Insurers Are Waking Up to Multi-Factor Authentication

Please enjoy this excellent article by Steven Kaye which was originally posted on the Carrier Management website. The original post can be found here.

Insurance use cases for multi-factor authentication (MFA) include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access and policyholder access.

Legislation and regulators are increasingly mandating MFA to ensure greater security as well as to reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law. Insurers have traditionally balanced security against expense and inconvenience to their users, especially if their coverages are marketed to older demographics (e.g., final expense policies). Regulatory mandates combined with growing digital adoption and criminals turning their eyes to life and annuities account takeover means the calculus has changed.

Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, is driving their adoption of MFA.

There is minimal variation between size and sector of company when it comes to deployment rates, with the exception of large life/annuity/benefits insurers, which are much more likely to use MFA for policyholders than is any other class of insurer. A low deployment rate of MFA for policyholders among smaller property/casualty insurers reflects the fact that few small P/C insurers offer direct policyholder access at all.

Midsize P/C insurers lag behind other sizes and sectors in deployment of MFA for both distributors and policyholders but are ahead of large life/annuity/benefits insurers in deployment for other external parties. Midsize P/C insurers are also ahead of midsize life/annuity/benefits insurers in deployment internally.

How MFA Helps

As many knowledge workers moved from the office to home during the pandemic, securing infrastructure became another key driver. Hybrid work models that blend office and home working environments are gaining traction, and the need for MFA becomes more crucial to validate that users are actually employees.

In addition to security needs, carriers are obtaining policyholder emails and cellphone numbers as part of the MFA process. These bits of data, which are often difficult to obtain, can provide insurers with the opportunity to digitally connect with customers in their preferred channel.

There is no mandated number of identification methods for MFA, but the consensus is to have two at a minimum. Insurers are starting to use multi-factor or its equivalent for any interaction where an external network is accessing information behind a firewall. Some are taking this a step further to include role-based authentication for internal access as well.

The best defense is a layered approach, combining multiple authentication methods with secure and documented business processes and other security solutions. Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.

Insurers should ensure that MFA processes are documented and that solutions generate auditable logs. Some wholesale brokers require attestations from insurers they work with.Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.

For consumer-facing use cases, depending on the age of policyholders, insurers may wish to opt for MFA methods that are more straightforward (e.g., less complex knowledge-based authentication, voice print). Final expense and Medicare supplement are two lines of business where voice signatures are well established. Many solutions support establishing different access policies based on risk assessment, such as requiring MFA for new devices, or conversely accepting password-free authentication for low-risk access requests.

Types of Authentication

MFA relies on several of the following authentication methods:

  • Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users.
  • Knowledge-based authentication (e.g., answers to questions, passwords or PIN codes, randomly generated authentication codes from authenticator apps).
  • Location (e.g., GPS or IP address).
  • User characteristics (behavioral or biometrics-based).

Some authentication methods are more secure than others. For example, sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. With many employees working from home, phishing and other identity theft methods are on the rise. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.20 percent of CIOs surveyed by Novarica said they are planning to require MFA for distributors and policyholders within six months, adding to 30 percent that already do so.

Novarica recently conducted a survey of insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods and use cases. It is important to keep in mind that solution providers typically offer a range of authentication methods.

Only 30 percent of participants currently require MFA for distributors or policyholders, but another 20 percent are planning to require MFA within six months. Roughly 80 percent of participants require MFA for most or all internal systems users.

Deploying MFA

The most common authentication methods deployed are mobile authenticator apps, used by 80 percent of participants. More than half of participants use SMS. Email and security keys are used by roughly 40 percent and 33 percent of participants, respectively. Behavioral authentication, voice-based authentication, IP location and knowledge-based authentication are used by fewer than a third of insurers.

Note that only 16 percent of insurers report using just one method; overall, insurers said they use an average of 2.8 different authentication methods.Sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks.

