing technology network and infrastructure. Finally, we want to make sure that in the event of a ransomware attack, business email compromise or phishing expedition, your firm has adequate coverage in each of the areas where you might be targeted.

White House Issues Ransomware Prevention Guidance to Businesses

In a recent letter addressed to corporate executives and business leaders, the White House emphasized that
bolstering the nation’s resilience against cyberattacks is a main priority for President Joe Biden’s administration.
Specifically, as ransomware attacks continue to rise in both cost and frequency throughout the country, the
federal government is urging businesses to take this evolving cyber threat seriously.

These attacks—which entail a cybercriminal deploying malicious software to compromise a business’s network or
sensitive data and demand a large payment be made before restoring this technology or information—have
quickly become a growing concern across industry lines. In fact, the latest research provides that ransomware
attacks have increased by nearly 150% in the past year alone, with the median ransom payment demand
totaling $178,000 and the average overall loss from such an attack exceeding $1 million.

While the White House has begun working with both domestic and international partners on various strategies to
prevent ransomware attacks, the Biden administration is also encouraging businesses to play their part in
minimizing this rising cyber concern. Rather than viewing ransomware attacks as a minor cyber risk, the federal
government is instructing businesses to view these attacks as a significant exposure—one with the potential to
wreak havoc on their key operations.

As such, the Biden administration is recommending that businesses convene with their senior leadership teams
to review their ransomware exposures and implement these top cybersecurity measures:


  • Utilize the federal government’s best practices. Businesses should be sure to incorporate the best
    practices outlined in the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity. This
    includes the following practices:
    o Implementing multi-factor authentication (MFA) on all workplace technology
    o Leveraging endpoint detection and response tools to identify and deter suspicious network activity
    o Encrypting sensitive data to make it less accessible to cybercriminals
    o Developing a trusted and skilled workplace cybersecurity team
  • Ensure an effective incident response plan. All businesses should have cyber incident response plans in
    place. These plans outline proper response protocols and offer steps for minimizing potential damages during
    cyberattacks. Businesses should make sure to include several ransomware attack scenarios within their
    response plans and routinely test these scenarios with their cybersecurity teams. Based on test results,
    businesses should revise their response plans accordingly.
  • Conduct frequent data backups. In addition to the federal government’s best practices, businesses should
    also prioritize securely backing up all sensitive data, images and other important files on a regular basis.
    Conducting such backups can help businesses remain operational and continue to access crucial data in the
    event that any workplace technology is compromised in a ransomware attack. Data backups should remain
    offline (not connected to key business networks) and be routinely tested.
  • Keep critical networks separated. In order to keep ransomware attacks from fully disrupting their operations, businesses should attempt to segment their various workplace networks (e.g., sales, production, and corporate) from one another rather than having a unified network. Access to each network should be restricted to those who use them to conduct their job tasks. Networks should only allow internet access as needed. That way, businesses can avoid becoming completely compromised by single-network ransomware attacks and continue performing critical functions.
  • Maintain updated security software. To help safeguard workplace technology from ransomware threats,
    businesses should equip their systems and devices with adequate security software—such as antivirus
    programs, firmware protections and firewalls. Further, this software must be regularly updated to remain
    effective. That being said, businesses should also consider utilizing centralized patch management systems to
    keep security software on a consistent update schedule.
  • Review workplace cyber security protocols. Apart from testing their response plans, businesses should
    also regularly assess whether their existing workplace cybersecurity policies, procedures and software are
    sufficient in protecting against current risks—such as ransomware threats. In particular, businesses should
    consider using a third-party penetration tester to review their ransomware defense tactics and overall
    cybersecurity capabilities. Businesses should work with their trusted cybersecurity teams and IT experts to
    make workplace adjustments as needed (e.g., updating policies or purchasing new security software).

For additional risk management guidance and insurance solutions, email me, James Buscarini, PCA, at jbuscarini@libertateins.com or call me at 813.367.7574.

The Risk with Search Engines

It’s no secret that your technology company depends on the capabilities of your computer systems to function. You should be aware that simple actions your employees take could be putting your company’s equipment and networks at risk of cyber-crime, including cyber-attacks, cyber theft and other computer security incidents. The average cost of a single cyber-attack is incalculable—cyber-attacks can directly target finances and ruin a business’ reputation. Your business is at stake, and you should do everything you can to protect yourself.


The Risks of Web Searches

As an employer, you should educate your employees about searching for certain topics on the internet due to the risk of coming across websites infected with viruses or malware that could be detrimental to your computer systems. Stress that the potential for cybercrime could affect employees individually as well as the business as a whole. More than 90 percent of companies surveyed by the DOJ incurred either monetary loss, system downtime loss or both because of cybercrime, so take it upon yourself to put search engine guidelines in place.


