RiskMD; Risk Management for Today and Beyond

Risk management is foundational to the insurance industry at large, not only as a means to ensure the pricing integrity of insurance products but, most importantly, to continue to achieve and maintain safer, healthier environments for all. Innovation in this space should be recognized, encouraged and celebrated. To that end, we celebrate RiskMD!

RiskMD holds one of (if not the) only patents specific to PEO.  This patented business intelligence platform organizes insurance-related data in a proprietary way to empower risk managers and insurance executives to completely change the way they approach decision making.

Risk managers and insurance executives spend countless hours poring over numbers in search of opportunities to mitigate losses and increase profitability. This requires many hours of tedious work, compiling and deciphering mountains of data using multiple complex tools, and the experience and instincts to find actionable insights.

RiskMD completely reshapes this process. The technology seamlessly automates data aggregation and integration to provide clear and meaningful insights with detailed and impactful visualizations. It gives users the ability to schedule recurring reports for quick and easy insights on demand, while also allowing for more advanced users to dig deep into the numbers and find the most granular of opportunities.

What makes RiskMD unique? Where did the concept come from?

RiskMD is an insurance data analytics tool that was built with the goal of changing the way the industry uses data to understand loss ratios and maximize profitability for any given insurance transaction. It’s a system and method for the valuation, acquisition, and management of insurance data. The concept was developed by Paul Hughes, the Founder and CEO of RiskMD, with the idea of bringing the mentality of stock trading analytics to the insurance world.

This system follows a patented process that uses a common identifier, the Federal Employer Identification Number (FEIN), to efficiently and effectively aggregate data in a new and powerful way. The process makes it possible to funnel data into the system without the need for labor-intensive manual input.

The use of FEIN also enables a more precise normalization of the data so that it can be more easily manipulated. This allows users to easily drill down to a deeper level for more impactful insights.

Another unique feature of the tool is that it’s designed to produce insights, rather than requiring users to find the insights themselves. Without RiskMD, risk managers and insurance executives have to dedicate countless hours to building and manipulating spreadsheets and pivot tables, then try to search the resulting data points to verify whatever insights are available to be found. RiskMD compiles the data much more efficiently and can be pre-programmed to surface the most important insights automatically, presenting them visually through the use of graphs, tables, and charts.

Whether risk managers and insurance executives are using it to manipulate data in real-time on their own or relying on custom reports that are delivered automatically, those using RiskMD have a competitive advantage over those who don’t.

How is RiskMD relevant to core concerns of risk managers?

One of the most critically important concerns for insurance executives is to maintain profitability across a book of business. They manage the total cost of risk, which can come from claims paid, or dollar values that are paid internally within a deductible limit, and additional costs that aren’t easily quantified, like the value of opportunity costs missed. Their ability to do this depends heavily on using data to gain an understanding of which accounts might create profitability issues. Without knowing which accounts are presenting exposure points and fueling losses, a risk manager cannot effectively manage them. This leads to reactionary behaviors rather than proactive ones.  Minor “hot spots” can become major loss leaders.

RiskMD gives risk managers the ability to quickly and easily see loss ratios for each account or exposure in their book of business, in real-time, through visualizations. If profitability is the macro problem, RiskMD is a tool that helps take a granular look to find the micro issues that cause that macro problem. This prevention-based approach maximizes profitability.

How is RiskMD effective in solving one or more problems in the risk management process?

Managing risk effectively and profitably relies on finding and addressing loss leaders proactively. To do this, risk managers face the problem of compiling and deciphering large quantities of data. This process is labor-intensive, time-consuming, and typically requires a deep knowledge of multiple data manipulation tools. Even with all the tools and manpower, the problem is often compounded when insights go unfound, like a needle in a haystack.

At its core, RiskMD is a risk assessment and analysis tool. It simplifies the data evaluation process and allows C-Level Executives and Risk Managers to discover key insights that help them make better business decisions. Using visualizations for risk identification makes insights easier to find and understand at all levels. Delivering performance metrics in real time through visualizations ensures that the internal and external stakeholders of an insurance transaction can always “keep score.”

