White House Issues Ransomware Prevention Guidance to Businesses

In a recent letter addressed to corporate executives and business leaders, the White House emphasized that
bolstering the nation’s resilience against cyberattacks is a main priority for President Joe Biden’s administration.
Specifically, as ransomware attacks continue to rise in both cost and frequency throughout the country, the
federal government is urging businesses to take this evolving cyber threat seriously.

These attacks—which entail a cybercriminal deploying malicious software to compromise a business’s network or
sensitive data and demand a large payment be made before restoring this technology or information—have
quickly become a growing concern across industry lines. In fact, the latest research shows that ransomware
attacks have increased by nearly 150% in the past year alone, with the median ransom payment demand
totaling $178,000 and the average overall loss from such an attack exceeding $1 million.

While the White House has begun working with both domestic and international partners on various strategies to
prevent ransomware attacks, the Biden administration is also encouraging businesses to play their part in
minimizing this rising cyber concern. Rather than viewing ransomware attacks as a minor cyber risk, the federal
government is instructing businesses to view these attacks as a significant exposure—one with the potential to
wreak havoc on their key operations.

As such, the Biden administration is recommending that businesses convene with their senior leadership teams
to review their ransomware exposures and implement these top cybersecurity measures:


  • Utilize the federal government’s best practices. Businesses should be sure to incorporate the best
    practices outlined in the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity. This
    includes the following practices:
    o Implementing multi-factor authentication (MFA) on all workplace technology
    o Leveraging endpoint detection and response tools to identify and deter suspicious network activity
    o Encrypting sensitive data to make it less accessible to cybercriminals
    o Developing a trusted and skilled workplace cybersecurity team
  • Ensure an effective incident response plan. All businesses should have cyber incident response plans in
    place. These plans outline proper response protocols and offer steps for minimizing potential damages during
    cyberattacks. Businesses should make sure to include several ransomware attack scenarios within their
    response plans and routinely test these scenarios with their cybersecurity teams. Based on test results,
    businesses should revise their response plans accordingly.
  • Conduct frequent data backups. In addition to the federal government’s best practices, businesses should
    also prioritize securely backing up all sensitive data, images and other important files on a regular basis.
    Conducting such backups can help businesses remain operational and continue to access crucial data in the
    event that any workplace technology is compromised in a ransomware attack. Data backups should remain
    offline (not connected to key business networks) and be routinely tested.
  • Keep critical networks separated. In order to keep ransomware attacks from fully disrupting their operations, businesses should attempt to segment their various workplace networks (e.g., sales, production, and corporate) from one another rather than having a unified network. Access to each network should be restricted to those who use it to conduct their job tasks. Networks should only allow internet access as needed. That way, businesses can avoid becoming completely compromised by single-network ransomware attacks and continue performing critical functions.

  • Maintain updated security software. To help safeguard workplace technology from ransomware threats,
    businesses should equip their systems and devices with adequate security software—such as antivirus
    programs, firmware protections and firewalls. Further, this software must be regularly updated to remain
    effective. That being said, businesses should also consider utilizing centralized patch management systems to
    keep security software on a consistent update schedule.
  • Review workplace cybersecurity protocols. Apart from testing their response plans, businesses should
    also regularly assess whether their existing workplace cybersecurity policies, procedures and software are
    sufficient in protecting against current risks—such as ransomware threats. In particular, businesses should
    consider using a third-party penetration tester to review their ransomware defense tactics and overall
    cybersecurity capabilities. Businesses should work with their trusted cybersecurity teams and IT experts to
    make workplace adjustments as needed (e.g., updating policies or purchasing new security software).

For additional risk management guidance and insurance solutions, email me, James Buscarini, PCA, at jbuscarini@libertateins.com or call me at 813.367.7574.

California Senate Rejects Workers’ Compensation Proposal

Close one!

SACRAMENTO, Calif. (AP) — The California Senate on Thursday rejected a bill aimed at making it easier for health care employees to have hospitals pay their medical bills related to COVID-19 and other diseases that may have been contracted on the job — a move business groups said would have cost them too much money.

