Data Breach Response Plan

Our business associates at Regions Bank have put together a great article on creating a Data Breach Response Plan. Q1 2019 to Q1 2020 reported a 273% increase in data breaches, exposing 8.4 billion records, from insurance providers to credit bureaus; 2021 is expected to report higher threats. In the last couple of weeks there has been a lot of noise surrounding cyber security, which brings to light what the projections or expectations for this upcoming year are. IBM identified that it takes companies an average of 280 days to identify and contain a breach/cyber security occurrence.

So what is a Data Breach Response Plan? In short, it is a roadmap for your company to follow should a breach occur. It is similar to an Emergency Response Plan, but for your data and IT platform. Top points from Regions’ article:

  • Build a Response Team; from Executive level through HR down to customer support and external vendors
  • Include and detail specifics for the following in your plan:
    • Identify breach; triggering events
    • Contain the breach
    • Notify Data Breach Team and initiate plan
    • Investigate
    • Notify internal and external relations of breach; as required by law
    • Safeguard data
    • Conclusion and review meeting; team meets to analyze breach and make adjustments to the existing plan

My personal addition to this is to research and obtain a cyber security insurance policy to mitigate your cyber risk. Cyber insurance protects against damages caused by electronic threats to your computer systems or data. Cyber threats can lead to the theft, damage or misuse of sensitive information or other vital technologies and can result in downtime and recovery costs that often include specialized repairs and legal fees.

Forbes’ article “The Best Cybersecurity Predictions for 2021 Roundup” gives us some insight as to what we can expect. Here are some of the highlights, click on the article link above for the full article.

  • 2020 reported cyberattacks on healthcare facilities in the U.S. affecting 17.3 million people in 436 breaches tracked by the U.S. Department of Health and Human Services (HHS) Breach portal.
  • Amid an expectation of decline to revenues in 2021, 51% of executives plan to increase cybersecurity budgets

Govtech.com has also chimed in on where we need to protect ourselves for 2021 and what is expected to be at greatest risk; high points listed below, click link above for full article (interesting and informative read):

  • Increased attacks expected on home computers and networks; scary seeing as though many of us are still working remotely
  • Dark web expected to allow criminals access to purchase more sensitive corporate information
  • App stores through mobile devices and smartphones are expected to be attacked
  • Cloud-based push for storage will likely create gaps in security
  • Application Programming Interfaces (API) threat models are high targets for enterprise breaches

Here at Libertate Insurance, data is a viable part of what allows us to do what we do for our clients. We hold data security at a high level of importance to our brand. We also know that the best reaction is a planned reaction. Putting a plan in place to protect your organization and your clients is important. We offer programs for cyber security that can further protect you, should you fall victim to the latest trends in the world of scams. Please contact us to review program details and understand the benefits of obtaining a cyber security policy.

Q4 2020 Cyber Risks & Liabilities Update

Some important trends that are threatening our businesses and ways to protect yourself.

How to Avoid Electronic Signing Service Scams

Although utilizing an electronic signing service can be a convenient way for your organization to digitally sign and exchange important documents (e.g., contracts, tax documents and legal materials) with stakeholders, doing so also carries significant cybersecurity risks.

Cybercriminals can utilize a variety of scamming techniques to trick electronic signing service users into sharing sensitive information, such as their signature, financial information and other personal data. From there, the criminals can use that information for a range of destructive purposes—including identity theft and other costly forms of fraud. These scams have become an increasingly prevalent threat in the midst of the ongoing COVID-19 pandemic, as many organizations have transitioned to fully remote operations.

In fact, DocuSign—a popular electronic signing service provider—recently released a statement regarding several new phishing scams that cybercriminals have implemented to fool victims into thinking they are using DocuSign’s services. These scams entail the victim receiving a fraudulent email that appears to be from DocuSign, urging them to either click on a malicious link (which then downloads malware on the individual’s device) or provide their personal information (which scammers then access to commit fraud).

