All posts tagged coverage

How to Avoid Having Your Cyber Claim Denied

cyberattacker

You no doubt have seen our admonitions about the need for businesses to secure cyber insurance policies that can help defray the costs of an attack on your network or a theft of your employees’ or clients’ personally identifiable information.

Businesses are faced with increasing threats and cyber criminals are constantly working to devise new ways to infiltrate organizations’ databases and extract information or find some way to monetize their hacks.

Cyber insurance can help your business recover from these events, but as with all insurance, there are risks that are covered and those that aren’t – and you often will have a certain amount of time to file a claim once you’ve incurred damage.

Your claim may be denied if you file too late, don’t understand your coverage, don’t understand your exclusions or don’t get the insurance company involved early enough, according to the insurance news website PropertyCasualty 360.

In order to best ensure that your claim gets paid, you should do the following:

 

  1. File your claim on time

Most cyber policies are written on a “claims made” basis, meaning they will only cover claims that are made when the policy is in effect. If someone files a claim against your company after the policy expiration, it would likely be rejected.

Some policies may include language that allows claims to be made for a few months after the policy expires, but not all policies contain this language.

Also, if your organization experiences a cyber event that may eventually lead to a claim, it’s important that you notify your insurer during the policy period. This is really important because if you fail to alert the insurer about it early in the process, they may deny the claim.

You need to communicate to your staff (particularly any information technology personnel) that they need to alert management about any suspicious activity on your networks. Make sure that you create a policy for staff to report all suspicious activity so that it can be investigated further to see if it merits reporting it.

 

  1. Understand the depth of your coverage

Because cyber policies are a relatively new phenomenon and continuously evolving, coverage will often vary from insurer to insurer.

It’s important that when purchasing a policy that you sit down with us to discuss your exposures (such as if you store client credit card information on your servers). This can help us find the right coverage for your organization.

Coverage will vary depending on the type of business you are running, the technology you are using and what data or company intellectual property you want to protect.

Some policies will also require that you have specific protocols and software in place to reduce the chances of your data being hacked. For example, policies will require that the policyholder applies security patches, uses encryption technology and has a secure-socket layer to protect credit card data.

If you fail to have this in place when your policy is in effect, the insurer may reject your claim if your systems are breached.

Other areas that cyber policies will often differ on include:

  • Paying for any potential legal costs after a breach.
  • Paying for tools to remediate any exposure.

 

  1. Understand what’s not covered

All insurance policies have exclusions, and cyber policies are no different. There are many exclusions in cyber policies, but again, they vary from insurer to insurer. Examples of exclusions include:

  • If your data is compromised when sharing it with a vendor, such as a payroll provider.
  • If you have a system pipeline into a client’s network and the network is hacked.
  • Fraudulent entry into certain parts of your network systems.
  • Patent or copyright infringement.

 

Again, it’s crucial that you read your policy before signing and that you evaluate whether any existing or future contracts with vendors or clients fall outside the policy’s coverage area.

 

Two of the major areas of coverage you may want to look for in exclusions are:

  • Will the policy cover data that is stored outside of your network, either on the cloud or on a vendor’s network?
  • Will externally generated data be covered if a breach occurs within your system?

 

  1. Get the insurer involved early

When in doubt, reach out to us or the insurance carrier if you think you’ve had a breach. Even if it’s just asking questions or trying to clear up your uncertainty, it’s better to contact the insurance company so that the event rises to its radar.

It’s better to reach out early because it will give the insurer a chance to investigate the matter and determine if there has been any exposure.

This will give you peace of mind that you will be protected should the matter rise to the level of a genuine claim.

The worst thing you can do is to wait until after you’ve started receiving complaints from customers, vendors or regulators. At that point your insurer will have a much more difficult task on its hands.

Getting the insurer involved early will let it get ahead of the claim, which makes managing it easier – and it can limit the amount of fallout.

Think like a risk manager to reduce your insurance costs

All large corporations and national businesses have someone in charge of risk management, if not a whole department.

But hiring a risk specialist or dedicating a number of employees to that kind of work is typically too expensive for most small and mid-sized companies. So, this risk mitigation typically is left to the business owner or the duties are spread among senior managers.

One way that you can reduce the risk to your finances is to purchase appropriate insurance coverage, which can sometimes be expensive. However, if you focus on managing your company’s risks, you can do more than solely reducing the risk of accidents (and having to file claims).

Insurance companies like policyholders that try to manage their risks, and they reward them by reducing their premiums.

You too can reduce the cost of your insurance if you start thinking like a risk manager. In this article we provide you with some tips to do just that.

How far you want to go depends on how much time you want to spend honing your risk management skills. The more you learn, the better you will have a broad perspective of the various risks that your organization faces.