Companies pay their workers’ medical bills if they get sick or injured while on the job. In some cases, workers must prove their injury or illness is work-related to get the benefits. Last year, the California Legislature passed a law that assumed COVID-19 was work-related, shifting the burden to employers to prove it wasn’t.

That law is scheduled to expire in 2023. A bill by Sen. Dave Cortese, a Democrat from San Jose, would have made it permanent. It would have also added other presumptions to the workers’ compensation law for hospital workers, including cancer under some circumstances, post traumatic stress disorder, certain respiratory diseases and muscle or ligament injuries.

The bill had to pass the Senate by Friday to have a chance at becoming law this year. But it fell short on Thursday before the Senate adjourned for the week. Lawmakers are not meeting Friday.

Cortese on Thursday agreed to change the bill to remove respiratory illnesses such as asthma and chronic obstructive pulmonary disease (COPD). But it wasn’t enough to get the bill passed.

Cortese said his goal was to give hospital workers, of whom he says 90% are women, the same protections as other medical professions, including emergency medical technicians.

“It really comes down to equal work, equal compensation,” he said.

Business groups, led by the California Chamber of Commerce, opposed the bill, labeling it a “job killer.”

“Such a drastic shift in the law will create an astronomical financial burden on healthcare employers and the system, creating an appreciable impact on the cost of healthcare at a time when we are trying to make healthcare more affordable,” Ashley Hoffman, policy advocate for the California Chamber of Commerce, wrote in a letter to lawmakers that was signed by 35 other groups.

The bill is part of a broader discussion in California about which coronavirus modifications should continue. Gov. Gavin Newsom said he will lift most of the state’s coronavirus rules on June 15.

The state Senate passed a bill earlier this week that would let restaurants continue to serve alcohol outside. The state Assembly passed a bill that would require local governments to keep letting people comment during their meetings by telephone or the internet. Both bills still must pass the other legislative chamber and be signed by the governor before becoming law.

Written by Adam Beam, Associated Press (June 3, 2021)

https://www.westport-news.com/news/article/California-Senate-rejects-workers-compensation-16223712.php

Benefits of Utilizing Post-Offer Medical Questionnaires in Your Hiring Practices

Prescient National produced this thought-provoking look at how to effectively use Post-Offer Medical Questionnaires as a part of your hiring practices. The original post can be found by clicking here.

When companies think of managing their Workers’ Compensation costs, several key programs may come to mind. For example, Early Return to Work, Post-Accident Drug Testing, and establishing a network of medical providers have become second nature in the course of doing business.  While these post-claim activities will reduce costs after a claim has been filed, preventing a loss starts with strong hiring practices.

A comprehensive hiring program contains several standard components, such as pre-employment drug screening, criminal background checks, and reference checks. But perhaps none are more important than the Post-Offer Medical Questionnaire (POMQ). As health conditions, such as obesity, diabetes, and previous surgeries continue to contribute to Workers’ Compensation costs, employers who incorporate the POMQ can rest easy knowing they’ve taken every step necessary to ensure that employees can perform the essential functions of the job, without endangering themselves or others.

What is a POMQ and How Does it Mitigate Potential Injuries?

The POMQ is a document with questions about a prospective employee’s prior medical history.  The POMQ helps an employer understand if the individual will be able to complete the essential functions of the job with or without a reasonable accommodation. Its goal is to help match the candidate to the physical requirements of the job and prevent putting an employee in a job that could be unsafe for him or her, other employees, and the company. It’s good stewardship. 