Whether your organization uses DocuSign or a different electronic signing service, it’s important to educate yourself and your stakeholders—including employees, investors, customers and suppliers—on how to detect and avoid falling victim to these phishing scams. That being said, consider the following cybersecurity tips:

  • Be wary of responding to emails that claim to be an electronic signature request—especially if you weren’t expecting a request or don’t recognize the name of the individual or organization sending the request. Trusted senders would let you know they are sending a signature request before doing so.
  • Never click on links from electronic signature emails that appear suspicious—especially if the URLs for those links redirect to websites that aren’t secure or recognizable.
  • Review electronic signature emails for generic wording, grammatical errors and misspellings (both in the body of the email and within the sender’s email address). These mistakes are often key indicators of a phishing scam.

Cybersecurity Trends to Prepare for in 2021

This past year saw a wide range of changes and advancements in workplace technology utilization for organizations of varying sectors and sizes. But as digital offerings continue to evolve, so do cybersecurity threats. That’s why it’s crucial to remain up-to-date on the latest technology trends and adjust your cyber risk management strategies accordingly. As your organization starts to prepare for 2021, keep the following emerging cybersecurity concerns in mind:

  • Remote work issues—While remote working is a valuable method for protecting staff from the ongoing COVID-19 pandemic, this practice can also lead to increased cybersecurity vulnerabilities for your organization. After all, many employees may not have the same security capabilities in their work-from-home arrangements as they do in the workplace. As such, make sure your organization provides remote staff with appropriate cybersecurity training and resources, as well as implements effective workplace policies and procedures regarding cybersecurity.   
  • Cloud hijacking concerns—Especially with more employees working from home than ever before, maintaining cloud security is crucial. Cloud breaches have become more common in the past year, as cybercriminals have developed a method for hijacking cloud infrastructures via credential-stealing malware. To avoid this concern, utilize trusted anti-malware software and update this software regularly.   
  • Elevated ransomware threats—Cybercriminals continue to create new and improved ransomware attack methods each year. According to recent research from Cybersecurity Ventures, ransomware attacks are expected to cost organizations more than $20 billion in 2021, with an attack estimated to take place every 11 seconds. To help protect your organization from ransomware attacks, use a virtual private network, place security filters on your email server and educate staff on ransomware prevention.
  • Data privacy expectations—As more and more organizations start storing sensitive information on digital platforms, data privacy is a growing concern. If your organization stores sensitive information digitally, it’s vital to utilize proper security techniques to protect such data (e.g., encryption) and abide by all relevant data privacy regulations.
  • Skills shortages—Despite ongoing advancements in workplace technology, cybersecurity skills shortages have become a major issue for many organizations—with the demand for cybersecurity professionals exceeding the number of individuals that are qualified for such a role. This shortage emphasizes the importance of investing in effective cybersecurity tools across all workplace devices to help minimize your risks. 

With these trends in mind, it’s important now more than ever for your organization to secure adequate cyber insurance. Otherwise, you run the risk of your organization lacking the appropriate coverage and dealing with hefty out-of-pocket costs in the event of a cyber incident.

Smart Device Security Best Practices

As remote work continues to be a popular offering for many organizations, some employees have begun taking advantage of their own smart devices—such as smartphones or tablets—for work-related purposes.

While this practice can certainly help employees expand their remote work capabilities, utilizing smart devices within a work setting can lead to elevated cybersecurity risks. This is because your employees’ smart devices may not be initially equipped with the security measures necessary to defend against cybercriminals, thus increasing the likelihood of a cyberattack taking place.

Don’t let employees’ smart devices lead to a cybersecurity disaster within your organization. Utilize the following guidance to promote smart device security:

  • Establish a Bring Your Own Device (BYOD) policy that includes standards employees must uphold when using their smart devices for work-related purposes.
  • Have employees create complex passwords for their smart devices. Encourage staff to enable multifactor authentication on their devices, if possible.
  • Restrict employees from connecting to public Wi-Fi networks on their smart devices. Be sure to establish a virtual private network for staff to use to ensure a safe, secure connection.
  • Have employees conduct routine software updates on their smart devices to prevent potential security gaps.

For additional cybersecurity guidance and coverage, contact Libertate Insurance today; we are offering Cybersecurity Programs.

Phishing Scam Targeting PEOs

See below from our friends at NAPEO…

Today, a PEO notified NAPEO that they and their clients were the victims of a novel phishing scam. Under this scheme, fake Google advertisements were created to mimic the PEO’s legitimate ads and appeared when any variation of the PEO’s name was searched. The phony ads then redirected anyone who clicked on them to a phony log-in page for the PEO’s payroll software. The unaware victims had their personal information captured, including usernames and passwords.