The Web’s Most Dangerous Search Terms

Searches conducted online for common terms can expose your business to the risk of cyber-crime. Encourage employees to avoid following suspicious results in search engines. Any result that promises free products or materials is suspect. The least risky search terms are usually health-related topics and searches about economic news. It is essential to remember that the number of dangerous search terms is ever changing. Hackers want to impact the greatest number of people with the least amount of effort, so they aim for popular search terms most. Ill-intentioned hackers also adapt quickly to the fast-paced nature of the internet and the public circle, so oftentimes social or celebrity events popular at a given moment climb quickly to the top of the internet’s most dangerous search terms and are a high risk for infecting your company’s computers.

According to the DOJ, businesses in industries considered part of critical infrastructure account for a disproportionate amount of computer security incidents. If your company is in any of these industries, be especially careful about internet searches to ensure computer safety and protect against potentially devastating loss, both monetary and in down time:

  • Agriculture
  • Chemical and drug manufacturing
  • Computer system design
  • Finance
  • Health care
  • Internet service providers
  • Petroleum mining and manufacturing
  • Publications/broadcasting
  • Real estate
  • Telecommunications
  • Transportation and pipelines

Take Precautions to Protect Your Business


There are examples of companies and organizations around the globe that had to shut down operations to address a large-scale virus or other malware issue. These problems can affect both large and small businesses and can cost hundreds of thousands of dollars to fix. Avoid putting yourself at risk by doing the following:

  • Enact a stricter internet use policy
  • Put more strict website blockers or filters in place
  • Educate employees about the hazards that risky search engine exploration can present

Some of these solutions may cost you in the short run, but lowering your risk will ultimately save your company from potential identity fraud, monetary cyber theft or informational cyber theft in the future.

NAPEO announces in-person conference opening back up for September 27-29, 2021

NAPEO’s President, Mr. Pat Cleary, has exciting news about future in-person meetings and events!

The following post is from an email to the members from NAPEO’s President, Mr. Pat Cleary, regarding the status of upcoming events and in-person attendance.


Ten months ago to the day, I sent an email stating that due to COVID-19 and the associated risks that the committee voted against having the annual SAGE event and conference. It was a heartbreaking email to write, in that the conference was a speck of hope for us all, something out in the far distance that we all looked forward to, when this damned thing would be over. But it was not to be. I attached the email here because re-reading it today, it’s a bit of a time capsule, and reminds us of a low point that we experienced – and survived – together.

So today I’m writing with some very good news: I just this hour signed our contract with the JW Marriott San Antonio Hill Country to hold our conference there – in person – on September 27 – 29 this year. Just about every conversation I have had with any NAPEO member over the past few months has included a discussion of when we would be able to meet again in person. We are all suffering Zoom fatigue, that’s for sure. Looking at the email below, I said, “We want to gather with our members, and as soon as it’s safe to do so, we will.” Every organization has its own level of risk tolerance. Our litmus throughout has been the health and safety of our members and of our team here at NAPEO. Comforted and fortified by the upward trend in vaccinations and downward trend in cases – and the slow easing of restrictions – we will hold our first in-person meeting, our CFO Seminar, at the end of June (location TBD) and hold our Georgia Leadership Council Forum in-person on June 28. And the conference in September. 

I’ve said so many times that the arc of meetings during COVID was like this: Plan the meeting, book the hotel, promote the meeting, watch the registrations climb, meeting draws near, registrations begin to cancel, then the meeting cancels. We did that dance too many times in 2020. For our November Board of Directors meeting, we asked our 24 Board members if they wanted to meet virtually or in person. Twenty two said they wanted to meet in person, so we planned the meeting. The week before, in the face of too many cancellations, we moved the meeting to virtual. It was a discouraging, defeating, and tiresome cycle.

So if the cancellation of the 2020 in-person conference was a sign of despair, let this now be a sign of hope, of light, and of hopefully reaching the end of this pernicious thing that has dogged us for so long. As I said in the email below, “The sun will shine again.” And indeed it will – in San Antonio, in September.

I want to thank all of you who have stood by us, who have gamely pivoted with us to the virtual world. It wasn’t a world we wanted, but it was the world we were handed. I want to especially thank our associate members. The face to face meeting is their lifeblood, an option they didn’t have for the past year. They, too, stood with us, and we are grateful. And finally, I want to thank my team here at NAPEO. I use the royal “we” all the time, but the truth is they are the ones who are doing the innovating, the pivoting, the work. 