Let’s use an example to illustrate: An employer in the home healthcare industry employs nurses who travel from one home to another to provide care. The company conducts pre-employment drug screening, motor vehicle record checks, as well as criminal background checks and reference checks, but it does not use a POMQ as part of its hiring practices. One day, while making a sandwich for a client, an employee bends over to pick up a piece of silverware that has fallen off the counter. When he stands up, he feels pain in his lower back and decides to file a Workers’ Compensation claim. When the claim is received by the insurance carrier, it is determined that the employee has had two prior back surgeries and that picking up the piece of silverware has aggravated his pre-existing back condition. After a doctor’s assessment, the employee is scheduled for a third back surgery, which will cost approximately $100,000. It is estimated that this claim alone will increase the employer’s experience modification rate from a 1.00 to a 1.50, which will cost the firm $500,000 in additional Workers’ Compensation premiums over the next three years. The employer was shocked to learn of the employee’s prior health condition and is frustrated that the employee cannot return to a “light duty” job, because the employee has been written completely out of work. Additionally, the employer is worried that the employee was placed in a position that required lifting and walking assistance for an elderly client, and wonders about future lawsuits from “negligent hiring” practices.

In the example above, the employer could benefit greatly from the effective use of a POMQ.  Uncovering the prospective employee’s prior back surgeries would have allowed the employer to make a well-informed hiring decision, which would protect both the employee and its client population from injuries. For the POMQ to be “effective”, an employer must follow the rules of its use.

How to Use the POMQ

Under the Americans with Disabilities Act (ADA), employers are allowed to conduct medical inquiries of prospective employees as long as certain rules are followed. First, the document can only be used after a job offer has been made (i.e., “post-offer”), but before the employee is placed into the job. This means, for example, an employer cannot ask an applicant to complete a POMQ while filling out an application. Just as with background checks and drug tests, POMQs can also be part of the contingent post-offer process, but only if all new employees in the same job category are required to complete a POMQ.  All information on the POMQ is protected health information and must be handled responsibly (typically by HR), kept confidential, and secured separately. 

An applicant must be provided with a copy of the written job description that outlines the physical requirements of the job. The questions on the POMQ must be “job-related and consistent with business necessity.” This means that the job must contain physical exertion that has been documented and is essential. It also means that employers cannot inquire about any family medical history. The job description in our home healthcare scenario, for example, may require employees in the position to be able to lift 50 lbs. The POMQ will include a question related to the amount of weight an individual can comfortably lift unassisted. If the candidate is unable to meet this requirement, the employer will solicit a medical opinion and provide the doctor with a copy of the written job description. The candidate can meet with his or her own physician or with the company physician to determine if the job requirement can be met and what, if any, accommodations can be made to meet those requirements.  

Depending on the physician’s medical assessment, the employer (assisted by feedback from the candidate), must determine if the recommended “reasonable accommodation(s)” can be made to enable the candidate to meet the essential requirements of the job. This may involve modifying the job, if possible, or purchasing additional equipment to help with the task, depending on whether this is a reasonable expectation for the business to undertake. If no reasonable accommodation is available, an employer can withdraw the offer. 

POMQ Red Flags

There are certain red flags to look for in a POMQ. Ensure that every question on the POMQ is answered. Often, we see a candidate forget to complete a question or perhaps even refuse to answer a question. All questions should be addressed to avoid potential issues down the road. Look carefully to see if the candidate documents something that doesn’t match with the requirements of the job to address any discrepancies or potential problems. Also, make sure the document is signed by the candidate. 

Note: If a candidate is untruthful on the POMQ and aggravates a pre-existing injury on the job, in many states the claim may be denied. In most cases, the injury/aggravation must be to the same body part where he or she suffered a prior injury which was not disclosed. Typically, it must also be established that the employer would not have hired the employee if he or she had indeed disclosed the prior injury and the injury would not have allowed him or her to safely perform the essential functions of the job, with or without a reasonable accommodation.

At Prescient National, we believe that well-informed hiring decisions drive down costs and improve employers’ profitability. Used correctly, a POMQ is a good tool to optimize employee safety and to help mitigate potential claims. Hiring employees fit for duty is productive for the staff, insulates an employer from legal liability, and enhances safety throughout the organization.

Moody’s Says COVID Impact on Insurance was ‘Moderate’

Moody’s opinion echoes that of NCCI regarding the impact of COVID on the Workers’ Compensation system. More rate decreases to come???