The security threat landscape continues to grow in number and impact. Although many carriers are not currently considering MFA, regulatory scrutiny and enforcement of IT security will only increase. The ability of most solutions to offer different levels of authentication for different access use cases means there is less of a tradeoff between customer experience and security. Many solution providers offer MFA as part of a broader portfolio of identity and access management and IT security solutions.

Insurers should consider MFA approaches as part of a broader IT security strategy.

CONTRIBUTOR

Steven Kaye, Novarica

Steven Kaye is Vice President of Research at Novarica and lead editor of the firm’s Business and Technology Trends in Insurance series. He has managed a wide range of research projects since joining the firm in 2008. Previously, Kaye worked for Accenture as an insurance researcher focused on the U.S. life and property/casualty markets. He also served in both knowledge management and research roles at Gemini Consulting (now part of Capgemini) for several of the firm’s industry practices. Kaye holds MILS and BA degrees from the University of Michigan at Ann Arbor. Reach him directly at skaye@novarica.com.

Workers’ Compensation Certificate of Insurance Guidelines – Florida Edition

I’d like to impress upon people how important it is to us to make sure that all employers properly provide workers’ compensation insurance to their employees; especially in these times. It is often difficult to understand the legal arrangements between employers and employees and contractors and subcontractors in who is defined as an employee for the purposes of workers’ compensation.  Who is ultimately responsible for occupational safety and workers compensation premium payments is our collective role to understand and enforce?  Our country is built on the back of the American worker it is up to all of us to make sure they are properly protected.

Before allowing contractors to perform work on your behalf, make sure to do your research. Below are a few tips.

  • Compliance Management – Verify that the contractor has workers’ comp insurance by requesting a COI. Make sure the COI has the complete company name and indicates coverage dates. There are web-based solutions that will help you automate this process as well.
  • Sign Up – The Construction Policy Tracking Database provides information to contractors regarding the coverage status of the contractor they use. This system will send automatic notification of any changes to their contractor’s coverage status. https://dwcdataportal.fldfs.com/POCData.aspx
  • Endorsement – Request 30 Day Notice of Cancellation Endorsement. This endorsement notifies the holder if the insured’s policy is under notice to cancel. *Not all carriers will offer this endorsement.
  • Proof of Coverage – Check the Proof of Coverage websites for coverage effective and cancellation dates. Also, check for Exemptions. *State website verification can vary. https://proofofcoverage.fldfs.com/Search or https://www.ewccv.com/cvs/?ref=https://www

What else can be done to protect employers with regards to uninsured subs? We would love to hear some of your tips and strategies! Contact Libertate Insurance at 407-445-2414 to learn more about how to protect your business.

How Can There Be a Gap in Coverage?

…if coverage does not exist in the first place!

We have argued appropriately that coverage cannot exist based on a lack of insurable interest of the non co-employed employee. Not co-employment, not who was or was not payrolled, someone in the system knowingly committed fraud or else coverage would exist. This is not a “gap”, it is “black and white” in terms of coverage being purchased/provided or not.  The beauty of the workers’ compensation system is “The Great Tradeoff” – if you as the employer buy workers’ compensation (wc), you are protected from suit. Said simply, pay the wc insurance premiums and the employee base will be taken care of to the letter of the law.  In all States and DC (except TX, OK and NJ have opt out provisions), workers’ compensation is a mandatory purchase at certain employee counts (4 + typically).  There is no excuse to be ignorant of the need for workers’ compensation nor to pay the premiums necessary to ensure the proper medical and lost time payments due to an injured worker.  In all States, penalties and misdemeanors/ felonies follow with the lack of purchase of wc. 

In NO state is an industry group targeted as a proposed safety net to those that have failed to purchase insurance and committed fraud.  Instead, the fraudsters have a safety net to take the heat off them for not purchasing wc and doing the right thing in the first place. Since all states manage workers’ compensation differently with their own unique rules and rate sets, it falls upon each State to manage the occupational accident and illness exposure of its citizens.