How is RiskMD presented to risk managers to ensure ease of understanding and use?

RiskMD is an incredibly robust data analysis tool. The sheer volume of information and insights that it provides can be overwhelming. With that in mind, the platform was specifically designed to make those insights as easy to access as possible using Tableau Software, which is the industry standard for user-friendly data visualization.

Using the automatic data-input process and the interpretations made possible by the proprietary algorithms, RiskMD delivers insights to the user or insurance executive in the form of graphs, tables, and customizable gauges. These visualizations are designed to make understanding the insights simple and easy enough for any user to understand. They are color-coded in a green-to-red, “stoplight” method that makes quickly understanding areas of potential risk easier.

RiskMD provides automated reports that can be built once and then scheduled for direct delivery at the desired interval. This allows a more hands-off approach in which the most important indicators are delivered directly to the user’s desk, ensuring consistent oversight.

For users with a higher degree of data acumen, RiskMD allows them to pull various levers and manipulate data to gain deep and precise insights that would otherwise be extremely time-consuming to uncover. This ability to “slice and dice” information provides a level of understanding that makes a user’s ability to mitigate potential losses invaluable.

What results and objectives are achieved by RiskMD in a risk management setting?

Benchmarks are instrumental in providing key insights using data. RiskMD houses more than 100,000 claims files and exposure data for more than 20,000 client companies. This cache of data allows RiskMD users to benchmark against RiskMD proprietary data, as well as industry data. That ability to benchmark against the proprietary data became incredibly useful during the COVID-19 outbreak.

The insurance industry cycles through exposure, premium, and claims data on a period of about 12-18 months when accounting for audit periods. RiskMD cycles through this data on a bi-monthly basis due to data ingestion from its expansive PEO clientele, which report on a “pay-as-you-go” basis. When the global Coronavirus pandemic shut down the economy and upended the industry, NCCI, the preeminent Workers’ Compensation Bureau, contacted RiskMD for insights on how COVID was affecting claims and payroll.  RiskMD was the only known source that could provide real-time insights on jobs and job-related COVID claims. RiskMD provided NCCI with important insights as to how COVID affected jobs and payroll nationwide by quantifying claims incurred versus the reduced premiums collected.  This accurate capture of loss ratio was simply not available anywhere else due to the proprietary source of “pay-as-you-go” payroll exposure information.

Critical Infrastructure Cyberattacks on the Rise

Critical infrastructure cyberattacks are increasing in frequency according to Advisen’s loss database, and some experts are worried the worst is yet to come.

There are sixteen industry sectors in the United States that make up the country’s critical infrastructure. These sectors are considered so vital their incapacitation or destruction would have a debilitating effect on national security, economic security and/or national public health and safety, according to the United States’ Cybersecurity and Infrastructure Security Agency (CISA). Poisoned water supplies, opened dam floodgates and pipeline spills are a few of the many worst-case scenarios that could result from a cyberattack on critical infrastructure. The sectors that have been designated as critical infrastructure include the following:


  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Health care and public health
  • Information technology
  • Nuclear reactors, materials and waste
  • Transportation systems
  • Water and wastewater systems

Further, recent critical infrastructure attacks in Advisen’s loss database include:

  • A ransomware attack in June 2021 on JBS meatpacking temporarily shut down all operations. The meatpacking company—which processes roughly one-fifth of the nation’s meat supply—paid an $11 million ransom to become operational again.
  • A ransomware attack on the Colonial Pipeline, the nation’s largest fuel pipeline, occurred in May and temporarily shut down all operations, causing a temporary increase in gas prices in the United States. The Colonial Pipeline paid nearly $5 million in ransom to restore operations, although some of the ransom was later recovered, according to Advisen loss data.
  • Hackers briefly attempted to increase the levels of sodium hydroxide to a lethal amount as part of a February cyberattack on a water treatment plant in Florida. The plant operator quickly noticed the increase in sodium hydroxide levels and lowered it to the original amount, preventing anyone from being harmed, according to Advisen loss data.