Neither COVID-19 nor legislation enacted because of it has seriously harmed the creditworthiness of the property and casualty insurance sector, according to a report released by Moody’s Investors Service on Friday.

Businesses have filed about 1,700 business-interruption claims because of COVID-19 shutdowns, but those cases are largely being decided in favor of insurers, Moody’s said.

“US property policies typically require direct physical loss or damage to the property for business interruption losses to be compensated,” Moody’s said. “Moreover, most policies specifically exclude coverage for losses caused by a virus or communicable disease.”

But the battle for coverage, of course, is far from over. Only 20% of the cases filed have been resolved so far.

“A handful of courts have recently ruled in favor of insured parties despite standard policy wordings,” the report says. “Additionally, court decisions are subject to appeal, a process that could take years to resolve.”

Moody’s says it believes that ultimately, policy provisions will limit insurers’ business-interruption losses in the United States.

“Nevertheless, we expect the ongoing litigation will lead to inconsistent outcomes, appeals to higher courts, elevated legal costs, and some uncertainty on this matter for the next couple of years,” the report says.

For workers’ compensation, which makes up 14% of commercial line P&C premiums, the coronavirus pandemic has had only a “moderate” impact on claim costs, the report says. Moody’s echoed a report by the National Council on Compensation Insurance released earlier this month that said total COVID-19 workers’ comp losses amounted to $260 million in the US.

“The severity of these claims was generally low with 95% of the claims less than $10,000,” Moody’s said. “With more states enacting presumption laws in 2021, insurers will see additional claims but we expect them to be moderate.”

While the passage of presumption laws led to more claims for work comp, state lawmakers also enacted laws that limit exposure for commercial liability. Moody’s said the coronavirus liability protection for businesses that was adopted by most states is a “credit positive” for insurers.

The report says eventually, government might step in to create a public-private risk sharing agreement to cover business interruptions caused by future pandemics. Moody’s said bills were introduced in a number of states last year that would have required insurers to pay COVID-19 business-interruption claims, but none passed.

“With an eye toward future pandemics, some insurers and US legislators are considering public-private risk sharing arrangements to compensate small and large businesses for business interruption caused by pandemics,” the report says. “Common elements of these proposals are that P&C insurers would administer the coverage and assume a limited portion of the risk, while the US government would assume the bulk of the risk.”

The Risk with Search Engines

It’s no secret that your technology company depends on the capabilities of your computer systems to function. You should be aware that simple actions your employees take could be putting your company’s equipment and networks at risk of cyber-crime, including cyber-attacks, cyber theft and other computer security incidents. The average cost of a single cyber-attack is incalculable—cyber-attacks can directly target finances and ruin a business’ reputation. Your business is at stake, and you should do everything you can to protect yourself.


The Risks of Web Searches

As an employer, you should educate your employees about searching for certain topics on the internet due to the risk of coming across websites infected with viruses or malware that could be detrimental to your computer systems. Stress that the potential for cybercrime could affect employees individually as well as the business as a whole. More than 90 percent of companies surveyed by the DOJ incurred either monetary loss, system downtime loss or both because of cybercrime, so take it upon yourself to put search engine guidelines in place.


The Web’s Most Dangerous Search Terms

Common term searches conducted online can expose your business to the risk of cyber-crime. Encourage employees to avoid following suspicious results in search engines. Any result that promises free products or materials is suspect. The least risky search terms are usually health-related topics and searches about economic news. It is essential to remember that the number of dangerous search terms is ever changing. Hackers want to impact the highest number of people with the least amount of effort, so they aim for popular search terms most. Ill-intentioned hackers also adapt quickly to the fast-paced nature of the internet and the public circle, so oftentimes social or celebrity events popular at a given moment climb quickly to the top of the internet’s most dangerous search terms and are a high risk for infecting your company’s computers.