Every state has some form of “subsequent” or “second injury” fund to make sure the cost of employers to hire prior workers’ comp claimants is offset and affordable.  This form of labor umbrella allows for employees to find gainful employment without putting their employers at increased financial risk based on prior events/claims.

Thirty-nine states/district out of 51 have what is generally known as an “Uninsured Employer Fund” (UEF).  In these states, it is all about making sure the injured worker(s) get treatment and benefits first, with the responsibility of the lack of insurance investigated at the same time with the appropriate parties.  The employer(s) whom were responsible for not buying insurance are held accountable, and most importantly, the claimant gets the benefits they deserve without delay and hopefully litigation.

The following 12 States do not have a UEF in order of population:

  • Texas (opt outs allowed)
  • Florida
  • Georgia
  • North Carolina
  • Indiana
  • Alabama
  • Louisiana
  • Iowa
  • Mississippi
  • Arkansas
  • Nebraska
  • Vermont

In these states, for the innocent claimants that have unscrupulous employers that do not wish to purchase workers’ compensation, there is little recourse outside of litigation.  

Not buying wc is fraud. Go after the perpetrators of the frauds and allow for a safety net for those that should matter the most – those the system is built to serve – the claimants.  An uninsured employer fund makes certain the Florida worker is covered, with the bill to be determined post-investigation.

It should be noted that either the Department of Labor or Department of Insurance of most UEF states are the governing authority and therefore something new would not need to be created.  A few states DCBS’ also handle.

MGU Updates: New Carrier Partners for 2021

Two of the MGU (Managing General Underwriter) partners we work with have announced new carrier partnerships for 2021. Read the exciting news below.

Workers’ Compensation Insurance MGU Method Adds Falls Lake as New Carrier

Method, a Managing General Underwriter wholly focused on Workers’ Compensation Insurance, has announced the addition of the Falls Lake National Insurance Company to its roster of carrier options.

Falls Lake is rated A XI (Excellent) by AM Best and covers 23 states mostly concentrated in the eastern half of the United States.

“We’re excited to partner with the great team at Falls Lake to dramatically expand options for our customers east of the Mississippi.” said Greg Donsbach, President of Method.

Falls Lake shares a similar, broad risk appetite to Method’s existing carriers, Incline Casualty and Service American Indemnity Company.

“Falls Lake is pleased to partner with Method for this new product which combines Method’s industry-leading claims management protocols with Falls Lakes’ risk-driven underwriting philosophies.” said Paul Kearns, Senior Vice President of Underwriting at Falls Lake.

FUBA Adds Second A- Rated Carrier

FUBA Workers’ Comp now has underwriting authority with two insurance carriers that are rated A- (Excellent) by A.M. Best. Effective 1/1/21, Service Lloyds Insurance Company will become part of the FUBA family. Service Lloyds is a workers’ compensation specialist with almost four decades in the market. 

New business with effective dates through 12/31/20 will continue to be placed with Lancer Indemnity Company and will stay with Lancer for the first policy term. 

New business with effective dates of 1/1/21 and after will be placed with Service Lloyds. 

As your clients’ policies come up for renewal, we will transfer them from Lancer Indemnity Company to Service Lloyds. No action is needed on your part; the transfer will be automatic and seamless. The Service Lloyds policies will replace the policies from Lancer, and your clients will keep the same policy number.  

FUBA is pleased to be able to continue to offer stable and rated coverage to your small business clients.

Cyber Crime Continues to Rise. Are you protected?

October is National Cybersecurity Awareness Month and a good time to insure your business is protected. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses. In an age where a stolen laptop or hacked account can instantly compromise the personal data of thousands of customers, or an ill-advised post on a social media site can be read by hundreds in a matter of minutes, protecting yourself from cyber liability is just as important as some of the more traditional exposures businesses account for in their general commercial liability policies.

Why Cyber Liability Insurance?

