All posts by Ciara Sachkowsky

New York Department of Financial Services Warns Businesses Who Use “Instant Quote” Software of Targeted Cyber Attacks

The New York Department of Financial Services (DFS) has issued a cybersecurity fraud alert to all of its regulated entities, describing a “systemic and aggressive” campaign to steal consumers’ private data.

The DFS has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes to the end user. All entities using instant quote software on their public-facing websites are vulnerable to this type of data theft attack. These attackers appear to be using the stolen data to apply for pandemic and unemployment benefits.

According to this alert, all regulated entities with instant quote websites should immediately review their websites for evidence of hacking. Reports have shown that even when consumer data is redacted, cybercriminals have been able to recover the full unredacted information.

Reports have confirmed several methods that criminals have used, or attempted to use, to steal consumer data from auto quote websites:

  • Taking unredacted information from the Auto Quote Websites’ HTML (Hypertext Markup Language) that was not displayed on the rendered page, but was visible in the code.
  • Using developer debug tools to intercept & decode unredacted consumer information.
  • Manipulating the technology to access parts of a public-facing website to view where the unredacted data is stored.
  • Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
  • Requesting a quote and receiving an agent’s contact information to use social engineering to elicit information from the agent.

The DFS has requested prompt reporting of any attempts to steal consumer information from public-facing websites. Reports of unsuccessful attacks have previously been used to identify the techniques used by attackers. This helps the DFS respond quickly to new threats and continue to help protect consumers and the financial services industry.

Any DFS-regulated entity with a website that uses this type of technology should immediately review the following indicators:

  • Data analytics and website traffic metrics for spikes of quote requests. An unusual spike in abandoned quotes occurring in a short time frame was one of the key indicators of this type of attack. On a broader scope, regulated entities should look for an increase in consumer submissions that terminate as soon as consumer data is revealed.
  • Server logs for evidence of unauthorized access to private information. After your IT team has reviewed your web traffic, have them review your server logs for that period. When examining the logs of customer sessions, security teams should check to see if there has been any site manipulation using web developer tools.

These are just two suggestions by the DFS. There are a number of other ways cybercriminals can access information. Regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.
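One way to put the two indicators above into practice, as an added example that is not part of the DFS alert or this post: the script below reconstructs sessions from web-server log lines, flags addresses whose quote sessions repeatedly end on the page where consumer data is revealed, and applies a per-address quote limit. The log format, the /quote/start and /quote/result paths, and the trailing sid= session field are assumptions about how an instant-quote site might log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed URL layout for the quote flow: a quote begins at START_PATH and the
# consumer's data is first shown on REVEAL_PATH. Anything requested after the
# reveal page counts as the shopper continuing; nothing after it means abandoned.
START_PATH = "/quote/start"
REVEAL_PATH = "/quote/result"

# Combined-log style line with an assumed trailing "sid=<session cookie>" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) sid=(?P<sid>\S+)$'
)

# Constructed sample: one genuine shopper (sid=h1) who buys after the quote, and
# one address running three short sessions that each stop on the reveal page.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2021:14:00:01 +0000] "POST /quote/start HTTP/1.1" 200 512 sid=h1
198.51.100.7 - - [10/Feb/2021:14:00:09 +0000] "GET /quote/result?q=1001 HTTP/1.1" 200 8192 sid=h1
198.51.100.7 - - [10/Feb/2021:14:01:30 +0000] "POST /quote/purchase HTTP/1.1" 200 1024 sid=h1
203.0.113.5 - - [10/Feb/2021:14:02:00 +0000] "POST /quote/start HTTP/1.1" 200 512 sid=b1
203.0.113.5 - - [10/Feb/2021:14:02:02 +0000] "GET /quote/result?q=1002 HTTP/1.1" 200 8192 sid=b1
203.0.113.5 - - [10/Feb/2021:14:02:05 +0000] "POST /quote/start HTTP/1.1" 200 512 sid=b2
203.0.113.5 - - [10/Feb/2021:14:02:07 +0000] "GET /quote/result?q=1003 HTTP/1.1" 200 8192 sid=b2
203.0.113.5 - - [10/Feb/2021:14:02:10 +0000] "POST /quote/start HTTP/1.1" 200 512 sid=b3
203.0.113.5 - - [10/Feb/2021:14:02:12 +0000] "GET /quote/result?q=1004 HTTP/1.1" 200 8192 sid=b3
this line is deliberately malformed and must be skipped rather than abort the review
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query
        yield rec


def sessions_by_id(records):
    """Group requests by session cookie, in time order."""
    sessions = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        sessions[rec["sid"]].append(rec)
    return sessions


def abandoned_after_reveal(session):
    """True when the session's last request is the reveal page: the data was
    served and nothing followed, which is the pattern the DFS describes."""
    return session[-1]["path"] == REVEAL_PATH


def find_suspicious_ips(text, window=timedelta(minutes=10),
                        max_abandoned=2, max_starts=5):
    """Map each suspicious source address to the indicator it tripped."""
    sessions = sessions_by_id(list(parse_log(text)))
    abandoned_at = defaultdict(list)   # ip -> timestamps of abandoned reveals
    quote_starts = defaultdict(int)    # ip -> number of quotes started
    for reqs in sessions.values():
        ip = reqs[0]["ip"]
        quote_starts[ip] += sum(1 for r in reqs if r["path"] == START_PATH)
        if abandoned_after_reveal(reqs):
            abandoned_at[ip].append(reqs[-1]["ts"])

    findings = {}
    for ip, stamps in abandoned_at.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over the timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_abandoned:
                findings[ip] = f"{hi - lo + 1} abandoned quotes within {window}"
                break
    for ip, n in quote_starts.items():         # the per-address quote limit check
        if n > max_starts:
            findings.setdefault(ip, f"{n} quote starts from one address")
    return findings


if __name__ == "__main__":
    for ip, reason in find_suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The thresholds are deliberately low for the sample; on real traffic they should be set from a baseline of normal abandonment rates for the site.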

The DFS has suggested the following steps for entities that are using Instant Quote websites to collect information:

  • Conduct a thorough review of website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
  • Review public-facing websites for browser web developer tool functionalities. Verify and limit the access so that users cannot adjust, deface or manipulate the website content using web developer tools.
  • Review and confirm that its redaction software for consumer information is properly implemented throughout the entire transmission of the data.
  • Ensure that privacy protections are up to date and effectively protect the data by reviewing which applications use the data, who has the authorization to view the data, and, most importantly, where the data is stored.
  • Search and scrub public code repositories for proprietary code.
  • Block any IP addresses of suspected unauthorized users and consider a Quote limit per user session or IP address.
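As an added illustration (not code from the alert or from any quoting product) of why redaction has to happen before data leaves the server: the first renderer below reproduces the weakness the alert describes, with the full value still in the page source behind a client-side mask, while the second masks server-side and does the same for the JSON the page's scripts fetch. The field names, markup and sample license number are constructed for the example.

```python
import html
import json


def mask(value, visible=4, fill="*"):
    """Server-side redaction: keep only the last `visible` characters."""
    value = value.strip()
    if len(value) <= visible:
        return fill * len(value)
    return fill * (len(value) - visible) + value[-visible:]


def render_vulnerable(quote):
    # WRONG: the page *displays* a mask, but the full number is still in the
    # source (a data attribute and a hidden field), where view-source or the
    # browser's developer tools expose it. This is the weakness in the alert.
    full = html.escape(quote["dl_number"])
    return (
        f'<p>Driver license: <span class="masked" data-full="{full}">'
        f'{html.escape(mask(quote["dl_number"]))}</span></p>\n'
        f'<input type="hidden" name="dl_number" value="{full}">'
    )


def render_hardened(quote):
    # RIGHT: only the masked form and an opaque quote reference reach the
    # browser; the full value stays in the server-side quote record.
    return (
        f'<p>Driver license: <span class="masked">'
        f'{html.escape(mask(quote["dl_number"]))}</span></p>\n'
        f'<input type="hidden" name="quote_ref" value="{html.escape(quote["quote_ref"])}">'
    )


def api_quote_response(quote):
    # Redaction must hold for every transmission, not just the HTML: a JSON
    # endpoint that returns the full record undoes the masking above.
    return json.dumps({"quote_ref": quote["quote_ref"],
                       "dl_number": mask(quote["dl_number"])})


def leaks(transmitted, secret):
    """Review check: does the unredacted value appear anywhere in what was sent,
    including inside attributes or HTML-escaped text?"""
    return secret in html.unescape(transmitted)


# Constructed quote record; the license number is a made-up sample value.
SAMPLE_QUOTE = {"quote_ref": "q-7f3a19", "dl_number": "123456789"}

if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(SAMPLE_QUOTE)),
                       ("hardened", render_hardened(SAMPLE_QUOTE))):
        print(name, "leaks" if leaks(page, SAMPLE_QUOTE["dl_number"]) else "clean")
```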

Anyone with questions regarding the alert should contact the NY Department of Financial Services directly at CyberAlert@dfs.ny.gov.


If you have any questions regarding your own cybersecurity, contact one of our Risk Advisors at 914-357-8444 or visit our Contact Us page to schedule a 10-minute meeting.


Protecting Your Workforce From Winter Related Illness

Winter weather creates new challenges for employers trying to protect their employees from work-related accidents. Snow and ice: how are you protecting your employees from potential slip and fall incidents related to snow and ice? According to OSHA, 20% of all workplace injuries are due to trips, slips, and falls.

Types Of Cold Related Illness

Every year, around 1,330 people die of exposure to the cold. These deaths are preventable with the proper clothing. The four types of cold-related illnesses are hypothermia, frostbite, chilblains, and trench foot.

Hypothermia

When your body is exposed to cold temperatures, the body begins to lose heat faster than it can be produced. Prolonged exposure will eventually use up the body’s stored energy.

Signs of Hypothermia:

Early Symptoms

  • Shivering
  • Fatigue
  • Loss of coordination
  • Confusion and disorientation

Late Symptoms

  • No shivering
  • Blue skin
  • Dilated pupils
  • Slowed pulse and breathing
  • Loss of consciousness

First Aid for Hypothermia

  1. Move employee to a warm room or shelter
  2. Remove their wet clothing
  3. Warm the center of their body first (chest, neck, head, and groin) using an electric blanket, if available; or use skin-to-skin contact under loose, dry layers of blankets, clothing, towels, or sheets.
  4. Warm beverages may help, but do not give alcoholic beverages. Do not try to give beverages to an unconscious person.
  5. After their body temperature has increased, keep the victim dry and wrapped in a blanket.
  6. If the victim is unresponsive, begin CPR.


Frostbite

Frostbite is caused by freezing. It causes loss of feeling and color in the affected areas. Frostbite most commonly affects the nose, ears, cheeks, chin, fingers, and toes. It can cause permanent damage to body tissue, and severe cases can lead to amputation.


Symptoms:

  • Reduced blood flow to hands and feet (fingers or toes can freeze)
  • Numbness
  • Tingling or stinging
  • Aching
  • Bluish or pale, waxy skin

First Aid

  • Get into a warm room as soon as possible.
  • Unless absolutely necessary, do not walk on frostbitten feet or toes; this increases the damage.
  • Immerse the affected area in warm (not hot) water; the temperature should be comfortable to the touch for unaffected parts of the body.
  • Warm the affected area using body heat; for example, the heat of an armpit can be used to warm frostbitten fingers.
  • Do not rub or massage the frostbitten area; doing so may cause more damage.
  • Do not use a heating pad, heat lamp, or the heat of a stove, fireplace, or radiator for warming. Affected areas are numb and can be easily burned.

Chilblains

Chilblains are the inflammation of blood vessels in the skin in response to repeated exposure to cold but not freezing air.

Symptoms

  • Small, itchy red areas on your skin, often on your feet or hands
  • Possible blistering or skin ulcers
  • Swelling of your skin
  • Burning sensation on your skin
  • Changes in skin color from red to dark blue, accompanied by pain

First Aid

  • Keep hands and feet warm and dry
  • Wear gloves & socks
  • Change damp gloves and socks when needed
  • Move affected person inside

Cold related illnesses aren’t the only hazard that an organization faces with winter. Slip and fall injuries are more prevalent in the winter as well.

Email Attachment File Types That Can Potentially Contain Malware

With more departments working remotely, an email from the IT department asking for remote access to your computer isn’t an unreasonable find in your inbox. Cybercriminals know this.

Malware in the form of an email attachment is the easiest way a cybercriminal can attack an organization. Using social engineering, cybercriminals can pose as job candidates, easily convincing HR departments to open files like “resumes.docx” without considering that the link or file may actually be ransomware or keylogging software.

With more organizations operating remotely, an email from the “IT Department” asking employees to update an organization’s software through an email attachment isn’t a far reach, especially in a time where fewer employees are commuting to the office and digital communications are at an all-time high.

Emails from cybercriminals posing as trusted sources are a common phishing scheme that can cost organizations. Some schemes are socially engineered to pose as a coworker asking to send gift cards; others are hackers sending malware as an attachment.

What is Malware?

Malware is any software designed to disrupt, damage, or gain unauthorized access to a computer system. Malware can lie dormant on an organization’s systems for months before activating. In some cases, this malware can be linked to software that isn’t hurting anything on the network but is just gathering information for cybercriminals.

Files That Are Commonly Attached To Email 

These are the most common types of files attached to an email. If you receive an email from an unknown sender, email the sender back before opening any attachments.

  • .txt: Files that end in .txt are typically safe to open. There have been instances in the past where cybercriminals sent out mass emails with attachments that appeared to be .txt files but really had an additional extension that most email programs did not display. As soon as users opened what they thought was a .txt file, the program behind the other extension ran instead.
  • .pdf: PDFs are also considered safe to open. However, there have been known cases of security gaps in programs that open .pdf files. Even though these files are typically safe to open, verify that the sender is someone trustworthy before you open the attachment.
  • .doc/.docx/.xls/.xlsx/.ppt/.pptx: Microsoft Office documents of all types are very commonly manipulated to contain malware. Microsoft Office created .docx to help mitigate the number of macro viruses that could be attached to files ending in .doc. If you receive a file that ends in .doc, ask the sender to resend the file as a .pdf.
  • .jpg: This extension is often used to camouflage executable programs. If your email program does not show the full file extension, you could be tricked into running malware.
  • Compressed files (.zip/.rar): These can have malware embedded in them that is released as soon as the file is opened. These files should not be opened from any unknown sender.
  • Executable files: Most email providers now filter for this file type and block emails with these files attached. Executable files can contain anything from legitimate software updates to actual malware.
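An added example, not from this post, of applying the rules above automatically before a user ever sees the attachment: it parses a raw message with Python's email module and assigns each attachment a tier, catching the hidden double extension, the image name with executable content, and the Office document. The message and the executable-extension list are constructed for the example.

```python
from email import message_from_string, policy

# Extension groups drawn from the list above. The executable set is a short
# assumed list of common Windows program/script types, not an exhaustive one.
EXECUTABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs"}
OFFICE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
ARCHIVE = {".zip", ".rar"}
USUALLY_SAFE = {".txt", ".pdf", ".jpg", ".jpeg"}


def extensions(filename):
    """Every extension in the name, in order: 'resume.txt.exe' -> ['.txt', '.exe'].
    A mail client that hides the last extension would show that file as 'resume.txt'."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def assess(filename, content_type):
    """Return (tier, reason); tiers are 'block', 'verify-sender' or 'ok'."""
    exts = extensions(filename)
    if not exts:
        return ("verify-sender", "no file extension")
    last = exts[-1]
    if last in EXECUTABLE:
        if len(exts) > 1 and exts[-2] in USUALLY_SAFE:
            return ("block", f"executable disguised as {exts[-2]} via double extension")
        return ("block", "executable attachment")
    if last in ARCHIVE:
        return ("block", "compressed archive; contents cannot be checked before opening")
    if last in OFFICE:
        return ("verify-sender", "Office document; may carry macros, ask for a PDF")
    if last == ".pdf" and content_type != "application/pdf":
        return ("verify-sender", f"declared type {content_type} does not match .pdf")
    if last in {".jpg", ".jpeg"} and not content_type.startswith("image/"):
        return ("block", f"image name but {content_type} content")
    return ("ok", "usually safe type; still confirm unknown senders")


def triage(raw_message):
    """Parse a raw RFC 822 message and assess each attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name,) + assess(name, part.get_content_type()))
    return results


# Constructed message: four attachments, each a case from the list above.
# Attachment bodies are placeholder base64 of "AAAA", not real file contents.
SAMPLE_MESSAGE = """\
From: candidate@example.net
To: hr@example.com
Subject: Application for open position
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see my resume attached.

--b1
Content-Type: application/octet-stream; name="resume.txt.exe"
Content-Disposition: attachment; filename="resume.txt.exe"

QUFBQQ==

--b1
Content-Type: application/pdf; name="resume.pdf"
Content-Disposition: attachment; filename="resume.pdf"

QUFBQQ==

--b1
Content-Type: application/x-msdownload; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

QUFBQQ==

--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="resume.docx"

QUFBQQ==

--b1--
"""

if __name__ == "__main__":
    for name, tier, reason in triage(SAMPLE_MESSAGE):
        print(f"{tier:13} {name:16} {reason}")
```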

At Metropolitan Risk, we offer a full cyber evaluation to help your organization recognize its digital strengths and weaknesses. Click here to request a Cyber Evaluation or call 914-357-8444 to speak with a Risk Advisor.

OSHA 2020 Workplace Injury Reports Due By March 2, 2021

The Occupational Safety and Health Administration (OSHA) reminds employers that it began collecting 2020 workplace injury data on Jan. 2, 2021.

When are OSHA 300A Reports Due?

All OSHA 300A records must be submitted electronically by March 2, 2021.

Organizations with 250 or more employees are currently required to keep OSHA injury and illness records for up to 5 years. OSHA requires that all organizations submit their injury and illness data for 2019 electronically by March 2, 2021. You can submit records electronically through the Injury Tracking Application available here.

The form to use is OSHA Form 300A, Summary of Injuries. Current and former employees have the right to request further injury records via the OSHA 300 Report. It is very important that you true up your OSHA 300 reports for the year, then complete the OSHA 300A report and post it on-site (at each site). Failure to do so can trigger fines and/or an investigation by OSHA. OSHA can stop by and ask for evidence of your compliance at any time. Need help? Download our updated OSHA Reporting Guide for 2021 and share it with HR and/or Safety Compliance.

F.A.Q.s – CLICK HERE TO VIEW OSHA’s FULL LIST OF F.A.Qs

What is a recordable incident? 

Check out this flowchart.

What is a reportable incident?

Check out this flowchart.

Do I need to fill out an OSHA 300A log for every location?

You must keep a separate OSHA 300 Log for each establishment that is expected to be in operation for one year or longer.

Do I need to keep OSHA injury and illness records for short-term establishments (i.e., establishments that will exist for less than a year)?

Yes, however, you do not have to keep a separate OSHA 300 Log for each such establishment. You may keep one OSHA 300 Log that covers all of your short-term establishments. You may also include the short-term establishments’ recordable injuries and illnesses on an OSHA 300 Log that covers short-term establishments for individual company divisions or geographic regions.

Some of my employees work at several different locations or do not work at any of my establishments at all. How do I record cases for these employees?

You must link each of your employees with one of your establishments for recordkeeping purposes. You must record the injury and illness on the OSHA 300 Log of the injured or ill employee’s establishment, or on an OSHA 300 Log that covers that employee’s short-term establishment.

How do I record an injury or illness when an employee of one of my establishments is injured or becomes ill while visiting or working at another of my establishments, or while working away from any of my establishments?

If the injury or illness occurs at one of your establishments, you must record the injury or illness on the OSHA 300 Log of the establishment at which the injury or illness occurred. If the employee is injured or becomes ill and is not at one of your establishments, you must record the case on the OSHA 300 Log at the establishment at which the employee normally works.


New York State’s Updated Sick Leave Law

New York State’s Paid Sick Leave policies were introduced on April 3, 2020, and went into effect on Sept. 30, 2020.

On January 1, 2021, employees may start using their accrued leave. 

The number of sick leave hours required is based on the number of employees that work within your organization:

0-4 Employees:

If your net income is $1 Million or less, employers must provide up to 40 hours of unpaid sick leave. If net income is greater than $1 Million, employers must provide up to 40 hours of paid sick leave.

5-99 Employees: 

Employers must provide 40 hours of paid sick leave per calendar year.

100+ Employees:

Employers must provide up to 56 hours of paid sick leave in a calendar year. 

How sick leave is accrued 

Employees began accruing leave on September 30, 2020. Leave must be accrued at a rate of not less than one hour of leave for every thirty hours worked.

As an alternative to accruing sick leave by hours worked, employers may choose to provide the full amount of sick leave at the beginning of each calendar year (e.g., an employer with 50 employees may choose to provide 40 hours of sick leave starting Jan. 1 of each year, or at the beginning of a 12-month period determined by the employer). NOTE: Upfront sick leave cannot be subject to later revocation or reduction if the employee works fewer hours than anticipated by the employer.

Who is eligible

All private-sector employees in New York State are covered, regardless of industry, occupation, part-time status, and overtime-exempt status. Federal, state, local, and government employees are NOT covered, but employees of charter schools, private schools, and not-for-profit corporations are covered.

Permitted Usage of Sick Leave 

After Jan. 1, 2021, employees may use accrued leave, following a verbal or written request to their employer, for the following reasons impacting the employee or a member of their family for whom they are providing care or assistance with care.

Sick Leave: 

  • For mental or physical illness, injury, or health conditions, regardless of whether they have been diagnosed or require medical care at the time of the request for leave.
  • For the diagnosis, care, or treatment of a mental or physical illness, injury or health condition, or need for medical diagnosis or preventative care.


Safe Leave:

  • For an absence from work when the employee or employee’s family member has been the victim of domestic violence as defined by the State Human Rights Law, a family offense, sexual offense, stalking, or human trafficking due to any of the following as it relates to the domestic violence, family offense, sexual offense, stalking, or human trafficking: 
    • to obtain services from a domestic violence shelter, rape crisis center, or other services program; 
    • to participate in safety planning, temporarily or permanently relocate, or take other actions to increase the safety of the employee or employee’s family members; 
    • to meet with an attorney or other social services provider to obtain information and advice on, and prepare for or participate in any criminal or civil proceeding; 
    • to file a complaint or domestic incident report with law enforcement; 
    • to meet with a district attorney’s office; 
    • to enroll children in a new school; or 
    • to take any other actions necessary to ensure the health or safety of the employee or the employee’s family member or to protect those who associate or work with the employee. 

Leave Increments 

Employers are permitted to require that leave be used in increments (e.g., 15 minutes, 1 hour, etc.) but may not set the minimum increment at more than 4 hours.

Employers must notify employees in writing, or by posting a notice in the worksite prior to leave being accrued, of any restrictions in their leave policy affecting the employees’ use of leave, including any limitations on leave increments.

Rate Of Pay

Employees must be paid their normal rate of pay for any paid leave time under this law, or the applicable minimum wage rate, whichever is greater. No allowances or credits may be claimed for paid leave hours, and employers are prohibited from reducing an employee’s rate of pay for sick leave hours only. 

An employer cannot retaliate against an employee in any way for exercising their right to use sick leave. Furthermore, employees must be restored to the position of employment they held prior to any sick leave taken. Employees who believe they have been retaliated against for exercising their sick leave rights should contact the Department of Labor’s Anti-Retaliation Unit.

Record Keeping

Employers are required to keep payroll records for 6 years, which must include the amount of sick leave accrued and used by each employee on a weekly basis.

Employers are required to provide within three business days a summary of the amount of sick leave accrued and used by the employee in a current calendar year or any previous calendar year, at the request of the employee.


Employees who believe that they have been retaliated against for exercising their sick leave rights should contact the Department of Labor’s Anti-Retaliation Unit at 888-52-LABOR or LSAsk@labor.ny.gov


If you still have questions, contact a Risk Advisor at 914-357-8444. If they cannot help you they’ll direct you to an employment lawyer that can. 

Cyber Security Awareness Month

October is Cyber Security Awareness Month! 

Cybersecurity is one of the fastest-growing concerns for businesses, as many positions within organizations have become fully remote. To celebrate Cybersecurity Awareness Month, we suggest having these conversations with your team:


Cybersecurity management starts with training your organization to recognize potential cyber threats. This year’s theme for Cybersecurity Awareness Month is Do Your Part. #BeCyberSmart

Follow our social media accounts for our updates throughout the month. If you need more information on cybersecurity or cyber liability insurance, contact a risk advisor at 914-357-8444. Remember, do your part. #BeCyberSmart.


New Jersey’s New COVID-19 Workers’ Compensation Legislation Favors Employees

On Sept 14, 2020, New Jersey Governor Phil Murphy signed into law Senate Bill 2380 (S2380), expanding access to workers’ compensation benefits for workers infected with COVID-19. This bill retroactively covers Covid-19 positive “essential” workers up to March 9, 2020.

This new law diminishes the usual requirement that a worker prove his injury or illness was caused on the job. Instead, it presumes that essential workers’ illnesses arising during the pandemic are related to their work.

Employers can only rebut this presumption if they can demonstrate that the essential worker was not exposed to COVID-19 at their place of work.

The law redefines “essential employee” as an employee in the public or private sector who, during a state of emergency: (1) is a public safety worker or first responder; (2) is involved in providing medical and other healthcare services; (3) performs functions which involve physical proximity to members of the public and are essential to the public’s health and safety (e.g. grocery clerk); and (4) any other employee deemed an essential employee by a public authority. It should be noted, however, this presumption will only apply if the employee contracts COVID-19 during the State of Emergency.

Note: Gov. Murphy declared a State of Emergency in New Jersey on March 9, 2020, and has extended that order indefinitely.

New York State currently does not have a similar law but is also considering rebuttable presumption legislation.

Claims paid in relation to this bill would be excluded from consideration when calculating an employer’s Experience Modification Factor, negating any direct impact on the employer’s workers’ compensation premium.

When a state legislates insurance coverage like this, it has a downstream adverse effect in that local market. At the very least, you may see insurance rates increase due to the additional exposure insurers are asked to carry. The workers’ comp rates currently in effect did not contemplate coverage for a pandemic. Further, insurers cannot recoup these losses through the EMR as they do with all other claims, which means they need to take rate increases. This is exactly the wrong time to saddle NJ business owners with higher costs.

Fortunately, as a business owner who is paying attention, there are steps you can take to mitigate this. For more information on how this new legislation may affect your New Jersey business, contact a Risk Advisor at 924-357-8444.


Source: https://www.natlawreview.com/article/nj-law-expands-access-to-workers-comp-benefits-essential-employees-infected-covid-19

Cybercriminals Are Targeting HR Depts. With This Resume Scheme

Trojan malware attacks are resurfacing as businesses start to return to work, embracing a new normal in a post-COVID-19 world. Organizations have started to resume their hiring practices by posting job opportunities on their website, across job boards, and on LinkedIn to reach as many potential candidates as possible.

Some of these businesses are streamlining their hiring process by requesting that resumes be emailed directly to their HR department. Streamlining this process creates new cybersecurity exposures because a cybercriminal can socially engineer the situation.

Cybercriminals are sending emails with attachments posing as resumes to HR departments. The premise of these attacks is a modern-day Trojan Horse: a threat posing as a harmless gift. Trojan malware is not a new cyberattack, but it is one of the least suspected.

If your HR Department fields dozens of resumes a day, there is a significant chance that one of the resumes they open could contain malware. If the file does contain malware, your organization could be allowing keylogging software or ransomware onto your server to attack unencrypted files. 

Without the HR department’s knowledge, a cybercriminal can attach a malicious file to an email that mirrors any other job seeker’s resume. The cyberattack can download ransomware or keylogging software onto the HR department’s computer or infect the entire network.


Ways to Avoid Potential Trojan Malware in Your Inbox


  1. Avoid resumes sent as Word documents. Have job candidates submit their resumes as plain text within an email or as a PDF. Word documents are the second most likely file type to contain malware; ZIP and program files are the most likely.
  2. Do not click social media links embedded into the email. If an applicant shares a link to their social media accounts, don’t click the link. Type out the full URL to ensure the social media account exists. Or search the social media website for the user name your applicant has given you.
  3. Use a recruiter. Working with a trusted recruiter is one way to reduce the number of random emails with attachments that end up in your HR department’s inbox. A trusted recruiter will share only the resumes that are the best fit for your organization.
  4. Have resumes submitted as plain text files instead of as an attachment. If you’re using a web form, have applicants upload their resume as plain text right into a response box instead of having applicants attach a document to an email or upload a document.
  5. Have applicants fax or mail their resumes. Paper wins against malware every time. Submitting a resume by fax or regular mail ensures there is no way the submitted resume can contain malware.

These are a few ways to reduce the risk of Trojan malware attacking your organization. For more information on how to protect your organization from cyber risks, contact a Risk Advisor at 914-357-8444.

Source article: Hackers Targeting Employers (Forbes)

Returning To The Office During COVID-19

Returning to the office has proven to be challenging for employers. Organizations of all sizes are struggling to determine which employee health screenings they can execute without infringing on their employees’ rights. From scheduled questionnaires to employee temperature checks, employers are working hard to adapt to this new normal.

Employee health screenings need to be voluntary. Hourly employees should be considered on the clock while they are waiting in line for testing and while the test is being administered. If an employee is sent home because they are ill, they should be paid for the time out of work, if possible. If the employee refuses to take the test or respond to the survey, it is within your rights as an employer to send them home without pay.


Temperature Checks

Before COVID-19, temperature checks were considered part of a medical exam. Employers need to follow the rules below to ensure that employee health screenings are minimally invasive and confidential.

Health screenings are voluntary but a necessary way for employers to best protect the entire workforce. Reassure your employees that these screenings are completely private and confidential. If your business does not have an on-site nurse, determine which employee will be responsible for taking the other employees’ temperatures.

Employees should be considered on the clock while waiting in line for and while the test is being administered. If an employee is sent home ill they should be paid for the time out of work if possible. If the employee refuses to take the test, it is within your rights as an employer to send them home without pay. 

Additional Safety Measures 

Cloth Face Masks

Cloth face masks are not appropriate substitutes for workers who must wear N94 respiratory masks or medical/surgical face masks. A cloth face mask should cover the nose and mouth to contain the wearer’s potentially infectious respiratory droplets. Cloth face masks will not protect the wearer from airborne transmissible infectious agents due to their lack of seal or inadequate filtration. (Click here to view the CDC Recommendations for Masks and Cloth Face Coverings.)

Provide employees with guidelines on when they can and cannot take off their masks. For example, some office employees may not be required to wear their mask at their desks but do need to wear them in common areas, while food service employees may be required to wear their masks for their entire shifts. Make sure to communicate these guidelines and requirements to your employees. Address any concerns they may have regarding the new policy. Post these new guidelines and rules throughout the business in places where employees can see them.


Keeping a minimum 6-ft distance between workers

Employees should keep a minimum of 6 ft (two arm lengths) away from each other. Workspaces should allow employees to sit a comfortable distance away from other employees. If needed, consider rearranging the workspace and adding protective barriers for employees. Businesses considering reopening should consult the “Reopening the workplace during a pandemic” decision chart released by the CDC.


Keep Common Areas and Surfaces Clean 

While returning to your office space, be aware of how often you’re cleaning. You might be questioning if you’re cleaning enough. Wiping down shared areas multiple times a day with the proper cleaning products is one way to help prevent the spread of the coronavirus. 

  • Clean AND disinfect frequently touched surfaces daily. This includes common areas, tables, doorknobs, light switches, countertops, handles, desks, phones, keyboards, toilets, faucets, and sinks.
  • If these surfaces appear to be dirty, wash them with soap and water before using chemical disinfectants. The EPA released this list of common household disinfectants that will help prevent the spread of COVID-19.


Still want more info on how to carefully reopen your business in a post-COVID-19 world? Contact a Risk Advisor at 914-357-8444.