The PEO is working with Google to take down the fraudulent ads. They have also notified all victims and have secured any jeopardized accounts.

Please remain vigilant against these types of scams. You should also consider checking to see if any of your company’s Google ads are being mimicked to commit fraud. Additionally, you should consider recommending that all clients and employees enable two factor authentication, where available.

 

Brief Update on Recent Activities By David Daniel, Florida PEO Lobbyist


Update on Recent Activities related to COVID-19 from FAPEO –

There is a lot of COVID-19 related activity we have been working on for Florida PEOs as we face these uncertain times.  This email is intended to summarize our recent work.

Emergency Orders at DBPR

With the required annual financial reports due to the Department of Business and Professional Regulation, we contacted Secretary Beshears and asked that he issue an order delaying their due date.  Secretary Beshears indicated to us it would be taken care of.

DBPR Emergency Order 2020 – 01 was issued March 16.  In the order Secretary Beshears suspends and tolls for 30 days any existing renewal deadline for a license, permit registration or certificate.

DBPR Emergency Order 2020 – 03 was issued March 23, 2020.  The order suspends and tolls through May 31, 2020 all time requirements, notice requirements and deadlines for final agency action or applications for permits, licenses, rates and other approvals under any statutes or rules.

Unemployment Compensation

As you can imagine there are reports from DEO of increased filings for unemployment compensation insurance.  While the UC Fund has significant resources available, as we have seen in the last recession, the unemployment compensation trust fund can go from flush to negative in a short amount of time.

It is expected with the dramatic decline in business activity related to the social distancing and business closures, employers will be forced to make some tough decisions with their workforce.  As you know, 443.131 F.S. allows the Department of Economic Opportunity the ability to not charge an employer’s unemployment compensation contribution rate for a declared national disaster or a disaster of national significance.  Further, 443. 116 F.S. creates the short-time compensation program which allows an employer to reduce work for employees in lieu of layoffs with DEO approval.  We have requested DEO make the decision that this event and the subsequent layoffs which will follow are not chargeable to an employer’s unemployment compensation rate.  Further we have asked that if an employer chooses a short-time compensation arrangement it would also not be chargeable to their UC rate.

To that end, last week Governor DeSantis indicated in a press conference this event would not be charged to an employer’s unemployment compensation rate.  We are awaiting the official announcement from DEO.  There is no word yet on the short-time compensation and will let you know when we hear more from DEO.

Essential Business Sectors under CISA Guidance

The state and the country have been grappling with the impacts of decisions on social distancing, shelter in place orders and mandatory business closures.  Several counties have already issued emergency orders closing non-essential employers including Miami-Dade, Broward, Alachua and Duval counties.  We have asked the Governor’s Office to include professional employer organizations as essential critical infrastructure workers in any statewide emergency order mandating business closure.  At the direction of the Governor’s Office, we have based our request on Cybersecurity and Infrastructure Security Agency guidance.  (See attached)

While the decision to issue a statewide emergency order closing all non-essential businesses has not been made to date, our proactive efforts have placed us in the best possible position to remain open.

Additional Readings – Statutes Issued

443.131 F.S. – Click here to read more.

443.1116-F.S. – Click here to read more.

DBPR – Emergency Order 2020 – Click here to read more.

CISA Guidance on Essential Critical Infrastructure Workers – Click here to read more. 

State of Florida Emergency Order – Click here to read more.

 

NAPEO’s Risk Management Conference Ready to Invade Nashville on March 6th and 7th!

NAPEO’s annual Risk Management Conference is right around the corner! It’s a must see conference for those interested in risk management and other related areas of focus. Click here to access the agenda. Below are presentation topics:

  • Workers’ Compensation Rate Update
  • Crime Insurance
  • Big Data
  • Cyber Security
  • PEOs and Cannabis
  • Payroll Fraud

Libertate is proud to be a sponsor of this wonderful conference. We hope to see you there. If attending, we would love to buy you a drink and talk about insurance, data and the PEO industry!

Paul – phughes@libertateins.com

David – dburgess@libertateins.com

Sharlie – sreynolds@libertateins.com

The E-merging Risk that Keeps on E-volving: Cyber

As providers of service and insurance to PEOs, we know that small and medium-sized businesses are the “bread and butter” of clients targeted.