A traditional business liability policy is extremely unlikely to protect against most cyber exposures. Standard commercial policies are written to insure against injury or physical loss and will do little, if anything, to shield you from electronic damages and the associated costs they may incur. Exposures are vast, ranging from the content you put on your website to stored customer data. Awareness of the potential cyber liabilities your company faces is essential to managing risk through proper coverage.

Possible exposures covered by a typical cyber liability policy may include the following:

  • Data breaches: Increased government regulations have placed more responsibility on companies to protect clients’ personal information. In the event of a breach, notification of the affected parties is now required by law. This will add to costs that will also include security fixes, identity theft protection for the affected and protection from possible legal action. While companies operating online are at a heightened risk, even companies that don’t transmit personal data over the internet, but still store it in electronic form, could be susceptible to breaches through data lost to unauthorized employee access or hardware theft.
  • Intellectual property rights: Your company’s online presence, whether it be through a corporate website, blogs or social media, opens you up to some of the same exposures faced by publishers. This can include libel, copyright or trademark infringement and defamation, among other things.
  • Damages to a third-party system: If an email sent from your server has a virus that crashes the system of a customer, or the software your company distributes fails, resulting in a loss for a third party, you could be held liable for the damages.
  • System failure: A natural disaster, malicious activity or fire could all cause physical damages that could result in data or code loss. While the physical damages to your system hardware would be covered under your existing business liability policy, data or code loss due to the incident would not be.
  • Cyber extortion: Hackers can hijack websites, networks and stored data, denying access to you or your customers. They often demand money to restore your systems to working order. This can cause a temporary loss of revenue plus generate costs associated with paying the hacker’s demands or rebuilding if damage is done.
  • Business interruption: If your primary business operations require the use of computer systems, a disaster that cripples your ability to transmit data could cause you, or a third party that depends on your services, to lose potential revenue. From a server failure to a data breach, such an incident can affect your day-to-day operations. Time and resources that normally would have gone elsewhere will need to be directed towards the problem, which could result in further losses. This is especially important as denial of service attacks by hackers have been on the rise. Such attacks block access to certain websites by either rerouting traffic to a different site or overloading an organizations server.

Cyber liability insurance is specifically designed to address the risks that come with using modern technology; risks that other types of business liability coverage simply won’t. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. It is important to work with a broker that can identify your areas of risk so a policy can be tailored to fit your unique situation.

Libertate Insurance, Your Coverage Guide

As reliance on technology continues to increase, new exposures continue to emerge. As your business grows, make sure your cyber liability coverage grows with it. Libertate Insurance is here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk.

Hurricane Laura: Tips for our Friends and Clients

Hurricane Season is always a time of anxiety and concern.  Now that the impacts of the season are being felt we have compiled a summary of useful contacts/information to help our friends.  Be Safe and let us know if we can help!

National Flood Insurance Program (NFIP) – for those with an NFIP policy, here is a direct link to their site fema.gov/flood-insurance. Here you can find Claim Forms, Disaster Relief Fund: Monthly Reports, by State, for the progress of Disaster Relief and Emergency Assistance being offered. You can also apply for Emergency Assistance.

Tips from Ready.gov.  Ready.gov is a great place to go in preparing for hurricanes but also has tips to support the aftermath.

Returning Home After a Hurricane

  • Listen to local officials for information and special instructions.
  • Be careful during clean-up. Wear protective clothing and work with someone else.
  • Do not touch electrical equipment if it is wet or if you are standing in water. If it is safe to do so, turn off electricity at the main breaker or fuse box to prevent electric shock.
  • Avoid wading in flood water, which can contain dangerous debris. Underground or downed power lines can also electrically charge the water.
  • Save phone calls for emergencies. Phone systems are often down or busy after a disaster. Use text messages or social media to communicate with family and friends.
  • Document any property damage with photographs. Contact your insurance company for assistance.