To start thinking like a risk manager, it helps to organize your risks into categories:

 

  • Human resources – Employees are your biggest asset, but they can also be one of your biggest liabilities. Businesses are regularly sued by their employees and job applicants for a number of alleged transgressions, such as discrimination, retaliation and hostile work environments. Some people are serial lawsuit filers.
    To reduce the chances of this, you need to screen job applicants and document everything, including candidate searches, interviews, hires, reviews, complaints and behavior or performance issues of your employees, especially if you have to terminate someone.
    Also, promote a culture safety with regular training, and strive to keep your workers happy, motivated and feeling like they have are vested in your enterprise.
  • Property and assets – Fire and theft devastate thousands of American businesses every year. Protect your property with fire and burglar alarms, and take precautions against damage from severe weather.
    Make sure that you keep your company’s data safe (especially any personally identifiable information on your staff and customers, and credit card information).
    Erect firewalls, install virus and malware protection and store vital company data on- and offsite. Develop an emergency response plan in case your data is compromised or if your network fails.
  • Income – This includes any risks that affect your company’s finances and income stream. Keep thorough records and meticulously quantify your costs of goods sold, gross and net income.
    Monitor your accounting and ensure that a chosen few of your staff have access to your accounts and check books.
    Protect your business income by having a solid supply-chain management plan in place, with connections made with backup suppliers should one of your current suppliers suddenly be unable to provide you with product.
    Have a contingency management plan in place to keep your business operating if disruptions occur due to equipment failure, a breakdown in transportation networks or natural disaster.
  • Liability – Every year there seems to be a new and novel lawsuit threat that companies never knew existed. Make sure that you do all you can to reduce the potential of liabilities to third parties, including vendors and customers and the public at large.
    Identify any hazards on your premises, and train your employees to drive carefully and not endanger your customers or the public.
    Keep your workplace safe, as well. Engage in proactive safety training and a program to identify potential hazards to your staff. Keeping your staff safe and reducing the risk of injuries keeps your workers healthy and safe – and your workers’ comp premium low.
    Have a social media policy with clear do’s and don’ts.

 

While there is much more that you can do, these tips are a good place to start in thinking like a risk manager and reducing the chances of your firm having to pay more than it should, or being sued.
Finally, consult with us as we can help you identify the biggest risks that your organization faces and what you can do to reduce those risks to a comfortable level.

Remember, insurance is there to pay for many of these issues, but to keep your rates as low as they can be and reduce the potential of fallout, put on your risk manager cap and get to work.

 

thinking-cap

Same-sex Marriage Ruling and Your Employee Benefits

In June, the Supreme Court ruled that same-sex marriages are valid and should be performed throughout the United States.

While the ruling in the case of Obergefell vs.Hodges  is about personal liberties, it also will have an effect on employers’ employee benefit plans – and you need to know how to respond.

First, in its ruling the court did not touch on sexual orientation discrimination in the workplace. As a result, the decision does not require employers to treat the same-sex spouses of their employees the same as opposite-sex spouses with respect to the provision of health and welfare benefits.

That said, though, despite not addressing those issues, the case will require that employers make changes to their employee benefit plans. There are a number of factors for you to consider if you already offer your employees and their spouses benefits.

 

Expanding eligibility

If you were not previously offering same-sex spouse coverage, you may wish to offer an off-anniversary open enrollment for any employee with a same-sex spouse to now add various health and other welfare benefit coverage. This is likely to affect a number of your benefits offerings, including health, dental, vision, dependent life or voluntary benefits.

In other words, any benefits normally offered to a spouse, as well as coverage for any children of a spouse, should be extended to same-sex couples. You should review your plan documents and insurance policies to determine if same-sex coverage jibes with their existing verbiage or whether you need to include new wording in order to extend coverage.

Additionally, you may want to revisit your employee handbooks, benefit guides, enrollment forms, and other materials that you typically give to employees or new hires.  Make sure the current wording in those documents properly communicates your benefits options and that they can apply to same-sex spouses if you offer family coverage.

Since the court case was not about benefits, but did in effect allow same-sex couples in all states to marry immediately after the decision, employers rightfully want to know when they should make changes to their benefits plans.

Benefits advisers recommend that if you are already offering family and spouse coverage via your employee benefits plans and you plan to extend the offering to same-sex spouses, you should consider the following:

  • When you want to start the new eligibility for same-sex spouses. You can either start immediately or pick a date in the near future.
  • When can employees begin to enroll? You may need to check with us to see if your current health plan carrier will allow open enrollment for an expanded eligibility of same-sex spouses and their offspring, if any.
  • Do you need to change any of your documentation?

 

Other considerations

Besides changes to your health plan, you have to consider other changes to your benefits offerings, as well as other administrative issues.

 

Taxes – As a result of the ruling, states must treat all spouses the same for tax purposes. That may require you to make changes in how you report benefits for same-sex spouse. In essence, the ruling should result in less administration on your part since a same-sex spouse will be treated the same as a spouse of the opposite sex. This is especially important if you have been offering domestic partner benefits.