“According to an ISO analysis, 80 percent of cyber breach victims in 2017 were small and medium-sized businesses.” — Neil Spector, president, ISO, a Verisk business

Great article on the current state of cyber from our friends at insurancejournal.com

The E-merging Risk that Keeps on E-volving: Cyber

    6 Reasons Cyber Remains Top Emerging Risk

    Property/casualty insurance experts may not agree on everything but there is a consensus that the most important emerging risk for the industry remains the five-letter word: CYBER. It is not new, of course, but it stays atop emerging risk lists because of its dynamic and pervasive nature.

    Insurance Journal defines emerging risks as those that are new and not yet widely recognized, or perhaps recognized but not well understood. A number of industry leaders explain why cyber remains such an important risk to watch.

    Not Slowing Down

    The number of data breaches and the average costs of cyber-crime are rising every year. These trends show no signs of slowing down. In fact, cyber risk is becoming more concerning as crime-as-a-service gains popularity and artificial intelligence technologies are used more frequently in attacks. Internet of Things devices are increasing the attack surface and providing more ammo for hackers. One of the more difficult aspects about insuring cyber risk is the dynamic nature of the risk. Just a few years ago, cyber-attacks primarily involved stealing private credit card and health information from large companies. Today, cyber criminals focus on completely different tactics for making money, such as locking out users from computer systems using ransomware, or secretly hijacking computers to mine cryptocurrency. And large corporations aren’t the only targets. According to an ISO analysis, 80 percent of cyber breach victims in 2017 were small and medium-sized businesses. — Neil Spector, president, ISO, a Verisk business

    Keeping Up with IoT

    The biggest risks involve cyber crime. Under “emerging risks,” one of the biggest is the Internet of Things (IoT), and the cybersecurity risks created by billions of interconnected devices. The challenges for agents and brokers multiply in regard to understanding the potential implications, such as IoT devices in homes and businesses — tracking sensors, fire/flooding/intrusion warning devices and more. Agents need to be aware of the questions to ask clients to ensure they are offering complete coverages. They need to be vigilant in keeping up with the IoT devices emerging at an astonishing pace. — Robert Rusbuldt, CEO, Big “I” Independent Insurance Agents & Brokers of America.

    High Severity

    There are many scenarios where cyber risk comes into play, but one example is related to vehicle systems. Luxury automobiles, for example, have up to 150 or more computer programs that impact vehicle performance. Tractor trailer technology is also advancing rapidly, and just one of those systems being hacked could have catastrophic results. WSIA conducts a biennial survey of members regarding emerging issues. Cyber exposure jumped in priority this year, with members agreeing the issue has high severity in terms of current impact industrywide. — Jacqueline Schaendorf, president and CEO, Wholesale & Specialty Insurance Association

    Cyber Property Damage

    One definite area of emerging peril is the threat of substantial property destruction caused by intrusions into sensitive computer networks and connected hardware devices. Long gone are the days where the worst aspect of cyber vulnerabilities amounted to stolen credit card information or lost privacy. Instead, a new breed of cyber exposure is unfolding whereby energy infrastructure facilities and other industrial works have been targeted with cyber attacks causing explosions, wreckage and business interruption. Most expect these risks will soon expand to domestic infrastructure and transportation operations with the prospect of major instances of property damage and life-threatening injuries.

    — Joshua Gold, shareholder attorney, Anderson Kill

    Immature Market

    Cyber comes with a bit of a double-edge sword. On one hand, it is a new market that is growing faster than any other for the industry. But being an immature market means more time is needed to flesh out the data to improve underwriting. Where cyber may be a more interesting market — perhaps even one that helps us peer into the future value of insurance — is how risk mitigation tools are being incorporated into the mix. We are seeing many carriers partner with technology companies in order to assess the actual vulnerabilities within the customers. This presents more stability for underwriting. Customers’ value may evolve in the future toward risk mitigation and resilience building. This would be a shift for an industry that — at least for the past several decades — has based its value on price. — Sean Kevelighan, president and CEO, Insurance Information Institute

    Accumulation Risks

    In a study titled “Advancing Accumulation Risk Management in Cyber Insurance,” global insurance think tank The Geneva Association focused on the danger of accumulation risks as a threat to cyber insurance. The report highlights several cyber accumulation risk challenges:

    • Insurers and reinsurers could underestimate non-affirmative cyber exposure leading to an unplanned shock from a major event. Non-affirmative cyber exposure occurs when a cyber attack causes major losses by triggering coverages in other classes.
    • Data are of insufficient quality, are incomplete and/or lack the necessary consistency for more advanced modeling techniques.
    • Governments predominantly fail to provide frameworks for the sharing of large-scale cyber-terrorism losses.