Frequency of Critical Infrastructure Cyberattacks

Unfortunately, cyberattacks on critical infrastructure are becoming increasingly common. Since 2008, the frequency of cyberattacks on critical infrastructure has been trending upwards, according to Advisen loss data. The drop-off in 2019 is likely due to a data lag and is not reflective of an actual decrease in frequency.

Looking specifically at the sectors designated as critical infrastructure, the utilities sector was the most frequent target of cyberattacks, accounting for 26% of total losses, according to Advisen loss data. Manufacturing had the second-highest percentage at 23%, followed by government entities (shown as public administration) at 17%.

The vast majority of critical infrastructure cyberattacks come from external sources. Unidentified external hackers account for the greatest percentage of these attacks at 39%, followed by nation-state attacks at 34%, according to Advisen data. These attacks typically involve malware.

*Advisen’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.

OSHA Will Not Amend its COVID-19 ETS Despite CDC Guidance

OSHA recently determined it will not be making changes to the healthcare emergency temporary standard (ETS) after reviewing the latest guidance, science and data on COVID-19, and the recently updated CDC face mask guidance. However, OSHA will continue to monitor and assess the need for changes monthly.

OSHA determined that neither the CDC’s guidance on health care settings nor the underlying science and data on COVID-19 in health care settings has materially changed in a way to necessitate changes in the June 10, 2021 ETS.

Revised CDC Guidance

The CDC recently announced updates to its face mask guidelines, recommending that fully vaccinated individuals should wear a mask in public, indoor settings in areas where there is high or substantial COVID-19 transmission, including transmission of the new coronavirus delta variant. Prior to this update, the CDC guidance allowed fully vaccinated individuals to stop wearing a mask in most settings.

OSHA’s Healthcare ETS

Since OSHA has not changed its requirements for the healthcare ETS, the face mask exceptions under the standard still apply. The healthcare ETS covers employers in various health care industries, such as hospitals, nursing homes, assisted living facilities, emergency responders, home health workers and employees in ambulatory care settings where suspected or confirmed COVID-19 patients are treated.

Next Steps

Health care employers should continue to monitor the OSHA website for updates on how changes in COVID-19 transmission affect agency policy and guidance. OSHA will continue to assess the need for changes monthly.

ETS Face Mask Exceptions:

Employees are not required under the healthcare ETS to wear face masks when:

  • They are alone in a room;
  • They are eating & drinking;
  • It is important to see a person’s mouth while communicating;
  • Employees are unable to wear face masks due to a medical necessity or condition; or
  • Use of a face mask presents a hazard to an employee of serious injury or death.

FAPEO Annual Business Meeting arrives in Tampa Bay August 4, 2021

The Florida Association of Professional Employer Organizations is comprised of organizations which provide integrated, cost effective solutions for the management and administration of human resources for its clients by contractually assuming employer rights, responsibilities, and risk, and by establishing and maintaining an employer relationship with the workers assigned to client companies.

As mentioned in a post by Libertate Insurance’s Vice President, Sharlie Reynolds, last Friday, FAPEO will hold their Annual Business Meeting and Board of Directors Meeting on August 4th, 2021 at the Tampa Marriott Westshore. In addition to plenty of discussion surrounding the ongoing wave of ransomware attacks and coverage options to help client companies offset potential losses from said attacks, there are currently a plethora of ongoing bills that could impact PEOs. FAPEO has shown their commitment to making sure that the professional employer organization industry has the appropriate representation and necessary spotlight in favor of or against the following list of bills in circulation: https://www.fapeo.org/legislation-impacting-peos/


A look at the history of the PEO Industry in Florida

FAPEO provides a colorful timeline as to how PEOs came into existence in the state of Florida (click on https://www.fapeo.org/history/).