According to the DOJ, industries considered a part of critical infrastructure businesses account for a disproportionate amount of computer security incidents. If your company is in any of these industries, be especially careful about internet searches to ensure computer safety and protect against potentially devastating loss, both monetary and in down time:

  • Agriculture
  • Chemical and drug manufacturing
  • Computer system design
  • Finance
  • Health care
  • Internet service providers
  • Petroleum mining and manufacturing
  • Publications/broadcasting
  • Real estate
  • Telecommunications
  • Transportation and pipelines

Take Precautions to Protect Your Business


There are examples of companies and organizations around the globe that had to shut down operations to address a large-scale virus or other malware issue. These problems can affect both large and small businesses and can cost hundreds of thousands of dollars to fix. Avoid putting yourself at risk by doing the following:

  • Enact a stricter internet use policy
  • Put stricter website blockers or filters in place
  • Educate employees about the hazards that risky search engine exploration can present

Some of these solutions may cost you in the short run, but lowering your risk will ultimately save your company in potential identity fraud, monetary cyber theft or informational cyber theft in the future.

Friday, May 14th, 2021

Happy Friday Everyone!

As the 19th week of 2021 draws to a close, we would like to remind you of a few great posts from this week – in case you missed them!

Paul Hughes provided us with an excellent update on the PEO footprint across the country at this time.  As Economy and Industry both seek to find firm footing in this new (almost) post-pandemic reality, PEOs will continue to emerge as an intelligent and refreshing solution for employers of mobile, diverse and complex workforces.  Enjoy his piece discussing 10-99 Employee Firms and PEOs via the following link.

Angela Slaney reminded us of the ever present threat of cyber exposures in this tech savvy modern age.  Her piece provided us with some great recommendations on how to be proactive in protecting your organization by implementing some of the latest technology in cyber protection.  Check out her post at the following link.

Stay safe, stay healthy, and be happy this weekend!!

Bill Attacking PEOs in FL House Commerce Committee Not Being Heard This Week

I am happy to understand from our friends at the Florida Association of Professional Employer Organizations (“FAPEO”) that Florida House Bill 1305 will not be heard by The House Commerce Committee Agenda for their Tuesday, April 6th meeting. The House Commerce Committee agenda can be found here – https://www.myfloridahouse.gov/Sections/Committees/committeesdetail.aspx?CommitteeId=3098

…along with all of the members of this committee.

While FAPEO and NAPEO will continue working with members of the committee to help them understand this is a bad bill, it cannot be stressed enough how much your grassroots efforts have slowed down the momentum of what seemed to be a runaway freight train a few weeks back. Thanks for stepping up, but it’s not over yet this year, never mind in the future. There has never been a gap in what a PEO covers and we need to use this opportunity to memorialize this lack of issue. It should be noted this bill can still appear on a future committee meeting agenda this year and for sure if not passed, will be teed up for another run next year at PEO.

Thank you for all of your help with this bill and let’s not just defeat it this year, let’s bury it for good.

*** A reminder announcement from FAPEO on the bill below ***

From: Robert Skrob 
Subject: Bill Attacking PEO

HB 1305 – Workers’ Compensation Insurance for Employee Leasing Companies has been assigned to the House Commerce Committee.  At 4:30 pm this Friday we will find out if the bill will be considered at the House Commerce Committee next Tuesday.  

The time for outreach to members of the committee is NOW.   

Here’s text of the bill so you can see how damaging that language could be to the PEO Industry. 

Like the bill before, the amended bill shifts liability from construction contractors to PEOs for workers compensation fraud.  

Will you support our efforts to kill this bad bill by sending  an email to members of the House Commerce Committee? If this bill moves forward, these are the individuals who will consider this bad proposal.  It’s important to start our outreach now.  

If you know any of these Representatives personally, please let me know.  