As I always say, this thing isn’t completely over yet, but we appear to be moving in the right direction. I look forward to seeing – and celebrating with – you all in San Antonio. 

All the best,

Pat Cleary
President & CEO
NAPEO
707 N. St. Asaph St.
Alexandria, Va. 22314
703-739-8163

Disruption in the Marketplace

This post utilized content from Property Casualty 360’s Heather Turner & PRNewswire.

On January 4th, 2021, PRNewswire announced Philadelphia Insurance Companies’ (PHLY) acquisition of the Staffing Insurance Business offered by Worldwide Specialty Programs, Inc. The transaction closed on December 31, 2020, complementing PHLY’s broad suite of specialty services. PHLY markets and underwrites commercial property/casualty & professional liability insurance products. PHLY has an “A++” (Superior) rating by AM Best Company.

We anticipated the post-acquisition news being focused on PHLY’s delivery of industry-specific services to the temporary staffing space. Similarly, we are committed to a different industry niche, the Professional Employer Organization (PEO). We remain hopeful that PHLY will continue to support PEO, just as Worldwide has done for many years.

Entering the 2nd Quarter of 2021, uncertainty has become part of our new normal. In a recent article, Property Casualty 360 discussed fluctuation within the marketplace (4th Quarter 2020 – 1st Quarter 2021). Pre-COVID validated the firming of the marketplace. The initial impact increased underwriting scrutiny, rate increases, higher retentions, jurisdictional scrutiny and capacity reduction. As a result of COVID-19 related case uncertainty, higher than normal judgements, and developing CAT losses, there has been a continual hardening of the market. We expect rate increases, lowering capacity, limiting or transferring risk, and insurers’ scrutinization of risk profiles.

In conclusion, industry and marketplace changes or shifts have always been and will continue to be.  As the industry constricts, options, terms and conditions tend to constrict with it.  Your upcoming casualty lines renewal may look different, and we highly recommend staying out in front of it.

With that being said, contact Libertate Insurance Services for all your PEO-related insurance needs by emailing us here.

Managing COVID-19 Vaccine Policies

THIS ARTICLE IS BEING REPOSTED BY LIBERTATE INSURANCE’S JAMES BUSCARINI. THE ORIGINAL CONTENT WAS WRITTEN IN THE FEBRUARY 2021 EDITION OF RISK MANAGEMENT MAGAZINE. ARTICLE WRITTEN BY JODY MCLEOD, ESQUIRE AND GARY PEARCE.

As COVID-19 vaccines become more available and companies return to the office, employers may want to protect their workforce by mandating vaccinations. However, it is essential that they keep in mind certain risks and how to mitigate them, including the legal limits of what they can ask of employees.

When approaching mandatory vaccinations for workers, the legal rules are reasonably established. Employers can mandate vaccinations as long as they have processes to deal with exceptions. The key exceptions concern medical disabilities covered by the Americans with Disabilities Act (ADA), and bona fide religious objections covered by Title VII of the Civil Rights Act of 1964. Because a vaccination is not a medical examination, it does not inherently trigger certain aspects of the ADA. But beware of violating ADA obligations in the course of asking pre-screening questions or securing proof of vaccinations. Unvaccinated employees—particularly those who refuse or are unable to take a vaccine for medical or religious reasons—may be excluded from the workplace if they pose a direct threat, subject to ADA and Title VII obligations to pursue a reasonable accommodation. The ADA accommodation standard is somewhat more favorable to the employee than the Title VII standard. Determining whether an unvaccinated employee poses a direct threat requires a fact-specific determination, considering the duration of risk, the nature and severity of potential harm, and the likelihood and imminence of potential harm.

Excluding an employee from a workplace because they pose a direct threat does not automatically mean termination is justified. The employer first needs to determine whether there is a feasible alternative arrangement that would not impose undue hardship, such as remote work. There remains a general duty under the federal Occupational Safety and Health Act (OSHA) to provide a workplace free from serious recognized hazards, and COVID-19 exposure will typically qualify. Of course, organizations that expose the general public to COVID-19 risk being sued.

If a company imposes a vaccination mandate, it must consistently administer exception processes regarding reasonable medical accommodations and religious objections.  It will need to understand what constitutes business necessity, and must be able to identify reasonable accommodations on a fact-specific, individualized basis. The company will need to decide whether to assume the risks and obligations arising from self-administering vaccinations, or instead depend on collecting evidence of third-party administration. Lastly, it will need to minimize the prevalence of medical inquiries—including medical details unexpectedly proffered by the employee—and preserve the confidentiality of any protected information that may thereby be received.