 

Not extending coverage  – The Employee Retirement Income Security Act of 1974 gives employers a wide berth in deciding whether to extend benefits to same-sex spouses. But going this route can set you up for headaches in the future, especially if you’ve been offering benefits to opposite-sex spouses up until now. There are legal implications, like being targeted in a lawsuit by employees in same-sex marriages.

Although the Supreme Court has not addressed whether offering health coverage only to opposite-sex spouses constitutes impermissible discrimination, some state laws may prohibit employers from discriminating with respect to the provision of employee benefits.

It’s best not to be the employer whose case sets precedent in this arena.

 

Domestic partner benefits  – As gay marriage was already the law in a number of states before this decision, many employers have eliminated domestic partner benefits, which they extended to employees who were legally barred from marrying in the past.

But this benefit could still prove useful since there are individuals who are cohabitating with a partner and who don’t want to get married. If you do decide to do away with domestic partner benefits, you should give your employees notice that they will be phased out over a certain period (like between now and the next open enrollment).

 

 

 

Supply Chain Risk Lessons from the Ports Strike

The West Coast ports strike illustrates the dangers of just how fragile most companies’ supply chains are, as disruptions to the delivery of crucial items threatened the viability of many businesses during the industrial action.

Retailers waiting for shipments had empty shelf space where some items were supposed be, carmakers suspended operations because key parts were sitting on the docks or waiting to be unloaded, and some companies were forced to lay people off due to the ports’ inability to take in more cargo.

The fallout should come as no surprise. Whenever there is a supply chain disruption, companies suffer as products and key parts deliveries are delayed indefinitely. As more companies rely on just-in-time manufacturing and the supply chain stretches to all corners of the globe, small hiccups can turn into big problems.

Prudent companies address these challenges by building safeguards into their supply chains, and planning that includes contingencies. They enhance those risk management efforts by purchasing contingent business interruption insurance, which will cover lost profits if an event shuts down critical suppliers or major customers.

And while it’s typically the woes of big companies that make the news, the impact is felt far and wide – and small companies are especially vulnerable. That’s why it’s important that you create a solid plan for dealing with disruptions to your supply chain, as most every company has one to some extent.

 

Understanding your supply chain

You’ll be best able to reduce the effects of supply chain disruptions on your business by identifying the risks within your supply chain and developing ways to mitigate them. You should document this process in your risk management plan, which is part of your overall business continuity plan.

There are four main types of external supply chain risks, which are largely out of a business’s control:

  • Supply chain risks that are caused by any interruptions to the flow of products, whether finished goods, raw material or parts, within your supply chain.
  • Environmental risks, which are related to economic, social, governmental, political and climate factors – including the threat of terrorism – that affect the supply chain.
  • Business risks, which can be caused by factors such as a supplier’s financial or management stability, or purchase and sale of supplier companies.
  • Physical plant risks, which can be caused by the condition of a supplier’s physical facility and regulatory compliance. For example, if your key supplier has a machinery breakdown and can’t produce, or regulators shut the facility down, your supply chain will be affected.

 

Developing a plan

The best way to manage a supply chain disruption is to prepare for it. You should undertake a business impact analysis to prepare your business to address the impacts of supply chain disruption.

Form a team of key personnel that should include shipping and receiving, and management and supervisors involved in your key processes. The team should:

  • To mitigate risks caused by disruptions, consider lining up alternatives to critical suppliers in advance, as finding a new supplier in the midst of a crisis situation could be challenging. It’s important this is done in advance so that you aren’t trying to hunt down a new supplier during a disruption. Even if you find one, you still have to certify that it is able to meet your quality standards, which can be a time-consuming process.
    One option is to contract with a supplier in advance, so the contractor has already been certified and has capacity available as soon as a company loses a critical supplier.
  • Model the impact of disruptions on your sourcing and inventory strategies. You should do this for the four disruption types listed above, so that all contingencies are covered. Under these scenarios, think about how non-delivery of a key part or material would affect your operation. Examine the likely fallout and build contingencies based on those results.
  • Outline the steps that need to be taken for all of the “what if” scenarios that would affect your operations. Be realistic about assessing your capacity to respond to these scenarios. If you would be rendered unable to cope, start now in developing plans.
  • Engineer an actionable contingency plan for failure of any supply chain pillars. Identify key thresholds for executing risk-mitigating decisions, like sourcing from alternative partners, channels or alternative manufacturing and distribution systems whose risks are divorced from the preferred options.
  • Most disaster situations lead to chaos due to the non-alignment of multiple departments within the same company. That makes centralized decision-making based on real-time information from all sources crucial. Institutionalize a contingency management team that will champion all actions during times of disruption. This team must be comprised of senior people who can exercise influence over the various decision levers of the company.
  • Make sure your supply chain is flexible to dealing with risks. Look at opportunities to alleviate current supply chain bottlenecks, model alternative transportation network configurations and look for alternative sources of supply.