Listening to early participants in the PEO industry describe how the industry came to be established in Florida, Margaret Mead’s inspirational quote comes to mind. Attorney Michael R. Miller, the general counsel of the Florida Association of Professional Employer Organizations (FAPEO) since its inception, says that the biggest surprise looking back at the history of the industry and the association is that “a ragtag band of novice employee leasing entrepreneurs” could get bills passed to establish and license PEOs in Florida.

Interviews with several of these “novice employee leasing entrepreneurs” form the basis of this history of the PEO industry in Florida, and their stories are compelling, inspiring, and yes, surprising.

Early History of the PEO Concept

Employee leasing in the United States began as early as the 1940s. In the early 1970s, the concept was popularized by a consultant named Marvin Selter, who leased the employees of a doctor’s office in Southern California. The Employee Retirement Income Security Act of 1974 (ERISA) contained an exemption for multiple employer welfare arrangements (MEWA), which provided a loophole for employers with leased employees to claim they were exempt from the ERISA requirements. Passage of the Tax Equity and Fiscal Responsibility Act of 1982 (TEFRA) further encouraged employee leasing by providing a tax shelter for employers who contributed a minimum amount to employee plans. More stringent guidelines in the Tax Reform Act of 1986 later eliminated most of the TEFRA incentive, however.

To read the entire history of the PEO industry in Florida, as written and provided by FAPEO on their website, click on https://www.fapeo.org/history/. Take the historical journey from what initially started as employee leasing in the ’70s and ’80s, with business being done with a handshake, on through to when H. Britt Landrum, Jr., started asking questions as the first CEO of LandrumHR in Pensacola. Landrum founded AmStaff in 1970, an employee staffing company that later became the full-service PEO it is today.

He remembers reading an article in Inc. magazine in 1981 about a company called Staff Leasing of America. The leadership of Staff Leasing had been successful in getting a bill passed in Congress that made it possible for highly compensated professionals such as doctors and lawyers to exclude their employees from their pension plans if they leased the employees from an employee leasing company. “When I saw that article, I picked up the phone and talked to the owner of Staff Leasing of America,” Landrum recalls. “By that time he wanted to sell franchises or license others to be involved with him so they could pay him a royalty.” Landrum also called a Staff Leasing client who had been mentioned in the Inc. article to find out why a business would want to use an employee leasing company. The answer was simple and direct: “It makes it much easier for me as an employer to handle some of those employer-employee administrative things.”


Libertate Insurance hopes to see everybody at FAPEO in Tampa for the Annual Business Meeting; August 4th’s agenda is as follows:

This is Why You Should Double Check Your Cyber Insurance Policy

Whether a business is in healthcare, accounting, legal, real estate, manufacturing, etc., most of a business’ important assets are digital. (Government municipalities are included too.) To make matters complicated, it’s very common for these digital assets to be stored in various systems and locations, intertwined with a third party’s digital information. With so many opportunities for disaster, steps must be taken to insure this critical information.

Cyber insurance is a new frontier that is rapidly evolving as the industry gets its bearings. Many companies are finding that their current cyber policies have very minimal coverage in case of a cyber breach, and the majority of these policies will not come close to providing the necessary breach coverages to the business or municipality.

When looking at your existing or new cyber policy, it’s important to consider these types of coverages:


“As we have come to realize, the idea that security starts and ends with the purchase of a pre-packed firewall is simply misguided.”

Art Wittman

1. Privacy Breach Notification

Some reports estimate the notification and credit monitoring costs alone are over $100 per record, so if you had 1,000 compromised records, this alone could cost $100,000 or more.

2. Data Loss Restoration

Believe it or not, many large insurance carriers have policy exclusions for the replacement and restoration of data, so be very careful in this area when reviewing your policy.

3. Privacy Liability

This covers the theft or loss of private information related to customers and other third-party information that is in your care.

4. Regulatory and PCI Defense

Many industries are under strict regulatory control, and breaches may result in fines and other penalties from these regulatory agencies.