Here are some talking points to select from and adapt for this communication:  

  • An employee leasing company covers 100 percent of their employees with workers compensation coverage.
  • What bill proponents call a “gap in coverage” is simply workers compensation fraud in construction (paying under the table) and has been persistent in Florida in the traditional business model as well with subcontractors utilizing an employee leasing company arrangement.
  • Rather than work to address the underlying problem of workers comp fraud, the bill only shifts liability from general contractors to employee leasing companies for workers comp fraud.
  • This bill would only increase workers compensation fraud in construction in Florida.
  • It financially encourages general contractors to turn a blind eye to both the price of a subcontractor’s work and checking workers for employees of subcontractors who are on their jobsite without required workers compensation coverage.

Here are the individuals to contact: 

Representative Webster Barnaby (Orange City)  Webster.Barnaby@myfloridahouse.gov

Representative Dan Daley (Sunrise) Dan.Daley@myfloridahouse.gov

Representative Brad Drake (DeFuniak Springs) rad.drake@myfloridahouse.gov

Representative Joe Geller (Dania Beach) joseph.geller@myfloridahouse.gov

Representative Chris Latvala (Clearwater) Chris.Latvala@myfloridahouse.gov

Representative Randy Maggard (Zephyrhills) randy.maggard@myfloridahouse.gov

Representative Lawrence McClure (Plant City) Lawrence.McClure@myfloridahouse.gov

Representative Angela ‘Angie’ Nixon (Jacksonville) Angie.Nixon@myfloridahouse.gov

Representative Anika Tene Omphroy (Sunrise) Anika.Omphroy@myfloridahouse.gov

Representative Scott Plakon (Longwood) Scott.Plakon@myfloridahouse.gov

Representative Rene Plasencia (Titusville) Rene.Plasencia@myfloridahouse.gov

Representative Anthony Rodriguez (Miami) Anthony.Rodriguez@myfloridahouse.gov

Representative Bob Rommel (Naples) Bob.Rommel@myfloridahouse.gov

Representative Jason Shoaf (Blountstown) jason.shoaf@myfloridahouse.gov

Representative David Silvers (West Palm Beach) David.Silvers@myfloridahouse.gov

Representative Emily Slosberg (Delray Beach) Emily.Slosberg@myfloridahouse.gov

Representative Josie Tomkow (Auburndale) Josie.Tomkow@myfloridahouse.gov

Representative Matt Willhite (Wellington)   Matt.Willhite@myfloridahouse.gov

Thank you for your help. 

To give you a bit of perspective on where this bill is in the legislative process: to become law, this bill would have to pass the House Commerce Committee before reaching the House floor, getting on the agenda and passing the House. In addition, this bill would need to pass through three committees in the Senate and pass through the Senate floor vote with the exact same language as the House bill. And, all of this would have to happen by April 30th.

We are fighting to kill this bill every step of the way.  Your efforts are a huge help. Thank you! 

Ransom seeking hackers taking advantage of server flaws

Content was taken from Reuters, Mr. Raphael Satter (click here for original article), and from The Insurance Journal’s Mr. Jeff Mason (click here for original article).

Since Microsoft announced a series of vulnerabilities in its widely used mail server software on March 2, 2021, the biggest threat has been from hacker groups holding users hostage by preventing access to their data unless large sums of money are paid. One security firm had counted 10 separate hacking groups taking advantage of the flaws – with ransomware targeting being the most serious of the threats.

On Sunday, the White House urged computer network operators to “take further steps to gauge whether their systems were targeted.” Despite a recent software patch, concerns over remaining vulnerabilities continued to loom. The remedy still leaves open a so-called back door that can allow access to compromised servers and perpetuate further attacks by others. The back channels for remote access can impact credit unions, town governments and small businesses, and have left U.S. officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency.

CNN reported that the Biden administration was forming a task force to address the hack. The White House official, in a statement, said the administration was making “a whole of government response.” A Microsoft representative said that the company is working with the government and others to help guide them accordingly. Microsoft has also urged those impacted to install patch updates as soon as possible.

Neither the company nor the White House has specified the scale of the hack. Microsoft initially said it was limited, but the White House last week expressed concern about the potential for “a large number of victims.” So far, only a small percentage of infected networks have been compromised through the back door, the source previously told Reuters, but more attacks are expected. We will continue to monitor the situation as it develops.