Other potential issues include whether there is a union contract that the company must consider, or whether any state or local laws forbid mandatory vaccination policies.  

Risks of Vaccination Mandates

If an employer requires vaccinations, it must administer the mandate consistently and consider whether the additional risk is justified. If the employer imposes the mandate for only certain categories (e.g., for customer-facing staff but not home-based workers), it will need a rational basis for its determinations. Also, a mandate could bring any adverse reactions into the realm of compensability for workers compensation, and time spent receiving a mandatory vaccine is most likely compensable for purposes of wage and hour compliance. Data privacy and retention of medical records also need to be considered in the record-keeping process as the relevant regulations and laws are quite demanding. If the company provides financial incentives to encourage compliance, income may need to be reported and taxes owed as well.

Changing and Varying Rules

It was not until December 2020 that the Equal Employment Opportunity Commission issued substantial additional guidance regarding COVID-19 obligations under prominent employment laws. As of this writing, OSHA has yet to issue any rules specific to COVID-19, but the Biden administration is expected to issue a broad rule in the coming months. States and municipalities issue executive orders and ordinances at a pace that only specialists can keep up with. Even if all the written rules are known, there is no assurance that they will be administered in alignment with what governed parties might expect. “Guidance” may become a de-facto obligation.

For all these reasons, companies cannot base their protection and recovery program solely on compliance with current legal requirements. Nor can a static “one and done” determination be sufficient. In light of all these issues, duties and uncertainties, companies should determine whether a vaccine mandate is an effective use of their administrative resources.

Business Expectations

Requiring vaccinations does not mean employers can forego the rest of their COVID-19 management protocol. Employers need to keep in mind that there is no proof that vaccinated people cannot transmit the virus to others, the vaccination seems likely to be less than 100% effective, and some people either will be unable to get the vaccine or at least will not yet have received it. Worry about a new pandemic episode will persist for years.

Many employees likely regard safety as the highest organizational priority and will look to their employer to provide reliable information about COVID-19 risk management. Failure by the organization to respect these new expectations could trigger negative social media reactions, unwanted attention from plaintiffs’ attorneys, and difficulty attracting and retaining valuable talent. While this may be a threat to some managers, it is an unprecedented opportunity to strengthen the bond of trust between employee and employer. 

As a practical matter, legal regulations tend to react to changing circumstances.  This makes it likely that any rescinding of temporary standards will occur in a somewhat tardy fashion. To date, the volume of litigation related to COVID-19 has been less than feared. However, do not take too much comfort in this. Courts have been shut down, causal connections are likely to be better understood as experience accumulates, and plaintiffs’ attorneys may surmise that juries will be more sympathetic after the worst of the crisis has passed. 

Employees Who Refuse

Surveys show that a significant portion of the population would choose not to take a COVID-19 vaccine. Some may eventually be persuaded, while others have deeper objections. Some may be uncomfortable as long as deployment is under emergency use authorizations. This unease reinforces the need to be collaborative in pandemic management and transition planning, and to communicate the reasoning behind critical decisions or policies.

The entire workforce will never agree on how best to emerge from the pandemic. Although communication is important and stakeholder feedback is necessary, securing unanimity is unrealistic. On the other hand, if a significant number of workers refuse to accept a vaccine, even in the face of an employer mandate, is the organization prepared to redeploy or replace these workers?

There is no risk-free path to a post-COVID environment. Employers must continuously assess conditions and be prepared to act promptly despite incomplete information, changing circumstances and inherent uncertainties.

Lifting Travel Restrictions

As the country slowly starts to reopen and travel restrictions begin to be lifted, it reminds me of how hard the travel industry has been impacted by COVID-19. Finding workers compensation coverage for this industry can be difficult due to the exposures associated with these risks. Libertate Insurance Services works closely with Beacon Aviation in placing coverage for this industry.  Beacon Aviation Insurance Services knows the ins-and-outs and provides workers compensation coverage for general aviation businesses.

Beacon’s Program offers the following:

Payment Options

  • Pay As You Owe
  • Carrier Direct Bill
  • Carrier Direct Debit
  • Credit Card

Endorsement Options

  • Foreign Voluntary Compensation
  • Voluntary Compensation
  • Waiver of Subrogation
  • Defense Base Act (DBA) Coverage
  • Employer Liability Coverage “Stop GAP”

If you need help placing your workers compensation with your travel or aviation risk, contact Jenny Bush, at jbush@libertateins.com. Click the link below for more details on Beacon’s Program.

Beacon Aviation Program Appetite