5. Public Relations

If an enterprise has a breach, the bad press it receives can do significant long-term reputational damage and can also be used by competitors to their advantage. This coverage will help hire a public relations firm to mitigate the reputational damage your name brand might incur.

6. Cyber Crime

If your organization is threatened with various cyber threats such as malicious code that will result in financial loss or data loss, this coverage is needed for the reimbursement of the costs associated with these threats.

7. Defense and Settlement Costs

A breach affecting a lot of customers may result in lawsuits and financial settlements, so insurance coverage is needed to offset these potentially enormous costs.

8. Consulting and Forensic Fees

If a breach does occur, the upfront investigative process will require a lot of professional expertise and a lot of money, and this specific coverage will offset these significant costs.

9. Business Continuity

If a hack causes your business to lose income, this coverage will reimburse you for these losses.

“It takes 20 years to build a brand or company reputation and a few minutes within a cyber incident to ruin it.”

Stephane Nappo

For a free cyber insurance policy evaluation, contact Libertate Insurance today at 813-367-7574 or email me, James Buscarini at jbuscarini@libertateins.com.

Our professionals are happy to review and discuss your firm’s existing cyber liability insurance policy and how it relates to your unique business requirements, needs and cyber coverage. Our goal is to help your PEO and client companies navigate the cyber liability insurance landscape and identify potential vulnerabilities that could be exposed based on your existing technology network and infrastructure. Finally, we want to make sure that in the event of a ransomware attack, business email compromise or phishing expedition, your firm has adequate coverage in each of the areas where you might be targeted.

EEO-1 Deadline For 2019 & 2020 Now Extended to August 23, 2021

Employers now have some extra time to submit equal employment opportunity (EEO-1) workforce data from 2019 and 2020, the U.S. Equal Employment Opportunity Commission (EEOC) announced on June 28, 2021. These reports were previously due by July 19, 2021. Employers now have until Aug. 23, 2021, to complete their submissions.

The EEOC’s collection of this data, the portal for which opened on April 26, 2021, had been delayed numerous other times due to the coronavirus pandemic. Under Title VII of the Civil Rights Act, the EEO-1 Report is usually due by March 31 every year.

EEO-1 Reporting Background

The EEO-1 Report is an annual survey that requires certain employers to submit data about their workforces by race or ethnicity, gender and job category. The EEOC uses this data to enforce federal anti-discrimination laws.

Employers Subject to EEO-1 Reporting

In general, a private-sector employer is subject to EEO-1 reporting if it:

  • Has 100 or more employees;
  • Has 15-99 employees and is part of a group of employers with 100 or more employees; or
  • Is a federal contractor with 50 or more employees and a contract of $50,000 or more.

Employers that are subject to EEO-1 reporting now have until Aug. 23, 2021, to submit data from 2019 and 2020.

Employer Action Items

Employers subject to EEO-1 reporting requirements should ensure that they complete their EEO-1 submissions by Aug. 23, 2021. These employers should also review the EEOC’s home page and website dedicated to EEO data collections for additional information.

Important Dates

  • July 19, 2021: Prior deadline for submission of 2019 and 2020 workforce data.
  • Aug. 23, 2021: New deadline for employers subject to EEO-1 reporting to submit 2019 and 2020 workforce data.
  • March 31, 2022: Deadline for submission of EEO-1 data from 2021.

CYBER RISKS & LIABILITIES – Penetration Testing Explained

Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach.  It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?


Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others. Generally speaking, penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack. 

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.


Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      • What is my organization looking to gain or better understand from penetration testing?
      • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      • The general testing timeframe
      • Who will be made aware of the test
      • The test type and format
      • Which regulatory requirements (if any) must be satisfied through the test
      • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client companies’ interests through our affordable Master Cyber Liability program, email James Buscarini, FL License #A036520, at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A-rated carrier, 250K in coverage, no underwriting, and a revenue generator!