Tips for filing an insurance claim after the storm

  1. Contact your insurer as soon as possible, have a copy of your insurance policy handy and in a safe place.
  2. Start documenting loss (property and contents), as soon as it is safe to.  Pictures are a great way to document damage, hopefully you already have pictures of your property from before the storm.
  3. Locate information of emergency services and where they are available in your immediate area. Houston Emergency Operations Center , Louisiana Office of the Governor 
  4. Begin mitigating the damage to your property (temporary repairs), safely, to prevent further damage.  Maintain all receipts related to temporary repairs. Using reputable and licensed/insured contractors for temporary repairs is a good choice for those larger issues that you are unable to address yourself.
  5. Confirm with your insurer before you start discarding of damaged items
  6. Start a claim file, to keep track of calls, damage, and overall progress.  Log contractors that you have spoken with.  You will likely start getting visits from a lot of different service providers; take notes!

Hopefully you have prepared your businesses with a Hurricane Preparedness Plan and are rolling out the phases of such, but if not here is a link for some additional pointers OSHA.gov.

Ready.gov has also prepared an Emergency Financial First Aid kit.

If you have successfully come through this unscathed and want to help here are a few links:

American Red Cross you can make financial donations or sign up to volunteer

Global Giving has set up a Hurricane Laura Relief Fund and also offers a Corporate Giving platform

Gulf Coast Regional Blood Center It’s easy to forget during times of Hurricanes that the simple task of donating blood also helps restock the shelves, so to speak. Those injured from the storm may need blood and this a great way to prevent shortages.  Gulf Coast Regional Blood Centers have information on mobile sites, by day. Locations are already available today.

** As always, with donations, a little due diligence goes a long way.  Make sure you understand the organization that you are contributing to and where your contribution goes.

Be Well, Stay Safe

The New Normal….Pandemic Insurance Products

It was only a matter of time before insurers began to develop products to cover pandemics.  The products range from traffic monitor apps that pay insureds based on a minimum threshold to relapse coverage that protects businesses forced to shut down a second time.  The complete article from Reuters is below.

————————-

Insurers are creating products for a world where virus outbreaks could become the new normal after many businesses were left out in the cold during the COVID-19 crisis.

While new pandemic-proof policies might not be cheap, they offer businesses from restaurants to film production companies to e-commerce retailers ways of insuring against disruptions and losses if another virus strikes.

The providers include big insurers and brokers adding new products to existing coverage, as well as niche players that see an opportunity in filling the void left by mainstream firms that categorize virus outbreaks like wars or nuclear explosions.

Tech firm Machine Cover, for example, aims to offer policies next year that would give relief during lockdowns. Using apps and other data sources, the Boston-based company measures traffic levels around businesses such as restaurants, department stores, hairdressers and car dealers.

If traffic drops below a certain level, it pays out, whatever the reason.

“This is the type of coverage which … businesses thought they had paid for when they bought their current business interruption policies before the coronavirus pandemic,” the company’s founder Inder-Jeet Gujral told Reuters.

“I believe this will be a major opportunity because post-COVID, it would be as irresponsible to not buy insurance against pandemics as it would be to not buy insurance against fire.”

The company is backed by insurer Hiscox and individual investors, mostly from the insurance and private equity world.

Restaurants in Florida’s Miami-Dade County, where Mayor Carlos Gimenez on Monday ordered dining to shut down soon after reopening, are now reeling, said Andrew Giambarba, a broker for Insurance Office of America in Doral, Florida.

“It’s been like they made it to the ninth round of the fight and were holding on when this punch came out of nowhere,” said Giambarba, whose clients include restaurants that did not get payouts under their business interruption coverage.

“Every niche that is dealing with insurance that is affected by business interruption needs every new product they can have.”

Filling the Void

Pandemic exemptions have helped some insurers emerge relatively unscathed and the sector has largely resisted pressure to provide more virus cover. Indeed, some insurers that paid out for event cancellations and other losses have removed pandemics from their coverage.

British risk managers association Airmic said last week that the pandemic had contributed to a lack of adequate insurance at an affordable price and most of its members were looking at other ways to reduce risk.