    – Anna Maria D’Hulster, secretary general, The Geneva Association

    Young Consumers Willing to Let Insurers Spy on Digital Data – If It Cuts Premiums

    As a sociology major and Orwellian, it is hard for me to not think about “Big Brother” when reading these types of reports.  My gut would tell me that the younger generation of people that understand data management the most would be most concerned about data collection – seemingly not the case –

    The majority of people between 18 and 34 would be willing to let insurance companies dig through their digital data from social media to health devices if it meant lowering their premiums, a survey shows.

    In the younger group, 62 percent said they’d be happy for insurers to use third-party data from the likes of Facebook, fitness apps and smart-home devices to lower prices, according to a survey of more than 8,000 consumers globally by Salesforce.com Inc.’s MuleSoft Inc. That drops to 44 percent when the older generations are included.

    As consumers share more of their personal data online, governments increased their scrutiny of how it’s collected and used following the harvest of 61 million Facebook users’ accounts by U.K. firm Cambridge Analytica. The European Union’s new privacy law, known as the General Data Protection Rules, took effect on May 25.

    Of the older generations, 45 percent of 35- to 54-year-olds are happy to allow insurers broad access to their digital identity, while 27 percent of those 55 and older would do so.

    Insurers are investing millions improving their digital offerings amid growing competition from fintech startups. But that’s a work in progress: 58 percent of the survey’s respondents said that systems don’t work seamlessly for them, with many citing difficulty filling out a form online. And 56 percent said they would switch their insurance provider if digital service is poor.

    “Insurers are already struggling to deliver a connected experience,” said Jerome Bugnet, EMEA client architect at MuleSoft. That is happening “before even considering how they bring all these new data sources into the equation.”

    Buffett Not Eager for Berkshire to Be Cyber Insurance Leader

    https://www.insurancejournal.com/news/national/2018/05/07/488425.htm

    Some intriguing comments from Warren Buffett on the state of cyber insurance.  My favorite (which I agree with), “I don’t think we or anybody else really knows what they’re doing when writing cyber” insurance, Buffett said Saturday at his firm’s annual meeting in Omaha, Nebraska. “We don’t want to be a pioneer on this.”

    From both sides of the table (agent and underwriter) there is still much more to learn in this burgeoning insurance product line which has increased premiums written 35% in the last two years.

    Buffett Not Eager for Berkshire to Be Cyber Insurance Leader

    May 7, 2018

     

    Warren Buffett said he doesn’t want Berkshire Hathaway Inc. being a leader on cyber insurance because neither he nor others in the industry really know the risk.

    “I don’t think we or anybody else really knows what they’re doing when writing cyber” insurance, Buffett said Saturday at his firm’s annual meeting in Omaha, Nebraska. “We don’t want to be a pioneer on this.”

    Buffett said that cyber risk is part of his estimate that every year carries about a 2 percent chance of a super catastrophe that would cause $400 billion or more of insured losses. While that kind of disaster will wipe out many companies, Berkshire will aim to keep its exposure low enough to remain profitable in such a year, the 87-year-old chairman said.

    Buffett said he’s fine with writing some cyber policies to remain competitive, but doesn’t want to be among the top three in the industry. Anyone who claims to know the base case or worst case for losses is “kidding themselves,” he said.

    [Property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best.

    According to the reports, the largest cyber insurance writers are American International Group, XL Group and Chubb. These companies had a combined market share of approximately 40 percent at year-end 2016. The top 15 writers of cyber held approximately 83 percent of the market in 2016.

    Completing the top 10 writers of cyber ranked by direct premium written are: Travelers, Beazley, CNA, Liberty Mutual, BCS Insurance (owned by Blue Cross licensees), AXIS Insurance Group and Allied World.]