 

The insurance backstop

Companies can address supply chain risks either through business interruption insurance or contingent business interruption insurance. Business interruption insurance covers lost profits after a company’s own facility is damaged by an insured peril, while contingent business interruption insurance covers lost profits if an insured peril skips over the policyholder’s own facilities but shuts down its critical supplier or a major customer.

Contingent business interruption coverage is triggered if there is:

  1. Direct physical loss or damage to a dependent property (supplier or customer);
  2. The loss or damage is caused by a covered cause of loss; and
  3. The loss results in a suspension of operations at a covered location.

 

supply chain

Post-Charlie Hebdo: Reassessing Your Need for Terrorism Coverage

The tragedy that unfolded in Paris at the satirical magazine Charlie Hebdo and a kosher market, as well as a number of other smaller-scale terrorism attacks, is evidence of a new kind of terrorism that’s hit the West.

Besides the risk of loss of life and injuries, an act of terrorism would sink most small and mid-sized businesses. But that doesn’t have to be the case, since the cost of terrorism coverage is relatively cheap compared to other lines of insurance.

Companies with a total insured value of less than $100 million paid a median of $51 per million in coverage in 2013, according to the “2014 Terrorism Risk Insurance Report” by Marsh. Prices differ depending on the industry and location, with construction paying some of the highest rates.

There was some concern that availability of terrorism coverage would dry up when it was unclear whether Congress would pass an extension of the Terrorism Risk Insurance Act, which provides a financial backstop for insurance companies in case of large-scale terrorist attacks.

However, Congress did pass that legislation and President Obama signed it into law. That in turn means that insurers will continue to offer stand-alone terrorism policies at reasonable rates.

It should be noted that even if your business is not hit by terrorism but is in an area where an event unfolds, it could still be affected. Besides the obvious – the risk to property – the biggest overall risk to businesses is lost revenue.

There are usually two categories of effects from terrorism:

  • Businesses that suffer direct damage, which would be covered by a terrorism rider. However, if they have a property policy, the damage would not be covered.
  • Businesses located in the area of the event. In the case of the Boston bombing, that was a rather wide area that was closed for more than a week as authorities investigated. Coverage for such businesses would be dependent on the interpretation of “civil authority” under the policy.
    A civil authority provision is usually contained in many business-owner property insurance policies. Civil authority provisions are usually written as additional coverage provisions, not exclusions. They generally provide coverage for lost business income due to an “action” taken by a civil authority, such as closing streets to investigate.

 

Meanwhile, payouts are also dependent up on how the government classifies an attack. Businesses with terrorism coverage have to wait for this ruling by the Treasury Department.

As part of this process, the Treasury Department says that the event or attack must be “committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.” Additionally, total insured damage must reach at least $5 million.

 

Why not property coverage?

Business property insurance protects companies from financial loss due to the physical assets of a business being damaged. These can include the building the business is housed in, its inventory, its equipment and other essential contents. This type of coverage protects against things like fire, lightning, hail, wind storms, explosions, riots and vandalism.

Also, you can purchase endorsements that can be added to a policy that will protect it further. Common endorsements include ones for flood, earthquakes, business income and equipment breakdown.

Unfortunately, however, according to data from the Congressional Research Service, nearly four out of 10 commercial insurance policies have exemptions relating to terrorism, which would allow insurers to reject business interruption claims.

Large office buildings are much more likely to have terrorism insurance than small businesses.

 

Some issues to consider:

  • Is terrorism coverage worth it for your business? It’s up to you to decide if it’s worth it. There is a wide range of factors that you’ll use to determine whether this coverage is wise. First, consider your location. If you’re in a small town, then your need for this coverage is likely much lower than a company located in New York City.
    If you are concerned, you can start by analyzing your current insurance coverage and determine if you are protected in the event of a terrorist attack. Many businesses don’t know they have gaps in their coverage for terrorism.
  • Consider the cost. Cost is another issue, though it will be tied to your location. In a small town you might pay as little as $25 for an entire year’s worth of coverage, but in larger metropolitan areas the rates are typically higher, although not by much.
  • What’s covered and not covered by terrorism coverage? You’ll need to read the specifics of your policy, but generally speaking, terrorism insurance doesn’t cover nuclear attacks, biological attacks, or acts of war.

 

The takeaway

As with any type of coverage, the key to deciding if you need to add terrorism insurance comes down to a simple risk assessment. What do you stand to gain if you have the coverage and you need it, and what you stand to lose if you need it and don’t have it?

You can start by reviewing your exposures with us to determine the best way to handle this issue. We can help you make a decision that’s right for your company.

 

terrorism