To help fill the void in a locked-down world, Lloyd’s of London insurer Beazley Plc, started selling a contingency policy last month to insure organizers of streamed music, cultural and business events against technical glitches.

“These events are completely reliant on the technology working and a failure can be financially crippling,” said Mark Symons, contingency underwriter at Beazley.

Marsh, the world’s biggest insurance broker, has teamed up with AXA XL, part of France’s AXA, and data firm Arity, which is part of Allstate, to help businesses such as U.S. supermarket chains, restaurants and e-commerce retailers cope with the challenges of social distancing.

With home deliveries surging, firms have hired individual drivers to meet demand, but commercial auto liability insurance for “gig” contractors with their own vehicles is hard to find.

Marsh and its partners devised a policy based on usage with a price-by-mile insurance, which can be cheaper than typical commercial auto cover as delivering a pizza doesn’t have the same risks as driving people around.

“Even when the pandemic is over, we believe last-mile delivery will continue to grow,” said Robert Bauer, head of Marsh’s U.S. sharing economy and mobility practice.

A report by consultants Capgemini showed that demand for usage-based insurance has skyrocketed since COVID-19 first broke out and more than 50% of the customers it surveyed wanted it.

However, only half of the insurers interviewed by Capgemini for its World Insurance Report said they offered it.

Bespoke Cover

Since businesses are only now learning how outbreaks can affect them, some new products are effectively custom-made.

Elite Risk Insurance in Newport Beach, California, has been offering “COVID outbreak relapse coverage” since May for businesses forced to shut down a second time, its founder Jeff Kleid said.

The policies are crafted around specific businesses and only pay out when certain conditions are met, Kleid said.

For film and television production companies that could be when a cast member contracts the virus, forcing them to stop shooting. Another client, which raises livestock for restaurants, is covered for a scenario in which it would be impossible to get animal feed.

Such policies do not come cheap. A $1 million policy could cost between about $80,000 to $100,000 depending on the terms.

“The insurance … is costly because it covers a risk that does not have a historical basis for calculating the price,” Kleid says.

And in March, when COVID-19 ravaged northern Italy, Generali’s Europ Assistance offered medical help, financial support and teleconsultations for sufferers when discharged from hospital, on top of regular health insurance.

It sold 1.5 million policies in just two weeks and now has 3 million customers in Europe and United States.

Some insurers are also working on changes to employee compensation and health insurance schemes. With millions of workers not expected to return to offices anytime soon, some large insurers in Asia are preparing coverage to account for that, according to people familiar with those efforts.

At least one Japanese insurer has started work on a product to cover employees for injury while working at home, they said.

“Working from home will be the new normal for years to come. That would make the scope of the employee compensation scheme meaningless if a person suffers an injury while at home,” said a Hong Kong-based senior executive at a European insurer.

(Reporting by Noor Zainab Hussain in Bengaluru, Suzanne Barlyn in Washington Crossing, Pennsylvania, Carolyn Cohn in London and Sumeet Chatterjee in Hong Kong; additional reporting by Muvija M; Editing by Tomasz Janowski and David Clarke)

https://www.insurancejournal.com/news/international/2020/07/10/575081.htm

 

Hurricane Season Reminders

This year’s hurricane season runs from June 1st to November 30th. We encourage our clients to prepare their business for the 2020 Hurricane Season. Take action early to protect your assets and your people.

Pre-Planning

Review all of your insurance policies and understand what is covered.

Verify Employee Contact Information

Maintaining accurate employee contact information is critical during an emergency. COVID-19 has led to an increase in remote working and the need to know where each employee is located-not just in a directory, but in real time. Send a quick memo to your employees asking them to update their contact information. This will help management check on their well-being and keep them informed.

Build Your Emergency Plan

Refer to websites like FEMA and National Hurricane Survival Initiative to help you build your company’s emergency plan. You will want to include details on securing your business assets, ensure your data is backed up, review contracts, customer communication strategies, and recovery plan.

Create an Emergency Response Team

Define clear roles and responsibilities for essential staff members.